The purpose of the processing is to deliver research on a national and international professional level. In all research projects, the purpose of the processing must be made clear.
Nord University normally asks for consent to process data information for research purposes, in line with the EU General Data Protection Regulation, article 6, 1a. Everyone who has consented, can withdraw their consent at any time.
The treatment of personal data may be based in the EU General Data Protection Regulation, article 6, 1e, when a task of general interest is ongoing. This applies when personal data is processed for scientific or historical research or for statistical purposes.
Typical personal data that is processed is name, location, age, education, profession, choice of study, and more. Which data that is actually collected will vary from project to project.
The complete overview of which personal data is processed, is kept in the message archive of the Norwegian Centre of Research Data (NSD) Data Protection Officer.
Nord University collects data from various sources, dependant of purpose and project. The regular methods for data collecting is by the help of surveys (paper or electronic), personal interview, group interview, observation, or from registers (DBH, Statistics Norway, OECD, and more).
Nord University has an internal control system containing rules and routines for how personal data is to be treated. We conduct regular risk and vulnerability analyses of the data systems we utilize to secure your personal data.
In addition, we have security measures in place, such as access control to prevent that more employees than necessary have access to your personal data. Such access controls can be both access control in data systems and physical control in the form of locked archive/lockers.
Employees and students that process personal data subject to duty of confidentiality and are trained in data protection. All registrations are logged.
Nord University does not disclose personal data to third parties. In some research projects, however, personal data may be shared with other research environments. If such disclosing is planned, we will inform about this when ask for consent.
Data files and data sets are deleted or anonymised when the process ceases, as long as nothing else is agreed. Nord University will inform how long we save the personal data. If it is not possible to indicate a specific time, Nord University will inform which criteria decides how long the data will be saved.
Right to information and access to information
You are entitled to information on how Nord University processes your personal data. This Data Privacy Policy is intended to include the information that you are entitled to obtain.
You are also entitled to see/access information in respect of personal data recorded about you at Nord University. You are also entitled to receive a copy of your personal data if you wish.
Right of correction
You have the right to have corrected any incorrect personal data about yourself. You also have the right to have supplemented any incomplete personal data about yourself.
If you believe we have registered incorrect or incomplete personal data about you, please contact us. It is important that you state the reasons and, if appropriate, document why you believe that the personal data is incorrect or incomplete.
Right to limit processing
In certain cases you may be entitled to require that the processing of your personal data should be limited. Limitation of personal data means that your personal data will still be stored, but that the possibilities for further use and processing will be limited.
If you believe that your personal data is incorrect or incomplete, or you have objected to the processing (see more about this below), then you are entitled to require that your personal data should be temporarily limited. That means that processing will be limited until we have either corrected your personal data, or have been able to assess whether your objection is justified.
In other cases, you may also be able to require a more permanent limitation of your personal data. In order to be entitled to require the limitation of your personal data, the terms of the Personal Data Act and GDPR article 18 must be met. If we receive a request from you regarding the limitation of personal data, we will consider whether the legal provisions are being met.
Right to erasure
In certain cases, you can require that we delete personal data about you. The right to erasure is not an unconditional right, and whether or not you have the right to erasure must be considered in the light of the Personal Data Act and the Privacy Protection Regulation.
If you wish to have your personal data deleted, please contact us. It is important that you state the reason why you want your personal data to be deleted, and if possible, which personal data you would like to have deleted. We will then consider whether the legal conditions for requiring erasure are met.
Please note that, in some cases, legislation allows us to make exceptions to the right to erasure. For example, this would be the case when we are obliged to store your personal data to fulfil a task that is required by the Universities and University Colleges Act, or to safeguard important societal interests such as archiving, research and statistics.
Right to present an objection
You may have the right to present an objection to the processing, i.e. to protest against the processing, if you have a special need for the processing of your personal data to be stopped. Examples might be if you have a need for protection, a secret address, or the like.
The right of objection is not an unconditional right, and it depends on the legal basis for the processing, and whether you have a special need. The conditions are set out in GDPR article 21.
If you present an objection to the processing, we will consider whether the conditions for presenting an objection are met.
If we determine that you have the right to object to the processing, and that the objection is justified, we will stop the processing and you will then be able to require that the data should be erased.
However, please note that in certain cases we would not be allowed to erase your data. This could be the case, for example, when we are obliged to store your personal data to fulfil a task that is required by the Universities- and University Colleges Act, or to safeguard important societal interests.
Right to lodge a complaint in respect of the processing
If you believe we have not processed your personal data in a correct and lawful manner, or if you believe that we have failed to fulfil your rights, you have the possibility to object to the processing. You can find information about how to contact us in Point 11.
If we do not accept your complaint, you have the possibility to present your complaint to the Norwegian Data Protection Authority. The Data Protection Authority is responsible for verifying that Norwegian enterprises comply with the provisions of the Personal Data Act and the GDPR regulations for the processing of personal data.
If Nord University uncovers or receives an alert about a security breach, the case is processed through the institution's information security coordinator (CISO) in line with the current regulations.
If one believes the security breach to entail a risk of breach of privacy, the Norwegian Data Protection Authority will be notified with no unnecessary delay and no later than 72 hours.
The registered affected by a security breach will then be notified as soon as possible. They will be notified individually. If it is not possible to notify the registered individually, the breach will be made known through Nord University's website.
Data Controller
The data controller is the one who decides the purpose of thee processing of personal data and which means are used in the processing. The rector has the overall responsibility for the processing of personal data in research projects.
If you wish to make use of your rights, have any questions or need advice regarding the processing of personal data at Nord University, please contact behandlingsansvarlig@nord.no. We will deal with your inquiry without unnecessary delay, and no later than 30 days.
Data Protection Officer
The Data Protection Officer is a contact point for the registered (the persons whose data is being processed) and the Norwegian Data Protection Authority. You can apply for general guidance from the Data Protection Officer.
The Data Protection Officer will also inform about the commitment one has after the new regulations, as well as control that the regulations are upheld and that the data protection consequences are considered where there may be a high risk for people's data protection and other interests.
In many cases, Nord University has a duty to consult with the Data Protection Officer. Nord University, as responsible for processing, will make sure the data protection officer is involved in the right time and in the right way in the case of data protection issues.
The Data Protection Officer at Nord University is Toril Irene Kringen. She can be contacted at personvernombud@nord.no.
This privacy statement describes how Nord University collects and uses personal data in its research activities. In cases where consent is obtained from the registered, accurate information will be given at the same time about the treatment of personal data in the project in question.