Kristiania's Privacy Policy

This privacy policy explains how Kristiania University College, Kristiania Professional College and their wholly or partly owned subsidiaries collect or use personal data and the rights related to this processing.

Kristiania University College and Kristiania Professional College work to protect the privacy of our employees, students, research participants and partners. We aim to ensure the correct use and sharing of your personal data, as well as promote a culture of privacy that safeguards the rights of those involved.

Last updated 29th June 2022

Kristiania University College, Kristiania Professional College and their wholly or partly owned subsidiaries(hereinafter collectively referred to as Kristiania, "the college", or "we”/“us”) are to be regarded as a group thatshares certain digital systems. We have introduced advanced security measures, including strictly limited access control, and personal data is shared only when it is legal, necessary, and appropriate.

Personal data is all forms of information and assessments that are directly or indirectly linked to you as an individual. Information that cannot be linked solely to an individual may, in cases where the information occurs together with other data, nevertheless constitute personal data. Examples of personal data include your name, telephone number and email address.

Kristiania processes personal data with respect and care, and in accordance with European Parliament and Council Regulation (EU) 679/2016 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (GDPR) and the Act relating to the processing of personal data (Personal Data Act).

Privacy Policy

Kristiania University College represented by its CEO, is the data controller for the university college's processing of personal data. Kristiania Professional College, represented by its rector, is the data controller for the professional college’s processing of personal data.

Any questions concerning access and deletion must be directed to the data controller at e-mail behandlingsansvarlig@kristiania.no.
All personal data shall be collected for specific, explicitly stated, and justified purposes and shall not be further processed in a manner incompatible with these purposes. As the data controller, Kristiania determines the purpose of the processing of personal data.

At Kristiania, personal data is processed mainly for administrative purposes (e.g., employees and student administration), for archival purposes, for research purposes, and for marketing. We will not process personal data to a greater extent than is necessary to fulfil the purpose of the activities.
Personal data shall be collected and processed on a legal basis:

The processing of personal data is based on a legal obligation, such as the provisions of the Universities and University Colleges Act, the Tertiary Vocational Education Act, the Working Environment Act, the Bookkeeping Act, and the Archives Act.

Processing is necessary to fulfil an agreement with you (for example, a study or employment agreement).

Processing is based on your consent as a person.

Processing must be necessary to carry out an activity that is in the public interest.

For some processing activities, we use legitimate interest as a basis for processing, unless your interests or fundamental rights and freedoms take precedence and require the protection of personal data.

We may process special categories of personal data (such as health information, information about ethnic origin, political opinion, religion, philosophical beliefs, trade union membership, or on sexual relations or sexual orientation) based on your express consent. We may also process special categories of personal data when this is necessary to fulfil obligations/exercise rights in employment law, social security law and social law, or for the sake of important public interests.
Kristiania retains information for as long as is necessary to carry out our tasks and in accordance with the regulations. When you give consent, the retention period is identified in the consent text (but you have the right to withdraw consent at any time).

As a general rule, information will be deleted when this need no longer exists, unless we have a statutory duty to keep it in compliance with other regulations, such as the Archives Act, the Bookkeeping Act or the Universities and University Colleges Act.
The Marketing and Communications Department has day-to-day responsibility for the college's processing of personal data on kristiania.no, unless otherwise stated below. It is voluntary for visitors to the website to provide personal data in connection with services, such as receiving newsletters. The basis for processing is the consent of the individual, unless otherwise specified.
In essence, we process data that you have provided to us based on one of the following reasons:

You have contacted us regarding study programmes, or you are or have been a student/research fellow with us

You have applied for a job with us or have been an employee (permanently or temporarily), a trainee or hired consultant/contractor with us. Read more about the processing of employees' personal data here

You have been a researcher, participant in a research project with us, or somehow contacted Kristiania for research purposes

You are or have been a patient at our student clinic

You have signed up for courses or events

You subscribe to newsletters

You have booked a professional visit with us

You are a visitor at one of our premises

You are or will be our contractual partner

We also process personal data about you indirectly for the following reasons:

We receive data about you from another government agency

A complaint or guidance case contains data about you

A non-conformance report contains data about you

An employee, student, patient, or research participant has named you as next of kin

A job applicant has named you as a reference

When it is allowed for previously collected data to be reused for research or quality assurance purposes

You are an exchange student from a partner college
7.1 Online statistics

Kristiania has a legitimate interest in collecting data about visitors to kristiania.no. Most data are de-identified, except IP addresses. The purpose of this is to compile statistics, which are used to improve and further develop the information offered on the website. Examples of what the statistics show, are how many people visit different pages, how long the visit lasts, which websites the users come from, and which browsers are used.

Forte Digital, Knowit and Publicis Groupe are Kristiania's partners for the development and maintenance of the website. Data collected in connection with the operation of the website is stored on separate servers operated by suppliers. Only Kristiania, Forte Digital, Knowit and Publicis Groupe have access to the data collected. A separate data processing agreement between Kristiania and data processors regulates what data the supplier has access to and how it should be processed.

Siteimprove and Hotjar: Siteimprove and Hotjar gather visitor statistics and usage analysis of our websites. We do this to work with user experience and the quality of our websites. Siteimprove and Hotjar cookies do not collect personal data and are only used for web statistics.

7.2 About cookies and analytical tools

Cookies are text strings that is stored on your device for between one minute and two years when you visit kristiania.no. Cookies are necessary for kristiania.no (and other websites) to work optimally for you, for example in order to make a purchase. Cookies help us to look at the user patterns of those who visit the website so that we can customise it and make it more user-friendly. No data is stored in a cookie that can be linked to your use of the website as an individual.

Cookies are stored on Kristiania:

_ga is stored for two years and is used to differentiate users

_gid is stored for 24 hours and is used to differentiate users

_gat is stored for one minute and is used to process request data

Most modern internet browsers are configured to accept cookies automatically, but you can change these settings yourself in your browser.

Here you can read more about how to accept and delete cookies in your own browser.

