Privacy in NORCE

Personal data at NORCE

When NORCE determines the purpose and means of processing personal data, NORCE is data controller for the processing. This privacy policy provides details about the processing for which NORCE is responsible.

Overall responsibility for personal data protection lies with CEO Camilla Stoltenberg.

NORCE's privacy work is coordinated by Renate Storetvedt Lien, Head of Research administration.

The data protection officer for NORCE is Ina Nepstad, Senior Adviser, Sikt - Norwegian Agency for Shared Services in Education and Research.

You can also download the policy as a pdf-file.

Data controller

NORCE attn. CEO Camilla Stoltenberg

Postal address: PO Box 22 Nygårdstangen, 5838 Bergen
Tel.: +47 56 10 70 00
Email: post@norceresearch.no

Privacy Coordinator

NORCE attn. Renate Storetvedt Lien, Head of Research Administration

Postal address: PO Box 22 Nygårdstangen, 5838 Bergen
Tel.: +47 92 89 80 57
Email: reli@norceresearch.no

Data protection officer

Ina Nepstad, Senior Advisor Privacy Services, Sikt - Norwegian Agency for Shared Services in Education and Research.

Postal address: Lars Hilles gate 22, 5008 Bergen.
Email: personvernombud@norceresearch.no

We process personal data about you in the following situations:

• When you are employed by us or carry out consultancy assignments for us.
• When you have been in contact with, or collaborate with, our employees.
• When you apply for a job with us or are provided as a reference by a job seeker.
• When information about you is included in data material in one of our research projects.
• When you are registered in one of our registers.
• When you participate in courses, seminars, workshops or other events with us.
• When you participate in initiatives that we deliver under the auspices of Competence Centres.
• When you subscribe to our newsletters.
• When you visit our website.
• When you have access to our premises.
• When you have access to our IT services or are connected to our guest networks.
• When you represent a supplier, provider, customer or funder with whom we cooperate.
• When you have received a fee or refund from us.
• When you are contacted as a media representative, premise provider or stakeholder.

IT platform

NORCE's IT platform consists of physical infrastructure, networks, PCs, configuration, data, IT services including internal and external, and more. Data traffic and activities in the IT platform are inspected and logged. This is used in troubleshooting, uncovering and documenting any violations of the law, deviations from internal rules and routines or other breaches of our information security. Logs may be disclosed to external partners that NORCE has an agreement with. This also applies to guests who connect equipment to the IT platform, typically wireless network. The legal basis for processing is Article 6(1)(f) of the General Data Protection Regulation, which allows us to process information that is necessary to safeguard a legitimate interest that outweighs the interests or fundamental rights and freedoms of the individual.

Classification and storage of data and information

NORCE has guidelines for classification and storage of data and information. The classification has an impact on where and how information is processed and stored. The IT service catalogue has an overview of which information classes are approved for the specific IT services and applications.

Use of artificial intelligence (AI)

In the autumn of 2025, NORCE started piloting Microsoft's AI, Copilot for Microsoft 365 (M365). This means that Copilot will be available in M365 applications such as Word, Outlook, Excel, Teams and more. Technical and organizational measures will be implemented to safeguard privacy.

Technical measures include access control, disabling certain functions of Copilot by default, technical control of certain categories of information that should not occur in the Microsoft environment, classification of data and technical measures that prevent Copilot from using personal data stored in email and chat. The measures will limit Copilot's access to personal data with special protection needs and information in applications where the data subjects have a special expectation of confidentiality.

Organizational measures include training with a focus on correct use and quality assurance of output, in addition to an increased focus on information about the use of the tool by employees and external parties. This is to prevent incorrect information from being used further and ensure sufficient transparency towards the data subjects.

Transfers to third countries (outside the EEA)

If it is relevant to transfer data outside the EU/EEA, special assessments are made and a data protection officer is involved, and transfers only take place if it is in line with Chapter 5 of the GDPR.

