Privacy and Data Protection in NORCE

Personal data is information that can be linked to you as a person. It could be your name and contact details, but also much other information that can be linked to you more indirectly. The purpose of this declaration is for NORCE to provide information about the type of personal data we process and how the people whose data we process can protect their rights under data protection legislation.

Last updated: Feb 12, 2020

Personal data at NORCE

NORCE is the controller, the agency which determines the purpose and means of the processing of personal data we use in our operations. This personal data declaration provides details about the processing NORCE is responsible for. The declaration can also be downloaded as a PDF file:

Privacy and Data Protection in NORCE

Overall responsibility for personal data protection lies with CEO Elisabeth Maråk Støle.

NORCE's personal data work is coordinated by Renate Storetvedt Lien, Head of Administrative Support for Research.

The data protection officer for NORCE is Øyvind Straume, Special Adviser, Norwegian Centre for Research Data (NSD).

NORCE personal data contact information

Data controller

NORCE attn. CEO Elisabeth Maråk Støle

Postal address: PO Box 22 Nygårdstangen, 5838 Bergen

Tel.: +47 56 10 70 00

Email: post@norceresearch.no

Personal data coordinator

NORCE attn. Renate Storetvedt Lien, Head of Administrative Support for Research

Postal address: PO Box 22 Nygårdstangen, 5838 Bergen

Tel.: +47 92 89 80 57

Email: reli@norceresearch.no

Personal data officer

Øyvind Straume, Special Adviser, NSD

Postal address: Harald Hårfagres gate 29, 5007 Bergen

Tel.: +47 55 58 21 88

Email: personvernombud@norceresearch.no

When does NORCE collect personal data?

NORCE processes personal data either because there is a statutory basis for this or because we have received consent from the person in question.

We generally process personal data about you in the following situations:

  • Personal data about you is included in the data in one of our research projects.
  • Your details have been entered into one of our registers.
  • You participate in one of our activities.
  • You represent one of our commissioners or a party that funds our research.
  • You or the company you are employed by is affiliated with us or one of our clients.
  • You have been in contact with or collaborate with our researchers.
  • You have attended one of our courses, seminars, events, workshops or other events.
  • You subscribe to our newsletter.
  • You visit our web page.
  • You have applied for a job with us.
  • A job applicant has given your name as a reference.
  • You have received access to our systems or premises.
  • You have been paid remuneration or have received a reimbursement from us.
  • You are one of our suppliers or you have submitted a tender to us.

IT infrastructure, classification of data and storage guide

NORCE is the result of a recent merger of several companies, and a shared IT infrastructure will be established in 2020. At present, part of the infrastructure is operated by external service providers. Processor agreements have been entered into with them, in order to ensure that the personal data processing meets our requirements.

NORCE has established guidelines for classification and storage of data and information. The classification has an impact on where and how data and information can be stored at NORCE. The guidelines include a storage guide explaining how we process, store and manipulate data, based on how the data and information are classified.

Persons we are in contact with – email, phone and archive

NORCE processes the personal data of people we are in contact with. We use email, phone, video conferencing and other collaboration tools for our internal and external communication. We store the necessary information about our activities in file and archive systems. Each employee is responsible for deleting emails they no longer need to keep. Once an employment relationship comes to an end, that person's email account is deleted, but certain relevant emails are normally transferred to his/her colleagues. Strictly confidential information must not be sent by email. Confidential information must only be sent by encrypted email.

Documents that should be preserved will be archived in NORCE's document system. The different companies that make up NORCE have had different archive systems that are still in use. The whole company will transition to a shared archive solution starting in 2020. Everyday responsibility for NORCE's archive has been delegated to the archive manager.

The basis for this processing is point (f) of article 6 (1) of the General Data Protection Regulation (GDPR), which allows us to process the data that is necessary in order to protect a legitimate interest that weighs more heavily than the consideration of each individual's privacy. The legitimate interest is being able to perform our task as a research institute.

Use of personal data in research

NORCE delivers research and innovation in energy, health care, climate, the environment, society and technology. Part of our research requires the use of research data that contains personal data.

We have an agreement with NSD for the purchase of personal data services for research. NSD must be notified of all projects that contain personal and health data. It also provides NORCE with the following services:

  • General information, training and counselling on the processing of personal data and security of personal data in research.
  • Assessment of the use of personal data in research projects that have been reported to NSD, before, during and at the end of a research project.
  • Handling queries from data subjects (participants) in research projects.
  • Notification of and, if applicable, assistance with handling personal data breaches and other data protection breaches that are identified in any part of a research project's planning, execution and/or conclusion.
  • Data Protection Impact Assessment – DPIA.
  • Prior consultation and dialogue with the Norwegian Data Protection Authority.
  • Development and maintenance of systems for notification and counselling, and an updated notification archive for all research projects.
  • Publicly-accessible overview of the personal data processing.

