Nord University manages large amounts of personal data. The university manages personal data in accordance with applicable laws and regulations.
We should all be entitled to control information about ourselves. We have a fundamental right to privacy, and to decide over how information about ourselves is used and disseminated.
Personal data is any kind of data, information, facts and assessments that can be linked to you as an individual. What determines whether a piece of information is personal data is whether the data can identify you as a person.
Nord University processes personal data in order to fulfil the institution's duties and obligations.
We process personal data to protect the rights of applicants, students, course participants and Ph.D candidates.
Research is one of Nord’s most important tasks, and we process personal data on research subjects in many of our research projects.
We process personal data on job applicants, employees and contractors for administrative purposes, and to fulfil our obligations as an employer.
We also process personal data about customers, suppliers and other contracted parties to the extent necessary to evaluate bids in competitive tendering, to administrate a contractual relationship or fulfil an agreement. For example, we process data on borrowers related to the lending of books in our university library.
For security purposes, we have video surveillance on parts of our campus, and therefore, video images of visitors are processed. We also have electronic access control on all our campuses, and we will register the use of access cards.
The processing has a legal basis in GDPR article 6 or 9, and may be necessary in order to carry out a task in the public interest, exercise public authority, or fulfil an agreement or other legal obligation.
In most cases, processing is also based on national legislation, e.g. the Universities and University Colleges Act, or the Working Environment Act. In certain cases, processing requires your consent.
In most cases, we process only general personal data, such as name, contact information, applications, certificates, CVs, grades, photos, agreements, etc.
In some cases, we also process sensitive data. This could be for example data concerning health or data on trade union affiliation.
We use Public 360 as our administrative procedures and archive system. Everything that is necessary for us to be able to fulfil our duties and obligations is recorded here.
E-mail and phone
We use e-mail and phone in our daily work, for both internal and external communication. Relevant information resulting from phone calls and e-mail exchanges that occur as part of administrative procedures is recorded in Public 360.
Please note that ordinary e-mail is unencrypted. We therefore urge you to refrain from sending sensitive or any other type of confidential information via e-mail.
Phone calls (phone numbers, as well as time of call) are logged. This log is needed for administration and operation of the system. In addition, employees have a record of the most recent calls on their phones. If a phone call is linked to a single case, a note may be written after the call that will be recorded. There is no other systematic registration of phone calls where the caller can be identified.
Most of the data that we process has been provided by you in connection with an application registration, conclusion of an agreement etc. We collect some data from other sources. For example, this could be NAV, the National Population Register or Register of Expelled Students (RUST).
It is important for Nord to have good procedures and guidelines for processing personal data, and responsibility for this is well organized. Thus, anyone associated with the university can contribute to your personal data being processed in accordance with applicable regulations.
Nord University regularly conducts risk and vulnerability analyses of our work processes and the data processing systems we use.
We have several security measures that safeguard your personal data. For example, we have access controls in our data processing systems that ensure that our employees only have access to the personal data they need to carry out their work. Employees who process personal data are subject to a confidentiality obligation and are given training in personal privacy.
We do not disclose your personal data to anyone else unless there is a legal basis for such disclosure. Examples of such grounds could typically be because you have given your consent, because disclosure is necessary to fulfil an agreement with you or if there is a legal obligation to disclose the data.
We can distribute or export data that contains personal data to other systems, that is to say, to an external data processor, in cases where it is deemed necessary.
In principle, personal data will not be transferred to countries outside the EU/EEA, or any international organizations. In cases where this is necessary, Nord will ensure that there is a legal basis for transfer and implement necessary security measures.
In certain cases, we carry out fully or partially automated processing. For example, this could be calculation of points for admission to programmes of study, checking the syllabus or preparing an invoice.
In general, personal data will not be stored longer than necessary. It is the data controller’s responsibility to assess how long it is necessary to have the data available. In some cases, we are obliged to store the data for a certain period of time, for example, in accordance with the Accounting Act and the Act on Public Procurement.
Even if we delete personal data in our data processing systems, the Archives Act will in many cases require that the data should be archived.
As a data subject, you are entitled to information on how Nord University processes your personal data. You also have a number of other rights that are listed below.
If you wish to make use of your rights, have any questions or need advice regarding the processing of personal data at Nord, please contact firstname.lastname@example.org. We will deal with your inquiry without unnecessary delay, and no later than within 30 days.
When you contact us, you will be asked to verify your identity. We do this to ensure that unauthorized persons do not gain access to your personal data. You may also be asked to provide additional information.
