Kristiania University College and Kristiania Professional College work to protect the privacy of our employees, students, research participants and partners. We aim to ensure the correct use and sharing of your personal data, as well as promote a culture of privacy that safeguards the rights of those involved.
Last updated 15.07.2021
Kristiania University College, Kristiania Professional College and their wholly or partly owned subsidiaries (hereinafter collectively referred to as Kristiania, "the college", or "we"/"us") are to be regarded as a group that shares certain digital systems. We have introduced advanced security measures, including strictly limited access control, and personal data is shared only when it is legal, necessary, and appropriate.
Personal data is all forms of information and assessments that are directly or indirectly linked to you as an individual. Information that cannot be linked solely to an individual may, in cases where the information occurs together with other data, nevertheless constitute personal data. Examples of personal data include your name, telephone number and email address.
Kristiania processes personal data with respect and care, and in accordance with European Parliament and Council Regulation (EU) 679/2016 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (GDPR) and the Act relating to the processing of personal data (Personal Data Act).
Kristiania University College, represented by its CEO, is the data controller for the university college's processing of personal data. Kristiania Professional College, represented by its rector, is the data controller for the professional college’s processing of personal data.
Any questions concerning access and deletion must be directed to the data controller at e-mail firstname.lastname@example.org.
All personal data shall be collected for specific, explicitly stated, and justified purposes and shall not be further processed in a manner incompatible with these purposes. As the data controller, Kristiania determines the purpose of the processing of personal data. At Kristiania, personal data is processed mainly for administrative purposes, for archival purposes, for research purposes, and for marketing. We will not process personal data to a greater extent than is necessary to fulfil the purpose of the activities.
Personal data shall be collected and processed on a legal basis:
- The processing of personal data is based on a legal obligation, such as the provisions of the Universities and University Colleges Act, the Tertiary Vocational Education Act, the Working Environment Act, the Bookkeeping Act, and the Archives Act.
- Processing is necessary to fulfil an agreement with you (for example, a study or employment agreement).
- Processing is based on your consent as a person.
- Processing must be necessary to carry out an activity that is in the public interest.
- For some processing activities, we use legitimate interest as a basis for processing, unless your interests or fundamental rights and freedoms take precedence and require the protection of personal data.
We may process special categories of personal data (such as health information, information about ethnic origin, political opinion, religion, philosophical beliefs, trade union membership, or on sexual relations or sexual orientation) based on your express consent. We may also process special categories of personal data when this is necessary to fulfil obligations/exercise rights in employment law, social security law and social law, or for the sake of important public interests.
Kristiania retains information for as long as is necessary to carry out our tasks and in accordance with the regulations. When you give consent, the retention period is identified in the consent text (but you have the right to withdraw consent at any time).
As a general rule, information will be deleted when this need no longer exists, unless we have a statutory duty to keep it in compliance with other regulations, such as the Archives Act, the Bookkeeping Act or the Universities and University Colleges Act.
The Marketing and Communications Department has day-to-day responsibility for the college's processing of personal data on kristiania.no, unless otherwise stated below. It is voluntary for visitors to the website to provide personal data in connection with services, such as receiving newsletters. The basis for processing is the consent of the individual, unless otherwise specified.
In essence, we process data that you have provided to us based on one of the following reasons:
- You have contacted us regarding study programmes, or you are or have been a student/research fellow with us
- You have applied for a job with us or have been an employee (permanently or temporarily), a trainee or hired consultant/contractor with us. Read more about the processing of employees' personal data here
- You have been a researcher, participant in a research project with us, or somehow contacted Kristiania for research purposes
- You are or have been a patient at our student clinic
- You have signed up for courses or events
- You subscribe to newsletters
- You have booked a professional visit with us
- You are a visitor at one of our premises
- You are or will be our contractual partner
We also process personal data about you indirectly for the following reasons:
- We receive data about you from another government agency
- A complaint or guidance case contains data about you
- A non-conformance report contains data about you
- An employee, student, patient, or research participant has named you as next of kin
- A job applicant has named you as a reference
- When it is allowed for previously collected data to be reused for research or quality assurance purposes
- You are an exchange student from a partner college
As a result of the Covid pandemic, a questionnaire has been established where students and staff are required to register if they are infected with coronavirus (COVID-19) or are quarantined. The purpose of collecting this data is to take measures to reduce the risk of the college's other students and staff being infected by coronavirus (COVID-19). The legal basis for the processing of personal data relating to employees is the Norwegian Personal Data Act and the General Data Protection Regulations article 6 no. 1, a) and f).
7.1 Online statistics
Kristiania has a legitimate interest in collecting data about visitors to kristiania.no. Most data are de-identified, except IP addresses. The purpose of this is to compile statistics, which are used to improve and further develop the information offered on the website. Examples of what the statistics show are how many people visit different pages, how long the visit lasts, which websites the users come from, and which browsers are used.
Forte Digital, Knowit and Publicis Groupe are Kristiania's partners for the development and maintenance of the website. Data collected in connection with the operation of the website is stored on separate servers operated by suppliers. Only Kristiania, Forte Digital, Knowit and Publicis Groupe have access to the data collected. A separate data processing agreement between Kristiania and data processors regulates what data the supplier has access to and how it should be processed.
