Personal data protection - privacy statement

Personal data protection - privacy statement

The web site euraxess.no is maintained by The Research Council of Norway . The Research Council acts as the Bridgehead Organisation (Coordinator) of the EURAXESS Norway network and as the editor and publisher of the EURAXESS Norway website.

The Research Council meets obligations related to protection of personal privacy through its compliance with the Norwegian Personal Data Act and the EU’s General Data Protection Regulation (GDPR).

This privacy statement describes how the Research Council of Norway processes personal data.

The Chief Executive of the Research Council is the designated data controller for the Research Council’s processing of personal data when we are responsible for deciding the purpose of and means for carrying out such data processing alone or together with others, and in other instances when we are legally obligated to act as data controller.

The Research Council is the data processor when processing personal data on behalf of a data controller.

This privacy statement is structured by topic and is updated on an ongoing basis.

Why we process personal data

As the national strategic research administrative body under the Ministry of Education and Research we are required to process personal data in order to realise::

• the overall purposes and tasks we are required to perform by the regulation on articles of association for The Research Council of Norway
• the subsequent routines and tasks set out in our procedures and policies.

Processing of personal data

We process personal data in connection with the following:":

• website traffic;
• organisation of courses, seminars or other events;
• meetings;
• communication activities;
• Connecting accounts to the right Norwegian research institution/EURAXESS Contact Point.

Types of personal data that we process

The personal data being processed consists of IP-address, contact information such as name and email address, and your Member Profile if you are connected to the Norwegian network.

How we process personal data

Personal data are processed in accordance with the policies and procedures in effect at all times. Most relevant in this context are the policy and the procedure on information security and the policy and the procedure on processing of personal data

We keep records of our personal data processing activities. We notify our Data Protection Officer of all such activities before they are initiated.

We take active steps to fulfil our obligations regarding personal privacy and to ensure that you are able to exercise your rights related to personal data.

We do not process any other personal information and the data we do collect are not stored any longer than is dictated by the purpose of the processing or is required by the statutory framework, such as the Act relating to archiving (Arkivlova) .

More information about privacy protection is provided below by topic:

EURAXESS accounts

Even though EURAXESS accounts can be created and accessed by you directly on the EURAXESS Norway web site, your account is handled on the EU-level. Please see the web page Privacy Statement for EURAXESS for more information regarding the protection of your personal data when creating and using your account on euraxess.no.

Use of our website

Visiting this page may generate cookies to provide functionality. Specifically these are:

• SESS[Unique ID]: This cookie allows logging in and remembering which contact forms you have submitted. This cookie is essential for site functionality and the user experience.
• Drupal.tableDrag.showWeight, has_js: Our Content Management System, Drupal sets these cookies to store user interface preferences.
• Furthermore, Google Analytics (see below) sets cookies for analytical purposes. These are _ga, _gat cookies.

Web usage statistics

EURAXESS' webpages register the IP address of users visiting the site. These data are processed in a de-identified format which prevents the data from being linked to individual persons. These data are collected for statistical analysis to develop and improve webpage content. The statistics are used to find out the number of times different pages are viewed, the duration of these visits, which websites users are visiting from and which browsers are being used.

Web analysis and cookies

We use the analytical tools Google Analytics on our website, www.euraxess.no.

Google Analytics is set up so that IP addresses may only be processed in an anonymised format.

Cookies are small text files downloaded to the visitor’s computer when a webpage is downloaded. We use cookies to generate statistics and for web analysis to provide the best possible functionality and user experience on our webpages.

A cookie can be classified by its lifespan and the domain to which it belongs. By lifespan, a cookie is either a:

• session cookie which is erased when the user closes the browser or
• persistent cookie which remains on the user's computer/device for a pre-defined period of time.

Most web browsers are configured to handle cookies automatically. A browser’s settings may have to be changed if the user does not wish to accept cookies. Blocking cookies may limit a website’s functionality.

For more information about cookies, visit: www.allaboutcookies.org and www.cookiepedia.co.uk.