Note that it will result in a large number of websites not functioning optimally if you do not accept cookies. 

7.3 Google Analytics

This website uses Google Analytics, a web analytics service provided by Google, Inc ("Google"). See more about Google Analytics here.

Visits to this website are recorded as anonymous data. The data is used for statistical measurement and analysis to improve the functionality of the website. The data contains non-identifiable personal data. Scripts from the Google Analytics analysis tool are used for this measurement. During your visit, cookies are stored as text files on your computer. 

The data that the cookie collects about your use is sent to Google and stored on the company's servers.

What does Google use the data for? 

Assessing your use of the website 

Create reports for the website owner about site activity 

Create reports to provide other services in connection with website activity and internet usage. 

Google may also transfer this data to third parties if there is a legal obligation to do so, or if such third parties process the data on Google's behalf. Google will not match your IP address with any other data Google may have in its possession. 

Google Analytics' privacy policy gives you the right to refuse to allow Google Analytics to store this visitor data. 

Data received is subject to Google's Privacy Policy.

Do you not want to be tracked? Use Google Analytics Opt-out Browser Add-on

7.4 Double Click Campaign Manager and Adform

Double Click Campaign Manager and Adform use cookies to measure the effect of and display more relevant advertisements. Double Click Campaign Manager and Adform do not record any personal data on the website and the data is anonymised.

Cookies allow you to: 

frequency-control adverts based on activity 

See user behaviour on the website in relation to the direct marketing that takes place 

collect product interest data in order to present more relevant ads 

target adverts to selected customer groups 

7.5 Google Remarketing

In order to make our advertising more relevant to those who have shown interest in our products, Kristiania uses something called Google Adwords Remarketing. This is a service from Google that uses third-party cookies and allows us, through Google's advertising services, to display adverts more relevant to you as a user.

In accordance with Google's privacy policy, no data is collected that can be used to identify individuals. 

You can opt out of these types of adverts by changing your Google Advertising settings.

By using the website, you agree that Google will process data about you in the manner and for the purposes described above.

7.6. Google Tag Manager

Google Tag Manager is used to organise and manage scripts that run on Kristiania's domains. This allows us to manage, distribute and track through marketing pixels on Facebook, Snapchat, LinkedIn, Google ads, Google Adwords, DoubleClick Campaign Manager and Adform.
8.1 Channels in social media

Kristiania advertises through Facebook, Instagram, LinkedIn, Snapchat and TikTok platforms. Marketing pixels are used so that advertising can be targeted at target groups based on visitor patterns on kristiania.no.

By visiting kristiania.no, and consent to cookies, cookies for social media are installed in the browser so that Kristiania can set up targeted advertising.

Kristiania does not sell personal data we access through social media.

Here you can read more about cookies and what personal information is stored:

Facebook

Instagram

LinkedIn

Snapchat

TikTok
9.1 Sending newsletters

Loopify AS is Kristiania's partner for sending newsletters.

Our goal is for the information we send out to be as relevant as possible to the recipient. In order to adapt the information to your wishes and needs, as well as previous education, we ask for, among other things, your name, e-mail, and data about previous education. At the same time, this helps to avoid double email dispatches by avoiding duplicates in the database. We do not disclose the data to others.

A prerequisite for receiving newsletters with promotional content is that you have given your prior consent to this (does not apply to information that is necessary to communicate to you in connection with having applied for a place of study or being a student at Kristiania). You can request to be deleted from the distribution list at any time via behandlingsansvarlig@kristiania.no or unsubscribe via unsubscribe link in the newsletter.

Personal data that appears in communication with you as the recipient of our newsletters is deleted after 2 years if you do not unsubscribe earlier.

9.2 Chat/Telephone/Email/Personal attendance

Kristiania has a legitimate interest in maintaining the quality of customer follow-up. Therefore, chat, call data and emails are stored in our systems. When using chat, only the sender's IP address is logged, in addition to the content of the conversation. If we receive telephone calls, data about the time and duration of the call is stored. At the same time, telephone number data is stored for 30 days, before it is automatically deleted from our systems.

In case of personal attendance, we will log that the visit has taken place and what the purpose of the visit was. This data is used to increase the quality of guides at a later date. If this data is requested to be deleted, this will be done individually if we receive a notification.

E-mails are archived by category after the inquiry is answered. The sender and content in connection with e-mails are handled exclusively by Kristiania and the data is not shared with external actors.  Personal data that appears in communication with you as an applicant is automatically deleted when the admission for the current academic year has ended. Personal data contained in communication with you as a student or former student is stored in accordance with sections 10, 11 and 12 of this privacy policy.

9.3 Follow-up for sales

Once you have chosen a study programme, we will send out order and submission documents, surveys and follow-up emails related to your study and your relationship with Kristiania. We collect this data in order to complete the enrolment, and Kristiania has a legitimate interest in following up you as a student after the selection. This data is stored for two weeks.

If your transaction at our online shop is interrupted, we will send you emails with a reminder of the products you put in your shopping cart. We do this as an additional service, to make the buying experience with us as smooth and easy as possible.

9.4 Reservations in the Central Reservation Register

Kristiania adheres to the current rules for updating with respect to the Central Reservation Register, consent to or reservation against newsletters, and carries out ongoing maintenance of personal data with respect to publicly available sources.
10.1 Purpose and legal basis

We need to process personal data about applicants and students. We do this primarily to safeguard the data subjects’ rights and to fulfil our legal obligations our tasks and obligations under laws and study contracts . The Universities and University Colleges Act §§4-3, 4-15 and 4-16 and the Tertiary Vocational Education Act §§ 9 and 15 allow us to process information about you as an applicant and a student.

The legal basis for the processing of personal data about applicants and students depends on why we need to process your personal data.

For study administrative purposes (including admission to studies) we use a legal obligation, e.g., in the Universities and University Colleges Act (GDPR article 6. no. 1 c) or study contract (GDPR article 6. no. 1 b). In rare cases, we can use the public interest as a legal basis (GDPR article 6. no. 1 e).