Siteimprove and Hotjar: Siteimprove and Hotjar gather visitor statistics and usage analysis of our websites. We do this to work with user experience and the quality of our websites. Siteimprove and Hotjar cookies do not collect personal data and are only used for web statistics.
7.2 About cookies and analytical tools
Cookies are text strings that are stored on your device for between one minute and two years when you visit kristiania.no. Cookies are necessary for kristiania.no (and other websites) to work optimally for you, for example in order to make a purchase. Cookies help us to look at the user patterns of those who visit the website so that we can customise it and make it more user-friendly. No data is stored in a cookie that can be linked to your use of the website as an individual.
The following cookies are stored on Kristiania:
- _ga is stored for two years and is used to differentiate users
- _gid is stored for 24 hours and is used to differentiate users
- _gat is stored for one minute and is used to process request data
Most modern internet browsers are configured to accept cookies automatically, but you can change these settings yourself in your browser.
Note that if you do not accept cookies, a large number of websites will not function optimally.
7.3 Google Analytics
This website uses Google Analytics, a web analytics service provided by Google, Inc ("Google"). See more about Google Analytics here.
Visits to this website are recorded as anonymous data. The data is used for statistical measurement and analysis to improve the functionality of the website. The data contains non-identifiable personal data. Scripts from the Google Analytics analysis tool are used for this measurement. During your visit, cookies are stored as text files on your computer.
The data that the cookie collects about your use is sent to Google and stored on the company's servers.
What does Google use the data for?
- Assess your use of the website
- Create reports for the website owner about site activity
- Create reports to provide other services in connection with website activity and internet usage.
Google may also transfer this data to third parties if there is a legal obligation to do so, or if such third parties process the data on Google's behalf. Google will not match your IP address with any other data Google may have in its possession.
Do you not want to be tracked? Use the Google Analytics Opt-out Browser Add-on.
7.4 Double Click Campaign Manager and Adform
Cookies allow you to:
- frequency-control adverts based on activity
- see user behaviour on the website in relation to the direct marketing that takes place
- collect product interest data in order to present more relevant ads
- target adverts to selected customer groups
7.5 Google Remarketing
In order to make our advertising more relevant to those who have shown interest in our products, Kristiania uses something called Google Adwords Remarketing. This is a service from Google that uses third-party cookies and allows us, through Google's advertising services, to display adverts more relevant to you as a user.
You can opt out of these types of adverts by changing your Google Advertising settings.
By using the website, you agree that Google will process data about you in the manner and for the purposes described above.
7.6 Google Tag Manager
Google Tag Manager is used to organise and manage scripts that run on Kristiania's domains. This allows us to manage, distribute and track through marketing pixels on Facebook, Snapchat, LinkedIn, Google ads, Google Adwords, DoubleClick Campaign Manager and Adform.
8.1 Facebook and Instagram
Kristiania does not disclose or sell personal data that we access through Facebook.
You can adjust your advert settings if you want to control and manage what kind of adverts you see on Facebook.
Through a legitimate interest, Kristiania uses Facebook pages as a medium of communication. Facebook collects personal data from everyone who visits Kristiania's Facebook pages, both those logged in with a Facebook profile, and those who visit the pages without being logged in. This is in order to be able to adapt the communication to stakeholders.
9.1 Sending newsletters
Loopify AS is Kristiania's partner for sending newsletters.
Our goal is for the information we send out to be as relevant as possible to the recipient. In order to adapt the information to your wishes and needs, as well as previous education, we ask for, among other things, your name, e-mail, and data about previous education. At the same time, this helps to avoid double email dispatches by avoiding duplicates in the database. We do not disclose the data to others.
A prerequisite for receiving newsletters with promotional content is that you have given your prior consent to this (does not apply to information that is necessary to communicate to you in connection with having applied for a place of study or being a student at Kristiania). You can request to be deleted from the distribution list at any time via email@example.com or unsubscribe via the unsubscribe link in the newsletter.
Personal data that appears in communication with you as the recipient of our newsletters is deleted after 2 years if you do not unsubscribe earlier.
9.2 Chat/Telephone/Email/Personal attendance
Kristiania has a legitimate interest in maintaining the quality of customer follow-up. Therefore, chat, call data and emails are stored in our systems. When using chat, only the sender's IP address is logged, in addition to the content of the conversation. If we receive telephone calls, data about the time and duration of the call is stored. At the same time, telephone number data is stored for 30 days, before it is automatically deleted from our systems.
In case of personal attendance, we will log that the visit has taken place and what the purpose of the visit was. This data is used to increase the quality of guides at a later date. If this data is requested to be deleted, this will be done individually if we receive a notification.
9.3 Follow-up for sales
Once you have chosen a study programme, we will send out order and submission documents, surveys and follow-up emails related to your study and your relationship with Kristiania. We collect this data in order to complete the enrolment, and Kristiania has a legitimate interest in following up with you as a student after the selection. This data is stored for two weeks.
If your transaction at our online shop is interrupted, we will send you emails with a reminder of the products you put in your shopping cart. We do this as an additional service, to make the buying experience with us as smooth and easy as possible.
