Privacy Policy for Employees

Personal data refers to all information that identifies or could identify a physical person. In connection with your appointment, we will process a number of items of personal data relating to you. This information is collected from you and from third parties such as the tax authorities, the Norwegian Labour and Welfare Administration (NAV) and former employers.

The following personal data is recorded in our systems:

Identity information:

• name
• age
• gender
• birth number and national identification number
• photo

Contact information:

• residential address
• e-mail address
• telephone number 

Information about third parties:

• contact information for next of kin
• information about your children and their ages

Other types of information:

• bank account number

We collect this information from you. Information such as name, position and work area is considered public information and may be published on our web pages unless the employee actively opts out. 

Based on our appointment process, we will process information from your application and your CV. The same applies to your degree certificates and diplomas, as well as confirmation that reference checks have been performed and our assessments of you. We collect some of this information from you, some from references and some is the result of our own assessments.

Health information

If you become ill, we also have to process information linked to any absence due to illness. In addition to self-certifications and medical certificates from your doctor, this also applies to information that emerges through the statutory follow-up on absence due to illness that we are obliged to carry out pursuant to the Norwegian National Insurance Act and the Norwegian Working Environment Act. We collect some of this information from you, some from your doctor and some will be the result of the assessment conducted by your manager.

On the basis of HSE regulations, it may be necessary to save information about accidents, personal injuries and non-conformity reports. There could also be a need to save information about allergies, including any food intolerance. Information linked to allergies/intolerance is provided by you, while information about accidents, injuries and non-conformity reports can either be provided by you or other employees. 

Trade unions

If you are a member of a trade union and we will be conducting salary deductions for trade union membership fees, we will need to store information about the membership. Such information is either provided by you or the trade union of which you are a member.

CCTV surveillance and access control

In connection with CCTV surveillance at the premises, the school takes recordings that may include your picture. Movement data is processed in connection with access control.

Other types of information/assessments

We store information about your appointment date, job description, minutes from employee appraisals and other follow-up meetings, e.g. in connection with the probationary period. Furthermore, we also store assessments about you, information relating to pay developments and other information linked to your career development with us. In addition to the information we collect from you, the sources for some of this information will be our systems and other employees, including your manager. This could include: recorded working hours, surplus hours, holidays and leave.

We also store information about any bonuses, expenses and reimbursement claims, travel expenses, insurance, pension schemes and credit card agreements. This information originates from you, your manager and our systems.

For positions for which a criminal record certificate is required, such certificates will be stored. This information is provided by you. 

Furthermore, information about leave, retirement and termination of employment (dismissal/termination) will also be stored. This information originates from you, your manager and our systems.

If you fail to fulfil your obligations under the employment relationship, it may also be necessary to store information about warnings and suspensions. Such information will originate from your manager and the HR department.

If you report any misconduct, information about you as the whistle-blower will be stored. Information about you will also be recorded if other employees report misconduct on your part. The name and e-mail address of the whistle-blower will be stored, unless the matter is reported anonymously.  Information about retention periods can be found in the section “How long do we store your personal data for”.

We can use your address and telephone number to send flowers in connection with special occasions unless you actively opt out.

In connection with employee mobility within an Erasmus cooperation, the employee’s name, school e-mail address and mobile number may be transferred to partner schools in the EU/EEA. This is governed by the Erasmus agreement and OLA (Online Learning Agreement). 

We have a legitimate interest in conducting internal questionnaires among employees. Responding is voluntary. The purpose of the questionnaires is to improve working life for our employees.

Here you can find an overview of the most important purposes of processing your personal data.

• We process your personal data in order to fulfil our obligations, as an employer, to you and to the public authorities.

 

• We process information about people who apply to work for us by assessing them as candidates and conducting a recruitment process.

 

• In order to manage the employment relationship and follow up on your working situation, we need to know who you are (your identity) and the qualifications, experience, etc., that you have. We also need to process a number of items of data that are generated based on the work you perform and the follow-up we conduct.

 

• In order to pay salary and other benefits in accordance with the agreement, we need to process various pieces of information about you. This could include your bank account number, personal identification number, timesheets, any deductions of trade union membership fees and any other deductions from salary/holiday pay.

 

• If we want to use your picture to market our business or any of our products/services, we will do so only in cases to which you expressly consent. We would like to make you aware that you can withdraw your consent at any time. If you withdraw your consent, this will not affect brochures, commercials and study programme directories that have already been produced. 

 

• If we wish to use your picture(s) at www.kristiania.no and the intranet, we will do so only in cases to which you expressly consent. We would like to make you aware that you can withdraw your consent at any time.

 

• As part of HR administration and, among other things, to maintain a completely safe and proper working environment we, as an employer, have a duty to follow up on complaints, reports, warnings, etc. We use various items of information that are generated on the basis of your work with us for this purpose.