Email, telephony and archive

NORCE processes personal data about people we are in contact with. This is done using e-mail, telephone, video conferencing and other interaction tools, both internally and externally. We store the necessary information for the business in our file and archive systems.

Each employee is responsible for deleting emails that are no longer relevant. When an employee leaves NORCE, his or her email account is closed and deleted after 30 days. However, some emails that are necessary for business will be transferred to colleagues. Confidential information is not sent via regular email. Such information is only sent via encrypted email.

Archival documents are stored in our documentation system. The day-to-day responsibility for our archive is delegated to the archive manager.

The processing of personal data about people we are in contact with takes place based on NORCE's legitimate interests (Article 6 (1) (f) of the General Data Protection Regulation). Our legitimate interest is to be able to carry out our activities as a research institute in an efficient and safe manner.

Use of personal data in research

NORCE conduct research and innovation in energy, health, climate, environment, society and technology. Some of our research involves the use of research data that contains personal data.

To ensure privacy in research, we use privacy services from Sikt - the knowledge sector's service provider. All research projects that use personal or health data must be reported to Sikt via their notification form. Sikt's privacy services assist NORCE with the following:

• General information, training and advice on the processing of personal data and safeguarding privacy in research
• Assessment of the use of personal data in research projects, both before start-up, during and at the end of the project.
• Handling inquiries from registered (participants) in research projects.
• Notification of, and possibly assistance in the event of, breaches of personal data security or other breaches of data protection regulations in all phases of research projects.
• Implementation of Data Protection Impact Assessments (DPIAs).
• Preliminary discussions and dialogue with the Norwegian Data Protection Authority.
• Development and maintenance of systems for enrolment and counselling, as well as an updated processing protocol for the research projects.
• Ensuring a publicly available overview of the processing of personal data for research purposes.
  

Research data containing personal data shall be processed in accordance with our guidelines for classification and storage of data and information. The data is only accessible to people who have a legitimate need to process it.

Each research project provides information to the data subjects (participants) about what personal data is to be processed, the purpose of the processing, how the data is to be processed and what rights the data subjects have. As a rule, the information is provided directly to those concerned. If this is not practically possible, the information will be posted on the project's website.

The processing of personal data in research will most often take place based on consent (Article 6(1)(a) of the General Data Protection Regulation) or because it is in the public interest (Article 6(1)(e)). The specific basis for processing each research project is described in the information to the data subjects and is stated in the project's registration with Sikt.

Use of personal data at the Knowledge and Competence Centre

NORCE operates several competence centers on behalf of the Norwegian authorities. These centres process personal data both for research purposes and for other purposes. The competence centres provide information to the data subjects about what personal data is processed, the purpose of the processing, how the data is processed and what rights the data subjects have. The information is provided both directly to the data subjects and through descriptions of the activities on the centres' websites.

Processing personal data in this context will in some cases be carried out on the basis of consent (Article 6(1)(a) of the General Data Protection Regulation) and in some cases because it is in the public interest (Article 6(1)(e)). This will be evident from the various treatments, as the data subjects have been informed.

Here you will find more information of activities at our Competence Centres.

Participants in meetings, seminars, conferences, courses and continuing education initiatives

When you participate in meetings, seminars, conferences, courses, continuing education initiatives or the like at NORCE, we register information such as name, e-mail, place of work, position and IP address. At events where food will be served, we also ask questions about food preferences/food allergies or other considerations we need to take. In some cases, it may be appropriate to have photos and video recordings during events. Participants will be informed in advance and given the opportunity to opt out of such participation.

Participant lists with names and other relevant information may be shared with third parties for reporting purposes. Personal data that is necessary for invoicing, statistics and reporting is deleted as soon as it is no longer necessary for the purpose. Other personal information will be deleted as soon as the event has ended.

We regularly arrange academic seminars aimed at research environments, users, clients, decision-makers and others. Some of our units also offer regular courses and teaching initiatives. Information about these activities can be found on the website of the relevant organizer in NORCE.