9.4 Reservations in the Central Reservation Register
Kristiania adheres to the current rules for updating with respect to the Central Reservation Register, consent to or reservation against newsletters, and carries out ongoing maintenance of personal data with respect to publicly available sources.
10.1 Purpose and legal basis
We need to process personal data about applicants and students. We do this for study administrative purposes and to fulfil legal obligations and agreements that Kristiania has. The legal basis for the processing of personal data concerning applicants and students is the Personal Data Act’s Article 6, no. 1a (consent), b (study contract), c (our legal obligation, e.g. in the Universities and University Colleges Act), e (the public interest), f (our legitimate interest that outweighs the consideration of the individual's privacy), Article 9, no. 2a (consent to the processing of special categories of personal data), b (within areas of employment law/social security law), g (general interests) and §3(8), §4(2), §4(3), §4(15) and §4(16) of the Universities and University Colleges Act and §9 and §15 of the Tertiary Vocational Education Act.
As a general rule, your personal data related to admission and studies is stored in Kristiania's databases for as long as is necessary to carry out our legal obligations and our agreement with you, and in accordance with the regulations, with certain exceptions.
10.2 Application and admission processing
The purpose of collecting and storing your personal data is to process your application for admission to a study programme or course at Kristiania.
When you create a search profile and an application on our application portal, cookies will be created in your browser that store data during the search process. Once your application is complete, these will be deleted, and your browser will be reset. We also store the time of login, IP address and login path, as well as changes to the online application made at each login.
When you submit your application, we will process this and the data you have entered, such as your name, address, telephone number, national identity number, e-mail address and password, data about your previous education and any work experience, with associated documentation, as well as any name of the employer with contact details (if you have provided it in cases where it is relevant).
In some cases, we will process health data related to your study situation (if you have provided it in cases where it is relevant). The legal basis for the processing of health data is the Norwegian Personal Data Act and the General Data Protection Regulations, Article 9, no. 2 a), b) and g).
Kristiania will be able to collect and store data from other sources if necessary for the application process and will also store case processing data.
We use Feide, which is the national solution for secure login and data sharing within education. With Feide, users get secure and correct access to a variety of digital services with one username and password. Read more about Feide here.
The personal data we have stored about you can be viewed in the application, and you can also correct the data there. In the application portal you can also see the status and the result of the case processing of your application. Documents for applicants who do not get a study place are deleted when the admission is completed.
When the applicant has become a student at Kristiania, the personal data is transferred to the Common Student System (Felles Studentsystem, FS), which is a study administrative system. A number of applications are associated with the study administrative system FS. That means that data entered into these applications is also stored in FS. Data in FS is reported in various contexts to a number of parties/enterprises.
In principle, all your personal data is stored in the Common Student System (FS) forever. There are some exceptions:
- Personal data related to actions you take in Studentweb, including your IP address, and for example whether you register for or withdraw from the exam, is stored for 365 days before it is deleted.
- Personal data relating to sanctions cf. §3(7)(8), 4(8)(1) to (3) or 4(10)(3) of the Universities and University Colleges Act, are automatically deleted from the Common Student System six months after the sanction period has expired.
- If Kristiania receives information that you are dead, we will delete your contact data. Any applications for admission, teaching and examination messages will be withdrawn.
- Sensitive personal data is stored for a maximum of six years before it is deleted.
Access to the personal data of applicants and students is limited by the need to safeguard their interests as an applicant/student at Kristiania. Persons with access can be employees in the student administration, academic staff and managers. In addition, necessary data is shared with external practice institutions.
10.3 Student register and student data
Personal data about you as a student is mainly processed in our student administrative systems. In order to administer you as a student, it is necessary for us to process the following data:
- Identity data (e.g., name, national identity number (11 digits), student number, D-number)
- Contact data (e.g., address, telephone number, the college’s and private email addresses)
- Employer and employer's address, if necessary
- Information about previous education
- Work experience, if any
- Health conditions (e.g., in connection with extensions of leave of absence and facilitation)
- Study contract
- We can save your applications (e.g., for leave of absence, extension of exam time, etc.)
- Warnings, complaints
- Individual decisions in which the student is involved
In addition, data about the courses and studies you complete, as well as exam results (grades), is recorded and stored. This data is stored in the Common Student System (FS). The basis for this processing is legal obligation, provided by the Universities and University Colleges Act and the Tertiary Vocational Education Act.
Kristiania uses Studentweb, a web application that allows you as a student to perform a number of study administrative tasks, such as semester registration. Studentweb also gives you access to the data that Kristiania has stored about you in the student administrative system Common Student System (FS), such as contact data and exam results. Studentweb is linked to the student administrative system Common Student System (FS). This means that data registered in Studentweb is stored in FS. Read more about FS and Feide in section 10.2.
We collect the contact data of active and former students at Kristiania (private e-mail and private mobile phone number) from the central Contact and Reservation Register (KORR), pursuant to the General Data Protection Regulation’s Article 6, no. 1 c), e), and §4(15) of the Universities and University Colleges Act. It is therefore important that you have correct data registered here at all times.
You can check and update this in Studentweb, via My Profile or directly via the central Contact and Reservation Register with login via BankID.
