ONUC´s Privacy Policy

This privacy statement covers Oslo New University College (ONH) and their wholly or partially owned subsidiaries (hereinafter collectively referred to as "ONH" or "we"/"us"/"our"). In connection with our operations, we process personal data about stakeholders, applicants or students, and others we are in contact with. We are committed to handling personal data in a secure, reassuring, and confidence-inspiring manner.

 

Our processing as a controller of personal data is based on the activities we conduct as a university college. Information about the personal data we process about you, the legal basis for processing, the purpose of processing, how long we process personal data, etc., is also described below.

If you have questions or want to know more about our processing of personal data, you can contact us.

1. Responsible for processing personal data

Oslo New University College is the controller, i.e., determines why and how personal data should be processed, for processing as described below.

Contact information for the controller:

Oslo New University College Lovisenberggata 13,
0456 Oslo, Norway
Tel.: +47 23 23 38 20
Email: hei@oslonh.no

2. Processing of personal data

We collect and use personal data for various purposes depending on who you are and how we come into contact with you.

All processing of personal data is carried out in accordance with the applicable data protection rules, including the Personal Data Act and the General Data Protection Regulation (GDPR).

By "personal data," we mean all information that can be linked to a physical person (the latter referred to as "registered").

By "processing," we mean everything done with personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, deletion, or destruction.

2.1 Processing of personal data about students

ONH collects and processes information about you as a potential or current student.

The information we collect about you as a student should only be relevant and necessary and should only be used for what it was collected for and secured in a safe manner. They are not used for purposes other than what is natural when you are interested in or have applied for one of our study programs or are a student or former student with us.

Our processing of personal data is based on a contract, legal basis in the law, legitimate interest, or consent. Below we describe what information we collect, why we do this, and on what basis. We tell you who we share the information with, why, and how long we keep your information. Finally, we tell you about your rights regarding access, correction, and deletion.

When you apply for studies with us When you apply for studies with us, we will process your application based on the information and documentation you have entered, such as first name, last name, address, email, phone number, social security number, and study wishes.

ONH verifies information from relevant external sources, such as the National Diploma Database (NVB). You also send us proof of previous education, often in the form of a high school diploma. In some cases, you must also send us proof of other education, proof of name change, high school transcripts, job certificates, birth certificates of your children, a CV, or a motivation letter. This is done so we can see if you qualify for admission with us, which is regulated by the University and College Act and, in some cases, our foreign partners.

If you apply for admission to studies abroad, we share the information with ONH Education, which is the organization within us that works with this, and the foreign educational institutions you have applied to.

Processing of personal data is carried out to handle your application, and we then process personal data based on an agreement with you by wishing to enter into an agreement about a study place (GDPR Article 6 (1) letter b).

If you do not become a student with us, we will delete your personal data after 1.5 years in case you contact us again later. The Accounting Act also requires that we keep information for five years if you pay a deposit or an application fee. There may also be other legislation that requires us to transfer or retain information, such as the Archives Act.

When you are a student with us When you are a student with us, we are legally required to keep all personal data and documents that you have provided as an applicant. This is information that we must have, and therefore it cannot be deleted. We, of course, also keep your assignments, essays, exams and results, and all other information related to you as a result of you being a student. In this way, we can handle the student relationship and, for example, send you a transcript of grades a long time after you have finished as a student with us.

Processing of personal data is carried out to handle the student relationship, and we then process personal data based on an agreement with you by having entered into a study agreement (GDPR Article 6 (1) letter b).

All our students will use our e-learning platform, Qybele. We perform access control and electronic user measurement of Qybele, and register, for example, data (including IP address) that is significant for ensuring follow-up of you, documentation of your activity and study progression, quality assurance of studies and our exams, and documentation of your achievements. The data can also be used for pedagogical research approved by public authorities, but in such cases, data will not be able to be identified at the individual level.

On some occasions, we need more personal data collected via the e-learning platform Qybele. We only ask for the information we believe is necessary for our case processing of applications for adaptation and in cases of illness. Regarding study trips, we ask for information about illness, relatives, insurance company, citizenship, and passport number. This is done to ensure a safe and secure study trip. This information is kept while you are on a study trip and deleted at the end of each academic year.

Oslo New University College is required to provide student information to organizations such as:

  • Statistics Norway
  • BIBSYS
  • The Norwegian State Educational Loan Fund
  • NOKUT
  • The Student Welfare Organization in Oslo

Disclosure will take place following a legal obligation or as a result of us being contractually obliged to disclose the information. In the latter case, personal data is disclosed based on our legitimate interest.

When you are an alumni with us (a former student who has completed a degree) When you are a former student, you become part of our alumni network. As an alumnus, we process first name, last name, email, phone number, and study and job history (the study you have taken, when you started, when you finished, what job you have), and possibly other study interests.