We process your personal data in connection with participation based on NORCE's legitimate interests (Article 6 (1) (f) of the General Data Protection Regulation). Our legitimate interests are to carry out events in a good way and to be able to document participation.

Regarding information about food allergies or other health conditions, we will ask you for your explicit consent before we process such information (cf. cf. Article 9(2)(a) of the GDPR. You can withdraw your consent at any time. Withdrawing consent will not affect the lawfulness of the processing that occurred before you withdrew consent.

Newsletter subscribers

To subscribe to newsletters from NORCE, you must provide your email address. We use your email address to send you newsletters via the Mailchimp service. The email address will not be shared with other third parties and will be deleted when you unsubscribe from the newsletter.

Mailchimp sine retningslinjer for informasjonskapsler.

Your e-mail address is processed in connection with our newsletter on the basis of your consent (Article 6 (1) (a)). You can withdraw your consent at any time by unsubscribing from the newsletter. Withdrawing consent will not affect the lawfulness of the processing that occurred before you withdrew consent.

Registration for photography and filming

In several contexts, NORCE takes photos or videos in connection with activities that we arrange or participate in. People who participate in these activities may be photographed or filmed. The photos and videos are stored in our image archive and are used for publicity and profiling NORCE.

In line with the GDPR, we generally ask for consent to photos or videos and the publication of such material (Article 6 (1) (a) of the General Data Protection Regulation). Consent is stored together with the image in our image archive.

When the situation or activity is the actual motive, we may, instead of consent, consider that photo/film recording, storage and publication are necessary to safeguard our legitimate interest (Article 6 (1) letter f). In such cases, our legitimate interest is the dissemination of our activities as a research institute. Our legitimate interest must then outweigh the consideration of the individual's privacy.

We use images and film footage in our external dissemination of research and innovation. The dissemination may include, for example, articles with images or videos on our website, posts on our social media channels, annual reports, brochure material, etc.

Photos and film recordings are stored in our photo archive together with the names of the people depicted and consent. The service is provided by Fotoware.

In the consent, you enter your name, email address and phone number, as well as a picture of you and your signature. We ask for this to have contact information, as well as to be able to recognize yourself in photos and link your consent to relevant photos.

All data and photos stored in Fotoware are stored in Europe.

The material is stored indefinitely, unless otherwise agreed.

Media contacts and contacts for premise providers, stakeholders, etc.

In some cases, NORCE collects and stores contact information from public sources we obtain from the internet, about representatives of the media, premise providers, stakeholders and other relevant contact persons. We do this to ensure effective communication with those concerned. If a data subject leaves their position, we ensure that their personal data is deleted from our lists.

The processing of contact information is carried out based on NORCE's legitimate interest (Article 6 (1) (f) of the General Data Protection Regulation). Our legitimate interest is to communicate about our business and interact effectively with the media, premise providers, stakeholders and other relevant actors.

Visitors to our websites

At norceresearch.no, we use cookies to register how visitors use the website. In addition, we collect personal data when visitors sign up for webinars, courses, conferences or newsletters via the website.

Read more about NORCE's use of cookies, and the basis for processing this, in our cookie statement.

Collaborating partners

When you are a partner with NORCE, personal information about you may be included in applications and offers we send and in projects we carry out. In this connection, you are welcome to provide us with your CV, hourly rate, competence description and other information required in the application, offer or project implementation. In joint project implementation, we also often have contact and participant lists, minutes of meetings and similar documents that contain personal data.

The personal data is stored in our archive and file system, in application and project folders and on a common platform for project partners.

Project collaboration and joint results will be visible on our website and in the The Norwegian Research Information Repository (NVA).

NORCE uses the The Norwegian Research Information Repository (NVA) to provide open access to reports, series, films, sound recordings and other material produced at the institution, possibly in collaboration with others.

Learn more about The Norwegian Research Information Repository (NVA)

NORCE makes its results available in the The Norwegian Research Information Repository (NVA). Publications that you co-author with our researchers will be registered here. As a partner on publications we register, we associate the name and publication address with the publication. Academic staff and administrative people who have roles in the The Norwegian Research Information Repository (NVA) are registered with more personal data.

