The Research Council's Privacy Policy
All information that can be indirectly or directly linked to you is personal data. This privacy policy describes what personal data the Research Council processes about you, when we process personal data and how it is processed, so that you can safeguard your rights under the data protection legislation.
Go directly to:
- Contact us
- Why do we process personal data?
- When do we process personal data?
- How do we share personal information with others?
- Our duties
- Your rights
- How do you complain about our processing of your personal data?
Our guidelines for processing of personal data are:
- The Personal Data Act
- General Data Protection Regulation (GDPR)
- Internal policies and procedures governing our privacy practices
Personal data is processed as part of our operations. When we, alone or jointly with others, determine the purpose of the processing of personal data and the means used to process it, we are the data controller. It is these processing operations that are described in this policy.
In some cases, the Research Council may also act as a data processor. This is when we process personal data on behalf of another data controller. In those cases, the data controller is responsible for facilitating the exercise of your rights, and the Research Council only assists the data controller, without direct contact with you.
When the Research Council processes your personal data
- we document all our processing activities
- we work actively to protect your privacy so that we can fulfil our obligations and help you exercise your rights
- we only process and store the information about you that is necessary for the processing or that the law requires, for example in accordance with the Archives Act
Contact us
If you have any questions about how we process your personal data or if you wish to exercise your rights, you can contact the Research Council at:
- https://tjenester.forskningsradet.no/kontakt
- phone: +47 22 03 70 00
- letter: The Research Council of Norway, P.O. Box 564, 1327 Lysaker
You can also contact our Data Protection Officer if you have any questions about how we process personal data about you, or if you need help exercising your rights vis-à-vis us. The Data Protection Officer has a duty of confidentiality.
Contact information for the Data Protection Officer at the Research Council: personvern@forskningsradet.no
Why do we process personal data?
We process your personal data because it is necessary to fulfil:
- The overarching purposes and tasks we are required to do (link to the articles of association).
- The ancillary purposes, requirements, guidelines, and principles set forth in our policies, as well as their ancillary practices and duties.
When do we process personal data?
We process personal data when the work of fulfilling the articles of association, policies and procedural requirements requires it. For example, we process personal data
- when you send us a question through our answers
- when you use our websites
- for statistical and analysis purposes
- during application processing, assessment and follow-up of projects
- when you are in contact with us, for example when we
  - send out a new letter
  - arrange meetings, courses, seminars or other events
  - send out questionnaires
  - We put forward a right ring
  - process requests for access pursuant to the Freedom of Information Act
- when you apply for an advertised position or are employed by us
How do we share personal information with others?
We share personal data with our data processors, other data controllers, and other public bodies. We do this on the basis of a data processing agreement, an agreement on shared data management, a law/regulation or an equivalent legal basis.
If we process personal data outside Norway but elsewhere within the EU/EEA, we safeguard your privacy by complying with the Personal Data Act, the data protection rules that apply within the EU/EEA and any relevant country-specific rules in the area.
If we process personal data outside the EU/EEA, we also safeguard your privacy by only transferring personal data to parties that either receive and process the data in a country that is recognised as safe enough by the European Commission, are subject to or have signed a data processing agreement containing standard data protection rules adopted by the European Commission or equivalent, or have been certified in advance through the European Commission's Data Privacy Framework program.
We ensure that those with whom we share personal data process the data in line with their obligations under the law and the basis for the sharing.
Our duties
When processing personal data, the Research Council shall:
- Establish a reasonable and necessary purpose for the processing
- Ensure the correct basis for processing
- Provide information about the processing in a concise, transparent, understandable and easily accessible manner
- Facilitate the exercise of their rights by data subjects
- Correct incorrect or incomplete information, and delete it when the purpose has been fulfilled and we are not required to store it further by law/regulation
- Perform and maintain privacy impact assessments (DPIAs)
- Ensure that new ICT solutions safeguard the principle of privacy by design
- Establish internal controls to ensure compliance with the regulations
- Ensure the information security of the data subjects' personal data
- Keep a record of processing activities
- Enter into data processing agreements when we use a data processor or are data processors ourselves
- Ensure a valid basis for transfer when transferring to countries outside the EU/EEA
- Handle and report deviations to the Data Protection Authority, as well as inform affected persons
- Have a data protection officer who is informed on an ongoing basis, safeguards the interests of the data subjects and acts as our point of contact with the Data Protection Authority
Your rights
You have the right to:
- Information about the processing of your own personal data
- Access to the processing of your own personal data
- Correction and deletion of your own personal data
- Limited processing of your own personal data
- Data portability
- Not being subject to fully automated processing
- Withdraw your consent if you have provided this to us as a basis for the processing
- Complaint to the Data Protection Authority
When you contact the Research Council to exercise your rights, you must receive an answer without undue delay, and no later than 30 days.
Please note that your rights in each case may be limited by terms or requirements we are required to comply with by law/regulation or equivalent legal basis. We will consider this specifically and inform you of this on a case-by-case basis when you contact us to exercise your rights.
We would also like to point out that we are required to keep a postal journal pursuant to Section 10 of the Freedom of Information Act. This means that we record all correspondence in connection with case processing, unless the documents are to be exempted from public disclosure, for example due to a duty of confidentiality. We use eInnsyn, which is an open, public search service where anyone can search for and order access to letters and documents (einnsyn.no).
We also have an archiving obligation under the Archives Act. This means, among other things, that our case documents are stored in an archive and that all documents that have been recorded in the records are transferred to the National Archives of Norway.
In the processing related to the postal journal and the obligation to archive, our legal basis is GDPR Article 6 (1) letter c, as the processing is necessary to comply with our legal obligations. Where the processing involves special categories of personal data, our legal basis for processing is Article 6 (1) (c) of the GDPR, cf. Article 9 (2) (g).
How do you complain about our processing of your personal data?
The Norwegian Data Protection Authority is the supervisory authority for our processing of personal data.
If you have any questions about our processing of personal data, the Norwegian Data Protection Authority recommends that you first contact us to try to clarify the question. If you are not satisfied with the clarification and wish to complain, the Norwegian Data Protection Authority recommends that you first contact our Data Protection Officer.
If, after contacting our Data Protection Officer, you still wish to complain about something you believe is a violation of the rules, the Data Protection Authority provides good information on its website about how you can complain to the Data Protection Authority about our processing.