Research data that contains personal data must be processed securely at NORCE, and must only be available to the people who will be processing the data. Each research project will contact the data subjects directly and provide information about what personal data is processed, the purpose of the processing, how the data is processed, and their rights as a data subject. This will be done by giving the data subjects an information sheet or – if this is not possible – by publishing the information on the project’s web page.

The basis for processing personal data in connection with research may be consent or the public interest. This information will be provided in each research project’s listing in the notification archive.

Use of personal data at our knowledge and competence centres

NORCE runs several knowledge and competence centres on behalf of the Norwegian authorities which, in addition to their research activities, process different types of personal data for different purposes. The centres of excellence and centres of knowledge will contact the data subjects directly and provide information about what personal data is processed, the purpose of the processing, how the data is processed, and their rights as a data subject. This will be done by giving the data subjects information directly and by describing the activities on the website.

The basis for processing personal data at centres of excellence and centres of knowledge in connection with research may be consent or the public interest. This will be clear from the different types of processing.

More information about the activities at our knowledge and competence centres.

Participants at seminars, conferences, courses and continuing education

When you attend a seminar, conference, course or continuing education at NORCE, we register information such as your name, email, workplace, position and IP address. When we serve food at one of our events, we also ask questions relating to food allergies or other considerations we need to take. This registration is based on consent. The registration will be deleted once the purpose of the participation is no longer valid.

We organize regular seminars for research communities, users, commissioners, decision-makers and other parties. In addition, some of our units organize regular courses and teaching. Information about these regular courses and continuing education activities can be found on the website of the NORCE community that organizes them.

The basis for processing your personal data in connection with participation is point (a) of GDPR article 6 (1), i.e. consent. You may withdraw your consent at any time by pulling out of the event. The withdrawal of your consent will not affect the lawfulness of the personal data processing that took place before you withdrew consent.

Newsletter subscribers

You must give your email address if you want to subscribe to our newsletter. Your email address will be used by the Mailchimp service to send you the newsletter. Your email address will only be used to distribute the newsletter, and it will not be shared with other third parties. Your email address will be deleted when you unsubscribe from the newsletter.

Mailchimp’s guidelines for cookies

The basis for processing your email in connection with our newsletter is point (a) of GDPR article 6 (1), consent. You may withdraw your consent at any time by unsubscribing from the newsletter. The withdrawal of your consent will not affect the lawfulness of the personal data processing that took place before you withdrew consent.

Data subjects in connection with dissemination activities

NORCE takes photos/videos in different situations showing activities involving NORCE. People who participate in these activities may have their photo taken, and we use such material in the external dissemination of our research and innovation. The dissemination includes articles on NORCE’s website that contain photos/videos, posts in our social media channels, brochures, etc. The basis for this processing is point (e) of GDPR article 6 (1), which allows us to process the information necessary in order to perform a task that is in the public interest.

Media contacts and contacts from influential players

NORCE occasionally collects and stores contact details about representatives of the media, influential players, and other relevant contact persons. We do this in order to increase the efficiency of our contact with these groups. In such cases, we obtain information from the internet and ensure that if any data subjects leave their job, they are also deleted from the list of such contacts.

The basis for the processing is point (f) of GDPR article 6 (1), which allows us to process the data that is necessary in order to protect a legitimate interest that weighs more heavily than the consideration of each person’s rights and freedoms. The legitimate interest is to provide information about our activities in the media and effectively cooperate with influential players.

Visitors to our website

At norceresearch.no we use cookies to record how visitors use our website. We collect personal data when visitors sign up for webinars, courses, conferences and our newsletter.

Cookies

Cookies are automatically stored on your computer or device when you visit norceresearch.no. Cookies are small temporary files that are stored on your device when you visit a website.

You decide whether to allow such cookies to be stored on your device. You can set up your browser so that you can choose which web pages may store cookies. Remember to change the settings in each browser if you use several browsers or devices.

Read about how you can block and allow use of cookies in your browser (Nettvett.no).

Web analytics

We use Google Analytics to collect statistics on how our website is used, so that we know what pages we should focus on most, and which ones could be improved or deleted. Google Analytics is a web analytics service from Google, Inc. (“Google”). Google Analytics uses cookies that start with _ga, _gid and _gat. We have turned on the function “anonymizeIP”, so that your IP address is not stored by Google. We cannot use data to identify individuals and their use of our web pages.