Contact with the Research Council

Event registration

The Research Council uses an external registration system by Pindena in connection with registration for various events. In addition, we have entered into framework agreements with three event management agencies, Congress Conference, Conventor and Medvind AS, who handle event registration for us using their own registration systems. The information provided by registrants is stored for the purpose of administering registrations, participant services/communications and post-event evaluations. In addition, the data is stored in the Research Council's CRM system, Microsoft Dynamics 365. The purpose of the processing of personal data in the CRM system is maintenance and updating of contact information, mapping and analysis of activities and events offered to users, as well as performing necessary administration for conducting events (including documentation of participation) and mobilisation.

Surveys/data collection

The Research Council uses the survey tool, SurveyXact, in connection with questionnaire-based surveys and other data collection activities targeting users of our services.

Survey participation is voluntary, and it is easy for recipients of survey invitations to opt out of receiving these requests in the future.

We process names and email addresses to manage survey invitations. The distribution list includes users of our services, newsletter subscribers, event registrants and the CRM system, Microsoft Dynamics 365.

The basis for this data processing in part involves weighing the legitimate interest of improving performance of our tasks as a national executive body for strategic research management, to best serve the interests of our users and society at large, and in part an assessment of how this activity aligns with other primary purposes for personal data collection. More information about this is available upon request.

Office 365

Interactivity solutions. Personal data are utilised to provide you with access to systems such as Microsoft Teams.

Webpage

If you visit our webpage www.forskningsradet.no, please see our privacy statement for information regarding how your personal data is processed when visiting.

Requests for access to public documents

With regard to access to public documents, personal data are disclosed in accordance with the Freedom of Information Act and the Public Administration Act.

Special security measures and routines have been implemented for highly confidential information stored in the archive, such as sensitive personal data.

Safeguarding personal data security

We safeguard personal data by administering them in keeping with our internal procedures for information security, and our procedures for how we process them.

Our procedures govern how we organise work activities with regard to information security; how we carry out secure data storage, encryption or masking; how we establish and restrict access to data or physical locations; communicate, adapt related procurements, follow up respective suppliers and manage any issues that arise. The main, definitive rule is that access to personal data is only provided to persons with a concrete need for such access in connection with their work for the Research Council.

We conduct regular risk and vulnerability assessments of our activities related to personal privacy, information security and of the IT systems we use, and use the results of these analyses to adjust how we work. Our efforts are supported by our department for internal revision and our Data Protection Officer.

Sharing of personal data with others

The Research Council shares personal data with its data processors, other data controllers and other public agencies. This is done on the basis of data processor agreements, agreements on shared data controller responsibility, legislation/regulations or other corresponding legal grounds.

If we are processing data outside Norway but within the EU/EEA, personal privacy is protected through compliance with the Personal Data Act, regulations relating to personal privacy within the EU/EEA and any relevant nation-specific regulations in the area.

If we are processing personal data outside the EU/EEA we take additional steps to protect personal privacy by only transmitting personal data to parties that: receive and process data in a country that is previously recognised by the European Commission to provide an adequate level of data protection, are subject to or have signed a data processor agreement containing standard contractual clauses for data transfers between EU and non-EU countries or similar provisions.

We check that those parties with which we share personal data process the data in accordance with the statutory framework and the purpose of the data sharing.

Our obligations

When processing data we are first, among other things, obligated to:

• have a reasonable, necessary purpose for the activity
• ensure a fair and lawful basis for data processing
• provide information about the activity that is concise, transparent, intelligible and easily accessible;
• create a framework that enables registered individuals to exercise their rights;
• rectify inaccurate or incomplete information;
• erase information after it has served its purpose when further storage is not required by the statutory framework;
• conduct a Data Protection Impact Assessment when the processing activity is likely to result in a high risk to the rights and freedoms of the registered individuals;
• implement data protection principles in the development of our services and solutions (data protection by design and default);
• establish internal controls to ensure and demonstrate that compliance with the Personal Data Act, and safeguard personal data on record;
• document the processing activities where we act as data controller or data processor;
• enter into a data processor agreement when using or acting as a data processor;
• handle breaches arising in connection with data processing, report breaches to the Norwegian Data Protection Authority   when and as we are statutorily obliged to, while ensuring adequate information to the registered persons affected;
• safeguard the protection of personal privacy if and when we undertake international transfers of personal data.