This is data that Kristiania is required to keep in accordance with national decisions on archiving. The data is not disclosed to unauthorized persons.
If your employer pays for your education and wants data about your exam results, the college cannot disclose this data without your consent as a student.
We use student data (grades, study progression, drop-out, etc.) for statistical purposes internally. The student data is anonymised and in accordance with the requirements and guarantees of the GDPR. We have a legitimate interest in using student data for internal analysis.
We have a legitimate interest in sharing your personal data (name, email, telephone number and study) with the local student organisation. This is in order to ensure that the student organisation performs its student welfare services for our students.
10.4 Follow-up of active students
Contact data, guidance, data about health conditions and study progression will be processed in order to safeguard the individual student and study progression. This data is processed by the Student Administration pursuant to Article 6, no. 1(c) of the General Data Protection Regulation and §4(15) of the Universities and University Colleges Act and the Tertiary Vocational Education Act. Data is registered and stored in the Common Student System (FS), Kristiania's internal document management system and/or in our electronic archive system.
10.5 Registration of compulsory attendance
Some courses have compulsory attendance, where the college needs to register and check your attendance. Each course description specifies whether there is compulsory attendance. This processing is based on the Regulations concerning admission, courses, degrees and examinations at Kristiania University College, the Regulations relating to admissions, studies, and examinations at Kristiania Professional College, §4(15) of the Universities and University Colleges Act, and the Tertiary Vocational Education Act.
In order to give students access to college buildings via a student card, the college must process the students' photo, name and affiliation (e.g. "student"). The photo on the student card is stored in FS, and is also transferred to the student ID app, if the student chooses to use it. Read more about the student ID app here.
Students' personal data is transferred to a number of digital systems in order to provide students with the necessary services, such as library services, copy/print servers, room booking and welfare services.
10.7 Who can access personal data about you?
We disclose data to the following organisations in accordance with the Universities and University Colleges Act and the Tertiary Vocational Education Act:
- Statistics Norway
- Lånekassen (“The Norwegian State Educational Loan Fund”)
- Database for Higher Education (DBH)
- Norwegian Agency for Quality Assurance in Education (NOKUT)
Disclosure of data from FS
We occasionally receive inquiries from various agencies and institutions requesting information about current and former students for research purposes or for statistics. Such inquiries must always refer to a legal basis/grounds in order to be the subject of an assessment. A check is performed to ensure that there is actually a legal basis that allows for access and that it takes precedence over general provisions of the GDPR.
The following third parties are provided with personal data:
10.8 Student welfare organisations
If you have paid the semester fee for the current semester or been granted a right to study in the last two months, the Student Welfare Organisation can access personal data about you from Kristiania. This is so that they know that you are a student and that you are entitled to student discounts on the student welfare services. The Student Welfare Organisation can access your national identity number (11 digits), your name, when you last paid the semester fee and the ID of your student card. The legal basis is the Personal Data Act and GDPR Article 6, no. 1c (our legal obligations) of the GDPR and Article 6, no. 1 (our legal obligations), with a supplementary legal basis in §4 and §5 of the Student Welfare Organisation Act.
10.9 National Registry (Folkeregisteret)
If you come to Norway to study and are not yet registered in the National Registry, Kristiania will apply to the Norwegian Universities and Colleges Admission Service (Samordna opptak) for you to receive a provisional national identity number (S-number). The admission service checks with the National Registry to ensure that you are not already registered in the National Registry before you are issued an S-number.
10.10 Norwegian Directorate of Immigration (UDI)
If you are not registered with a permanent residence permit in Norway, Kristiania will prepare a report about you regarding study progression and part-time work permits. You will receive the report in paper format from the college, and then you yourself give it to the Norwegian Directorate of Immigration (UDI). Read more about UDI's regulations.
10.11 The Norwegian State Educational Loan Fund (Lånekassen)
In order for you not to have to document that you are a student, that you have graduated and received results from partial studies abroad, Lånekassen receives this personal data about you directly from FS at the college. They also receive data about your national identity number/D-number (11 digits) and which university/college you are admitted to as a student. The legal basis is the Personal Data Act and GDPR Article 6, no. 1c (our legal obligations) of the GDPR and Article 6, no. 1 (our legal obligations), with a supplementary legal basis in §21 of the Student Financial Aid Act.
10.12 Nordic Institute for Studies in Innovation, Research and Education (NIFU)
In several cases, HK sends personal data about you to NIFU for research purposes. This is personal data related to your education with us (bachelor's and master's degree). The data transfer goes via DBH.
10.13 The Norwegian Diploma Registry (Vitnemålsportalen)
The Diploma Registry retrieves the students' national identity number (11 digits, possibly D-number or S-number), connection to the college, and exams the student has taken and passed, directly from the college's databases. The Diploma Registry ensures that the results shared are correct. Read more about the Diploma Registry here.
10.14 RUST – the National Student Exclusion Register
Excluded students are registered in RUST – the National Student Exclusion Register. The data is transferred to RUST pursuant to §3(7)(8), §(4)(8)(1-3), §4(10)(3) and §4(12)(1-3) of the Universities and University Colleges Act. When the sanction period has expired, personal data and data about the decision are automatically deleted from the register.