We carry out processing so that ONH's alumni section can send you relevant information about, among other things, our alumni work, about the college's development, and about relevant professional, professional, or social events or news. Your information gives us the opportunity to continue your relationship with ONH and we can, among other things, send you information.

We keep your information as long as you are part of the alumni network. You can unsubscribe from receiving information at any time, or if we are notified of death or other reasons why you cannot continue with alumni.

We process the information based on the fact that we have a legitimate interest in keeping in touch with our former students and organizing alumni events for them (GDPR Article 6 (1) letter f). We have assessed that the privacy of the individual former student does not conflict with this interest.

2.2 Communication and contact

We process personal data about those who contact us to answer and document communication and to address others. This applies to all forms of communication, physical and digital, written and oral.

In such cases, we process names, phone numbers, email addresses, and any personal data that may result from the inquiry, including history/logs of the inquiry.

Processing of information is based on the fact that we have a necessary legitimate interest in processing personal data related to the above (see GDPR Article 6 (1) f). We have therefore assessed that our legitimate interest in having contact with the outside world is part of our business and in documenting the business we run, as well as answering those who contact us and registering such contact. We have assessed that this is necessary for us to handle the inquiries we receive, and that the privacy of the registered does not take precedence over these interests.

It is voluntary to provide us with personal data, but it will be necessary to provide us with the information for us to be able to respond to inquiries.

We process the information until we believe that there will be no further follow-up of the contact, usually for [one] year.

2.3 Email

We use email as a communication solution that contains personal data. Processing is based on the fact that we have a necessary legitimate interest in processing personal data through email (see GDPR Article 6 (1) f) to have a work tool and communication solution, and that the privacy of the registered does not take precedence over these interests. What is processed of personal data in emails depends on the purpose of the email and what is included in it. Emails are deleted when they are no longer necessary, and we have measures to ensure regular deletion of email. Our security solutions also have access to email, but then only in machine processing.

2.4 Newsletters

If you request information or subscribe to newsletters, or are a student or alumnus, we will send out information about us and studies. We will then process your name, email address, telephone number, and any study/interests.

The newsletters contain information about the studies you are interested in and what life is like as a student at the college.

The processing of personal data in connection with the sending of newsletters is based on consent or agreement with you. The processing will continue until you have either received the requested information, withdrawn your consent, are no longer a student, and after 2 years if you have not become an applicant or student with us. Thereafter, your personal data will be deleted.

You can withdraw your consent at any time by using any cancellation options in the shipments you receive, or to opt-out of direct marketing and/or profiling under GDPR 21 (2), by contacting us. Note that you may miss out on relevant study information and important information about the application process, so in some cases, we may also send you information without your consent. The dispatch then occurs after our legitimate interest, as we see it as important to inform our students.

2.5 Partners and Contacts, etc.

We process personal data about contacts at our partners and other contacts to manage our relationship with them and to prepare, implement, and document services as well as evaluate the use of services. In these cases, we will process names, contact information, company names, and information related to the contact's company.

The processing of personal data is based on our necessary legitimate interest (GDPR Article 6 (1) f) to manage the relationship with our customers, partners, and suppliers, and that our interest outweighs the individual's privacy.

We store and disclose information also where we have a legal obligation to do so, for example, under accounting and tax legislation.

We may store information for as long as we think it might be used, for example, to document services.

In many cases, it will be necessary for us to obtain personal data in order to enter into agreements with partners and contacts, including documenting that an agreement has been entered into. If we do not receive the information we need, we will not be able to enter into agreements.

It is voluntary for contact persons whether they want to provide us with personal data. If we collect personal data from others, it will mainly involve contact information (including name, address, telephone number, and email address), position, function, and employer, and possibly competence and references where relevant. The source of such information will be the contact person's employer, for example, from the employer's website. In some cases, we collect references from others to assess the suitability of suppliers and partners.

We store the information until the relationship with the supplier or partner ceases or until the contact person ceases to be a contact person, with the exceptions mentioned above.

2.6 Recruitment

In recruiting for new positions, we will process, among other things, CVs, applications, diplomas, course certificates/certificates, notes from interviews, results from reference checks, and these will contain personal data.

The basis for processing personal data in recruitment is that the processing is necessary to take steps before an employment contract with a job applicant is potentially concluded (GDPR Article 6 (1) b).

If we conduct investigations beyond contacting persons listed as references, checking search history, etc., personal data is processed on the basis of our necessary legitimate interest in securing the right candidate for the position (GDPR Article 6 (1) f). For the latter, we have assessed that our legitimate interest in recruiting new employees outweighs the individual's privacy. We encourage you not to include special categories of personal data, such as health, religion, political opinions, trade union membership, etc., in your application.