As a public agency we are required to have a Data Protection Officer who is to be informed of our activities on an ongoing basis and who works to safeguard the interests of registered users and acts as liaison with the Norwegian Data Protection Authority.

Your rights

You have the right to:

• >access the information we have on record for you;
• rectification or completion of inaccurate or incomplete information;
• erasure of your data if they have been processed unlawfully (please note, there are exceptions to this right, for example, when legislation requires that we continue to store data).
• restriction of data processing pending clarification of a question regarding the legal basis, to reach a decision regarding an objection to data processing, or to delay/restrict data erasure.
• withdraw your consent if you initially granted it to us as the basis for a data processing activity;
• object to the data processing if it is not based on consent, agreement or legal obligation; if the processing is carried out in the public interest or as an exercise of official authority (GDPR Art. 6 (1) litra e), or in the pursuit of legitimate interests (same article, litra f), and the processing is not necessary for the protection of vital interests. You may at any time object to direct or targeted marketing.
• data portability in a structured, commonly used, machine-readable format if the data processed were based on consent/agreement and you are the one who has provided them to us. We will only release data when able to confirm your identity, secure the data using encryption, and ensure that doing so does not infringe on the rights or freedoms of others. The information will be transmitted free of charge unless we can prove that the cost is unjustifiable or excessive (please note, however, that this right is primarily intended to protect customers in commercial matters such as switching between service providers, and will only be applicable to our activities in certain cases);
• information about our processing of personal data that is concise, transparent, intelligible and easily accessible.
• Not to be subject to a decision based solely on automated processing that is wholly automated (i.e. independent of human influence) and produces legal effects concerning you (i.e. controlling your rights or obligations). This does not apply, however, unless the decision is based on consent, is necessary for entering into or performance of a contract, or is based on legislation that safeguards the interests of the individual. In the case of such decisions we will implement measures to safeguard your interests, and you will have the right to express your point of view, to contest the decision and to obtain human intervention.

When you contact us to exercise your rights we will respond without undue delay, and within 30 days at the latest.

Please note that in certain circumstances your rights may be limited by terms or requirements we are subject to under legislation/regulations or for corresponding legal reasons. We will evaluate this specifically and inform you about this each time you contact us to exercise your rights.

Contact us with questions about privacy

If you have any questions regarding our processing of personal data or if you wish to exercise your rights, please contact the Research Council at:

email: post@forskningsradet.no

telephone: +47 22 03 70 00

mailing address: Research Council of Norway, P.O. Box 564 NO-1327 Lysaker

The Data Protection Officer at the Research Council works to safeguard the personal privacy of all individuals whose data we process, to provide advice on our obligations and your rights, and serves as a liaison with the Norwegian Data Protection Authority. You may contact our Data Protection Officer by email at personvern@forskningsradet.no.

If you are looking for further information regarding personal privacy and its related regulations in English, we recommend you consult the following international web pages as sources:

The European Data Protection Supervisor, which is the EU's independent data protection authority.

The Information Commissioner's Office, which is the United Kingdom's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Complaints about our processing of personal data?

The Norwegian Data Protection Authority is the supervisory authority for our processing of personal data.

For questions regarding our processing of personal data, the Norwegian Data Protection Authority recommends that you contact us first to try and clarify the issue. If you are not satisfied with the clarification and wish to lodge a complaint, the Norwegian Data Protection Authority recommends that you then contact our Data Protection Officer.

If after having contacted our Data Protection Officer you still wish to lodge a complaint about what you see as a breach in our processing of personal data, the Norwegian Data Protection Authority website provides information on how to contact the Norwegian Data Protection Authority for assistance.