Videos

The films we show on norceresearch.no are hosted by the video sharing services Vimeo and YouTube. YouTube is delivered by Google. When you visit one of our pages with an embedded video, Vimeo and/or Google can store cookies on your device.

Vimeo’s guidelines for cookies

Google’s guidelines for cookies

Partners

If you are one of our partners, your personal data is included in the applications and tenders we submit, and projects we carry out. You will already have sent us your CV, hourly rate, qualifications, and other necessary information in an application, tender or for execution of a project. Your personal data will therefore be stored in application and project folders in our archive and filing system.

Project cooperation and shared results will be visible on our web pages, the Current Research Information System in Norway (Cristin), and in our academic repository.

NORCE uses the Brage academic repository service to provide open access to reports, series, films, audio recordings, and other material produced at the institute, if applicable in collaboration with others.

More information about NORCE's Brage academic repository.

NORCE makes its results available in Cristin. Publications you have co-authored with our researchers are registered here. We link the authors’ names and publication address to the publication in Cristin. We register several types of personal data in the system for academic and administrative staff with roles in Cristin.

More information about how personal data is processed in Cristin.

The basis for this processing is point (f) of GDPR article 6 (1), which allows us to process the data that is necessary in order to protect a legitimate interest that weighs more heavily than the consideration of each individual's privacy. The legitimate interest is being able to perform our task.

Contact persons from the client/source of funding, suppliers and providers

If you are the contact person of a client/source of funding or supplier, we store contact details regarding your workplace, like your email, telephone, and position. Such information will be found in documents that we store in our archive and filing system.

When competing for projects, we are happy to provide documentation of our reference projects, including the client's contact details. We therefore occasionally give the details of your workplace to such a third party who represents the client.

The basis for this processing is point (f) of GDPR article 6 (1), which allows us to process the data that is necessary in order to protect a legitimate interest that weighs more heavily than the consideration of each individual's privacy. The legitimate interest is being able to perform our task as a research institute.

Applicants for positions at NORCE

If you apply for a job with NORCE, we need to process information about you in order to review your application. The hiring process entails processing the data you furnish in the documents you send us, including your application, CV, diplomas and certificates. In addition to interviews, NORCE may perform its own checks, which typically involves talking to the applicant’s references.

NORCE uses the Jobbnorge application portal to manage applications for our job vacancies.

In order to review the documentation submitted, conduct interviews and call references, the basis for the processing is point (b) of GDPR article 6 (1). This provision allows us to process personal data when necessary in order to take action on the applicant’s behalf before entering into an agreement. By applying for a position and uploading documents, it is our position that the applicant is asking us to review the documentation submitted, conduct interviews, and call references, with a view to entering into an employment agreement.

If we perform any other checks, for example contacting someone who has issued a certificate, but is not listed as a reference, the basis for processing in connection with such checks is point (f) of GDPR article 6 (1), which allows us to process the data that is necessary in order to protect a legitimate interest that weighs more heavily than the consideration of each person’s rights and freedoms. The legitimate interest is finding the right candidate for the position.

You do not need to provide special categories of personal data in your application or at the interview. However, you may choose to do so. If you state that you have a disability that requires adaptation of the workplace or the employment relationship, our basis for processing will be point (a) of GDPR article 6 (1), i.e. your explicit consent, see point (a) of article 9 (2). You can withdraw this consent at any time. The withdrawal of your consent will not affect the lawfulness of the personal data processing that took place before you withdrew consent.

Job applications are kept in Jobbnorge's application system. Applications are deleted 6 months after a position is filled. Lists of applicants and recommendations are transferred to the case and archive system. If we hire you, your application will be transferred to your personnel file.

Employees

Based on the different positions they hold, NORCE employees are registered in different IT systems and services that are either operated by NORCE itself or by external suppliers. All employees are registered in our central systems, such as the ERP system, authentication system, archive system, access control system and case processing system. In addition, employees are registered in specific systems associated with their role in order to be able to perform work for NORCE. Information about how we process personal data about our employees at NORCE can be found in our personnel handbook, which is available to our employees on the intranet.

NORCE processes personal data about its employees in order to perform pay administration, personnel tasks, and for each employee to be able to do the job they were hired to do. The legal basis for the processing is point (b) of GDPR article 6 (1) (performance of a contract) and point (c) of article 6 (1) (compliance with a legal obligation). This means in order to fulfil the employment agreement with you as an employee and in order to meet our statutory obligations.

