Privacy policy for Nettskjema

Published Nov. 13, 2023 8:51 AM - Last modified Dec. 14, 2023 3:22 PM

Brief presentation of Nettskjema

Nettskjema is a web application where external institutions can nominate exchange students for programmes at Norwegian institutions.

Nettskjema is linked to the study administration system Common Student System (FS). This means that any data registered in Søknadsweb will also be stored in FS. In various contexts, data stored in FS is shared with a number of different parties/institutions. Please cf. the privacy policy for FS.

About this privacy policy

This privacy policy describes how Norwegian School of Sport Sciences manages your personal data in Nettskjema. The purpose of this privacy policy is to inform you of the types of personal data processed, how it is processed, who is responsible for the processing, your rights and whom to contact.

What is personal data?

The term personal data includes any data, information and assessment that can be linked to you as an individual, cf. GDPR Article 4 no. 1. The determining factor in whether data is considered personal information, is whether it is fit to identify a specific person.

In some cases, data which, on its own, cannot be linked to an individual person, may constitute personal data if it is used in combination with other data.

The purpose of the processing of personal data in Nettskjema

Purpose

The purpose of processing personal data in Nettskjema is to identify the person nominating.

Furthermore, a second purpose of processing personal data in Nettskjema is to register that a student has been nominated for an exchange programme, and to identify the student in question. Identification of the student is necessary, both so that the institution receiving the data can know which student it involves, and so that the student can be notified that he/she has been nominated, and that he/she must register an application for the exchange programme.

Legal basis

Nettskjema is subject to the provisions of the Personal Data Act and Personal Data Regulations. The legal basis for processing personal data in Nettskjema is regulated in the contract between you, as an employee, and your employer.

Which kinds of personal data are processed in Nettskjema, and how long to we store your personal data?

No sensitive personal data is stored in Nettskjema.

When you log on to Nettskjema, we log your e-mail address, the institutional number of the institution you logged on with, your IP address, and the date and time of your log-in. This data is stored so that we can provide technical and user support to you in connection with your use of Nettskjema. Personal data related to your log-ins is stored for a period of 12 months, and then the data is erased.

Any personal data linked to students you nominate is shared with the study administration system Common Student System (FS).

Automatic processing

Your personal data in Nettskjema will not be made subject to automated processing or profiling.

Disclosure of your personal data to third parties

Disclosure or export of data is defined as any transfer of data save for use in the controller’s own systems/processing or to the data subject itself or any other party receiving data on the data subject’s behalf.

Norwegian School of Sport Sciences may disclose or export data including personal data to other systems, i.e. external data processors, whenever it is deemed necessary.

Your personal data will not be disclosed to countries outside of the EU/EEA, or to any international organizations.

Your personal data may be disclosed to the following parties/agencies:

  1. Unit – The Norwegian Directorate for IT and Joint Services in Higher Education and Research. Nomination is developed and provided by Unit. Unit staff who need to access your personal data as part of their job will be granted such access. They need this access in order to provide user support and, if relevant, correct errors as part of their duties.
  2. University Center for Information Technology (USIT) at the University of Oslo (UiO). Nettskjema is operated by USIT at UiO. USIT staff who need to access your personal data as part of their job will be granted such access. They need this access in order to provide user support and, if relevant, correct errors as part of their duties.
  3. UNINETT AS. When you log on to EpN, you use the log-in service FEIDE. FEIDE is developed and provided by UNINETT AS. UNINETT AS staff may access your FEIDE user name and IP address, provided they need such access in order to perform their duties. They need this access in order to provide user support and, if relevant, correct errors as part of their duties. Your personal data will be erased from FEIDE after six months.

Personal data safety

Norwegian School of Sport Sciences regularly perform risk and vulnerability analyses to protect your personal data in Nettskjema. In addition, various security measures have been implemented, such as access control, to keep the number of people who have access to your personal data as low as possible.

Your rights

Right to information and access

You have the right to information about how  Norwegian School of Sport Sciences processes your personal data. The purpose of this privacy policy is to provide you with any and all information you have the right to get.

