Data Protection Declaration for Stiftelsen Kristian Gerhard Jebsen

This data protection declaration describes how Stiftelsen Kristian Gerhard Jebsen (hereafter the Foundation) collects and uses personal data in its operations and sets out your rights if we process any of your personal data in the capacity of data controller.

The Trond Mohn Foundation provides management services to the Foundation and processes personal data on behalf of the Foundation, cf. Section 2.1.

1. Which personal data are processed by the Foundation?

The Foundation collects and processes the personal data needed to process applications, fulfil contracts and/or comply with Norwegian law. Personal data are only used for the purpose for which they were collected, and the Foundation does not sell any personal data to other parties. Personal data are only shared with third parties (see section on Sub-processors) if the third party in question is involved in the Foundation’s processing of applications and fulfilment of contracts.

The Foundation erases personal data when there are no longer any legitimate grounds for processing them. We will never store personal data any longer than is necessary for the purpose for which they were collected.

The bases for the Foundation’s processing of your personal data are:

  • The Foundation processes personal data when that is necessary to fulfil an agreement to which the data subject is a party, such as if you have sent us an application that we need to process
  • The Foundation processes personal data if it has a legal obligation to do so
  • If the Foundation does not have a basis for processing your personal data, any processing will only take place as a result of your voluntary consent. You may at any time withdraw your consent.

1.1. Processing of personal data in conjunction with applications

Personal data in applications are received by e-mail and are processed by the Foundation. Applications are shared with and processed by peer reviewers, who evaluate the applications both individually and jointly on expert panels.

The Foundation’s scientific advisory committee and board also process applications and the personal data they contain. In conjunction with processing applications, the Foundation creates records of the applicants and peer reviewers that contain personal data. This information is stored together with the applications on the servers of the Foundation’s supplier of data storage services, see Section 2.2. The applications and records may be shared with the Foundation’s auditor during audits of the Foundation’s grant allocation process.

The personal data held by the Foundation vary depending on the role of the person in question. As a general rule, the Foundation stores the person’s name, e-mail address, job title, date of birth, educational background and employment history, as well as their role in the project for which funding has been requested or granted.

1.2. Processing of personal data in conjunction with signing and managing grant agreements

The vast majority of the grants awarded by the Foundation are contributions to projects at public research institutions, which are responsible for any hiring decisions and HR, including processing the personal data of the people working on projects receiving funding from the Foundation.

In order to ensure compliance with contractual obligations, the Foundation keeps records of its agreements. These records contain contact details such as the name, e-mail address and employer of the project manager. The agreements and records are shared with the Foundation’s accountant and auditor.

When signing a grant agreement, the recipient undertakes to send annual update reports to the Foundation. These reports may contain personal data. The reports are processed by the Foundation’s provider of management services and are also made available to the Foundation’s scientific advisory committee, board and auditor.

Reports and records are stored with ECIT Solutions DI AS and Admincontrol AS; see sections 2.2.1 and 2.2.2.

1.3 Processing of personal data in conjunction with payroll

Members of the board and scientific advisory committee, peer reviewers and other people who receive fees and reportable fringe benefits from the Foundation are recorded in the payroll management system used by the Foundation’s external accountant. These records are needed to meet contractual and statutory requirements, including reporting to the authorities.

2. Sub-processors

The suppliers used by the Foundation as sub-processors are listed in Section 2.1.1. These organisations shall be able to document, with certifications, audits or other relevant documentation, that they have good internal procedures in place for data protection and information security.

2.1 Management services supplied to the Foundation

The Foundation purchases management services from the Trond Mohn Foundation. In conjunction with that, the Trond Mohn Foundation processes personal data on our behalf. We have signed a data processor agreement with the Trond Mohn Foundation. When using sub-processors, we confirm that they will be subject to the same obligations with respect to data protection as stipulated by our data processor agreement with the Trond Mohn Foundation.

In conjunction with its work for us, the Trond Mohn Foundation uses the data processors (sub-processors) listed below.

2.1.1 Sub-processors involved in running the Foundation’s website – analysis – security
Note that the Foundation does not use its website to collect personal data from applicants or employees. The Foundation’s website may contain links to its Facebook and Twitter pages. The use of these services is governed by the data protection declarations of the companies that supply them.

2.1.1.2 Picapoint AS
Picapoint AS supplies the web hosting and security services for the Foundation’s website. Picapoint AS only processes and stores the data that the Foundation publishes on its website.

2.1.1.3 Google Analytics
The Foundation uses the analysis tool Google Analytics on its website. When someone visits the Foundation’s website, their IP address is recorded. (An IP address is defined as an item of personal data because it can be traced back to a specific device and thus to an individual.)

Google Analytics is designed in such a way that the IP address is only processed anonymously. The information processed is therefore not personally identifiable and cannot be traced back to individuals.

The Foundation uses Google Analytics to obtain statistical data that it can use to develop and improve the information on its website.
https://www.google.com/analytics/terms/no.html

2.1.2 Other sub-processors

2.1.2.1 ECIT Solutions DI AS
ECIT supplies cloud computing services for running the management service provider’s office suite and for data storage. The Foundation uses these services to process and archive personal data electronically. Trond Mohn Foundation has a data processor agreement with ECIT Solutions DI AS.

2.1.2.2 Admincontrol AS
Admincontrol AS is the Foundation’s supplier of secure document exchange software, which is used to distribute documents to the board, the external accountant and the auditor. The Foundation has a data processor agreement with Admincontrol AS.

2.1.2.3 Fett Økonomi AS

Fett Økonomi AS is a firm of external accountants that supplies accounting services to the Foundation and hence processes the personal data of anyone who receives fees or any other form of remuneration from the Foundation. Fett Økonomi AS processes personal data on behalf of the Foundation in accordance with the applicable legislation and industry standards. The Foundation has a data processor agreement with Fett Økonomi AS.

3. Rights

The people whose personal data we process (“data subjects”) have the following rights:

  • The right to access their own personal data
  • The right to rectify their own personal data
  • Pursuant to Article 17 of the General Data Protection Regulation, the right to erase their own personal data
  • Pursuant to Article 18 of the General Data Protection Regulation, the right to restrict the processing of their own personal data
  • Pursuant to Article 20 of the General Data Protection Regulation, the right to data portability
  • Pursuant to Article 21 of the General Data Protection Regulation, the right to object to the processing of their own personal data

The Foundation will respond to any such requests free of charge and within 30 days.

Your personal data are not used for automated individual decision-making. You can read more about your rights at www.datatilsynet.no.

4. Data protection officer

The Foundation considers that there is no requirement for it to have a data protection officer.

5. Contact details and complaints to the Norwegian Data Protection Authority

The Foundation’s provider of management services shall respond to questions from people whose data are being processed or may be processed by the Foundation. Contact: post@stiftkgj.no

You may at any time complain to the Norwegian Data Protection Authority if you believe that our processing of personal data does not adhere to our description, or that we are breaking data protection legislation in some other way. You can find more information about this at www.datatilsynet.no.

Note that we may make changes to our data protection declaration, in which case the new version will be published on our website. This document was published on 30/06/2023.