The Arctic Student Welfare Organisation, hereinafter referred to as Samskipnaden, is always committed to complying with Norwegian legislation and regulations when it comes to our processing of your personal data.
Controller of personal data
The Arctic Student Welfare Organisation
Universitetsvegen 29, Teorifagsbygget hus 2
Phone: +47 776 49 000
Samskipnaden collects, processes and stores personal data about our customers so we can offer all our customers the best possible services and make it easy for our customers to manage their overall customer relationship with Samskipnaden. When a customer relationship ends, all personal data that we no longer need is erased. This privacy statement deals with how the personal data that Samskipnaden collects is processed and stored.
We mostly process information that you have provided us for one of the following reasons:
We also receive information indirectly for the following reasons:
We have asked an organisation for a statement and information about you is included in this statement.
We disclose your personal data:
You can exercise your rights by sending an e-mail to firstname.lastname@example.org, or by contacting us in another way. You have the right to a response without undue delay and no later than one month after receiving the request.
Access to personal data about you:
You can request access to personal data we process about you.
Read more about the right of access
Rectification of personal data:
You can ask us to rectify or complete personal data about you that is inaccurate or incomplete.
Read more about the right to have inaccurate or incomplete data rectified or completed
Erasure of personal data:
In certain circumstances, you can ask us to erase information about you.
Read more about the right or erasure
Restriction of processing of personal data:
In certain circumstances, you can also ask us to restrict the processing of your personal data.
Read more about the right to restriction of processing
Object to processing of personal data:
If we are processing your personal data on the basis of performing our tasks or of a weighing of interests, you have the right to object to our processing of information about you.
Read more about the right to object
If we are processing your personal data on the basis of your consent or a contract, you can ask us to transmit the personal data about you to you or to another controller.
Read more about the right to data portability
You can complain about our processing of your personal data:
We hope you will tell us if you believe we do not comply with the provisions of the Personal Data Act. You can do so directly to us via email@example.com or you can complain directly to the Norwegian Data Protection Authority.
Samskipnaden has general security logs in the various task-specific systems we use, which the superuser/manager has delegated responsibility for. The logging concerns the employees’ use of the respective systems.
The lawfulness of processing for this is Article 6 (1) (f) of GDPR, which allows us to process data that is necessary for the purposes of a legitimate interest that overrides the individual’s privacy considerations. The legitimate interest is to secure Samskipnaden’s personal data against unauthorized access or access without a service-related requirement.
Samskipnaden’s use of data processors:
UiT The Arctic University of Norway contributes in the operation of a high proportion of our systems, such as several servers, file server, e-mail, Skype, active directory, laundry server, the technical system for housing, security company, intranet, access rights to UiT’s buildings and some of the key systems at the student housing.
Operation of the task-specific systems is left to the system providers during the transition to cloud solutions. All our providers are obliged to work in accordance with the General Data Protection Regulation (GDPR) and have subcontractors in compliance with the legislation.
Owing to UiT’s operation of Samskipnaden’s IT requirements, in some cases, named employees at UiT have access to personal data in some of our systems. In other cases, we must provide access to them or providers via split screen, remote access or in person when the need for assistance arises.
Personal data breaches:
Samskipnaden has established procedures for notifying the Norwegian Data Protection Authority in the event of personal data breaches.
This complies with the regulation concerning providing notification without undue delay and not later than 72 hours of becoming aware of it, in accordance with Article 33 of GDPR.
Administration and record management
Samskipnaden uses Business360 case, document and record management system for storing documents. The system is a cloud service provided by Tieto.
Various types of personal data are registered in the case, document and record management system. This information includes name, address, telephone number, e-mail address (basic data) and other relevant information and documentation depending on the inquiry. Registering, retaining and storing of data occurs in accordance with archive legislation, GDPR and the new Personal Data Act.
The lawfulness of processing for this is Article 6 (1) (f) of GDPR, which allows us to process data that is necessary for the purposes of a legitimate interest that overrides the individual’s privacy considerations. This is the documenting of the rights of individual people, as well as documents of significance for the organisation.
Information capsules (better known as cookies) are small text files stored on your computer when you download a website.
Storing of data and processing of these data is not permitted unless the user has been informed about such processing and has given his or her consent to this. The user shall be informed about and approve which data shall be processed, the purpose of the processing and who is processing the data, cf. Section 2-7b of the Electronic Communications Act.