You also have the right to view/access any and all personal data registered about you at  Norwegian School of Sport Sciences. You also have the right to request a copy of the personal data registered about you if you so wish.

Right to correction

You have the right to have corrected any and all incorrect personal data about you. You also have the right to supplement any and all incomplete data registered about you. Please contact us if you believe we have registered incorrect or incomplete personal data about you. It is important that you justify and, if relevant, document why you believe the personal data registered is incorrect or incomplete.

Right to limit processing

In certain circumstances, you have the right to demand limited processing of your personal data. Limiting the processing of personal data means that your personal data will still be registered, but the opportunities for further processing are limited.

If you believe that personal data about you is incorrect or incomplete, or you have filed a complaint against the processing of your data (read more about this below), you have the right to demand to demand that the processing of your personal data be limited temporarily. This means that processing will be limited until, if relevant, we have rectified your personal data, or until we have been able to assess whether your complaint is justified.

In other circumstances you may also demand a more permanent limitation on the processing of your personal data. In order to qualify for the right to limit processing of your personal data, the conditions established by the Personal Data Act and Article 18 of the GDPR must be met. If we receive a request from you to limit processing of your personal data, we will assess whether the statutory conditions have been met.

Right to erasure

In certain circumstances you have the right to demand that we erase your personal data. The right to erasure is not unconditional, and whether this applies to your situation must be assessed in light of relevant privacy legislation, i.e. the Personal Data Act and GDPR. Please contact us if you want to have your personal data erased. It is important that you justify why you want the personal data erased, and, if possible, that you also specify which personal data you want erased. We will den consider whether the conditions for erasure, as established by law, have been met. Please be advised that the law allows for us to make exceptions to your right to erasure. For example, we may need to store personal data for the purpose of performing a task in compliance of the Act Relating to Universities and University Colleges, or for reasons of public interest, such as archiving, research and statistics.

Right to object

You may have the right to file an objection against the processing, i.e. object to the processing, on grounds that you have a specific need to stop the processing, e.g. if you have a need for protection, have a secret address, etc. The right to object is not unconditional, and it is contingent upon the legal basis for the processing, and on your particular circumstances. The conditions are established by Article 21 of the GDPR. If you object to processing of your personal data, we will consider whether the conditions for filing an objection have been met. If we find that you have the right to object to the processing and that your objection is justified, we will discontinue processing, and you will have the right to demand erasure of the data. Please be advised that we, under certain circumstances, may make exceptions from erasure, e.g. if we have to store your personal data for the purpose of performing a task in compliance with the Act Relating to Universities and University Colleges, or for reasons of public interest.

Right to file complaint against processing

If you believe we processed your personal data incorrectly or unlawfully, or if you believe we failed to protect your rights, you have the right to file a complaint against processing. Please see item 10 below for how to contact us.

If we dismiss your complaint, you may file your complaint with the Norwegian Data Protection Authority (DPA). The DPA is responsible for making sure Norwegian enterprises comply with the provisions of the Personal Data Act and the GDPR in their processing of personal data.

Contact information

Data controller

Norwegian School of Sport Sciences is the data controller of personal data in Nomination, cf. GDPR Article 4 no. 7.

If you wish to exercise your rights as established in item 9 above, please contact us at personvernombud@nih.no. We will process your request as soon as possible and within 30 days at the latest.

Data protection office

Norwegian School of Sport Sciences has appointed a data protection officer whose responsibility it is to protect the personal data interests of both students and staff at  Norwegian School of Sport Sciences. You may contact the data protection officer about the administrative processing of personal data at  Norwegian School of Sport Sciences via e-mail: personvernombud@nih.no.

Service provider

Unit – The Norwegian Directorate for ICT and Joint Services in Higher Education and Research is the provider of Nomination. This means that Unit develops and maintains Nomination, and Unit is also responsible for the day-to-day operation of Nomination. As part of this task, a select few of Unit’s staff have access to all personal data registered in Nomination.

Contact information for Unit: fs-sekretariat@fsat.no

E-mail this page