Kristiania has a legitimate interest in processing personal data in some cases, for example when using an access card in our buildings. This interest must outweigh the interests of individual’s privacy (GDPR Article 6 (1) (f)),

We can obtain your consent (GDPR article 6. no. 1 a) for some processing activities, but we rarely use this basis. This can happen, for example, if we want to publish your photos on our website.

For special categories of personal data (for example health data) the legal basis is article 9 (2) a (consent), b (within areas of employment law/social security law), g (public interests).

As a general rule, your personal data related to admission and studies is stored in Kristiania's databases for as long as is necessary to carry out our legal obligations and our contracts with you, and in accordance with the regulations, with certain exceptions.

10.2 Application and admission processing

The purpose of collecting and storing your personal data is to process your application for admission to a study programme or course at Kristiania. The legal basis is our legal obligation under The Universities and University Colleges Act / the Tertiary Vocational Education Act.

You create an application profile and an application on our application portal, or in EVUweb, a web application for FS (for continuing education).

EVUweb is linked to the study administration system Common Student System (Felles Studentsystem, FS). This means that data registered in EVUweb is stored in FS. Data in FS is reported in various contexts to a number of parties / companies. See the privacy statement for FS.

When you submit your application, we will process this and the data you have entered, such as your name, address, telephone number, national identity number, e-mail address and password, data about your previous education and any work experience, with associated documentation, as well as any name of the employer with contact details (if you have provided it in cases where it is relevant).

In some cases, we will process health data related to your study situation (if you have provided it in cases where it is relevant). The legal basis for the processing of health data is the Norwegian Personal Data Act and the GDPR Article 9, no. 2 a), b) and g).

Kristiania can collect and store data from other sources if necessary for the application process and will also store admission case processing data.

We use Feide, which is the national solution for secure login and data sharing within the education sector. With Feide, users get secure and correct access to a variety of digital services with one username and password. Feide is developed and supplied by Sikt AS, who will have access to your FEIDE name and IP address. This is required to perform support and fix bugs in the service.

The personal data we have stored about you can be viewed in the application, and you can also correct the data there. In the application portal you can also see the status and the result of the case processing of your application.

When the applicant has become a student at Kristiania, the personal data is transferred to the Common Student System (Felles Studentsystem, FS), which is a study administrative system. A number of applications are associated with the study administrative system FS. That means that data entered into these applications is also stored in FS. Data in FS is reported in various contexts to a number of parties/enterprises. Read more about the processing of your personal data in FS.

As a general rule, your personal data is stored in the Common Student System (FS) forever. There are some exceptions:

Personal data related to actions you take in Studentweb, including your IP address, and for example whether you register for or withdraw from the exam, is stored for 365 days before it is deleted.

Personal data relating to sanctions cf. §3(7)(8), 4(8)(1) to (3) or 4(10)(3) of the Universities and University Colleges Act, are automatically deleted from the Common Student System six months after the sanction period has expired.

If Kristiania receives information that you are dead, we will delete your contact data. Any applications for admission, teaching and examination messages will be withdrawn.

Sensitive personal data is stored for a maximum of six years before it is deleted.

Access to personal data to applicants and students is limited by the need to safeguard their interests as an applicant/student at Kristiania. Persons with access can be employees in the student administration, academic staff, and managers.

10.3 Student register and student data

Personal data about you as a student is processed in our student administrative systems. In order to administer you as a student, it is necessary for us to process the following data:

Identity data (e.g., name, national identity number (11 digits), student number, D-number)

Contact data (e.g., address, telephone number, the college’s and private email addresses)

Employer and employer's address, if necessary

Information about previous education

Work experience, if any

Health conditions (e.g., in connection with extensions of leave of absence and facilitation)

Study contract

We can save your applications (e.g., for leave of absence, extension of exam time, etc.)

Warnings, complaints

Information on debt collection (if relevant)

Individual decisions in which the student is involved

In addition, data about the courses and studies you complete, as well as exam results (grades), is recorded and stored. This data is stored in the Common Student System (FS). The basis for this processing is legal obligation, provided by the Universities and University Colleges Act and the Tertiary Vocational Education Act.

Kristiania will send you important information regarding your studies both via the school and private e-mail address, and via SMS. This is so that you will notice important messages from us.

Kristiania uses Studentweb, a web application that allows you as a student to perform a number of study administrative tasks, such as semester registration. Studentweb also gives you access to the data that Kristiania has stored about you in the student administrative system Common Student System (FS), such as contact data and exam results. Studentweb is linked to the student administrative system Common Student System (FS). This means that data registered in Studentweb is stored in FS. Read more about the processing of your personal data in FS.

We collect the contact data of active and former students at Kristiania (private e-mail and private mobile phone number) from the central Common Contact Register (KORR), pursuant to the GDPR’s Article 6, no. 1 c), e), and §4(15) of the Universities and University Colleges Act. It is therefore important that you have correct data always registered here.

You can check and update data relating to yourself in Studentweb via My Profile or directly via the central Common Contact Register by logging in using BankID. The data is not disclosed to unauthorized persons.

This is data that Kristiania is required to keep in accordance with national decisions on archiving. The data is not disclosed to unauthorized persons.

If your employer pays for your education and wants data about your exam results, the college cannot disclose this data without your consent as a student.

We use student data (grades, study progression, drop-out, etc.) for statistical purposes internally. Student data is anonymised. We have a legitimate interest in using student data for internal analysis.

Students' personal data is transferred to a number of digital systems in order to provide students with the necessary services, such as library services, copy/print servers, room booking and welfare services.

10.4 Follow-up of active students

Contact data, guidance, data about health conditions and study progression will be processed in order to safeguard the individual student and study progression. This data is processed by the Student Administration pursuant to Article 6, no. 1 c) of the GDPR and §4(15) of the Universities and University Colleges Act and the Tertiary Vocational Education Act. Data is registered and stored in the Common Student System (FS), Kristiania's internal document management system and/or in our electronic archive system.

