Privacy policy

This privacy policy describes how Diku collect and process personal data.

Below you will find a general overview over the various context where we collect such data, how the data is processed by us, and which rights you have in relation to our processing of data connected to your person. The responsibility for our processing of personal data is held by the Director General of Diku. 

The privacy policy is continuously updated to reflect changes in how we collect and process personal data. 

In what contexts do Diku collect personal data?

In general, Diku receive and process personal data in the following contexts:  

  • Use of our webpages and web-based services. 
  • Inquiries received by us and visits to our offices. 
  • Requests for guidance in respect of our different programmes and schemes. 
  • Registration for seminars/webinars, conferences etc. arranged by us.
  • Ordering of various forms of printed information that we prepare and distribute.
  • Participation in surveys and polls that we initiate .
  • Subscription to newsletters and other information services we provide.
  • Assessment of applications/nominations received in connection with our various programmes and schemes.
  • Submittal of various notes, reports and notifications etc., containing information connected to private persons.
  • Submittal of requests for access to public records or administrative appeals in connection with our case handling.
  • Evaluations of programmes and schemes.
  • Production of relevant statistics for the educational sector.
  • Submittal of job applications.
  • Administration of employees, personal assignments and the like.
  • Keeping and ensuring access to public records 

What is registered when you use our webpages?

Web-analysis and ‘information cookies’

When you visit diku.no, studyinnorway.no, utdanningiverden.no and erasmuspluss.no we use Google Analytics and Siteimprove to analyze the use of the sites. Google Analytics  and Siteimprove employ information cookies (small text files saved on the users’ device) registering the user’s IP address and providing information regarding the user’s navigation on our sites. Examples of what the statistics include is the number of users per site, how long the visits last, which webpage the used navigated from and which browser services are used. 

Read more about how to administer information cookies. 

The information is not tied to specific persons and are deleted at regular intervals. The information is used to cater for improved functionality on our webpages, and to increase the quality of the information provided via them. 

Google Analytics

The information collected via Google Analytics, is stored on Google’s servers in the USA and is subject to Google’s privacy policy. Information such as IP-address, timestamps, web address, HTTP status, the number of bytes sent, HTTP referer and HTTP user agent is also logged on our servers. We also store information about keywords users apply in the search fields available on our webpages. Also this information is deleted at regular intervals.

The legal basis for such processing is the General Data Protection Regulation (GDPR) article 6, para. 1 f), which allow processing based on legitimate interests when this does not contradict central privacy interests. The legitimate interest is to ensure proper maintenance and development of our web services. 

Siteimprove    

Siteimprove is a tool we use to make all our webpages better for the end-user. Siteimprove helps us detect misspellings, issues with accessibility and broken links, and we can also see how the users navigate through our web pages. All ip-addresses are anonymized.

What is registered when you contact us? 

Telephone

When you telephone us, your phone number and information about when you called and how long the call lasted, will be stored on the phone of the person you called. Such logs are necessary in order to ensure proper handling of cases/request and to answer your inquiries. If a telephone conversation is related to a specific case, we may also prepare a short note to be archived on the case, in line with the applicable rules for archiving of public documents.  
The legal basis for such processing is the General Data Protection Regulation article 6, para. 1 f), which allow processing based on legitimate interests when this does not contradict central privacy interests. The legitimate interest is to ensure an effective and proper public administration.  

E-mail

We use TLS encryption to secure our e-mail correspondence and the information we receive via e-mail. Most webmail services support such encryption, which then will serve to secure your e-mail correspondence with us. We nevertheless ask that you avoid sending information that you regard sensitive via e-mail, as we cannot guarantee that your e-mail service support TLS. In addition to such encryption, we also carry out virus and malware scans of all incoming and outgoing e-mails.

The legal basis for such processing is the General Data Protection Regulation article 6, para. 1 f), which allow processing based on legitimate interests when this does not contradict central privacy interests. The legitimate interest is to secure our IT infrastructure, and to ensure an effective and proper public administration.  

Visits to our offices  

By Diku’s entrance door on the street level, there is mounted a doorbell system with camera and microphone which are activated upon ringing the bell. Video captured by the camera is only in real-time, so no images are stored. In our reception, all visitors are registered via our visitor system. The information collected is the visitors’ name, organization and phone number. This information is stored on Diku’s local servers and is used to ensure the safety of our visitors in case of fire or similar. The information is deleted at regular intervals. 

The legal basis for such processing is the General Data Protection Regulation article 6, para. 1 d) and f), which allow processing to secure our visitors’ vital interests, and processing based on legitimate interests when this does not contradict central privacy interests. The legitimate interest is to secure access to our premises.  

How is personal data collected and processed when you are in touch with us?  

Requests for guidance 

When you get in touch to for obtaining our advice, we may process personal data in order to provide such guidance. We store data insofar it is necessary to answer your requests. If you telephone us, we will store your telephone number and the duration of the call, plus any notes which may be taken, cf. above. If you contact us via e-mail, we will store your request, our answers and your e-mail address. If the matter is subject to the applicable rules regarding public access/archiving, the information will be stored for 25 years. 