The processing of personal data in this context is carried out based on NORCE's legitimate interests (Article 6 (1) (f) of the General Data Protection Regulation).Our legitimate interest is to be able to carry out our activities as a research institute and carry out collaborative projects in an efficient manner.

Contact persons at customers, financiers, suppliers and providers

If you are a contact person for a customer, financier, supplier or funders, we process contact information about you related to your workplace. This may include information such as your email address, phone number, and job title. Such information will be stored in documents in our archive and file system.

In connection with a project evaluation, you as a contact person may be contacted to give us an evaluation. The evaluation is saved in the questionnaire tool from which you receive the inquiry.

In competitions for assignments, we may be required to document reference projects we have carried out. In such cases, we may provide your contact information related to your workplace.

The processing of this personal data is carried out based on NORCE's legitimate interests (Article 6 (1) (f) of the General Data Protection Regulation). Our legitimate interests are to be able to carry out our activities as a research institute and to ensure effective communication and collaboration with customers, financiers, suppliers and providers.

Applicants for positions in NORCE

If you apply for a job at NORCE, we process personal data about you to assess your application. This includes the information you provide to us in documents such as applications, CVs, diplomas and certificates, as well as information we collect during any interviews. NORCE can also conduct its own investigations, such as contacting the references you have provided.

NORCE uses the job search portal Jobbnorge to manage applications for our vacancies.

The processing of personal data in connection with the assessment of submitted documentation, conducting interviews and contacting references takes place on the basis that it is necessary to carry out measures at the request of the jobseeker before entering into an agreement (Article 6(1)(b)). By applying for the position and uploading documents, we consider that you as a job seeker are asking us to assess submitted documentation, conduct interviews and call references with a view to entering an employment contract.

If we conduct our own investigations beyond this, for example contacting someone who has issued a certificate but who is not provided as a reference, the legal basis for such investigations is Article 6(1)(f) of the General Data Protection Regulation, which allows us to process data that is necessary to safeguard a legitimate interest that outweighs the consideration of the individual's interests or fundamental rights and freedoms. The legitimate interest is to find the right candidate for the position. If this becomes relevant, it will be agreed with you as the applicant.

If you provide health information in your application or interview, for example that you have a disability that will require adaptation in the workplace or in the employment relationship, we will process this information based on your explicit consent (Article 6(1)(a) of the General Data Protection Regulation, cf. Article 9(2)(a)). You can withdraw your consent at any time. Withdrawing consent will not affect the lawfulness of the processing that occurred before you withdrew consent.

Job applications are stored in Jobbnorge's jobseeker system and are deleted 6 months after the position has been filled. If you are employed in a position with us, the application will be transferred to your personnel file.

Employees

Employees in NORCE are registered in various IT systems and services in their various positions. These systems can either be operated by NORCE itself or by external suppliers. All employees are registered in our central systems, such as ERP and HRM systems, authentication systems, archive systems, access control systems and case management systems. In addition, employees can be registered in other systems that are required to be able to perform tasks related to the specific position.

Information about how we process personal data about our employees in NORCE can be found on the intranet about Privacy in NORCE. Here you will also find our privacy protocol for employees and associated people.

NORCE processes personal data about its employees to administer payroll, perform personnel tasks and to ensure that the employee can perform the tasks they are hired to do. In certain cases, it will also be necessary for us to share your personal data with other parties. The processing takes place because it is necessary for the performance of an (employment) contract to which the employee is a party (Article 6(1)(b) of the General Data Protection Regulation) or because it is necessary to comply with a legal obligation imposed on us (Article 6(1)(c)).

Fee and reimbursement recipients

To be able to pay fees, we register the necessary information in our payroll system. This includes information about the amount of fees, tax rate, tax municipality, copy of passport (for foreign nationals without a work permit in Norway), expenses that are refundable, subsistence rates and bank account number. Reimbursement of expenses can also be made via supplier payment. In this case, information such as name, address, bank account number and documentation of what is refunded is stored in the invoice processing system.