10.5 Registration of compulsory attendance

Some courses have compulsory attendance, where the college needs to register and check your attendance. Each course description specifies whether there is compulsory attendance. This processing is based on the Regulations concerning admission, courses, degrees and examinations at Kristiania University College, the Regulations relating to admissions, studies, and examinations at Kristiania Professional College, §4(15) of the Universities and University Colleges Act, and the Higher Vocational Education Act.

10.6 Access control

In order to give students access to college buildings via a student card, the college must process the students' photo, name and affiliation (e.g. "student"). The photo on the student card is stored in FS, and is also transferred to the student ID app, if the student chooses to use it. Read more about the student ID app here.

10.7 Who can access personal data about you?

We share information from FS with a number of organisations in accordance with the University and University Colleges Act and the Higher Vocational Education Act, including:

Statistics Norway

Lånekassen (“The Norwegian State Educational Loan Fund”)

Database for Higher Education (DBH)

Norwegian Agency for Quality Assurance in Education (NOKUT)

You can read more about who we share your personal data from FS with here.

About HKDir/DBH and the Student Barometer Survey.

Universities, university colleges and professional colleges have a legal obligation to disclose data to the Database for Higher Education (DBH). From 1 July 2021, DBH became part of the Directorate of Higher Education and Expertise (HKDir). Kristiania discloses data to HKDir/DBH based on GDPR, Article 6 no. 1 c, with a supplementary legal basis in the University and University Colleges Act, Section 2-1 no. 4 or the Tertiary Vocational Education Act, section 42. This applies to universities, university colleges and professional colleges.

NOKUT, which runs the Student Barometer, obtains data from DBH based on the GDPR, Article 6 no. 1 e, a task carried out in the public interest. You can read more about the survey in NOKUT’s privacy policy here.

Disclosure of data from FS for research or statistical purposes.

We occasionally receive inquiries from various agencies and institutions requesting information about applicants, current and former students for research purposes or for statistics. Such inquiries must always refer to a legal basis/grounds in order to be the subject of an assessment. A check is performed to ensure that there is a legal basis that allows for access and that it takes precedence over general provisions of the GDPR. The legal basis for the sharing of personal data is public interest, cf. GDPR, Article 6 no. 1 e. This basis is subject to a supplementary legal basis in Norwegian law, which is usually established in the University and University Colleges Act, the Higher Vocational Education Act and/or Section 8 of the Norwegian data protection law.

Which personal data we share depends on the research or statistics project but may include personally identifiable data (e-mail address and telephone number) and indirect personally identifiable data (such as programme of study, gender, age, admission criteria and examination results). Some projects do not collect direct personally identifiable information. It is possible to opt out of such processing by sending an e-mail to behandlingsansvarlig@kristiania.no. Examples of organisations we share data with include:

NIFU - Nordic Institute for Studies in Innovation, Research and Education. NIFU implements specialist candidate surveys/candidate surveys funded by the Ministry of Education and Research. We disclose personal data relating to your qualifications with us (bachelor's and master’s degrees). The data transfer goes via DBH.

Statistics Norway.

The period for which your personal data is retained by the recipients depends on the research or statistics project or your consent.

We also disclose personal data to the following third parties

10.8 Student welfare organisations

If you have paid the semester fee for the current semester or been granted a right to study in the last two months, the Student Welfare Organisation can access personal data about you from Kristiania. This is so that they know that you are a student and that you are entitled to student discounts on the student welfare services. The Student Welfare Organisation can access your national identity number (11 digits), your name, when you last paid the semester fee and the ID of your student card. The legal basis is Article 6. no. 1 of the GDPR (our legal obligations), with a supplementary legal basis in Sections 4 and 5 of the Student Welfare Organisation Act.

10.9 Norwegian Directorate of Immigration (UDI)

If you are not registered with a permanent residence permit in Norway, Kristiania will prepare a report about you regarding study progression and part-time work permits. You will receive the report in paper format from the college, and then you yourself give it to the Norwegian Directorate of Immigration (UDI). Read more in the UDI regulations.

10.10 The Norwegian State Educational Loan Fund (Lånekassen)

In order for you not to have to document that you are a student, that you have graduated and received results from partial studies abroad, the Norwegian State Educational Loan Fund receives this personal data about you directly from FS at the college. They also receive data about your national identity number/D-number (11 digits) and which university/college you are admitted to as a student. The legal basis is the GDPR Article 6, no. 1 c (our legal obligations), with a supplementary legal basis in §21 of the Student Financial Aid Act.

10.11 The Norwegian Diploma Registry (Vitnemålsportalen)

The Diploma Registry retrieves the students' national identity number (11 digits, possibly D-number or S-number), connection to the college, and exams the student has taken and passed, directly from the college's databases. The Diploma Registry ensures that the results shared are correct. Read more about the Diploma Registry here.

10.12 RUST – the National Student Exclusion Register

Excluded students are registered in RUST – the National Student Exclusion Register. The data is transferred to RUST pursuant to §3(7)(8), § (4)(8) (1-3), §4(10)(3) and §4(12) (1-3) of the Universities and University Colleges Act. When the sanction period has expired, personal data and data about the decision are automatically deleted from the register.

10.13 Supervised professional training locations

Supervised professional training locations receive the following personal data necessary for entering into and fulfilling the supervised professional training agreements: name of student, personal identification number, e-mail address, telephone number and salary (if applicable).

10.14 Sikt AS

Sikt AS processes personal data on behalf of Kristiania.

Sikt supplies and develops the Common Student System (FS) and processes personal data on behalf of Kristiania. Employees at Sikt who need it for their work, have access to your personal data in order to perform support and any error correction in FS.

It is possible to log in to the application portal and Studentweb with the login solution Feide, which is developed and delivered by Sikt AS. Employees at Sikt AS, who need it for their work, have access to your FEIDE name and IP address. This is in order to perform support and any bug fixes in the service.

You can read more about who we share your personal data from FS with here.
11.1 Canvas (digital learning environment system)

Canvas is a learning platform used by administration and teaching staff to support the implementation of teaching and exams. Canvas is used to communicate academic feedback to students from academic staff and for dissemination of messages between students.

