Privacy policy for Søknadsweb
Updated 3 September 2019
1) Brief presentation of Søknadsweb
Søknadsweb is a web application where candidates can apply for admission to studies at The University Centre in Svalbard (UNIS).
Søknadsweb is linked to the study administration system Common Student System (Felles studentsystem – FS). This means that any data registered in Søknadsweb will also be stored in FS. In various contexts, data stored in FS is shared with a number of different parties/institutions. Please cf. the privacy policy for FS.
2) What is a privacy policy?
This privacy policy describes how UNIS manages your personal data in the FS system. The purpose of this privacy policy is to inform you of the types of personal data processed, how it is processed, who is responsible for the processing, your rights and whom to contact.
3) What is considered personal data?
The term personal data includes any data, information and assessment that can be linked to you as an individual, cf. GDPR Article 4 no. 1. The determining factor in whether data is considered personal information, is whether it is fit to identify a specific person.
In some cases, data which, on its own, cannot be linked to an individual person, may constitute personal data if it is used in combination with other data.
4) The purpose of and legal basis for the processing of personal data in Søknadsweb
Purpose
The purpose of data processing in Søknadsweb is to enable you to apply for admission to courses at UNIS.
Legal basis
The legal basis for the processing of personal data in Søknadsweb is GDPR Article 6 no, 1 litra e, cf. no. 3 litra b, and provisions in the Act Relating to Universities and University Colleges § 4-15. The institution’s data processing is part of its exercise of official authority vested in the institution, and a decision to grant an offer of admission to a programme of study, for example, constitutes an administrative decision.
5) Which kinds of personal data are processed in Søknadsweb, and how long to we store your personal data?
Currently, no sensitive personal data about you is stored or processed in Søknadsweb.
When you log in to Søknadsweb, we register your Norwegian national identity number (if you have), your IP address and any errors you encounter. This data is stored so that we can provide technical and user support to you in connection with your use of Søknadsweb. Personal data related to your log-ins is stored for a period of 12 months, and then the data is erased.
We also store information about your actions in Søknadsweb. This data is erased after a period of 12 months.
The following personal data may be processed in Søknadsweb: profile information (including your name, Norwegian national identity number/D-number/S-number (11 digits)), contact information, information about your background, native language, application information, consents you have given, information about application options and any documents you may upload in connection with your application.
Any personal data registered in Søknadsweb is shared with the study administration system Common Student System (FS). In principle, all personal data in FS is stored permanently. Please cf. the privacy policy for FS.
Your personal data may come from:
- You, submitted via Søknadsweb
- The Common Student System (FS)
Voluntary registration
- You, submitted via Søknadsweb
Registration of personal data in Søknadsweb is voluntary, but without your personal data, we may not be able to process your applications.
Information registered without your express consent
- The Common Student System (FS)
In certain circumstances, it is necessary for administrative staff at UNIS to register information about you in connection with your applications. Examples include assessments related to your application for admission. These types of data are only sent to Søknadsweb so that you can have access to your data.
6) We disclose your personal data to third parties
Disclosure or export of data is defined as any transfer of data save for use in the controller’s own systems/processing or to the data subject itself or any other party receiving data on the data subject’s behalf.
UNIS may disclose or export data including personal data to other systems, i.e. external data processors, whenever it is deemed necessary.
Your personal data will not be disclosed to countries outside of the EU/EEA, or to any international organizations.
Your personal data may be disclosed to the following parties/agencies:
- Unit – The Norwegian Directorate for ICT and Joint Services in Higher Education and Research
Søknadsweb is developed by Unit. Unit staff who need to access your personal data as part of their job will be granted such access. They need this access in order to provide user support and, if relevant, correct errors as part of their duties.
- University Center for Information Technology (USIT) at the University of Oslo (UiO)
Søknadsweb is operated by USIT at UiO. USIT staff who need to access your personal data as part of their job will be granted such access. They need this access in order to provide user support and, if relevant, correct errors as part of their duties.
- Other parties
Any personal data you register in Søknadsweb is shared with the study administration system Common Student System (FS). Please see the privacy policy for FS for more detailed information about who the recipients of personal data from FS are.