Right of access
You are entitled to see/gain access to any personal data recorded about you at Nord University. You are also entitled to receive a copy of the personal data recorded about you, if you so desire. In some electronic solutions (e.g., StudentWeb and CRIStin) you can see for yourself what we have registered about you, and you are also allowed to change some of the data.
Right to withdraw consent
If we process data about you based on your consent, you can withdraw your consent at any time. The simplest way to do this is to contact the department/unit that obtained your consent directly. You can also contact the data controller.
Right of correction
You have the right to have incorrect personal data about yourself corrected. You also have the right to have incomplete personal data about yourself supplemented. If you believe we have registered incorrect or incomplete personal data about you, please contact us. It is important that you state the reasons and, if appropriate, document why you believe that the personal data is incorrect or incomplete.
Right to limited processing
In certain cases you may be entitled to require that the processing of your personal data should be limited. Limitation of personal data means that your personal data will still be stored, but that the possibilities for further use and processing will be limited.
If you believe that your personal data is incorrect or incomplete, or you have protested against the processing, then you are entitled to require that your personal data should be temporarily limited. That means that processing will be limited until we have either corrected your personal data, or have been able to assess whether your protest is justified. In other cases, you may also require a more permanent limitation of your personal data. In order to be entitled to require the limitation of your personal data, the terms of GDPR’s article 18 must be met. If we receive a request from you about limiting personal data, we will consider whether the terms of the law are being met.
Right to erasure
In certain cases, you can require that we delete personal data about you. The right to erasure is not an unconditional right, and whether or not you have the right to erasure must be considered in the light of the Personal Data Act and the Privacy Protection Regulation. If you wish to have your personal data deleted, please contact us. It is important that you state the reason why you want your personal data to be deleted, and if possible, what personal data you would like to have deleted. We will then consider whether the legal conditions for requiring erasure are met. Please note that, in some cases, legislation allows us to make exceptions to the right to erasure. For example, this would be the case when we are obliged to store your personal data to fulfil a task that is required by the University and University College Act, or to safeguard important societal interests such as archiving, research and statistics.
The right to protest
You may have the right to present an objection to the processing, i.e. to protest against the processing, if you have a special need for the processing of your personal data to be stopped. Examples might be if you have a need for protection, a secret address, or the like. The right to protest is not an unconditional right, and it depends on the legal basis for the processing, and whether you have a special need. If you protest against the processing, we will consider whether the conditions for the protest are met. If we determine that you have the right to object to the processing, and that the objection is justified, we will stop the processing and you will then be able to require that the data should be erased. However, please note that in certain cases we would not be allowed to erase your data. This could be the case, for example, when we are obliged to store your personal data to fulfil a task that is required by the University and University College Act, or to safeguard important societal interests such as archiving, research and statistics.
Right to object to the processing
If you believe we have not processed your personal data in a correct and lawful manner, or if you believe that we have failed to fulfil your rights, you have the possibility to object to the processing.
If we do not accept your objection, you have the possibility to present your objection to the Norwegian Data Protection Authority. The Data Protection Authority is responsible for verifying that Norwegian enterprises comply with the provisions of the Personal Data Act and the GDPR regulations for the processing of personal data.
If Nord discovers, or is notified of, a security breach, the case will be handled by the institution's Information Security Coordinator (CISO) in accordance with applicable regulations and procedures.
If it is considered that the security breach will lead to a risk of infringement of your privacy, the Data Protection Authority will be notified without undue delay, and at the latest within 72 hours.
The data subject(s) that are likely to be affected by a security breach will be notified as soon as possible. The data subject(s) are then notified individually. If it is not possible to notify the data subject(s) individually, the breach will be made known as a news item on Nord’s website.
The data controller is the person who decides the purpose of the processing of personal data and the methods to be used in the processing. The Director for HR and Finance (CSO) has overall responsibility for the processing of personal data at Nord University. The Rector has overall responsibility for the processing of personal data in research projects.
If you wish to make use of your rights, have any questions or need advice regarding the processing of personal data at Nord, please contact email@example.com.
Data Protection Officer
The Data Protection Officer is to act as a point of contact for the data subjects (the people whose personal data is processed) and for the Data Protection Authority.
General guidance can be obtained from the Data Protection Officer.
The Data Protection Officer will provide information on your obligations according to the new rules. The Data Protection Officer will also make sure that the regulations are complied with, and that the consequences to privacy protection are assessed where there may be a high risk to the privacy protection of individuals and other interests.
In many cases, Nord has an obligation to consult with the Data Protection Officer. Nord, as Data Controller, must ensure that the Data Protection Officer is involved in a timely and correct manner in issues relating to personal privacy.
The Data Protection Officer at Nord University is Toril Irene Kringen, who can be contacted at firstname.lastname@example.org.