Kristiania uses Canvas for teaching purposes. This means that Instructure, which develops and operates Canvas, will have access to your name, your role in the organisation, your username and your student email address, data taken from the Common Student System FS (such as name, email, course and study programme), student submissions and when the submissions occurred, individual feedback from teachers, debate contributions (forum) and various types of messages/notifications.

In principle, sensitive personal data is not processed in Canvas, but may be stated in student responses or dialogues.

Most of the personal data in Canvas is registered and managed by the data subjects. Data in Canvas is deleted when the student leaves the college.

Kristiania is committed to, and interested in, providing students with high quality and continuous education. Kristiania therefore has a legitimate interest in processing the student activity logs from Canvas. These logs are pseudonymised and processed using a machine learning algorithm that predicts and helps limit college drop-out rates.

We have a legitimate interest in developing and improving our study programmes so that our students are educated to the needs of the labour market and society. Kristiania therefore enters into agreements with external partners for, among other things, the development of specific study programmes as well as teaching. This is done through agreements with teaching staff and guest lecturers. In such cases, they will have access to relevant personal data about students in Canvas.

11.2 WiseFlow and other providers of digital exam systems

The basis for processing personal data in connection with digital exams is our legal obligation (Article 1 e GDPR), with a supplementary legal basis in §3(9) and §3(10) of the Universities and University Colleges Act, and §21 and §22 of the Tertiary Vocational Education Act.

At Kristiania, we use the digital exam system Wiseflow for a number of exams. In order for you to complete a digital exam, we send personal data about you to UNIwise, which develops and operates the Wiseflow system. They will have access to this personal data: Feide-ID, graduate number, other exam data from FS, IP address. Wiseflow collects all personal data from FS. WiseFlow is used for:

Preparation, administration, assessment and archiving of digital exams.

Submission, evaluation and archiving of exam answers.

Keeping copies of the students' exam results, including the examiners' comments.

In addition to Wiseflow, Zoom is also used for digital oral exams. We use Zoom provided by Sikt AS. Read more about Sikt’s Zoom here.

You can read more about digital exams here.

11.3 Frame.IO

In some subjects, Frame.IO is used for submission of assignments. Each student must create an account in Frame.IO and approve their terms of use and privacy policy.

11.4 Microsoft 365

Microsoft 365 is used for data storage for the college’s students and staff. The student can set up an integration with Microsoft 365 in Canvas, but no personal data is disclosed from Canvas to this system.We create a user account for all IT users in Kristiania. The user account is linked to your name and the school's email address. Read more about Microsoft 365 here.

11.5 URKUND by Ouriginal

We use URKUND to detect plagiarism and cheating during the exam. Data necessary for the processing of cases to detect plagiarism, will be disclosed to the board/committee that deals with cases.

The legal basis (processing basis) for processing data in URKUND is GDPR Article 6, no. 1c (legal obligation) and e (perform a task in the public interest), cf. no. 3b, with a supplementary basis for processing in §3(9) of the Universities and University Colleges Act (exams and grades).

11.6. LinkedIn Learning

Students can voluntarily use LinkedIn Learning, and the college has a legitimate interest in offering this solution as part of their teaching. LinkedIn Learning will help make teaching even more accessible and will support both digital teaching and classroom teaching. When you create a LinkedIn Learning account and sign in with Azure AD, your college username, college email address, and affiliation (e.g., "employee," "student") are shared with LinkedIn Corporation. This is personal data required to securely access the Service. Read more about LinkedIn Learning here.

11.7 Other internet-based teaching tools: voluntary use

As part of the implementation of effective teaching, Kahoot, Mentimeter, Padlet and various other systems available via the internet can be used. These systems may process personal data, and the individual student must approve the individual system's terms of use if they wish to participate in this part of the teaching. It is completely voluntary to use such systems.

Transfer of personal data to third countries when using digital learning solutions

Some digital learning solutions are cloud-based. Although in most cases the corresponding data centers are based on the European soil, some personal data processed in such solutions may be available outside the EEA (e.g., in the USA). This means that if you use such solutions, your personal information may be transferred to third countries. Such transfers are covered by appropriate safeguards. Kristiania uses standard data protection clauses adopted by the European Commission for the transfer of personal data. Read more in section 20 of this privacy notice.
Kristiania has a legitimate interest in contacting former students. In line with our strategy, we work actively and purposefully to become a working life university. Among other things, Kristiania ensures that the students have knowledge of working life. All former students are part of Kristiania's alumni network. Being part of an alumni network helps to strengthen a graduate’s career and professional development. The cooperation shall be sustainable and based on mutual benefit.

The following contact data is stored for 10 years after graduation: private email address, name and surname. We will contact you as a former student via your e-mail and ask for your consent to receive customised inquiries and data from Kristiania, such as newsletters with updates from Kristiania or invitations to events organised by Kristiania.

Kristiania uses an external partner to send newsletters and your personal data is stored in the database of this provider. The partner is subject to a data processing agreement in accordance with applicable legislation and this Privacy Policy. Personal data is not shared with others. Your e-mail address will be deleted if you unsubscribe from the newsletter. If you have other active consents, the email address will be stored as long as these are active.

You have the right to request deletion of your personal data or withdraw your consent at any time. Contact behandlingsansvarlig@kristiania.no if you do not want to be contacted after you have completed your studies.
13.1 Marketing

Photographs and video recordings of and from the college premises, teaching rooms, work areas, as well as façades, the cityscape etc. (hereinafter referred to as interfaces) are used for marketing purposes. These are recordings made by own and external photographers. These recordings can be found on the college's website, on social media, printed material etc.

In the case of photo and video recordings, subject is always informed that recordings are being made and consent is obtained. Where recordings are made with individuals and students, consent is obtained through the use of a declaration of consent.

When recording during larger events, or when many people are present, it is announced that photo and video recordings are being made. 

Our employees can be filmed in a teaching context. The basis for processing is agreement.