 

• In order for us to fulfil the requirements set down in the Norwegian Bookkeeping Act, we need to store information to document bookkeeping. This primarily refers to information related to pay but can also include overviews of hours (timesheets), bonuses, etc.

 

• CCTV surveillance and access cards contribute to safety at school premises and the school may process various items of personal data relating to you in this context.

 

• We also process your personal data in order to organise registrations for both mandatory and voluntary meetings, such as all-hands meetings via digital platforms.

 

• Because it is necessary to perform your work tasks (this applies, for example, to the use of digital solutions such as Zoom and Panopto). 

The legal basis for the processing of personal data relating to employees is Article 6 no.   1 a), b), c), e), f), Article 9 no. 2 a) b), Article 88 of the Norwegian Personal Data Act and the General Data Protection Regulations. This includes:

• that this is necessary to fulfil the employment contract we have entered into with you
• that we are required to do so through legislation (such as the Norwegian Working Environment Act, the Norwegian Archives Act, the Norwegian University and University College Act, the Norwegian Vocational College Act and the Norwegian Accounting Act)
• that we, as a business, have a legitimate interest that exceeds the privacy disadvantages incurred by you (such balancing of interests will be available in writing)
• that you have consented to the processing of your personal data – with the exception of the publishing of photographs, consent is not frequently used as the basis for processing – that any consent is provided in writing

Internally

We store information in electronic and physical employee folders. Information is available only to the HR department, the finance department and your immediate manager. Only employees who require access to personal data in an official capacity will be given such access. Information about your name and school contact details is available to other employees.

Data processors

We use a number of data processors that process personal data about our employees on our behalf. Below you can find an overview of the most important categories of such data processors with which we have agreements:

Businesses that help us with payroll:

• Tieto Evry supplies Unit 4 Enterprise Resource Planning (ERP), see the Privacy Policy
• Maksit, see the Privacy Policy

 

Businesses that help us with various systems, such as the HR system, recruitment system and contract system:

• CatalystOne Solutions AS, our HR-system supplier
• Recruitment Manager, see the Privacy Policy
• ReachMee, see the Privacy Policy
• Canon Scrive, see the Privacy Policy
• Simployer AS, see the Privacy Policy
• Microsoft Office 365, see the Privacy Policy
• TimeEdit

 

Other partners 

Businesses that may receive information in connection with recruitment:

• Semac background check in connection with recruitment, see Semac’s Privacy Policy.
• Samtext Norway AS – translation agency that censors personal data on degree certificates and diplomas, see Samtext Norway AS’ Privacy Policy
• NOKUT – the Norwegian Agency for Quality Assurance in Education – turbo assessment and advisory services, see Privacy Policy.
  
  

In order to manage our pension and insurance schemes, relevant information is shared with Pareto Forsikringsmegling, including Sparebank1, Protector Forsikring, Europeiske Reiseforsikring and DNB.

We use Avonova for our occupational health service. Relevant information may be shared with Avonova in situations where this is necessary, see Avonova’s Privacy Policy.

In connection with the disbursement of pay, relevant personal data will be shared with our banking partner Nordea Bank AB, Norway Branch, see Nordea’s Privacy Policy.

When you travel in connection with work, information about your travel will be processed by BCD Travels AB, see BCD Travels AB’s Privacy Policy.

The Visma Purchasing Portal is one of the employee advantages available to our employees, with discounts for various companies. Employees register independently to take advantage of the discounts, see Visma’s Privacy Policy.

Euroflorist is used when ordering flowers for employees through the discount agreement with Visma Purchasing Portal. In connection with gifts for employees, we use our partner IDÉ House of Brands. See Euroflorist’s Privacy Policy and IDÉ’s Privacy Policy.

  

Group  

Kristiania Professional College, including ESMOD and the Bårdar Academy, are wholly-owned subsidiaries of Kristiania University College and we share a range of personal data. As a Group, we share the same digital systems, including in relation to administration. Nevertheless, we have introduced strict access control and personal data is shared only when strictly necessary and appropriate. 

  

Public authorities  

Public authorities may require us to disclose personal data relating to our employees. For us, this is particularly relevant in relation to the Norwegian Labour and Welfare Administration (NAV), the Norwegian Tax Administration, the Norwegian Labour Inspection Authority and the Government Pension Fund. In relevant cases, the Norwegian Directorate of Immigration may also receive personal data relating to our employees.

Disclosure of data from FS for research or statistical purposes.

