Privacy statement

The Research Council meets obligations related to protection of personal privacy through its compliance with the Norwegian Personal Data Act and the EU’s General Data Protection Regulation (GDPR).

The Chief Executive of the Research Council is the designated data controller for the Research Council’s processing of personal data when we are responsible for deciding the purpose of and means for carrying out such data processing alone or together with others, and in other instances when we are legally obligated to act as data controller.

The Research Council is the data processor when processing personal data on behalf of a data controller.

This privacy statement is structured by topic and is updated on an ongoing basis. The date of the most recent page update can be found at the bottom of the page. 

Why we process personal data

As the national strategic research administrative body under the Ministry of Education and Research we are required to process personal data in order to meet

• the overriding objectives and duties that we have been ordered to fulfil pursuant to the Regulations relating to the Research Council’s statutes
• the secondary objectives, requirements, guidelines and principles established by our policies
• the subsequent routines and tasks set out in our procedures

When are we processing personal data?

We process personal data when the work of fulfilling the articles of association, policies and procedural requirements requires it. For example, we process personal data when

• you use our websites
• for statistical and analysis purposes
• during application processing, assessment and follow-up of projects
• you are in contact with us, for example when we
  • send out a newletter
  • arrange meetings, courses, seminars or other events
  • send out surveys
  • put forward a public hearing
  • process requests for access pursuant to the Freedom of Information Act
• you are applying for an advertised position or have been applied to us

What types of personal data do we process?

The personal data we collect and process at any given time will vary depending on the type of processing activity being carried out.

Examples of the types of personal data collected for processing include name, address, telephone number, email address, personal identity number, employer, CV, hourly rates, time sheets for work carried out, and personal or professional affiliations in connection with impartiality assessments.

How we process personal data

Personal data are processed in accordance with our policies and procedures. Most relevant in this context are the policy for the protection of personal privacy, the policy on security, the policy on processing of personal data and our procedure for information security.

We keep records of our personal data processing activities. We notify our Data Protection Officer of all such activities before they are initiated.

We take active steps to fulfil our obligations regarding personal privacy and to ensure that you are able to exercise your rights related to personal data.

We do not process any other personal information and the data we do collect are not stored any longer than is dictated by the purpose of the processing or is required by the statutory framework, such as the Norwegian Archives Act (Arkivlova) and pertaining regulations.

Safeguarding personal data security

We safeguard personal data by administering them in keeping with our internal information security procedure, and our procedures for the processing of personal data.

Our procedures govern how we organise work activities with regard to information security; how we carry out secure data storage, encryption or masking; establish and restrict access to data or physical locations; communicate, adapt related procurements, follow up respective suppliers and manage any issues that arise. The main, definitive rule is that access to personal data is only provided to persons with a concrete need for such access in connection with their work for the Research Council.

We conduct regular risk and vulnerability assessments of our activities related to personal privacy, information security and of the IT systems we use, and use the results of these analyses to adjust how we work. Our efforts are supported by our department for internal revision and our Data Protection Officer.

How do we share personal data with others?

The Research Council shares personal data with its data processors, other data controllers and other public agencies. This is done on the basis of data processor agreements, agreements on shared data controller responsibility, legislation/regulations or other corresponding legal grounds.

If we are processing data outside Norway but within the EU/EEA, personal privacy is protected through compliance with the Personal Data Act, regulations relating to personal privacy within the EU/EEA and any relevant nation-specific regulations in the area.

If we are processing personal data outside the EU/EEA we take additional steps to protect personal privacy by only transmitting personal data to parties that: receive and process data in a country that is previously recognised by the European Commission to provide an adequate level of data protection, are subject to or have signed a data processor agreement containing standard contractual clauses for data transfers between EU and non-EU countries or similar provisions, or that have prior certification through the EU-U.S. Privacy Shield Framework.

We check that those parties with which we share personal data process the data in accordance with the statutory framework and the purpose of the data sharing.