10.15 Unit – Norwegian Directorate for ICT and joint services in higher education and research - supplier and developer of FS
Employees at Unit who need it for their work have access to your personal data in order to perform support and any error correction in FS.
10.16 UNINETT AS
It is possible to log in to the application portal and Studentweb with the login solution Feide, which is developed and delivered by UNINETT AS. Employees at UNINETT AS, who need it for their work, have access to your FEIDE name and IP address. This is in order to perform support and any bug fixes in the service.
11.1 Canvas (digital learning environment system)
Canvas is a learning platform used by administration and teaching staff to support the implementation of teaching and exams. Canvas is used to communicate academic feedback to students from academic staff and for dissemination of messages between students.
Kristiania uses Canvas for teaching purposes. This means that Instructure, which develops and operates Canvas, will have access to your name, your role in the organisation, your username and your student email address, data taken from the Common Student System FS (such as name, email, course and study programme), student submissions and when the submissions occurred, individual feedback from teachers, debate contributions (forum) and various types of messages/notifications.
In principle, sensitive personal data is not processed in Canvas, but may be stated in student responses.
Most of the personal data in Canvas is registered and managed by the data subjects. Data in Canvas is deleted when the student leaves the college.
Kristiania is committed to, and interested in, providing students with high quality and continuous education. Kristiania therefore has a legitimate interest in processing the student activity logs from Canvas. These logs are pseudonymised and processed using a machine learning algorithm that predicts and helps limit college drop-out rates.
We have a legitimate interest in developing and improving our study programmes so that our students are educated to the needs of the labour market and society. Kristiania therefore enters into agreements with external partners for, among other things, the development of specific study programmes as well as teaching. This is done through agreements with teaching staff and guest lecturers. In such cases, they will have access to relevant personal data about students in Canvas.
11.2 WiseFlow and other providers of digital exam systems
The basis for processing personal data in connection with digital exams is our legal obligation, with a supplementary legal basis in §3(9) and §3(10) of the Universities and University Colleges Act, and §21 and §22 of the Tertiary Vocational Education Act.
At Kristiania, we use the digital exam system Wiseflow for a number of exams. In order for you to complete a digital exam, we send personal data about you to UNIwise, which develops and operates the Wiseflow system. They will have access to this personal data: Feide-ID, graduate number, other exam data from FS, IP address. WISEflow collects all personal data from FS. In addition to WISEflow, Zoom is also used for digital oral exams. We use Zoom provided by Uninett AS in accordance with GDPR and Norwegian data protection legislation. Read more about Uninett’s Zoom here.
You can read more about digital exams here: https://www.unit.no/tjenester/digital-eksamen.
11.4 Microsoft Office365
Microsoft Office 365 is used for data storage for the college’s students and staff. The student can set up an integration with Microsoft Office 365 in Canvas, but no personal data is disclosed from Canvas to this system. Read more about Microsoft Office 365 here.
11.5 URKUND by Ouriginal
We use URKUND to detect plagiarism and cheating during the exam. Data necessary for the processing of cases to detect plagiarism will be disclosed to the board/committee that deals with cases.
The legal basis (processing basis) for processing data in URKUND is GDPR Article 6, no. 1c (legal obligation) and e (perform a task in the public interest), cf. no. 3b, with a supplementary basis for processing in §3(9) of the Universities and University Colleges Act (exams and grades).
11.6. LinkedIn Learning
Students can voluntarily use LinkedIn Learning, and the college has a legitimate interest in offering this solution as part of their teaching. LinkedIn Learning will help make teaching even more accessible and will support both digital teaching and classroom teaching. When you create a LinkedIn Learning account and sign in with Azure AD, your college username, college email address, and affiliation (e.g., "employee," "student") are shared with LinkedIn Corporation. This is personal data required to securely access the Service. Read more about LinkedIn Learning here.
11.7 Other internet-based teaching tools: voluntary use
Kristiania has a legitimate interest in contacting former students. In line with our strategy, we work actively and purposefully to become a working life university. Among other things, Kristiania ensures that the students have knowledge of working life. All former students are part of Kristiania's alumni network. Being part of an alumni network helps to strengthen a graduate’s career and professional development. The cooperation shall be sustainable and based on mutual benefit.
The following contact data is stored for 10 years after graduation: private email address, name and surname. We will contact you as a former student via your e-mail and ask for your consent to receive customised inquiries and data from Kristiania, such as newsletters with updates from Kristiania or invitations to events organised by Kristiania.
You have the right to request deletion of your personal data or withdraw your consent at any time. Contact firstname.lastname@example.org if you do not want to be contacted after you have completed your studies.
Photographs and video recordings of and from the college premises, teaching rooms, work areas, as well as façades, the cityscape etc. (hereinafter referred to as interfaces) are used for marketing purposes. These are recordings made by our own and external photographers. These recordings can be found on the college's website, on social media, printed material etc.
In the case of photo and video recordings, the subject is always informed that recordings are being made and consent is obtained. Where recordings are made with individuals and students, consent is obtained through the use of a declaration of consent.
When recording during larger events, or when many people are present, it is announced that photo and video recordings are being made.
Our employees can be filmed in a teaching context. The basis for processing is agreement.