We occasionally receive inquiries from various agencies and institutions requesting information about teaching staff and researchers for research purposes or for statistics. Such inquiries must always refer to a legal basis/grounds in order to be the subject of an assessment.  A check is performed to ensure that there is a legal basis that allows for access and that it takes precedence over general provisions of the GDPR. The legal basis for the sharing of personal data is public interest, cf. GDPR, Article 6 no. 1 e. This basis is subject to a supplementary legal basis in Norwegian law, which is usually established in the Section 8 of the Norwegian data protection law.

Which personal data we share depends on the research or statistics project but may include courses (s)he teaches in or the school name. It is possible to opt out of such processing by sending an e-mail to behandlingsansvarlig@kristiania.no. Examples of organisations we share data with include:

• NIFU - Nordic Institute for Studies in Innovation, Research and Education.
• Statistics Norway.
  
  

The period for which your personal data is retained by the recipients depends on the research or statistics project or your consent.

Your privacy when joining the canteen scheme  

If you want to participate in the lunch scheme in Oslo, Kristiania will share your personal data (email address, position percentage, and canteen affiliation) with our two canteen operators Toma and  4Service gruppen AS.

If you want to participate in the lunch scheme in Bergen, Kristiania will share your personal information (full name) with our canteen operator Sammen. 

The purpose of the processing of personal data is to offer you a discount/refund on food in our canteens.  

The legal basis for processing and sharing personal data is a legitimate interest. Kristiania has a legitimate interest in arranging the lunch scheme for employees, so that employees get a discount on food and we can gather in the canteens and meet colleagues for pleasant conversations. 

Read more about your privacy when joining the canteen scheme (English below). 

 

Systems related to specific roles at Kristiania 

Due to your position at Kristiania, you may be required to use various IT services to perform your work. These IT services can store personal information about you. It depends on the service, and what function you have at Kristiania. 

Many of these services develop a user profile on you. Some services may also log your activity for various reasons, such as security, operational or service development considerations. 

Some employees will be registered in systems used in connection with their specific position in order for them to perform their duties: Feide, Common Student System (CSS), the Canvas (Instructure) learning portal, Zoom, the video recording service Panopto and similar systems. This processing is necessary for the fulfilment of the employment contract, cf. (GDPR) Article 6, no. 1 b).   

When social media is used, the guidelines applicable to the social media service shall apply. When the school is a joint data controller together with a service provider, information about this will be provided in the service.  

 

Quality work 

As part of quality work, Kristiania will process information about courses and course evaluation from students that may contain indirectly personally identifiable information about academic staff. Staff characteristics that can be linked to specific course leaders can emerge from the students' answers in free text fields.   

Personnel characteristics will never be published and shall only be stored for internal use with limited access. This processing is necessary for the fulfilment of our legal obligations in accordance with art. 6 (1) (c) GDPR with a supplementary legal basis in the University and University Colleges Act §4-3 on the learning environment and Regulations on control of the quality of education in higher education (studietilsynsforskriften) §4-1 (“Requirements for the systematic quality work”). 

 

Zoom and Panopto in particular 

Participation with images and/or sound during the streaming is normally required when using Zoom for teaching, meeting and conference activities. This is managed by the employee through settings at the time of connecting and can be changed completely by the employee at any time. When an employee logs in using their Feide user account, their first name, last name and school e-mail address will be sent to Sikt AS, which supplies Zoom for the school. We use Panopto to produce, store and distribute video recordings for use in teaching. These processing activities are necessary for fulfilment of the employment contract in accordance with art. 6 (1) (b) GDPR. 

We will store personal data relating to you for as long as necessary for our processing and in accordance with the retention requirements set down in laws and employment contracts. For as long as the employment relationship remains in force, it is necessary for us to store a range of information relating to you, but we will delete much of this information when the employment relationship comes to an end. In connection with CCTV surveillance, recordings are stored for seven days. In connection with access controls, movement data is stored for 14 days.

You can find an overview of how long we store your personal data for in the table below. For other documents, we are subject to the archiving obligations set down in the Norwegian Archives Act. This also applies after the employment relationship has come to an end.

General rule: all documents relating to employees must be stored in the respective employee folder and be subject to restricted access.

Deletion: When the document has been drawn up (and signed, if applicable), the document must be deleted from the PC and any e-mail dialogue must also be deleted. Any paper notes must be shredded.

Below you can find an overview of the different document types and the rules applicable to storage and retention (applies to both documents and the separate personal data contained therein). No other documents are stored in connection with the employment relationship. 