Personal data is deleted as soon as the recruitment is completed unless you have consented to longer storage. If the application is relevant to other recruitment processes, the information is stored for up to 1.5 years.

2.7 Events

etc. For participants in events, contact information and which event the person will participate in will be registered and processed, so that the person can be identified as registered and that necessary communication and possibly billing of the participation fee can be carried out. The processing of personal data will take place on the basis of fulfilling an agreement with the participant (GDPR Article 6 (1) b), or if the participants represent a business on the basis that we have considered that we have a necessary legitimate interest (GDPR Article 6 (1) f) in holding events as part of the business. In the latter case, we have assessed that our legitimate interest outweighs the individual's privacy.

In cases where food and/or drink are served, we may collect information about any preferences, which may indicate health and/or religion based on the preferences. This is information that will only be processed by us and will be deleted immediately after the event. In such cases, the information will be processed on the basis of consent.

2.8 Social Media

We have contact with stakeholders and others through social media. Among other things, we have established a Facebook page, where we are responsible for the processing of personal data in this connection along with Facebook. Through the Facebook page, personal data will be processed if you post on the page, comment on posts, or "like"/follow the page. Our purpose of processing personal data through Facebook is to have contact with you who wish to communicate with us or interact on our Facebook page in other ways, see also about communication under section 2.2 above.

In this context, your name and connection to other information that you have posted on Facebook associated with your name/account on Facebook will be processed. In addition, everything you share through posts and comments on our Facebook page, as well as the fact that you have "liked"/followed our website, will be processed. What you share on the Facebook page is up to you and voluntary.

We process personal data on social media, such as Facebook, on the basis that we believe we have a necessary legitimate interest in communicating with the outside world through social media and will then process personal data in this context (GDPR Article 6 (1) letter f). We have assessed that this is necessary for us to communicate with the outside world and handle inquiries we receive, and that the registered individuals' privacy does not outweigh these interests.

The information will be processed as long as postings/comments are available on social media, and you can delete this at any time yourself.

If you have consented to it, your information may also be transferred to advertising networks and social media to provide you with customized and relevant ads and information. You can withdraw your consent for such transfer at any time.

2.9 Use of Websites

On websites and in our digital services, cookies are used, among other things, to collect information to provide a better customer experience on websites and services, as well as to offer functionality in the services. We also use the information to give visitors recommendations and service adaptations that are as relevant as possible for you. This will both be given based on the visitors' behavior, for example, based on services used, links clicked on, or information read, and based on the behavior of other users with similar usage patterns. In addition, cookies are used to provide tailored marketing on our websites, in advertising networks, and on social media. As far as possible, we try to do this with anonymous information, without us knowing that the information is specifically linked to the individual visitor.

A cookie is a text file that is placed in your browser's internal memory or a number/series of numbers that can identify your browser or device using the websites (referred to as cookies below for simplicity).

You have the opportunity to prevent us from placing cookies in your browser. Many browsers or devices are set to automatically accept cookies, but you can choose to change the settings so that cookies are not accepted. The disadvantage of disabling cookies in your browser is that the websites will not function optimally. The reason is that the purpose of most of the cookies we use is to ensure functionality in the services.

We also use other tools than cookies to collect information about your IP address, which type of browser you use, your broadband provider, operating system, date, and time of visit to the website and services. We use this information to analyze trends so that we can make the website and services more user-friendly.

We process the personal data above on the basis of our necessary legitimate interest (GDPR Article 6 (1) f) to tailor the website to our users and that this interest outweighs the individual's privacy. However, we protect the privacy of visitors to the website by using the information only for statistics. In these statistics, it is not possible to identify individuals. The information will be stored as long as necessary for the purposes mentioned above.

3 Storage and Deletion of Personal Data

We store personal data as long as necessary for the purpose for which the personal data were collected, and delete the information in accordance with regulatory requirements. How long we process the individual types of information we process is included above where the individual processing is mentioned.

Instead of deleting personal data, it may in some cases be appropriate to anonymize the personal data. Anonymization means that all identifying or potentially identifying characteristics are removed from the data sets that are kept.

This means, for example, that personal data that we process based on your consent is deleted if you withdraw your consent. Personal data we process to fulfill an agreement with you is deleted when the agreement is fulfilled and all obligations arising from the contractual relationship are fulfilled, such as legal obligations related to accounting, follow-up of the customer relationship related to complaints, etc. Personal data we process as a result of legal obligation will be deleted as soon as we no longer have an obligation to store the information.

4. Transfer or disclosure of Personal Data to others

We do not pass on personal data to others except in cases mentioned in this statement or unless there is a legal basis for doing so. Such a basis would typically be an agreement with or consent from the data subject, or a legal obligation that requires us to disclose the information. The latter applies to public services such as tax collection (if necessary), accountants/auditors, and others necessary for our business operations, like banking connections.

