Data Protection Declaration for Stiftelsen Kristian Gerhard Jebsen

 

This data protection declaration describes how Stiftelsen Kristian Gerhard Jebsen (hereafter the Foundation) collects and uses personal data in its operations and sets out your rights if we process any of your personal data in the capacity of data controller.

The Trond Mohn Foundation provides management services to the Foundation and processes personal data on behalf of the Foundation, cf. Section 2.1.

1.   Which personal data are processed by the Foundation?

The Foundation collects and processes the personal data needed to process applications, fulfil contracts and/or comply with Norwegian law. Personal data are only used for the purpose for which they were collected, and the Foundation does not sell any personal data to other parties. Personal data are only shared with third parties (see section on Sub-processors) if the third party in question is involved in the Foundation’s processing of applications and fulfilment of contracts.

The Foundation erases personal data when there are no longer any legitimate grounds for processing them. We will never store personal data any longer than is necessary for the purpose for which they were collected.

The bases for the Foundation’s processing of your personal data are:

  • The Foundation processes personal data when that is necessary to fulfil an agreement to which the data subject is a party, such as if you have sent us an application that we need to process
  • The Foundation processes personal data if it has a legal obligation to do so
  • If the Foundation does not have a basis for processing your personal data, any processing will only take place as a result of your voluntary consent. You may at any time withdraw your consent.

1.1. Processing of personal data in conjunction with applications

Personal data in applications is received by e-mail and is processed by the Foundation. Applications are shared with and processed by peer reviewers, who evaluate the applications both individually and jointly on expert panels.

The Foundation’s scientific advisory committee and board also process applications and the personal data they contain. In conjunction with processing applications, the Foundation creates records of the applicants and peer reviewers that contain personal data. This information is stored together with the applications on the servers of the Foundation’s supplier of data storage services, see Section 2.2. The applications and records may be shared with the Foundation’s auditor during audits of the Foundation’s grant allocation process.

The personal data held by the Foundation vary depending on the role of the person in question. As a general rule, the Foundation stores the person’s name, e-mail address, job title, date of birth, educational background and employment history, as well as their role in the project for which funding has been requested or granted.

1.2. Processing of personal data in conjunction with signing and managing grant agreements

The vast majority of the grants awarded by the Foundation are contributions to projects at public research institutions, which are responsible for any hiring decisions and HR, including processing the personal data of the people working on projects receiving funding from the Foundation.

In order to ensure compliance with contractual obligations, the Foundation keeps records of its agreements. These records contain contact details such as the name, e-mail address and employer of the project manager. The agreements and records are shared with the Foundation’s accountant and auditor.

When signing a grant agreement, the recipient undertakes to send annual update reports to the Foundation. These reports may contain personal data. The reports are processed by the Foundation’s provider of management services and are also made available to the Foundation’s scientific advisory committee and board.

Reports and records are stored with Visolit AS and Admincontrol AS; see sections 2.2.1 and 2.2.2.

1.3 Processing of personal data in conjunction with payroll

Members of the board and scientific advisory committee, peer reviewers and other people who receive fees and reportable fringe benefits from the Foundation are recorded in the payroll management system used by the Foundation’s external accountant. These records are needed to meet contractual and statutory requirements, including reporting to the authorities.

2.   Sub-processors

The suppliers used by the Foundation as sub-processors are listed in Section 2.1.1. These organisations shall be able to document, with certifications, audits or other relevant documentation, that they have good internal procedures in place for data protection and information security.

2.1 Management services supplied to the Foundation

The Foundation purchases management services from the Trond Mohn Foundation. In conjunction with that, the Trond Mohn Foundation processes personal data on our behalf. We have signed a data processor agreement with the Trond Mohn Foundation. When using sub-processors, we confirm that they will be subject to the same obligations with respect to data protection as stipulated by our data processor agreement with the Trond Mohn Foundation.

In conjunction with its work for us, the Trond Mohn Foundation uses the data processors (sub-processors) listed below.

2.1.1 Sub-processors involved in running the Foundation’s website analysis – security
Note that the Foundation does not use its website to collect personal data from applicants or employees. The Foundation’s website may contain links to its Facebook and Twitter pages. The use of these services is governed by the data protection declarations of the companies that supply them.