Photos or video recordings may be published in the college's interfaces, such as recordings made where you are part of a larger gathering or event. Photos or video recordings, excluding recordings of lectures, will be stored in the college's database for up to three years.

13.2 Streaming and recording of teaching

Kristiania offers digital teaching to students. During the pandemic, Kristiania has also increased the recording and streaming of classroom teaching in order to limit the spread of infection. We received positive feedback from students and will continue to use the recording and streaming of teaching in the future.

Due to the fact that some of our students do not have the opportunity to participate in classes in real time, it is important to be able to watch the teaching sessions as recordings in order to achieve the learning purpose. It is also a part of our systematic work within universal facilitation .

Teaching at universities and university colleges is an activity that is in the public interest.  In order to fulfil our social mission, it is important to be able now to offer alternative teaching. Public interest will generally be the legal basis when it is necessary to process personal data relating to students in connection with live-streaming and the recording of teaching in classrooms and digitally. The processing of personal data that is necessary to carry out an activity in the public interest is permitted pursuant to Article 6, no. 1e of the GDPR, with a supplementary legal basis pursuant to the Universities and University Colleges Act, §1(3), §3(8) concerning teaching, §4(2) concerning teaching plans, and §4(3) concerning students’ learning environment, as well as the Tertiary Vocational Education Act, §9 concerning the board’s responsibilities, and §15 concerning the learning environment.

Especially about online studies

The online students have weekly online gatherings together with the teacher and the other students. Streaming and recording of each gathering is made available to students afterwards. Recording of online teaching is an important part of the online teaching. The recordings can be used for repetition or by students who do not have the opportunity to participate directly. It is carried out in accordance with the relevant curriculum that determines whether it is necessary and appropriate to record online teaching. We need to perform streaming and recording of online studies in order to fulfil our agreement with you as an online student.

Consent will generally not be the legal basis for the processing of personal data relating to students in connection with streaming and recording of classes, with some exceptions. The recording of online teaching that will be published openly on the internet (outside of the university college’s teaching platform, which requires login in order to view recordings) requires consent from anyone who can be identified through audio or images.

For this reason, we encourage academic staff to record and share recordings from real-time teaching via online meeting tools, under the following conditions:

It will be possible for students not to appear/be heard in the recording by not turning on the microphone/image from the webcam. It must be possible for questions to be asked in chat.

Recordings from teaching, where the students can be identified, must only be available during the relevant semester.

Recordings from teaching are only shared with students in the relevant class.

We use Zoom for recording and streaming digital teaching. When a student logs in using their Feide user account, their first name, last name and college e-mail address will be sent to Sikt AS, which provides Zoom to the college. We use Panopto to produce, store and distribute video recordings for use in teaching.  When using Zoom for teaching, it is generally voluntary for students to participate with images, audio or video during the streaming of teaching. This is configured by the student with settings when connecting to the streamed teaching and can be changed by the student at any time for as long as the streaming takes place. It is also voluntary to send text via the chat function. It is sometimes necessary to share an image and/or sound in order to meet teaching requirements. Read more about Sikt’s Zoom here.

13.3 Streaming and recording non-teaching digital events

The legal basis depends on the type of event. Cf. §1(3) of the Universities and University Colleges Act, Kristiania shall, among other things, "contribute to distributing and disseminating results from research and academic and artistic development work", and "facilitate for the institution's employees and students to participate in public debate". If it is an event with such a purpose, the basis for processing is the public interest, with a supplementary legal basis in §1(3) of the Universities and University College Act. It may be our legitimate interest that the event is recorded. Our need to record must then be assessed against the rights of the participants.

We use Zoom for recording and streaming digital events. When using Zoom for digital events, it is generally voluntary for the public whether they want to participate with the use of image and/or sound during the streaming of the event. This is configured by the public with settings when connecting to the event and can be changed at any time during the streaming.

The speaker consents to recording by initiating the recording themselves, or it may be necessary to achieve the purpose of the agreement with the speaker. If anyone other than the speakers can become part of the recording, information must be provided in advance or at the beginning of the event that Kristiania is recording it, and that questions and comments from the auditorium using audio and video will become part of the recording.

If you would like photos or video recordings of you, as specified in §12.1 - §12.3, should be deleted, please contact the data controller behandlingsansvarlig@kristiania.no. Note that when using images on printed materials (for marketing), it will not be possible to have this deleted after it has been used. For photos or video recordings used in digital interfaces, deletion will be possible.
Universities and colleges are required to cooperate with educational institutions in other countries in order, among other things, to be able to offer higher education at a high international level, according to the Universities and University Colleges Act §§ 1-3, first paragraph, letter h) and 1-1, letter a). The Study Supervision Regulation §§ 2-2 (8) and 2-1 (2) establishes that accredited study offers / institutions have schemes for international student exchange.

International educational cooperation / student exchange is considered an «important public interest». Kristiania transfers personal data about students because it is necessary to perform a task in the public interest and in accordance with GDPR Article 6 (1) e.

Kristiania Professional College uses an agreement with the individual student in accordance with GDPR Article 6 (1) b as a legal basis for the transfer of students' personal information for the purpose of student mobility.

The purpose of the transfer is to facilitate the exchange of students between the partner school and Kristiania and the individual students' studies in the partner school.

14.1. Within the EU/EEA

Kristiania seeks to share as little information as possible. As a general rule, the following categories of data are shared with partner schools:

Nationality, name, date of birth and photo

Study programmes, basic education, diplomas, the college’s contact data and previous professional experience

The college’s e-mail address

Contact data for the person to contact in case of emergency

14.2. Outside the EU/EEA

Kristiania seeks to share as little information as possible. What kind of information our partner institutions need depends on an exchange programme and partner school country. As a general rule, the following categories of data are shared with partner schools:

Nationality, name, date of birth,

Study programmes, basic education, diplomas, language test results and previous professional experience

The college’s e-mail address

Motivation letter in internal exchange application

In connection with this type of student mobility, your personal information will be transferred to the partner school outside the EU / EEA area.