Photos or video recordings may be published in the college's interfaces, such as recordings made where you are part of a larger gathering or event. Photos or video recordings, excluding recordings of lectures, will be stored in the college's database for up to three years.
13.2 Streaming and recording of teaching
In connection with the COVID-19 pandemic and the government’s infection control restrictions, Kristiania will increase the provision of digital teaching to students and also increase the recording and streaming of classroom teaching in order to limit the spread of infection.
Due to the fact that some of our students do not have the opportunity to participate in teaching via real-time online meeting tools (due to either illness or call-out for critical tasks in areas such as the public health service or the National Guard), it is important to be able to see teaching as recordings in order to achieve the teaching purpose. The need for universal facilitation is a factor that is particularly relevant in the current study situation.
Teaching at universities and university colleges is an activity that is in the public interest. In order to fulfil our social mission, it is important that we are now able to offer alternative teaching. Public interest will generally be the legal basis when it is necessary to process personal data relating to students in connection with live-streaming and the recording of teaching in classrooms and digitally. The processing of personal data that is necessary to carry out an activity in the public interest is permitted pursuant to Article 6, no. 1e of the GDPR, with a supplementary legal basis pursuant to the Universities and University Colleges Act, §1(3), §3(8) concerning teaching, §4(2) concerning teaching plans, and §4(3) concerning students’ learning environment, as well as the Tertiary Vocational Education Act, §9 concerning the board’s responsibilities, and §15 concerning the learning environment.
About online studies in particular
The online students have weekly online gatherings together with the teacher and the other students. Streaming and recording of each gathering is made available to students afterwards. Recording of online teaching is an important part of the online teaching. The recordings can be used for repetition or by students who do not have the opportunity to participate directly. Recording is carried out in accordance with the relevant curriculum, which determines whether it is necessary and appropriate to record online teaching. We need to perform streaming and recording of online studies in order to fulfil our agreement with you as an online student.
Consent will generally not be the legal basis for the processing of personal data relating to students in connection with digital teaching, with some exceptions. The recording of online teaching that will be published openly on the internet (outside of the university college’s teaching platform, which requires login in order to view recordings) requires consent from anyone who can be identified through audio or images.
For this reason, we encourage academic staff to record and share recordings from real-time teaching via online meeting tools, under the following conditions:
- It will be possible for students not to appear/be heard in the recording by not turning on the microphone/image from the webcam. It must be possible for questions to be asked in chat.
- Recordings from teaching, where the students can be identified, must only be available during the relevant semester.
- Recordings from teaching are only shared with students in the relevant class.
We use Zoom for recording and streaming digital teaching. When a student logs in using their Feide user account, their first name, last name and college e-mail address will be sent to Uninett AS, which provides Zoom to the college. We use Panopto to produce, store and distribute video recordings for use in teaching. When using Zoom for teaching, it is generally voluntary for students to participate with images, audio or video during the streaming of teaching. This is configured by the student with settings when connecting to the streamed teaching and can be changed by the student at any time for as long as the streaming takes place. It is also voluntary to send text via the chat function. It is sometimes necessary to share an image and/or sound in order to meet teaching requirements. Read more about Uninett’s Zoom here.
13.3 Streaming and recording non-teaching digital events
The legal basis depends on the type of event. Pursuant to §1(3) of the Universities and University Colleges Act, Kristiania shall, among other things, "contribute to distributing and disseminating results from research and academic and artistic development work", and "facilitate for the institution's employees and students to participate in public debate". If it is an event with such a purpose, the basis for processing is the public interest, with a supplementary legal basis in §1(3) of the Universities and University Colleges Act. It may be our legitimate interest that the event is recorded. Our need to record must then be assessed against the rights of the participants.
We use Zoom for recording and streaming digital events. When using Zoom for digital events, it is generally voluntary for the public whether they want to participate with the use of image and/or sound during the streaming of the event. This is configured by the public with settings when connecting to the event and can be changed at any time during the streaming.
The speaker consents to recording by initiating the recording themselves, or it may be necessary to achieve the purpose of the agreement with the speaker. If anyone other than the speakers can become part of the recording, information must be provided in advance or at the beginning of the event that Kristiania is recording it, and that questions and comments from the auditorium using audio and video will become part of the recording.
If you would like photos or video recordings of you, as specified in §12.1 - §12.3, to be deleted, please contact the data controller at email@example.com. Note that when images are used on printed materials (for marketing), it will not be possible to have them deleted after they have been used. For photos or video recordings used in digital interfaces, deletion will be possible.
14.1. Within the EU/EEA
Kristiania transfers personal data about students because it is necessary in order to fulfil the purpose of the student contract, and in accordance with Article 6, no. 1 a), b), c) of the GDPR, as well as the Universities and University Colleges Act and the Tertiary Vocational Education Act.
The purpose of the transfer of data is to facilitate both the exchange of students between the partner college and Kristiania, and the individual students' studies in the partner college.
The following categories of data are transferred:
- Nationality, name, date of birth and photo
- Study programmes, basic education, diplomas, the college’s contact data and previous professional experience
- The college’s e-mail address
- Contact data for the person to contact in case of emergency
14.2. Outside the EU/EEA
Kristiania transfers personal data about students because it is necessary in order to fulfil the purpose of the student contract, and in accordance with Article 6, no. 1 a), b), c) of the GDPR, as well as the Universities and University Colleges Act.
