Below is information about how Nofima handles personal data, your rights as a data subject, and whom you can contact.
Data controller and data protection officer at Nofima
The data controller is the party who determines the purpose of the processing of personal data and the means to be used for such processing. CEO Bente Torstensen holds the overall responsibility for the processing of personal data at Nofima.
Data protection officer
If you wish to exercise your rights, have questions or need advice concerning the processing of personal data at Nofima, please contact the data protection officer.
The data protection officer at Nofima is Mia Bencze Rørå.
Why does Nofima process personal data?
Nofima is a research institute which processes personal data in order to fulfil the institute’s responsibilities and obligations. We process personal data about research objects in some of our research projects.
We process personal data concerning employees and job candidates in order to administer appointments and to fulfil our obligations as an employer.
We also process personal data concerning customers, suppliers and other contractual parties to the extent necessary for the administration of a contractual relationship, fulfilment of an agreement or evaluation of quotations.
We process personal data for the fulfilment of an agreement and to safeguard the rights of students, guest researchers and course and event participants.
For security reasons, Nofima has electronic access control and video surveillance of all premises.
What is Nofima’s basis for processing personal data?
Processing takes place under Article 6 or 9 of the General Data Protection Regulation (GDPR): processing is necessary for the fulfilment of an agreement or other legal obligation, or for the performance of a task carried out in the public interest.
In several cases, the data processing is also sanctioned by national statutory provisions, such as the Norwegian Working Environment Act or the Norwegian Accounting Act. In individual cases, your consent may be required for the data processing.
Which personal data is processed by Nofima?
In general, Nofima only processes ordinary personal data, such as name, contact details, applications, certificates, CV, examination grades, photos, appointments, etc.
If you are a research project participant
All projects for which personal data is used in research must prepare a data management plan describing how the personal data is handled. Nofima uses the Sikt – Norwegian Agency for Shared Services in Education and Research as privacy adviser. All projects in which personal data is processed are notified to Sikt or to Nofima’s data protection officer, for assessment according to current statutory requirements and ethical research principles. We obtain the written consent of the parties who provide their personal data under our projects, on the basis that they participate voluntarily and after being informed of their statutory rights. The security of our information systems, and our obligation to make personal data anonymous or to erase the personal data after the project is completed, are described in the data handling plan and followed up by the data protection officer and Sikt.
If you attend our events
If you attend our events, the necessary information is registered for communication and possible invoicing of the attendance fee. If, on registration, you have consented to the retention of your data in order to inform you of future events, the data will be stored in Nofima’s contact database. Personal data that is not registered in the contact database will be erased after the event has been completed and reported.
If you are a job candidate
How does Nofima protect your personal data?
It is important for Nofima to have good procedures and guidelines for the processing of personal data, and that the responsibility for the processing of personal data is well-organised. Nofima conducts regular risk assessments of our work processes and the data systems we use.
We have several security measures to protect your personal data, including access controls on our computer systems, to ensure that our employees only have access to the personal data they need to perform the necessary processing.
Is personal data disclosed to other parties?
We do not disclose personal data to third parties unless there is a legal basis for such disclosure. Typical examples might be that you have consented to this because such disclosure is necessary to fulfil an agreement, or to take part in a research project with several partners, or that we are required to disclose the information on legal grounds.
We may disclose or export data containing personal details to other systems, i.e. an external data processor, in cases where this is deemed necessary. In such cases, we have a data processing agreement with the external data processor, in order to protect the personal data.
In most cases, personal data is not issued to countries outside the EU/EEA.
For how long is the personal data stored?
In principle, personal data may not be stored for longer than necessary. It is the data controller’s responsibility to assess for how long it is necessary to have the information available. In some cases, we have a duty to store the data for a certain period of time, for example in accordance with the Norwegian Accounting Act.
What are your rights and options?
As a data subject, you are entitled to information about how Nofima processes your personal data. You have the right of access, the right to withdraw your consent, the right to rectification of incorrect information, the right to restrict processing, the right of erasure and the right to object to and lodge a complaint about processing. You can find more information about your rights on the Norwegian Data Protection Authority’s website.
If you wish to exercise your rights, have questions or need advice concerning the processing of personal data at Nofima, please contact the data protection officer: email@example.com. We will process your inquiry without undue delay and within 30 days.
If we do not uphold your complaint, you can submit the complaint to the Norwegian Data Protection Authority. The Data Protection Authority is responsible for controlling that Norwegian companies comply with the provisions of the Norwegian Personal Data Act and the GDPR in their processing of personal data.
What happens if information security is breached?
If Nofima discovers or is notified of a security breach, it will be handled by the IT Manager in accordance with applicable regulations and procedures.
If the security breach is assessed to entail a risk of infringing personal data protection, the Data Protection Authority will be notified without undue delay, and within 72 hours.
The data subjects likely to be affected by a security breach will be notified as soon as possible. The data subjects will be notified individually. If it is not possible to notify the data subjects individually, the breach will be announced as a news story on Nofima’s website.
You may also read about privacy and cookies.