The legal basis for such processing is the General Data Protection Regulation article 6, para. 1 e), which allow processing necessary for the performance tasks carried out in the public interest/exercise of official authority. Insofar your request contains special categories of personal data, the legal basis for our processing is article 9, para. 2) g).  

Registration for seminars/webinars etc. 

When we arrange seminars, webinars, conferences etc., Diku use various registration systems. Information collected during such registration may include i.a. names, e-mail addresses, job titles, organisations, payment details, health information (food allergies, special needs) and information related to reservation of accommodation. The information is solely used for administering participation in and execution of the relevant seminars etc., and is deleted when the relevant event is completed. Diku has entered into data processing agreements with the various service providers used in connection with such registrations, to ensure that your information remains safe.    

The legal basis for such processing is the General Data Protection Regulation article 6, para. 1 b), which allow processing information necessary prior to entering into a contract. Insofar your request contains special categories of personal data, the legal basis for our processing is article 9, para. 2) g).  

Participation in surveys and polls

When we carry out surveys and polls, we will always inform you of the purpose of the survey/poll, and whether it is anonymous or not. Diku will not share personal data received with any other party, and we will not use the information for any other purpose than that which the participants have been informed of.

If the survey/poll is anonymous, neither Diku or any external service providers will collect any personal data. If the survey is not anonymous, Diku and its service providers may identify the respondents. The legal basis for such processing is the General Data Protection Regulation article 6, para. 1 a), which allow processing of personal data when consent has been given to such processing. 

Subscription to newsletters etc. 

Diku distributes its newsletters via e-mail. For this purpose we need to register an e-mail address for each recipient. The e-mail addresses are stored in separate databases at Diku and are not shared with anyone else and are revised upon recipients terminating subscriptions. We use an external mailing service for administering the distribution of such newsletters. 

For information material distributed via post, Diku use various distributors. In order to execute such distribution, we need to collect names and post addresses for those interested. This information is shared insofar necessary with the distributors used, whom we also have entered data processing agreements with. 

The legal basis for such processing is the General Data Protection Regulation (GDPR) article 6, para. 1 a), which allow processing of personal data when consent has been given to such processing. 

Processing of applications/nominations in relation to our programmes and schemes

Upon receipt of applications to our various programmes and schemes, we receive and process various kinds of personal data. What information is requested will vary depending on the programme or scheme in question. 

Typical personal data received via applications to institutional projects may be name, contact details, job titles/organization for the project management etc. at the involved institutions, as well as information regarding relevant experience etc. (CV) for persons central to the project. The information is exclusively used for assessing applications, administering allocations and ensuring proper control and follow-up of the projects. 

For applications to schemes for study places, exchange, scholarships etc., typical personal data may include name, contact details, account details, CV/transcripts/grade sheets, various declarations regarding motivation etc. For schemes concerning persons under 18 years, we may also request information from the persons’ legal guardians. The information is exclusively used for assessing applications, administering allocations and ensuring proper control and follow-up of the  allocations made.

Information received and processed in connection with assessment of applications to our progammes and schemes, will be stored in our electronic application and reporting systems, and in our archive systems approved under the applicable standards for such systems (NOARK). The information will be stored as long as the cases are pending, and insofar the information is subject to the applicable rules regarding public access/archiving, the information will be stored for 25 years.  

The legal basis for such processing is the General Data Protection Regulation (GDPR) article 6, para. 1 e), which allow processing necessary for the performance tasks carried out in the public interest/exercise of official authority. Insofar your request contains special categories of personal data, the legal basis for our processing is article 9, para. 2) g).  

Submittal of various notes, reports, notifications etc. 

In connection with our control and follow-up of administrative decisions and contracts relating to allocations made under our programmes and schemes, we receive and process various kinds of information relating to persons involved in project management, use of funds and implementation of project activities, etc. In cases where we are notified of potential breach of anti-corruption regulations, we may also receive information regarding suspicion about concrete persons’ breach of legal norms. Such information will form part of our assessments of whether breach has occurred, and if so, how they shall be handled.  

When received, such information will be stored in our electronic application and reporting systems, and in our archive systems approved under the applicable standards for such systems (NOARK). The information will be stored as long as the cases are pending, and insofar the information is subject to the applicable rules regarding public access/archiving, the information will be stored for 25 years.  

The legal basis for such processing is the General Data Protection Regulation (GDPR) article 6, para. 1 e), which allow processing necessary for the performance tasks carried out in the public interest/exercise of official authority. Insofar your request contains special categories of personal data, the legal basis for our processing is article 9, para. 2) g).  

Submittal of request for access to public information and appeals

When Diku receives requests for access to public information and appeals, we process personal data in order to carry out our legal duty to answer such requests. This may inter alia include contact information and such other information which is necessary in order to process the requests. Upon requests for access, we provide such access in line with the Public Administration Act and the Freedom of Information Act. For data requiring particular protection, Diku have in place special routines to safeguard internal and external access. The information will be stored as long as the cases are pending, and insofar the information is subject to the applicable rules regarding public access/archiving, the information will be stored for 25 years.  