Feed AS is Samskipnaden’s data processor, provider and developer for samskipnaden.no. When creating an account on “My page”, the user gives Samskipnaden the right to store his or her information on Samskipnaden’s database. Examples of the information the user shares with Samskipnaden include: their favourites stored on samskipnaden.no, name, e-mail address and phone number. If consent is given on “My page”, Samskipnaden collects information about purchases and use of Food & Beverages’ loyalty programme, and/or purchases, activity and history of use of Kraft sports centre. Information from Kraft sports centre is collected from the account created by the user on kraftsportssenter.no and services provided by Exceline and iBooking. In addition, Samskipnaden will store information about the user’s student status and campus if the user has logged in to Feide.
Retail Solution AS is Samskipnaden’s provider and data processor of user data in the cash register system RSPOS. Users are registered in Retail Solutions’ database when they register for Samskipnaden’s loyalty programme. Registration requires an approved declaration of consent on the user’s “My page”. By using the loyalty programme, information about purchases, use of QR code (membership card) and the time and place of the purchase is stored in the databases of both Samskipnaden and Retail Solutions. The name and personal data of the user are not stored in Retail Solutions’ user database. User identification between the services occurs via web tokens from Samskipnaden’s database to the Retail Solutions’ system.
iBooking AS is Samskipnaden's priovider of user data from Kraft Sportssenter to "My page". By giving consent to "My training", you give permission to collect your membership information from Kraft Sportssenter and iBooking. We use collected data to present your membership info on MyPage, provide customized offers and improved our services. The user consents to giving Samskipnaden the ability to retrieve your account information from Kraft and iBooking, store and present visits, payments and membership information. And analyze training data from Kraft and iBooking for the development of better services and adapted offers on Samskipnaden.no.
By consenting to receiving offers and news from Samskipnaden by email, the user email will be listed and label as receiver of marketing-emails from Samskipnaden. Other users will not be labeled or listed as recipients of marketing emails from Samskipnaden and will not receive this marketing.
Twilio is used to send two-factor verification codes via SMS to confirm a user’s mobile number. This is to secure a user’s access to their data on “My page” on samskipnaden.no. Twilio gets access to users’ phone numbers for the purpose of sending a verification code. Read about Twilio’s compliance with data protection requirements: https://www.twilio.com/gdpr.
By registering an account on “My page”, the user gives their consent to Samskipnaden using the user’s activity, data and details to offer a user profile on samskipnaden.no and to collect and compile data for the further development of the services.
The user’s account on “My page” and Samskipnaden’s loyalty programme will be anonymised when the user no longer has an active Feide account or has deleted the account on “My page”. For users of Kraft sports centre, student housing and the other services, separate guidelines apply for storing data and deleting accounts.
Samskipnaden does not sell user and personal data to third party companies and organisations.
Searches on our website www.samskipnaden.no:
Samskipnaden stores data about search terms used by the users. The purpose of the storage is to improve our information provision. The usage pattern for searches is stored in aggregate form in a separate database. The search terms stored cannot be linked to other data about the users, such as the IP addresses. The search terms will be stored to generate statistics about search terms. Samskipnaden stores data about the search terms the users use on our websites.
The lawfulness of processing for this is Article 6 (1) (f) of GDPR, which allows us to process data that is necessary for the purposes of a legitimate interest that overrides the individual’s privacy considerations. The legitimate interest is to ensure services on the website work.
Registering for groups and courses arranged by Samskipnaden:
On samskipnaden.no you can register for groups and courses under the auspices of Samskipnaden. Such registrations occur in a system for course registration supplied Affy AS. Read more about course registrations at the end of this document.
Ordering of catering
Users can order catering on samskipnaden.no by filling out a form in Microsoft Forms developed by Samskipnaden. The form in Microsoft Forms was developed in Samskipnaden’s internal Office 365. When a form is registered in our systems, an e-mail is sent to the head chef, head of catering and executive officer at Food & Beverage to process the order and handle invoicing. The order is stored in the e-mail account firstname.lastname@example.org, and deleted from Microsoft Forms one year after the order date. Samskipnaden stores orders to analyse major ordering trends and customer requirements.