Recipients of remuneration and reimbursements

The information needed to disburse remuneration must be registered in the pay system. This includes the person’s remuneration, tax rate, tax municipality, a copy of their passport (for foreign citizens without a work permit in Norway), expenses to be reimbursed, per diems, and bank account number. Expenses can also be reimbursed as supplier disbursements. Information about the person's name, address and bank account number, and documentation of what is being reimbursed will then be stored in the invoice processing system.

Access to the information is limited through access control to the pay system, invoice processing system, general ledger, and reporting tools.

Under the Bookkeeping Act, NORCE is under an obligation to keep accounting documentation regarding disbursements for 5 years after the end of the financial year. NORCE's clients may request that they be kept for longer. This information is provided in the contracts for each project. At NORCE, accounting documents are deleted 15 years after the end of the financial year.

The basis for this processing is point (f) of GDPR article 6 (1), which allows us to process the data that is necessary in order to protect a legitimate interest that weighs more heavily than the consideration of each individual's privacy. The legitimate interest is being able to disburse remuneration and reimbursements and to comply with the Accounting Act and documentation requirements towards commissioners.

Visitors to our locations

NORCE has several locations, and cameras are installed at some of these, both inside the building and outside the entrance doors. The reason for this is to:

  • Prevent break-ins, theft and vandalism.
  • Secure evidence in the event of a crime.
  • Prevent attacks against our buildings and facilities.
  • Protect our employees and guests.

There are signs at every door at these locations, stating that there is CCTV in the area, as well as at the driveway.

The staff at the reception at the location in question can see images from every camera. The cameras record continuously. There are also sensors that can send an alarm to the security company. The security company can access the relevant cameras when an alarm is triggered.

Access to surveillance data is highly restricted, and storage and deletion follow current legislation and recommendations.

Recordings are automatically deleted after 7 days, unless there is good reason to do otherwise, for example if the police have opened an investigation in connection with a break-in or other crime. In such cases, recordings may be stored for up to 30 days.

At certain locations, the visitor's name, company and the name of the person they are visiting are registered in the building owner's visitor management system. The data is managed by the building owner's reception. The data is used for security purposes, and is stored for 180 days in a system with strictly limited access.

The basis for this processing is point (f) of GDPR article 6 (1), which allows us to process the data that is necessary in order to protect a legitimate interest that weighs more heavily than the consideration of each person’s rights and freedoms. The legitimate interest is to secure access to the premises.

Your rights

According to personal data legislation, data subjects have several rights in relation to those of us who process their data:

  • You are entitled to a reply without undue delay, and at latest within one month.
  • You can ask for a copy of all of the information we process about you.
  • You can ask us to correct or supplement data that is incorrect or misleading.
  • In certain situations you can ask us to delete information about yourself.
  • In some situations you can also ask us to limit the processing of your data.
  • If we process your data because of our activities or based on a weighing of interests, you have the right to object to our processing of your data.
  • If we process your data based on consent or a contract, you may ask us to transfer your data to you or to a different controller.
  • You can appeal our processing of your personal data.

NORCE is under an obligation to provide general information about the personal data we process. Research managers, project managers and data managers on research projects, in registers, and teaching and programme measures at NORCE must further ensure transparency about the use of the personal data.

As an individual, you generally have the right to information about what data has been registered about you, and the right to access the data. If you believe that the information registered about you is incorrect, you can ask for it to be corrected. In certain situations you can ask us to delete information about yourself. In that case, please contact the project manager of the research project in question. You may withdraw your consent to participate in research projects at any point, and without giving an explanation.

Note that some limits have been placed on the rights to access, correction and limitation of processing, pursuant to section 17 of the Personal Data Act. The ability to demand destruction, deletion or surrender will not apply if the material or data have been anonymised. You may exercise your rights by contacting NORCE as the controller, or our personal data officer.

More about your rights as a data subject on the Norwegian Data Protection Authority's website.

We hope that you let us know if you believe that we are not complying with the rules in the Personal Data Act. Please contact us initially via the contact or channel that you have already established with us. You can also contact our personal data officer if you need advice or guidance. The personal data officer has a duty of secrecy if you want to discuss something in confidence.

You can file a complaint about our processing of personal data. Such a complaint must be sent to the Norwegian Data Protection Authority. If you believe that NORCE is processing personal data illegally, you can contact the Authority via their web page.

How to send a complaint to the Norwegian Data Protection Authority.

Renate Storetvedt Lien

Head of Research Administration - NORCE
reli@norceresearch.no
+47 56 10 76 20
+47 928 98 057