We use data processors to collect, store, or otherwise process personal data on our behalf. In such cases, we have agreements in place to protect your rights and the security of your personal data throughout the processing.

If required by law, or if there is suspicion of criminal activity in connection with the use of our services, personal data we have stored about you may be disclosed to public authorities.

Should personal data be subject to transfer to another organization in connection with a merger, financing, reorganization, or dissolution transaction of all or part of us, we will only do so if the involved parties have entered into an agreement where the collection, use, and sharing of personal data are limited to the purposes related to the transaction, including a provision on whether or not the transaction should proceed, and the personal data should only be used by the involved parties to carry out and complete the transaction. If another company acquires us or our business or assets, that company will have access to the personal data collected by us and will assume the rights and obligations regarding your personal data as described in this privacy statement.

5. Transfer of Personal Data to Recipients in Countries Outside the EEA

It is our goal that all processing of personal data should take place within the EEA, but we may use suppliers or process personal data outside the EEA. In such cases, transfer and processing outside the EEA (third countries) will take place in countries approved by the EU Commission or in accordance with valid legal grounds for the transfer of personal data under GDPR Chapter V. If transfer is not to countries approved by the EU Commission, it will only take place following the guarantees set out in GDPR Article 46 (2). You can be informed about the basis used for the transfer if you contact us.

6. Links to Third Parties/Other Websites

There may be links to other websites or third parties offering products or services, and other places not under our control, on our websites. These links are provided only as an opportunity for users to obtain more information. Websites that are not part of ours, i.e., not under the address oslonyehoyskole.no, will process personal data as data controllers themselves and may have separate and independent privacy policies. We are not responsible for the content and activities of these websites.

7. Security of Processing

We prioritize the security of personal data highly in our operations and will implement all required technical and organizational measures to secure your personal data.

We handle information so that it is correct, accessible, and handled according to the degree of sensitivity of the data. We also use a variety of security technologies and information security procedures to protect personal data from unauthorized access, use, or disclosure. Risk assessments are conducted for the processing of personal data.

We have entered into data processing agreements with all our suppliers who process personal data, where they undertake the same level of security as we have for our processing of personal data.

We limit access to personal data to the personnel or third parties who are to process the information on our behalf. These parties are subject to a duty of confidentiality.

Procedures have been established for handling breaches of information security and procedures (data protection breaches), and if there is a breach that poses a risk to the privacy of the personal data concerned, we will send a deviation report to the Data Protection Authority as quickly as possible and no later than 72 hours after the breach was discovered. If the breach poses a high probability of privacy risk to those affected by the breach, we will also notify these individuals.

8. Your rights when we process personal data about you

Below are your rights regarding the processing of personal data. To use your rights, you must contact us (see contact information above) or in another way as follows below.

We will respond to your request to us as soon as possible, and no later than one month. If it takes longer than one month, you will be informed.

We will ask you to confirm your identity or provide additional information before we allow you to exercise your rights against us. We do this to ensure that we only give access to your personal data to you - and not someone who pretends to be you.

8.1 Information

You have the right to information about the personal data we process about you. Through this statement, we inform you about our processing of personal data. You can also contact us if you want more information.

8.2 Access

You have the right to request access to the personal data processed about you. Contact us if you want access.

8.3 Correction and Deletion

You can also ask us to correct inaccurate information we have about you or ask us to delete personal data. We will accommodate a request to delete personal data as far as possible, but we cannot do this if we still need the data.

8.4 Processing Based on Consent

If we process personal data based on your consent, you can withdraw your consent at any time. The easiest way to do this is to use the method informed of when you gave your consent or contact us.

8.5 Right to Restrict or Object to Processing

You have the right to have processing restricted in certain cases, see more in GDPR Article 21.

8.6 Right to Data Portability

For information that you have provided to us and is necessary to carry out an agreement with us, and which is processed automatically (i.e., not manually by us), you can request to have the personal data about you delivered or transferred to another provider in a structured, commonly used, and machine-readable format (data portability).

8.7 Automated Processing, Including Profiling There will be no automated processing, including profiling, based on your personal data that has legal effects or significantly affects those to whom the personal data pertains. See GDPR Article 22 nos. 1 and 4.

9. Complaints

If you experience that our processing of personal data is not in accordance with what we have described here or that we otherwise violate data protection legislation, you can complain to the Data Protection Authority. However, we ask you to contact us first so that we can rectify any incorrect processing as quickly as possible.

You can find information about your rights and how to contact the Data Protection Authority on the Data Protection Authority's website: www.datatilsynet.no.

10. Changes

If there are changes to our services or changes in the regulations on the processing of personal data, it may lead to changes in the information you are given here. If we have your contact information, we will notify you of these changes. Otherwise, updated information will always be easily accessible on our websites.


Back to top