Levelup 2.0 is Samskipnaden’s data processor for kraftsportssenter.no and is our provider and developer of the website. Level Up 2.0 is also the operations service provider for kraftsportssenter.no.
Ibooking AS is our provider and developer of the service for booking of group sessions and registration of membership on the website. Exceline is our operations service provider for purchase and management of memberships at our gyms.
View AS is Samskipnaden’s data processor for studentbolig.samskipnaden.no and the provider and developer of the website. This is an application where students can register their student housing application. The personal data is registered by the applicant and will later form part of an agreement to which the applicant is a party.
Tenants of our student housing:
By signing a tenancy agreement, the tenant gives Samskipnaden the right to process and store personal data.
Telephone / Skype:
Skype calls (phone number from and to, as well as the time of the conversation) are logged in Skype for Business. The telephone number, time/date and duration of the call are stored in our telephone network. This log is necessary to manage and operate the system and provide a basis for statistics at aggregate level. The info in the call detail record (CDR) is deleted after one month. The complete log is deleted after three months. There is no other systematic registering of telephone calls that can lead to the identification of the caller.
The lawfulness of processing for this is Article 6 (1) (f) of GDPR, which allows us to process data that is necessary for the purposes of a legitimate interest that overrides the individual’s privacy considerations. The legitimate interest is to manage and operate the telephony system.
E-mail and written messages in Skype for business:
Samskipnaden utilises Microsoft Outlook E-mail; Microsoft Teams and Skype for Business as everyday digital tools. Relevant information that appears in telephone calls, e-mail exchanges and call logs, and which is part of administrative procedures, can be stored in the case, document and record management system (see the section about Administration and record management).
All employees have a responsibility to delete e-mail that is no longer relevant, including to review and delete unnecessary content in their Inbox at least once a year. E-mail accounts are deleted on terminal of employment and employees normally transfer relevant e-mail to colleagues before leaving.
Sensitive personal data must not be sent by e-mail. Please be aware that regular e-mail is unencrypted. Consequently, we encourage you not to send confidential, sensitive or other personal information via e-mail.
Purpose: Samskipnaden’s employees utilise Microsoft Teams, Skype and e-mail in general dialogue with internal and external contacts. The purpose is to have an efficient tool for communication between us and our customers.
The lawfulness of processing for this is Article 6 (1) (f) of GDPR, which allows us to process data that is necessary for the purposes of a legitimate interest that overrides the individual’s privacy considerations. The legitimate interest is general dialogue with internal and external contacts.
The purpose of video surveillance is to protect employees and prevent vandalism, theft, robbery and other criminal acts, as well as to have extended security control of entrances.
The lawfulness of processing for this is Article 6 (1) (f) of GDPR, which allows us to process data that is necessary for the purposes of a legitimate interest that overrides the individual’s privacy considerations. The legitimate interest is to protect employees and prevent vandalism, theft, robbery, undesirable people entering the building and other criminal acts.
Cameras at MIX Campus:
The design of the MIX kiosks present challenges when it comes to maintaining a constant overview of the entire premises. Consequently, we use several surveillance cameras at our premises. One of them is operated by UiT The Arctic University of Norway, while the other four are operated internally. The internal cameras only show real time images with sound and do not have recording capability.
The monitor for the internal cameras is mounted in kiosk manager’s office and shows the kiosk’s premises from different angles.
The last camera records images, but not sound. Recordings are deleted automatically after seven days. Two employees at the Department of Property Management at UiT have access to these recordings. The recordings are not disclosed to parties other than the Police/prosecuting authority and only when they hold a valid warrant issued by the prosecuting authority or courts.
Nokas is not responsible for the surveillance cameras at UiT. However, they have access to the real time images in connection with their service provision. They can also see recordings from the period before an incident or discrepancy so they can, for instance, get an image of any perpetrator(s). Nokas cannot copy/store recordings. Furthermore, they have been advised that caution must be exercised when using the ITV system.
Cameras at Kraft sports centre and Elverhøy student gym Tromsø:
During certain periods, the student gym at Elverhøy is unmanned.
Kraft sports centre and Elverhøy student gym have cameras without microphones/sound in access-controlled areas, as well as at some exterior doors/entrances. The images show who enters and exists the various places. These images are shown in real time and have recording capability.
