The Research Council's Privacy Policy

Go directly to:

• Contact us
• Why do we process personal data?
• When do we process personal data?
• How do we share personal information with others?
• Our duties
• Your rights
• How do you complain about our processing of your personal data?

Our guidelines for processing of personal data are:

• The Personal Data Act
• General Data Protection Regulation (GDPR)
• Internal policies and procedures governing our privacy practices

Personal data is processed as part of our operations. When we, alone or jointly with others, determine the purpose of the processing of personal data and the means used to process it, we are the data controller. It is these processing operations that are described in this policy.

In some cases, the Research Council may also act as a data processor. This is when we process personal data on behalf of another data controller. The data controller shall facilitate the exercise of your rights by you. The Research Council will only assist the data controller without direct contact with you.

When the Research Council processes your personal data

• we document all our treatments
• we work actively to protect your privacy so that we can fulfil our obligations and help you exercise your rights
• we only process and store the information about you that is necessary for the processing or that the law requires, for example in accordance with the Archives Act

Contact us

If you have any questions about how we process your personal data or if you wish to exercise your rights, you can contact the Research Council at:

• https://tjenester.forskningsradet.no/kontakt
• phone: +47 22 03 70 00
• letter: The Research Council of Norway, P.O. Box 564, 1327 Lysaker

You can also contact our Data Protection Officer if you have any questions about how we process your personal data, or if you need help exercising your rights. The Data Protection Officer has a duty of confidentiality.

Contact information for the Data Protection Officer at the Research Council: personvern@forskningsradet.no

Why do we process personal data?

We process your personal data because it is necessary to fulfil:

• The overarching purposes and tasks we are required to do:  Forskrift om vedtekter for Norges forskningsråd - Lovdata 
• The ancillary purposes, requirements, guidelines, and principles set forth in our policies, as well as their ancillary practices and duties.

When do we process personal data?

We process personal data when the work of fulfilling the statues, policies and procedures requires it. For example, we process personal data

• when you send us a question through our answers.
• When you use our websites
• for statistical and analysis purposes
• during application processing, assessment and follow-up of projects
• when you are in contact with us, for example when we
• send out a newsletter
• arrange meetings, courses, seminars or other events
• send out surveys
• we put forward a public hearing
• processing requests for access pursuant to the Freedom of Information Act
• when you apply for an advertised position or are employed by us

How do we share personal information with others?

We share personal data with our data processors, other data controllers, and other public bodies. We do this on the basis of a data processing agreement, an agreement on shared data management, a law/regulation or an equivalent legal basis.

If we process personal data outside of Norway, but within the EU/EEA area otherwise, we safeguard your privacy by complying with the Personal Data Act, the data protection rules that apply within the EU/EEA and any relevant Member State laws.

If we process personal data outside the EU/EEA, we also safeguard your privacy by only transferring personal data to parties who either receive and process the data in a country that is recognised as safe enough by the European Commission or is subject to or has signed a data processing agreement containing standard data protection rules adopted by the European Commission or equivalent, or which has been certified in advance through the Data Privacy Framework program.

We ensure that the parties with whom we share the personal data process the data in accordance with their obligations under applicable law and the legal basis for the disclosure.

Our duties

When processing personal data, the Research Council shall

• establish a reasonable and necessary purpose for the processing
• ensure the correct basis for processing
• provide information about the processing in a concise, transparent, understandable and easily accessible manner
• facilitate rights of the data subjects
• correct inaccurate or incomplete information, and delete it when the purpose has been fulfilled and where we are not required by law or regulation to retain them further
• carry out and maintain Data Protection Impact Assessments (DPIAs)
• ensure that new ICT solutions comply with the principle of privacy by design
• establish internal control to ensure compliance with the regulations
• ensure the information security of the data subjects' personal data
• keep a record of processing activities
• entering into data processing agreements when we use a data processor or are data processors ourselves
• ensure a valid legal basis for transfer when transferring to countries outside the EU/EEA
• handle and report personal data breaches to the Data Protection Authority, as well as inform affected individuals
• have a data protection officer who is kept informed on an ongoing basis, safeguards the interests of the data subjects and acts as our point of contact with the Data Protection Authority

Your rights

You have the right to:

• Information about the processing of your own personal data
• Access to the processing of your own personal data
• Rectification and erasure of your own personal data
• Restriction of processing of your own personal data
• Data portability
• Not being subject to fully automated processing
• To withdraw your consent if you have provided this to us as a basis for the processing
• File a complaint with the Data Protection Authority

You have the right to receive the information without undue delay, and in any event within 30 days when you contact the Research Council to exercise your rights.

Please note that your rights may, in each individual case, be limited due to legal or regulatory requirements we are obliged to comply with. We will assess this on a case-by-case basis and inform you accordingly when you contact us to exercise your rights.

We would also like to point out that we are required to keep a postal journal pursuant to Section 10 of the Freedom of Information Act. This means that we record all correspondence in connection with case processing, unless the documents are to be exempted from public disclosure, for example due to a duty of confidentiality. We useeInnsyn, which is an open, public search service where anyone can search for and order access to letters and documents (einnsyn.no).

We also have an archiving obligation under the Archives Act. This means, among other things, that our case documents are stored in an archive and that all documents that have been recorded in the records are transferred to the National Archives of Norway.

In the processing related to the postal journal and the obligation to archive, our legal basis is GDPR Article 6 (1) (c), as the processing is necessary to comply with our legal obligations. Where the processing involves special categories of personal data, our legal basis for processing is Article 6 (1) (c) of the GDPR, cf. Article 9 (2) (g).

How do you file a complaint about our processing of your personal data?

The Norwegian Data Protection Authority is the supervisory authority for our processing of personal data.

If you have any questions about our processing of personal data, the Norwegian Data Protection Authority recommends that you first contact us to try to clarify the question. If you are not satisfied with the clarification and wish to file a complaint, the Norwegian Data Protection Authority recommends that you first contact our Data Protection Officer.

If, after contacting our Data Protection Officer, you still wish to file a complaint about something you believe is a violation of the rules, the Data Protection Authority provides good information on the website about how you can complain to the Data Protection Authority about our processing.