Kristiania ensures that the level of protection that will be achieved in practice is actually the same as in the EU/EEA, all factors taken into account. The EU Commission has determined that a certain number of countries outside the EU/EEA have an adequate level of data protection. Transfers to these countries will not require additional security measures.

In some cases, and in the absence of an adequacy decision, Kristiania may use the necessary guarantees in accordance with the GDPR’s Article 46, no. 2, or exceptions in accordance with Article 49, no. 1 c (because this is necessary for the conclusion or performance of a contract concluded in the interest of the student between Kristiania and the partner school).
To improve security in and at our premises, electronic access control and video/camera surveillance are used. This data is stored for 7 days before it is deleted. Motion data from access control is stored for 14 days.

We have a legitimate interest in preventing dangerous situations from occurring, facilitating the investigation of offences and ensuring the safety of employees and students.

Several CCTV cameras have been installed at the entrance to various buildings used by the University College and the Professional College. CCTV is used both for monitoring with and without the possibility of recording. Where there is CCTV, signage has been set up informing you that CCTV is in use. CCTV is mainly employed at the entrances and/or along the façades of the buildings. No audio is recorded during camera surveillance.

Access control is also a measure aimed at ensuring the safety of employees and students on the premises. In that connection, we store data about the use of access cards at different terminals installed in the buildings. We do not use the access control system to track the movements of employees and students.
The purpose of the processing of personal data about employees is to fulfil legal obligations and agreements. The legal basis for the processing of personal data relating to employees is the Personal Data Act and the GDPR’s Article 6, no. 1 a), b), c), e), f), Article 9, no. 2 a), b), and Article 88. Read more here.
Are you a student writing a master's or bachelor's thesis or a researcher? You can find all the necessary information about privacy in research here.

The legal basis

GDPR Article 89 (1) allows personal data to be processed for scientific or historical research purposes or statistical purposes if it is subject to appropriate safeguards to ensure the data subject's rights and freedoms. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation.

The legal basis for the processing of personal data in connection with scientific research is:

Article 6 (1) a (consent of the participant) or

Article 6 (1) e, when the project is to be regarded as a task in the public interest. For the processing of personal data in the public interest, a supplementary legal basis is required in national legal provisions. The supplementary legal basis is the Norwegian Personal Data Act § 8.

In addition, for the processing of special categories of personal data (health data, information on ethnic origin, sexual relations, or other sensitive personal data), one of the conditions in GDPR Article 9 (2) must be met. For scientific research purposes, the legal basis will as a general rule be:

Article 9 (2) a (express consent of the participant) or

Article 9 (2) j when "the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes". This is also in accordance with the Norwegian Personal Data Act § 9 which allows the processing of special categories of personal data without consent, if this is necessary for scientific research purposes and the public interest that the processing takes place clearly exceeds the disadvantages for the data subject.

The General Guidelines for Research Ethics, drawn up by national research ethics committees, state that consent is the main rule when researching people or with regard to data and material that can be linked to individuals. The consent shall be informed, express, voluntary and documentable. Consent requires competence to consent. Vigilance must be exercised to ensure real voluntariness where the participant is in a dependency relationship with a researcher or is in an unfree situation. Consent may be withdrawn at any time during the implementation of the research project.

Bachelor's and master's theses

Bachelor's and master's theses are considered research projects. If student intends to write a student assignment where it is appropriate to use personal data, different requirements apply, and a student must have permission before (s)he can start the thesis. All students have a responsibility to familiarise themselves with Kristiania's guidelines for processing personal data in research. Read more about privacy in research here.

NSD/SIKT

Kristiania has an agreement with the Norwegian Centre for Research Data (NSD, a part of SIKT - The knowledge sector's service provider) for advice on data protection issues in research. Health research projects must have prior ethical approval from the Regional Committee for Medical and Health Research Ethics (REK), in addition to a basis for processing in the GDPR.

All projects that process personal data will be assessed by NSD/Sikt. Researchers cannot initiate data collection, conduct interviews or send out surveys until the correct permission has been obtained. Read more on Sikt's website.

What personal information is collected and how long it is stored?

The personal data to be registered is assessed on the basis of what personal data is necessary to achieve the purpose of the research project. The main rule is that there should never be a greater degree of personal identification than is necessary for the purposes of the research project, according to the principles of data minimization and purpose limitation. The personal information can be pseudonymized or anonymised if possible.

Pseudonymized data is personal data where the name, national identity number and other direct person-specific characteristics have been removed and replaced by a number or code (link key), so that the data cannot be directly linked to an individual.

Anonymous data is data where names, national identity numbers and other unique personal characteristics have been removed, so that the data can no longer, directly or indirectly, be linked to an individual. Anonymous data is therefore not considered personal data.

Personal data collected for a research purpose cannot be used for other purposes without consent.

Information about what personal information is collected in each research project, as well as the purpose, the legal basis, how personal information is to be secured, who is to be shared with, how long it is stored, etc. must be made available through consent / privacy statement for each specific project.

Researchers, students and supervisors who have access to personal data have a duty of confidentiality.

Personal data shall not be stored for longer than is necessary to carry out the research project. If there is a need for storage beyond the period specified at the start of the project, new consent must be obtained, or an exemption must be sought.

Read more about data protection in research at Kristiania.
18.1 Information about how Kristiania processes personal data in logs from IT systems.

The legal basis for processing personal data in logs is our legal obligation to safeguard data protection and ensure daily operation of IT systems.

The purpose of logging the activity in IT systems is to administer systems, ensure stable operation and detect and resolve undesirable incidents.

The logs are categorised as:

operational logs – logs that are normally stored in the IT systems of Kristiania University College or its partners, and which contain data about the technical status of a solution but may also contain data about logins and other activities related to people.

application logs – logs from services that may contain data that identifies people and activities in applications.

Kristiania has general operational logs and application logs in its IT systems.
There are also flow logs, which contain data about which devices are communicating and how much data is being sent. This means that most of the activities performed by users of the systems will leave digital traces.