Document	Retention period	Comments
Recruitment
CV	Stored for the duration of the employment relationship. Deleted when the employee leaves.
Application	Stored for the duration of the employment relationship. Deleted when the employee leaves.
Certificates	Stored for the duration of the employment relationship. Deleted when the employee leaves.
Confirmation of reference checks	Stored for the duration of the employment relationship. Deleted when the employee leaves.
Degree certificates and diplomas	Stored for the duration of the employment relationship. Deleted when the employee leaves.
Agreements
Employment contract	Stored for the duration of the employment relationship. May be retained for longer if dictated by a legal obligation or legitimate interest.
Role description	Stored for the duration of the employment relationship. May be retained for longer if dictated by a legal obligation or legitimate interest.
Amendment letter Individual agreements entered into after the employee has joined the company.	Stored for the duration of the employment relationship. May be retained for longer if dictated by a legal obligation or legitimate interest.
Pay verification letter	Stored for the duration of the employment relationship. May be retained for longer if dictated by a legal obligation or legitimate interest.
Additional duties	Stored for the duration of the employment relationship. May be retained for longer if dictated by a legal obligation or legitimate interest.
Supplementary agreements	Stored for the duration of the employment relationship. Deleted when the employee leaves.
Commission assessments	Stored for the duration of the employment relationship. Deleted when the employee leaves.	Refusals are stored until a new commission assessment has been approved.
Leave	Leave that has been granted will be stored for the duration of the employment relationship. May be retained for longer if dictated by a legal obligation or legitimate interest.
Warnings	Retained for five years, unless specific new circumstances (e.g. new warnings or other misconduct) indicate that they should be retained for longer.
Follow-up plan (Sick leave)	Stored for the duration of the employment relationship. Deleted when the employee leaves.
Course certificates	Stored for the duration of the employment relationship. Deleted when the employee leaves.
Employee appraisals	Retained for up to ten years, but always deleted when an employee leaves.
Misconduct warnings	Stored for the duration of the employment relationship. May be retained for longer if dictated by a legal obligation or legitimate interest.	Any warnings that are clearly baseless must be deleted immediately.
Other

Right to information and access 

You are entitled to receive information about how Kristiania processes your personal data. This privacy policy is intended to contain the information you are entitled to receive. 

You also have the right to see/gain access to all personal data registered about you at Kristiania. You also have the right to obtain a copy of personal data about you, if you wish. 

Right to correction 

You have the right to have incorrect personal data about you corrected. You also have the right to have incomplete personal data about you supplemented. If you believe that we have registered incorrect or inadequate personal data about you, please contact us. It is important that you justify and possibly document why you think your personal data is incorrect or inadequate. 

Right to restriction of processing 

In some cases, you may have the right to demand that the processing of your personal data be restricted. Restriction of personal data means that the personal data is still stored, but that the possibilities for further use and processing are restricted. 

If you believe that your personal data is incorrect or inadequate, or have objected to the processing, you have the right to demand that the processing of your personal data be temporary or restricted. This means that the processing will be restricted until we have corrected your personal data or have been able to assess whether your objection is justified. 

In other cases, you may also require a more permanent restriction of your personal data. In order to have the right to demand restriction of your personal data, the conditions of Article 18 of the GDPR must be met. If we receive a request from you for restriction of personal data, we will consider whether the conditions of the law are met. 

Right to deletion 

In some cases, you have the right to require us to delete personal data about you. The right to deletion is not an unconditional right, and whether you have the right to deletion must be considered in light of the Personal Data Act and the GDPR. If you wish to have your personal data deleted, please contact us. It is important that you justify why you want your personal data deleted, and if possible also state which personal data you wish to have deleted. We will then consider whether the legal conditions for requiring deletion have been met. Note that in some cases the law allows us to make exceptions to the right to deletion. For example, this will be the case when we need to store the personal data in order to fulfil a task we are required to perform by the Universities and University Colleges Act, or to safeguard important societal interests such as archiving, research and statistics. 

Right to object 

You may have the right to object to the processing if you have a special need to stop the processing of your personal data. Examples include if you have a need for protection, a confidential address, or similar. The right to object is not an unconditional right, and it depends on what is the legal basis for the processing and whether you have a special need. If you object to the processing, we will consider whether the conditions for objection are met. If we find that you have the right to object to the processing and that the objection is justified, we will stop the processing and you will also be able to demand deletion of the data. Note that in some cases, we may nevertheless make exceptions to deletion, for example if we need to store the personal data in order to fulfil a task we are required to perform pursuant to the Universities and University Colleges Act, or to safeguard important public interests. 

Right to complain about the processing 

If you believe that we have not processed your personal data in a correct and lawful manner, or if you believe that we have not been able to fulfil your rights, you have the option to complain about the processing. You can contact us via behandlingsanvarlig@kristiania.no or the data protection officer via personvernombud@kristiania.no. 

If we do not comply with your complaint, you have the opportunity to lodge an appeal with the Norwegian Data Protection Authority. The Norwegian Data Protection Authority is responsible for ensuring that Norwegian enterprises comply with the provisions of the Personal Data Act and the GDPR when processing personal data.