Employees working at the reception at Kraft sports centre have access to see surveillance images of the doors at Elverhøy student gym since that centre is completely unmanned. Kraft sports centre has limited access to a monitor in the office of the Head of Section and Sports Adviser. The recording devices are situated in a secure location with a separate key and access control. The Head of Section has access to the recordings. The recordings are deleted/overwritten automatically after seven days. The recordings are not disclosed to parties other than the Police/prosecuting authority with a valid warrant issued by the prosecuting authority or courts.
Video surveillance – Gym and ‘private’ areas:
Student sports only has video surveillance in access-controlled areas. Areas such as cloakrooms, gym rooms and other places where one could expect privacy and discretion are not covered by video surveillance.
Video surveillance of Kraft sports centre Narvik:
The centre has a surveillance camera without microphones/sound at the entrance and five cameras in the gym rooms.
Employees working at the centre’s reception have access to see images from all the cameras. The recordings are done at reception. Three employees have currently undergone training and have access to see the recordings.
Samskipnaden processes information about employees to attend to all aspects of an employment relationship. As a minimum, basic data (the employee’s name, personal identity number, address, telephone number and e-mail address) are registered. In addition, necessary information about payment of salary, salary level, time registration, tax details, trade union affiliation, next-of-kin, follow-up of absence, insurance and pension matters are also registered. The information is obtained from the organisation, public authorities and the employee himself/herself.
The lawfulness of processing for this is Article 6 (1) (b) of GDPR. The processing is necessary for the performance of a contract to which the data subject is party and to attend to an employment relationship.
Necessary and statutory personal data is disclosed to public bodies and partners in relation to the Norwegian Labour and Welfare Administration (NAV), Police, tax, tax assessment, enforcement office, bank, insurance, trade union, pension and the like to attend to employees’ interests and/or comply with statutory tasks.
Procedures related to deletion of personnel data comply with the provisions of the Accounting Act and the new Personal Data Act. Information about name, position and line of work are considered public information and can be published on our website.
All former and current employees have a personnel file in our records management system. When the employment relationship ends, all information that is no longer relevant is cleared from the files. Access to the files is limited to service-related requirements.
Samskipnaden utilises Webcruiter.no as a recruitment system.
The lawfulness of processing for this is Article 6 (1) (b) of GDPR. The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. If an application contains special categories of personal data, the lawfulness of processing is Article 9 (2) (b) and (h).
Only data about the person appointed to the job is transferred to the internal systems for employees. The other applicants are deleted automatically after six months.
Users of Samskipnaden’s loyalty programme:
Retail Solution AS is Samskipnaden’s data processor for user accounts in RSPOS Backoffice, while Feed AS is Samskipnaden’s data processor on samskipnaden.no.
Registration of a user account in Samskipnaden’s loyalty programme occurs via “My page” on Samskipnaden.no and given consent to “My perks”.
Samskipnaden processes personal data that are necessary for registered users, or to implement measures at the request of the registered user in relation to an agreement on the use of Samskipnaden’s loyalty programme. Samskipnaden does not share personal data with Retail Solution. Identification occurs via an identification code that can identify the users in Samskipnaden’s database.
Users of Samskipnaden’s kindergartens:
Admission occurs through the municipalities’ kindergarten systems and follows the municipality’s guidelines.
Samskipnaden processes personal data in accordance with Article 6 (1) (b) of GDPR – the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract concerning a kindergarten place.
Personal data is also processed in accordance with other legislation and statutory requirements from public bodies.
Users of Samskipnaden’s health services:
Services that are covered by health legislation (Health Records Act) are processed in accordance with this legislation and kept separate from Samskipnaden’s other data.
Use of counselling services and courses requires that when a user makes an appointment/registers for a course, he/she must consent to Samskipnaden collecting their personal data.
Users of Health & Counselling and Student Life’s course booking service:
AFFY is Samskipnaden’s data processor and provider for Health & Counselling, and Student Life’s course booking system. This is a web-based service where students can register for courses run by Samskipnaden. By attending courses, personal data provided at the time of registration will be stored for up to 90 days after the end of the course, after which personal data will be anonymized for historical reporting. When registering for Samskipnaden’s course, the user must consent to Samskipnaden collecting necessary personal data.