The purpose of the transfer of data is to facilitate both the exchange of students between the partner college and Kristiania, and the individual students' studies in the partner college.
The following categories of data can be transferred, depending on the exchange programme and the partner college's country:
- Nationality, name, date of birth
- Study programmes, basic education, diplomas, language test results and previous professional experience
- The college’s e-mail address
- Motivation letter in internal exchange application
Kristiania ensures that the level of protection that will be achieved in practice is actually the same as in the EU/EEA, all factors taken into account. The EU Commission has determined that a certain number of countries outside the EU/EEA have an adequate level of data protection. Transfers to these countries will not require additional security measures.
In some cases, and in the absence of an adequacy decision, Kristiania may use the necessary guarantees in accordance with the GDPR’s Article 46, no. 2, or exceptions in accordance with Article 49, no. 1a (personal data may be transferred to third countries if the student has expressly consented to it).
To improve security in and at our premises, electronic access control and video/camera surveillance are used. This data is stored for 7 days before it is deleted. Motion data from access control is stored for 14 days.
We have a legitimate interest in preventing dangerous situations from occurring, facilitating the investigation of offences and ensuring the safety of employees and students.
Several CCTV cameras have been installed in various buildings used by the University College and the Professional College. CCTV is used both for monitoring with and without the possibility of recording. Where there is CCTV, signage has been set up informing you that CCTV is in use. CCTV is mainly employed at the entrances and/or along the façades of the buildings. No audio is recorded during camera surveillance.
Access control is also a measure aimed at ensuring the safety of employees and students on the premises. In that connection, we store data about the use of access cards at different terminals installed in the buildings. We do not use the access control system to track the movements of employees and students.
The purpose of the processing of personal data about employees is to fulfil legal obligations and agreements. The legal basis for the processing of personal data relating to employees is the Personal Data Act and the GDPR’s Article 6, no. 1 a), b), c), e), f), Article 9, no. 2 a), b), and Article 88. Read more here.
The personal data is processed in accordance with §8-§10 of the Personal Data Act, cf. Articles 5, 6, 9 and 89 of the GDPR, and the Health Research Act.
Bachelor's and master's theses are considered research projects. If you as a student intend to write a student assignment where it is appropriate to use personal data, different requirements apply, and you as a student must have permission before you can start the thesis. All students have a responsibility to familiarise themselves with Kristiania's guidelines for processing personal data in research. As a student, you will find all the information you need here.
The Personal Data Act permits the processing of personal data for research purposes, provided that the privacy of the participants is safeguarded through technical and organisational measures initiated by the data controller, that privacy consequences have been assessed and that a data protection officer/adviser has been consulted, where necessary.
Kristiania has an agreement with the Norwegian Centre for Research Data (NSD) for advice on data protection issues in research. Health research projects must have prior ethical approval from the Regional Committee for Medical and Health Research Ethics (REK), in addition to a basis for processing in the GDPR.
All projects that process personal data will be assessed by NSD. Researchers cannot initiate data collection, conduct interviews or send out surveys until the correct permission has been obtained. Read more on NSD's website.
The personal data to be registered is assessed on the basis of what personal data is necessary to achieve the purpose of the research project. As a general rule, personal data collected for a research purpose cannot be used for other purposes without consent.
The General Guidelines for Research Ethics, drawn up by national research ethics committees, state that consent is the main rule when researching people or with regard to data and material that can be linked to individuals. The consent shall be informed, express, voluntary and documentable. Consent requires competence to consent. Vigilance must be exercised to ensure real voluntariness where the participant is in a dependency relationship with a researcher or is in an unfree situation. Consent may be withdrawn at any time during the implementation of the research project.
Researchers, students and supervisors who have access to personal data have a duty of confidentiality.
Fixed routines have been established for processing personal data. The main rule is that there should never be a greater degree of personal identification than is necessary for the purposes of the research project, cf. the principles of data minimisation and purpose limitation. The personal data may be de-identified or anonymised if possible.
- De-identified data is personal data where the name, national identity number and other direct person-specific characteristics have been removed and replaced by a number or code (link key), so that the data cannot be directly linked to an individual.
- Anonymous data is data where names, national identity numbers and other unique personal characteristics have been removed, so that the data can no longer, directly or indirectly, be linked to an individual. Anonymous data is therefore not considered personal data.
Personal data shall normally not be stored for longer than is necessary to carry out the research project. If there is a need for storage beyond the period specified at the start of the project, new consent must be obtained, or an exemption must be sought.
18.1 Information about how Kristiania processes personal data in logs from IT systems.
The legal basis for processing personal data in logs is our legal obligation to safeguard data protection and ensure daily operation of IT systems.
The purpose of logging the activity in IT systems is to administer systems, ensure stable operation and detect and resolve undesirable incidents.
The logs are categorised as:
- operational logs – logs that are normally stored in the IT systems of Kristiania University College or its partners, and which contain data about the technical status of a solution but may also contain data about logins and other activities related to people.
- application logs – logs from services that may contain data that identifies people and activities in applications.
Kristiania has general operational logs and application logs in its IT systems.