8) Security relating to your personal information
The University Centre in Svalbard regularly performs risk and vulnerability analyses to protect your personal data in FS. In addition, various security measures have been implemented, such as access control, to keep the number of people who have access to your personal data as low as possible. All registrations are logged.
9) Your rights
Right to information and access
You are entitled to information about how UNIS processes your personal data. This privacy declaration is intended to contain the information you are entitled to receive.
You are also entitled to see/gain insight into any personal information registered on you at UNIS. You are also entitled to receive a copy of your personal information upon request.
Right of correction
You have the right to have incorrect personal information about you corrected. You also have the right to have incomplete personal information about you supplemented. If you think we have registered incorrect or incomplete personal information about you, please contact us. It is important that you state the reason and, where appropriate, document why you think the personal data is incorrect or incomplete.
Right to limitation of processing
In certain circumstances, you have the right to demand limited processing of your personal data. Limiting the processing of personal data means that your personal data will still be registered, but the opportunities for further processing are limited.
If you think that personal data about you is incorrect or incomplete, or you have filed a complaint against the processing of your data (read more about this below), you have the right to demand that the processing of your personal data be limited temporarily. This means that processing will be limited until, if relevant, we have rectified your personal data, or until we have been able to assess whether your complaint is justified.
In other circumstances you may also demand a more permanent limitation on the processing of your personal data. In order to qualify for the right to limit processing of your personal data, the conditions established by the Personal Data Act and Article 18 of the GDPR must be met. If we receive a request from you to limit processing of your personal data, we will assess whether the statutory conditions have been met.
Right of deletion
In some cases, you are entitled to request that we delete personal information about you. The right of deletion is not an unconditional right, and whether or not you have the right of deletion must be considered in the light of the Personal Data Act and the Personal Data Protection Regulation. If you wish to have your personal information deleted, please contact us. It is important that you state the reasons why you want your personal information deleted, and if possible, which personal information you want to have deleted. We will then consider whether the legal conditions for requiring deletion are met. Please note that in some cases the legislation allows us to make exceptions from the right to deletion. For example, this would be the case when we are obliged to store your personal data to fulfil a task that is required by the University and University College Act, or to safeguard important societal interests such as archiving, research and statistics.
Right to object
You may have the right to file an objection against the processing, i.e. object to the processing, on grounds that you have a specific need to stop the processing, e.g. if you have a need for protection, have a secret address, etc. The right to object is not unconditional, and it is contingent upon the legal basis for the processing, and on your particular circumstances. The conditions are established by Article 21 of the GDPR. If you object to processing of your personal data, we will consider whether the conditions for filing an objection have been met. If we find that you have the right to object to the processing and that your objection is justified, we will discontinue processing, and you will have the right to demand erasure of the data. Please be advised that we, under certain circumstances, may make exceptions from erasure, e.g. if we have to store your personal data for the purpose of performing a task in compliance with the Act Relating to Universities and University Colleges, or for reasons of public interest.
Right to appeal against the processing
If you think we have not processed your personal data in a correct and lawful manner, or if you think that we have failed to fulfil your rights, you have the possibility to appeal against the processing. You can find information about how to contact us under Point 12.
If we do not accept your complaint, you have the option of presenting the complaint to the Norwegian Data Protection Authority. The Norwegian Data Protection Authority is responsible for verifying that Norwegian companies comply with the provisions of the Personal Data Act and the Personal Data Protection Regulation in processing personal data.
10) Contact information
If you wish to make use of your rights referred to in point 9 above, please contact us at post@unis.no. We will deal with your inquiry without undue delay and no later than one month after we receive the request.
Service provider
Unit – The Norwegian Directorate for ICT and Joint Services in Higher Education and Research is the provider of FS. This means that Unit develops and maintains FS, and Unit is also responsible for the day-to-day operation of FS. As part of this task, a select few of Unit’s staff have access to all personal data registered in FS, including personal data sent to and from FS.
Contact information for Unit: postmottak@unit.no