The legal basis for such processing is the General Data Protection Regulation (GDPR) article 6, para. 1 e), which allow processing necessary for the performance tasks carried out in the public interest/exercise of official authority. Insofar your request contains special categories of personal data, the legal basis for our processing is article 9, para. 2) g).  

Evaluation of programmes and schemes

From time to time Diku carries out evaluations of the programmes and schemes we administrate, either with internal resources or through use of various external service providers we have entered into a data processing agreement with. During such evaluations we may, depending on the circumstances, initiate surveys, polls, personal interviews and analysis of project documentation and statistics which contain personal data. 

For surveys initiated in connection with evaluations, we consult the Norwegian Centre for Research Data (NSD) in order to safeguard our processes. For personal interviews, we may use external consultants in order to ensure e.g. impartiality. Diku enters into data processing agreements with such external service providers/consultants in order to safeguard a prudent processing of any personal data processed. At Diku, access to such information is also subject to restrictions during their processing into aggregate information of relevance for the evaluation. After our processing is concluded, the information is deleted from our systems.  

The legal basis for such processing is the General Data Protection Regulation (GDPR) article 6, para. 1 e), which allow processing necessary for the performance tasks carried out in the public interest/exercise of official authority. Insofar your request contains special categories of personal data, the legal basis for our processing is article 9, para. 2) a) and g).

Production of statistics 

On basis of various data sources, Diku develop a broad range of statistics of relevance for the various parts of the education sector. During such production, we use information available from previous and current allocation processes, as well as data collected from other relevant entities (e.g. NSD and the Norwegian State Educational Loan Fund). 

The information is aggregated and de-identified prior to publishing and may thus not be used to identify any particular person. For data received from other entities, we enter into data processing agreement which i.a. regulate access, use and confidentiality. 

Submittal of job applications to Diku

For persons who apply for a position at Diku, we process information such as name, work experience/CV, and such information the applicants provide about themselves in the applications. In addition, we use a recruitment agency to provide a personality test of candidates invited to a second job interview. We have entered a data processing agreement with the recruitment agency, ensuring that the information they receive and process in connection with personality tests is subjected to strict routines regarding access and confidentiality. 

All job applications are stored in Diku’s archive and published in our public journal, but only the persons involved in the application process have access to concrete information about the applicants. The applications and other documentation involved in the application process is stored in our electronic archives in line with applicable regulations.

The legal basis for such processing is the General Data Protection Regulation (GDPR) article 6, para. 1 b), which allow processing information necessary prior to entering into a contract. Insofar your request contains special categories of personal data, the legal basis for our processing is article 9, para. 2) b) and h).  

Administration of employees etc. 

In order to administrate payment of salaries/remuneration to employees and others who take on engagements for Diku etc., we process various information. Examples of such data may be personal information, salary level, time registration, tax information, membership in labour organisations and health information in connection with sick leaves or other leaves of absence. For such purposes, Diku keep a record in our archive for all persons who are or have been engaged in our organization. 

For administration of time registrations, payment of salaries etc., Diku employ standard systems used by the Norwegian state. In addition, information may be stored in our archive system. Regardless of where the information is stored, access to such information will be restricted to strict necessity. Routines for deletion of such information are in line with the Norwegian Accounting Act and the Norwegian Archives Act. Information such as name, position and field of work is regarded public information and may be published. 

The legal basis for such processing is the General Data Protection Regulation (GDPR) article 6, para. 1 b), which allow processing information necessary prior to entering into a contract. Insofar your request contains special categories of personal data, the legal basis for our processing is article 9, para. 2) b) and g).  

Maintainance and publishing in Diku’s the public journal

Diku keep a systematic and continuous record of all incoming and outgoing documents. The journal is accessible via the public electronic mail journal (eInnsyn), and is maintained in line with the rules applicable for the public’s access to such documents. 

The legal basis for such processing is the General Data Protection Regulation (GDPR) article 6, para. 1 c), which allow processing personal data insofar this is necessary in order to meet a legal obligation, cf. Section 6 of regulation no. 1119 to the Freedom of Information Act.

Which rights do you have when Diku store and process personal data concerning yourself? 

If Diku store and process personal data concerning yourself, you retain several rights put in place to enable you to control that our processing is legitimate and correct: 

  • You may request access to personal data that we store/process in relation to yourself; 
  • You may request that personal data concerning your person is corrected/supplied if they otherwise would be erroneous or incomplete;
  • You may, in certain circumstances, request that personal data about yourself is deleted;
  • You may, in certain circumstances, request that our processing of your personal data shall be limited;  
  • You may, in certain circumstances, request that our processing of your personal data shall cease. 
  • You may, in certain circumstances, request that personal data we store is transferred to yourself or another data controller; and
  • You may appeal our decisions to process personal data concerning yourself.  

See more information on your rights.

We kindly ask that questions and requests concerning our processing of personal data is directed to our Data Protection Officer. Requests will be answered free of cost and latest within 30 calendar days.