Our obligations

When we process personal data, we have a duty to, among other things,

• determine a reasonable and necessary purpose for the processing;
• ensure a correct legal basis for the processing;
• provide information about the processing in a concise, transparent, understandable and easily accessible manner;
• enable data subjects to exercise their rights;
• correct information that is incorrect or incomplete;
• delete data when the purpose has been fulfilled and we are not required to further store data by law/regulations;
• carry out a data protection impact assessment when it is likely that the processing may entail a high risk to the rights and freedoms of the data subjects;
• take privacy into account when developing our services and solutions (privacy by design);
• establish internal control to ensure and show that we comply with the Personal Data Act;
• ensure the information security of registered personal data;
• keep records of processing activities for which we are the controller or data processor;
• enter into a data processing agreement when we use a data processor or are data processors ourselves;
• handle deviations that arise in connection with the processing, report deviations to the Data Protection Authority when and as we are required to do so, and ensure information for the affected persons, and
• safeguard privacy if we transfer data abroad.

As a public body, we are obliged to have a data protection officer who is to be informed of our processing on an ongoing basis and who works to safeguard the interests of data subjects and acts as liaison with the Norwegian Data Protection Authority (Datatilsynet).

Your rights

You have the right to (please see the Norwegian version of this page to access links to more information on the points below)

• access the information we process about you;
• rectification or completion of inaccurate or incomplete information;
• erasure of your data if they have been processed unlawfully (please note, there are exceptions to this right, for example, when legislation requires that we continue to store data);
• restriction of data processing pending clarification of a question regarding the legal basis, to reach a decision regarding an objection to data processing, or to delay/restrict data erasure;
• withdraw your consent if you initially granted it to us as the basis for a data processing activity;
• object to the data processing if it is not based on consent, agreement or legal obligation; if the processing is carried out in the public interest or as an exercise of official authority (GDPR Art. 6(1) letter e), or in the pursuit of legitimate interests (same article, letter f), and the processing is not necessary for the protection of vital interests. You may at any time object to direct or targeted marketing.
• data portability in a structured, commonly used, machine-readable format if the data processed were based on consent/agreement and you are the one who has provided them to us. We will only release data when able to confirm your identity, secure the data using encryption, and ensure that doing so does not infringe on the rights or freedoms of others. The information will be transmitted free of charge unless we can prove that the cost is unjustifiable or excessive (please note, however, that this right is primarily intended to protect customers in commercial matters such as switching between service providers, and will only be applicable to our processing in certain cases);
• information about our processing of personal data that is concise, transparent, intelligible and easily accessible;
• not to be subject to a decision based solely on automated processing that is wholly automated (i.e. independent of human influence) and produces legal effects concerning you (i.e. controlling your rights or obligations). This does not apply, however, unless the decision is based on consent, is necessary for entering into or performance of a contract, or is based on legislation that safeguards the interests of the individual. In the case of such decisions we will implement measures to safeguard your interests, and you will have the right to express your point of view, to contest the decision and to obtain human intervention.

When you contact us to exercise your rights we will respond without undue delay, and within 30 days at the latest.

Please note that in certain circumstances, your rights may be limited by terms or requirements we are subject to under laws/regulations or for corresponding legal reasons. We will evaluate this specifically and inform you about this each time you contact us to exercise your rights.

Contact us with questions about privacy

If you have any questions regarding our processing of personal data or if you wish to exercise your rights, please contact the Research Council at:

• Email: post@forskningsradet.no
• Tel.: +47 22 03 70 00
• Post: Research Council of Norway, P.O. Box 564 NO-1327 Lysaker

The Data Protection Officer at the Research Council works to safeguard the personal privacy of all individuals whose data we process, to provide advice on our obligations and your rights, and serves as a liaison with the Norwegian Data Protection Authority. You may contact our Data Protection Officer by email at personvern@forskningsradet.no.

How do you complain about our processing of personal data?

The Norwegian Data Protection Authority is the supervisory authority for our processing of personal data.

For questions regarding our processing of personal data, the Norwegian Data Protection Authority recommends that you contact us first to try and clarify the issue. If you are not satisfied with the clarification and wish to lodge a complaint, the Norwegian Data Protection Authority recommends that you then contact our Data Protection Officer.

If after having contacted our Data Protection Officer you still wish to lodge a complaint about what you see as a breach of regulations in our processing of personal data, the Norwegian Data Protection Authority website provides information on how to lodge a complaint with the Norwegian Data Protection Authority.