The data exists in the logs as part of a larger digital log activity. They are obtained from a variety of systems, where central machines ensure reliable traffic between users and the systems.

In principle, the logs are not disclosed, as they are intended as technical operational logs to ensure stable operation and to detect undesirable or abnormal incidents. They can be disclosed to the police or to the prosecuting authority on the basis of a court order. The director of the college may request that logs be disclosed as part of security measures in accordance with Articles 32 and 33 of the GDPR.

Logs are only available when needed to ensure the availability and security of the respective systems. Those who need access to search the logs must have a service need and such searches will also be logged. Everyone in the IT department has signed a non-disclosure agreement.
Kristiania's primary legal basis for processing personal data and health data related to the student clinic will be consent. Kristiania processes personal data about patients in accordance with the quality requirements of the Archives Act, the Patient Records Act, the Health Personnel Act and the Health Research Act. Read more about the student clinic here.

19.1 Data processed at the student clinic

Data about patients is stored in a digital patient record. It contains data about names, national identity numbers and contact data, as well as data about diagnosis, the course of a disease, treatment, information provided and other matters that may be of importance.

The personal data processed is assessed on the basis of what personal data is necessary in order to carry out an examination and provide treatment. As a general rule, data about you that has been collected for a particular purpose, cannot be used for any other purpose without your consent. Reuse of the data may occur for quality assurance purposes and for other purposes that are not incompatible with the original purpose.

Both the student who treats you and the supervisor are subject to a duty of confidentiality.

Data is collected in the form of conversations, examinations, treatment, observations, etc. Data may also be collected from other therapists, such as a GP or hospital, or from next of kin. In order for Kristiania to collect data from others, consent is generally required.

As a general rule, data registered about patients at Kristiania is only disclosed to the person to whom the data applies.

Kristiania has established guidelines for how medical records should be processed, stored and who can access them. The medical records data is stored electronically in a separate system.

Medical records must be stored until they are no longer assumed to be needed. When this is no longer the case, as a general rule, the medical records must be shredded in a satisfactory manner.
As a general rule, Kristiania does not transfer personal data to third countries, with some exceptions.

Kristiania uses a number of cloud-based solutions, such as Software as a Service (SaaS) solutions. This means that personal data processed in such solutions can be transferred to third countries outside the EEA (e.g., the USA) from where the cloud is administered.

Personal information can also be transferred to third countries in connection with student exchanges. Read more about this in part 14.

Kristiania uses standard data protection clauses adopted by the European Commission, or exceptions in accordance with Article 49 no. 1 GDPR for the transfer of personal data.

You have the right to receive a copy of standard data protection clauses if they are used to transfer your personal information to third countries.
21.1 Right to information and access

You are entitled to receive information about how Kristiania processes your personal data. This privacy policy is intended to contain the information you are entitled to receive.

You also have the right to see/gain access to all personal data registered about you at Kristiania. You also have the right to obtain a copy of personal data about you, if you wish.

21.2 Right to correction

You have the right to have incorrect personal data about you corrected. You also have the right to have incomplete personal data about you supplemented. If you believe that we have registered incorrect or inadequate personal data about you, please contact us. It is important that you justify and possibly document why you think your personal data is incorrect or inadequate.

21.3 Right to restriction of processing

In some cases, you may have the right to demand that the processing of your personal data be restricted. Restriction of personal data means that the personal data is still stored, but that the possibilities for further use and processing are restricted.

If you believe that your personal data is incorrect or inadequate, or have objected to the processing, you have the right to demand that the processing of your personal data be temporary or restricted. This means that the processing will be restricted until we have corrected your personal data or have been able to assess whether your objection is justified.

In other cases, you may also require a more permanent restriction of your personal data. In order to have the right to demand restriction of your personal data, the conditions of Article 18 of the GDPR must be met. If we receive a request from you for restriction of personal data, we will consider whether the conditions of the law are met.

21.4 Right to deletion

In some cases, you have the right to require us to delete personal data about you. The right to deletion is not an unconditional right, and whether you have the right to deletion must be considered in light of the Personal Data Act and the GDPR. If you wish to have your personal data deleted, please contact us. It is important that you justify why you want your personal data deleted, and if possible also state which personal data you wish to have deleted. We will then consider whether the legal conditions for requiring deletion have been met. Note that in some cases the law allows us to make exceptions to the right to deletion. For example, this will be the case when we need to store the personal data in order to fulfil a task we are required to perform by the Universities and University Colleges Act, or to safeguard important societal interests such as archiving, research and statistics.

21.5 Right to object

You may have the right to object to the processing if you have a special need to stop the processing of your personal data. Examples include if you have a need for protection, a confidential address, or similar. The right to object is not an unconditional right, and it depends on what is the legal basis for the processing and whether you have a special need. If you object to the processing, we will consider whether the conditions for objection are met. If we find that you have the right to object to the processing and that the objection is justified, we will stop the processing and you will also be able to demand deletion of the data. Note that in some cases, we may nevertheless make exceptions to deletion, for example if we need to store the personal data in order to fulfil a task we are required to perform pursuant to the Universities and University Colleges Act, or to safeguard important public interests.

21.6 Right to complain about the processing

If you believe that we have not processed your personal data in a correct and lawful manner, or if you believe that we have not been able to fulfil your rights, you have the option to complain about the processing. You can contact us via behandlingsanvarlig@kristiania.no or the data protection officer via personvernombud@kristiania.no.

If we do not comply with your complaint, you have the opportunity to lodge an appeal with the Norwegian Data Protection Authority. The Norwegian Data Protection Authority is responsible for ensuring that Norwegian enterprises comply with the provisions of the Personal Data Act and the GDPR when processing personal data. 
Questions about personal data should be addressed to the data protection officer at personvernombud@kristiania.no.

Any questions concerning your rights, for example, access and deletion must be directed to the data controller at behandlingsansvarlig@kristiania.no.
Kristiania may revise this privacy policy if there are changes to our processing of personal data or because of new personal data legislation. When the privacy policy changes, an updated version will be published on our website.