1. Introduction
The University of Agder, henceforth referred to as "UiA", is responsible for the handling of personal data that has been registered and is being managed by UiA regarding to research projects at UiA that has a project leader. This privacy statement provides information about how UiA manages your personal data and what your rights are.
1.1 Basis for management
Generally, UiA asks for permission to manage personal data for research purposes, cf. the EU’s General Data Protection Regulation (GDPR) article 6 (1) (a). This is usually done by a consent form that you sign and confirm digitally. All who have given their consent can at any time withdraw it.
UiA may also have reasons for managing personal data, by the legal authority of GDPR article 6 (1) (e), when a task of general interest is carried out. This applies to instances when personal data is managed for academic or historic research or for statistical purposes.
2. What personal data is managed?
Personal data refers to all information that can be connected to you as an individual person.
2.1 Below are typical examples that we register
What data is being registered varies greatly from research project to research project. Typical examples of information would be name, age, gender, place of residence, education, profession, e-mail address and phone number. Normally, you must accept that such information is collected, cf. section 1.1. A complete overview of what personal data is managed, is stored in the message archive of NSD’s data protection services.
3. Securing data
UiA has an internal control system that contains regulations and routines for how personal data shall be managed. At regular intervals, we carry out risk and vulnerability analyses of the data software systems we use in order to secure your personal data.
In addition, we have security measures in place, such as access controls, to prevent that no more employees than necessary have access to your personal data. Such access controls can be both access control in data software systems and physical control such as lockable archives/cabinets. Employees and students handling personal data is bound to a duty of secrecy and is given training in handling personal data.
4. Who do we share your data with?
We do not make your personal data available for other parties unless there exists a legal basis for doing so.
We use different data managers who assist us with various processes. Different categories of data managers are stated below:
- Service providers who operate IT systems
- Service providers who assist us with operating various core systems
- Service providers who operate archive systems
5. Geographical storage of personal data
UiA assures that your personal data is stored according to data protection regulations regarding geographical storage. Any storing of data in third countries is done legally through the EU’s approved methods for transferring data. If you want specific information about where certain personal data is stored, please contact the data protection officer. Contact information can be found in section 8.
6. For how long do we store information?
The period of which we store your personal data is a short as possible and only as long as it is necessary or when it is required by law.
7. Your rights
You can request more detailed information about how we manage data about you, and you are entitled to seeing your own personal data. If your personal data is incorrect, you are entitled to have it corrected. Personal data we do not have reason to manage must be deleted, and you can demand that this is done if we have not made sure of it ourselves. You can request that we limit the use of your data. You are entitled to so-called data portability and can request that your personal data is transferred to you or another organisation in a structured, commonly used and machine-readable format. You can oppose our use of your data. You can also oppose being the object of completely automated individual decisions of legal character. If you believe that we manage your personal data without legal basis, you can submit a complaint to the Norwegian Data Protection Authority, but we request that you contact us so we, if possible, can evaluate your objections and clear up any possible misunderstandings.
The data protection regulations contain comprehensive statements about the above-mentioned rights, and exceptions regarding some rights may exist. If you wish to exercise your rights, please contact us, see contact information below, and we will respond to your request as soon as possible and normally within 30 days.
8. Contact information
We are available for any questions you may have. Please use the contact information stated below:
- trond.hauso@uia.no