Access to this information is restricted through access management in the payroll system, invoice processing system, general ledger and reporting tools.

According to the Bookkeeping Act, NORCE is obliged to keep accounting vouchers for payments for 5 years after the end of the financial year. Our customers may require longer storage, which will be stated in the contracts for the individual projects. Accounting vouchers are deleted 15 years after the end of the financial year.

The processing of personal data in connection with the payment of fees and refunds is carried out because it is necessary to comply with a legal obligation imposed on us (Article 6(1)(c) of the General Data Protection Regulation) or based on NORCE's legitimate interests (Article 6(1)(f)). Our legitimate interests are to be able to pay fees and refunds in the correct manner and to meet documentation requirements for clients.

Visitors to our locations

NORCE has several locations, and in some of these, cameras are mounted both indoors and at the front doors. The purpose of our camera surveillance is:

• To prevent attacks, burglary, theft and vandalism against our buildings and facilities.
• Securing evidence in connection with any criminal proceedings.
• To ensure the safety of employees and visitors.

At all locations with cameras, clear signs have been set up at entrances and driveways that warn that the area is under camera surveillance.

The staff at the reception at the location in question can see overview images from the cameras. The recordings are continuous. There are also sensors that can send an alarm to the security company. In the event of such an alarm, the security company can gain access to relevant cameras to assess the situation.

Only dedicated employees have access to the recordings, and all withdrawals of recordings are logged.

Recordings are automatically deleted after 7 days, unless there is an objective reason to keep them longer, for example if the police have initiated an investigation in connection with burglary or other criminal acts. In such cases, the recordings can be stored for up to 30 days.

At some locations, visitors' information, such as name, company and who they visit, is registered. The information is registered in the homeowner's visitor system, which is administered by the homeowner's reception. The information is recorded for security reasons and stored in an access-controlled system for up to 180 days.

The processing of the personal data is carried out because we have assessed that it is necessary to safeguard NORCE's legitimate interests (Article 6 (1) (f) of the General Data Protection Regulation). Our legitimate interest is to secure access to the premises and protect employees, guests and property.

Your rights

As a data subject, you have several rights under the data protection legislation:

• You are entitled to a response without undue delay, and no later than one month after we have received your inquiry.
• You can request a copy of any personal data we process about you.
• You can ask us to correct or supplement information that is incorrect or misleading.
• In some situations, you can ask us to delete information about you.
• In some situations, you can ask us to restrict the processing of information about you.
• If we process information about you based on our tasks or based on a balancing of interests, you have the right to object to this processing.
• If we process information about you based on consent or a contract, you can ask us to transfer information about you to yourself or to another data controller.
• You can complain about our processing of your personal data.

NORCE has a duty to provide you with information about how we process personal data. In addition, Research Directors, Project Managers and Data Managers in our research projects, registers, teaching and program initiatives are responsible for ensuring transparency regarding their use of personal data.

As a data subject, you have the right to know what information is registered about you, and to access this information. If you believe that the information is incorrect or incomplete, you can generally request correction. If the information registered about you feels strongly burdensome to you, you can request that it be blocked or deleted. In this case, please contact the project manager for the research project in question.

You can withdraw consent at any time and without special justification, for example consent to participation in a research project.

There are certain limitations on the rights of access, correction and restriction of processing, cf. Section 17 of the Personal Data Act. The right to demand destruction, deletion or disclosure does not apply if the material or information is anonymized.

You can exercise your rights by contacting NORCE as a data controller or our Data Protection Officer.

Read more about your rights as registered on the Data Protection Authority’s pages.

If you believe that we do not comply with the rules of the data protection legislation, we encourage you to contact us through the channel you have already established with us. You can also contact our Data Protection Officer for advice and guidance. The Data Protection Officer has a duty of confidentiality if you wish to report something in confidence.

If you wish to complain about our processing of personal data, you can contact the Norwegian Data Protection Authority.