2.1.1.2 Tanken Bak AS
Tanken Bak AS, Gamle Drammensvei 196, 1365 Blommenholm supplies the hosting and security service WPvakt, which includes website security monitoring and regular backups of, and upgrades to, the Foundation’s WordPress website. Tanken Bak AS only processes the data that the Foundation publishes on its website.
https://tankenbak.no

2.1.1.3 Google Analytics
The Foundation uses the analysis tool Google Analytics on its website. When someone visits the Foundation’s website, their IP address is recorded. (An IP address is defined as an item of personal data because it can be traced back to a specific device and thus to an individual.) However, people who visit the website are informed about, and can opt out of, Google Analytics’ use of cookies to collect analytical data.

Google Analytics is designed in such a way that the IP address is only processed anonymously. The information processed is therefore not personally identifiable and cannot be traced back to individuals.

The Foundation uses Google Analytics to obtain statistical data that it can use to develop and improve the information on its website. The statistical data gives information about the number of people who visit each page, how long their visits last, which websites they have come from, and which browsers and devices (desktop/mobile/tablet) they are using.
https://www.google.com/analytics/terms/no.html


2.1.2 Other sub-processors

2.1.2.1 Visolit AS
Visolit AS, Drengsrudbekken 12, 1371 Asker supplies cloud computing services for running the management service provider’s office suite and for data storage. The Foundation uses these services to process and archive personal data electronically. Visolit AS is audited and certified each year by DNV GL in accordance with the standards ISO 9001 Quality management, ISO 27001 Information security management and ISO 14001 Environmental management.
https://www.telecomputing.no

2.1.2.2 Admincontrol AS
Admincontrol AS, Lille Grensen 7, 0159 Oslo is the Foundation’s supplier of secure document exchange software, which is used to distribute documents to the board, committees, peer reviewers, the external accountant and the auditor. The Foundation has a data processor agreement with Admincontrol AS. The agreement stipulates that Admincontrol AS may under no circumstances pass on to third parties any information or data that it obtains through the Foundation’s use of the service. The service is administered on servers in a secure environment and only by authorised personnel who are bound by the above agreement. Admincontrol is certified to the standard ISO 27001:2013 (information security).
https://admincontrol.com/nb/

2.1.2.3 Fett Økonomi AS
Fett Økonomi AS, Litleåsveien 41, 5132 Nyborg is a firm of external accountants that supplies accounting services to the Foundation and hence processes the personal data of anyone who receives fees or any other form of remuneration from the Foundation. Fett Økonomi AS processes personal data on behalf of the Foundation in accordance with the applicable legislation and industry standards. The Foundation has a data processor agreement with Fett Økonomi AS.
http://www.fettokonomi.no/


3.  
Rights

The people whose personal data we process (“data subjects”) have the following rights:

  • The right to access their own personal data
  • The right to rectify their own personal data
  • Pursuant to Article 17 of the General Data Protection Regulation, the right to erase their own personal data
  • Pursuant to Article 18 of the General Data Protection Regulation, the right to restrict the processing of their own personal data
  • Pursuant to Article 20 of the General Data Protection Regulation, the right to data portability
  • Pursuant to Article 21 of the General Data Protection Regulation, the right to object to the processing of their own personal data

The Foundation will respond to any such requests free of charge and within 30 days.

Your personal data are not used for automated individual decision-making.

You can read more about your rights at www.datatilsynet.no.

4.   Data protection officer

The Foundation considers that there is no requirement for it to have a data protection officer.

5.   Contact details and complaints to the Norwegian Data Protection Authority

The Foundation’s provider of management services shall respond to questions from people whose data are being processed or may be processed by the Foundation. Contact:

You may at any time complain to the Norwegian Data Protection Authority if you believe that our processing of personal data does not adhere to our description, or that we are breaking data protection legislation in some other way. You can find more information about this at www.datatilsynet.no.

oo0oo

Note that we may make changes to our data protection declaration, in which case the new version will be published on our website. This documented was published on 18/10/2019.