There are also flow logs, which contain data about which devices are communicating and how much data is being sent. This means that most of the activities performed by users of the systems will leave digital traces.
The data exists in the logs as part of a larger digital log activity. They are obtained from a variety of systems, where central machines ensure reliable traffic between users and the systems.
In principle, the logs are not disclosed, as they are intended as technical operational logs to ensure stable operation and to detect undesirable or abnormal incidents. They can be disclosed to the police or to the prosecuting authority on the basis of a court order. The director of the college may request that logs be disclosed as part of security measures in accordance with Articles 32 and 33 of the GDPR.
All logs from the IT systems are collected in a central log reception, where they are processed and deleted according to the guideline determined by the director of IT and digitalisation.
Logs are only available to those in the IT department who operate the central log reception. Those who need access to search the logs must have a service need and such searches will also be logged. Everyone in the IT department has signed a non-disclosure agreement.
Kristiania's primary legal basis for processing personal data and health data related to the student clinic will be consent. Kristiania processes personal data about patients in accordance with the quality requirements of the Archives Act, the Patient Records Act, the Health Personnel Act and the Health Research Act. Read more about the student clinic here.
19.1 Data processed at the student clinic
Data about patients is stored in a digital patient record. It contains data about names, national identity numbers and contact data, as well as data about diagnosis, the course of a disease, treatment, information provided and other matters that may be of importance.
The personal data processed is assessed on the basis of what personal data is necessary in order to carry out an examination and provide treatment. As a general rule, data about you that has been collected for a particular purpose cannot be used for any other purpose without your consent. Reuse of the data may occur for quality assurance purposes and for other purposes that are not incompatible with the original purpose.
Both the student who treats you and the supervisor are subject to a duty of confidentiality.
Data is collected in the form of conversations, examinations, treatment, observations, etc. Data may also be collected from other therapists, such as a GP or hospital, or from next of kin. In order for Kristiania to collect data from others, consent is generally required.
As a general rule, data registered about patients at Kristiania is only disclosed to the person to whom the data applies.
Kristiania has established guidelines for how medical records should be processed, stored and who can access them. The medical records data is stored electronically in a separate system.
Medical records must be stored until they are no longer assumed to be needed. When this is no longer the case, as a general rule, the medical records must be shredded in a satisfactory manner.
20.1 Right to information and access
You also have the right to see/gain access to all personal data registered about you at Kristiania. You also have the right to obtain a copy of personal data about you, if you wish.
20.2 Right to correction
You have the right to have incorrect personal data about you corrected. You also have the right to have incomplete personal data about you supplemented. If you believe that we have registered incorrect or inadequate personal data about you, please contact us. It is important that you justify and possibly document why you think your personal data is incorrect or inadequate.
20.3 Right to restriction of processing
In some cases, you may have the right to demand that the processing of your personal data be restricted. Restriction of personal data means that the personal data is still stored, but that the possibilities for further use and processing are restricted.
If you believe that your personal data is incorrect or inadequate, or have objected to the processing, you have the right to demand that the processing of your personal data be temporarily restricted. This means that the processing will be restricted until we have corrected your personal data or have been able to assess whether your objection is justified.
In other cases, you may also require a more permanent restriction of your personal data. In order to have the right to demand restriction of your personal data, the conditions of Article 18 of the GDPR must be met. If we receive a request from you for restriction of personal data, we will consider whether the conditions of the law are met.
20.4 Right to deletion
In some cases, you have the right to require us to delete personal data about you. The right to deletion is not an unconditional right, and whether you have the right to deletion must be considered in light of the Personal Data Act and the GDPR. If you wish to have your personal data deleted, please contact us. It is important that you justify why you want your personal data deleted, and if possible also state which personal data you wish to have deleted. We will then consider whether the legal conditions for requiring deletion have been met. Note that in some cases the law allows us to make exceptions to the right to deletion. For example, this will be the case when we need to store the personal data in order to fulfil a task we are required to perform by the Universities and University Colleges Act, or to safeguard important societal interests such as archiving, research and statistics.
20.4 Right to object
You may have the right to object to the processing if you have a special need to stop the processing of your personal data. Examples include if you have a need for protection, a confidential address, or similar. The right to object is not an unconditional right, and it depends on what the legal basis for the processing is and whether you have a special need. If you object to the processing, we will consider whether the conditions for objection are met. If we find that you have the right to object to the processing and that the objection is justified, we will stop the processing and you will also be able to demand deletion of the data. Note that in some cases, we may nevertheless make exceptions to deletion, for example if we need to store the personal data in order to fulfil a task we are required to perform pursuant to the Universities and University Colleges Act, or to safeguard important public interests.
20.5 Right to complain about the processing
If you believe that we have not processed your personal data in a correct and lawful manner, or if you believe that we have not been able to fulfil your rights, you have the option to complain about the processing. You can contact us via firstname.lastname@example.org or the data protection officer via email@example.com.
If we do not comply with your complaint, you have the opportunity to lodge an appeal with the Norwegian Data Protection Authority. The Norwegian Data Protection Authority is responsible for ensuring that Norwegian enterprises comply with the provisions of the Personal Data Act and the GDPR when processing personal data.