Privacy and Data Protection
Data protection in research
Research activities that involve the processing of personal data must comply with applicable regulations relating to data protection in research.
Kristiania University College has the institutional responsibility for accommodating and ensuring that data protection requirements are met. There are several contact persons who can provide advice and guidance.
If you have questions regarding privacy and data protection, contact us by mail at forskadm@kristiania.no.
If you have more general questions about privacy policies, contact us at personvernombud@kristiania.no.
Data protection
- What is personal data?
Personal data is information that can directly or indirectly identify a person. Directly identifiable personal data is names, personal identification numbers, e-mail addresses, telephone numbers, IP addresses, photographs, voice recordings or other personal attributes. Indirectly identifiable personal data is background information that may make it possible to trace the information back to an individual, e.g. municipality of residence or institutional affiliation combined with information about age, gender, occupation, nationality, etc.
Research projects that will process personal data must be notified to SIKT – Norwegian Agency for Shared Services in Education and Research before the collection of personal data can commence.
- What are special categories of personal data?
Special categories of personal data, also referred to as “sensitive personal data”, require additional protection pursuant to the act.
This includes information relating to:
- race or ethnic origin
- political opinions
- religion
- philosophical beliefs
- trade union membership
- genetic data
- biometrics (when the purpose of the processing is to unambiguously identify someone)
- health
- sexual relationships
- sexual orientation
Generally speaking, special categories of personal data must not be processed. Exceptions may be made in cases for which there is a special basis to process such information in addition to the basis for processing. Research projects that will process special categories of personal data must be notified to SIKT and, if applicable, require approval from the REC. Please contact the Department of Research Administration and Internationalisation for further guidance.
- What are the relevant regulations relating to data protection in Norway?
In July 2018, the EU General Data Protection Regulation (GDPR) was incorporated into Norwegian law.
The Act relating to the processing of personal data (also known as the Personal Data Act) also includes provisions that adapt or supplement the GDPR in areas where Norway can establish national rules.
- What does “processing” of personal data mean?
Processing of personal data refers to collecting, registering, storing and, if applicable, compiling and disclosing personal data. The data subject (informant or respondent) must have provided informed consent (cf. information letters and consent) before the processing of personal data can commence.
- Who is the data controller?
The Data Controller is the institution/company/other legal person (represented by senior management) that determines the purpose of the processing of personal data and the aids that will be used.
- Projects that process anonymous data throughout the entire research process do not need to be notified to SIKT. In order for data to be considered anonymous, it must not be possible to link the data to personal data using a code or link key.
- When is data anonymous?
Anonymous data is data that cannot be used to identify individuals in any way,
- either directly through names or personal identification numbers
- or indirectly through background variables
- or through name lists/link keys or encryption formulas and codes
In other words, data material is not anonymous if only what is published in the final report, article, master’s thesis or similar is anonymised. Raw data must also be anonymous.
- Here are some of the methods that may be used:
- Data is recorded only in the form of notes (no audio recordings) in connection with interviews and observations. Ensure that no names or other personally identifying background data are recorded in the data material.
- Questionnaires must be collected as paper copies, without names or any indirectly identifying data.
- In order for the use of online questionnaires not to be covered by the act, it is important to ensure that the IT solution is completely anonymous (including ensuring that the e-mail/IP address of the respondent cannot be linked to the questionnaire at any time) and that the questionnaire itself does not contain any questions about identifying data. NOTE: All employees and students at Kristiania University College can use Nettskjema, which offers an anonymous solution.
- Register data and record data can be used without notifying SIKT, as long as only anonymous data is retrieved. It must not be possible to trace the data back to any individuals in any way. There is a large amount of anonymous register data available online, including from Statistics Norway, SIKT and Microdata.
- What does the principle of data minimisation mean?
Data minimisation is a legal personal data protection principle that limits the collection of personal data to only the data that is necessary for the purpose. As a researcher, you must only collect data that is relevant and necessary for the purposes of your research (Personal Data Act, Article 5, part 1C). It is therefore important that you carefully consider whether it is necessary to collect personal data in order to conduct the project investigations. Could anonymous data, i.e. data that cannot be traced back to individuals either directly or indirectly, serve the purpose of the project just as well?
Kristiania University College also recommends that project managers coordinate the collection and facilitate the reuse of data (Open Science).
- Draw up a Data Management Plan
A Data Management Plan (DMP) specifies who the Project Manager is, the project name, project period and key information about the data. The plan will describe which data will be collected, stored, processed and used, including how and by whom, while a research project is ongoing, as well as the storage location, retention period and what happens to the data after the conclusion of the project (whether the data will be deleted/archived/published).
Kristiania University College plans to use the information in the data management plan to keep an overview of the institution’s data registers. This is important to ensure that data storage complies with the GDPR and to ensure that data can be made available and coordinated between projects, as well as for reusing existing data (cf. Open Science).
- The SIKT digital data management plan can be edited and shared digitally. Please contact the Department of Research Administration and Internationalization for guidance.
- Projects funded by the EU must adhere to the instructions on data management in the Participant Portal H2020 Online Manual.
Do you plan to share collected data with partners outside of Kristiania University College? Please be aware that the sharing and processing of data are governed by law. Please contact the Department of Research Administration and Internationalization for important advice.
- Prepare information letters and declarations of consent
If you will be conducting interviews, distributing questionnaires or intend to use other methods to collect personal data for a research project, you will generally have to inform the informant (project participant) of the data collection in advance. This includes providing information about e.g. the purpose of the project, the methods that will be used, which information will be collected and the duration of the project. Read more about the content of information letters on the SIKT website.
If the processing of personal data is legally based on informed consent (GDPR Article 6(1)(a)), after informants have read the information letter, they must be able to freely decide whether or not they wish to participate in the research project. No research must be conducted on individuals or groups without these having explicitly given voluntary and informed consent to participate in the research. The information letter and declaration of consent must be worded using clear and simple language that can be understood by participants. The consent given by the research participant must subsequently be documentable, which, in most cases, would require a written signature on a declaration of consent.
If the processing of personal data is legally based on public interest (GDPR Article 6(1)(e)), you will still need to inform data subjects about the nature and purposes of data processing and their rights. Researchers are exempt from providing information letters to data subjects when the data has not been obtained from the data subject and such a notification would be impossible or involve a disproportionate effort (GDPR Article 14(5)(b)).
Use the Kristiania University College templates for information letters and declarations of consent.
- Consider whether you need to conduct a DPIA or RVA analysis
Some research projects need to conduct a data protection impact analysis (DPIA) or risk and vulnerability analysis (RVA analysis).
The necessity of conducting such analyses will depend on the special characteristics of the research project.
As an example, a research project that will process special categories of personal data must conduct a DPIA (GDPR, Article 35).
It is also recommended that some research projects map the probability and consequences of adverse events through an RVA analysis. RVA analyses have a broader scope than data protection impact analyses, as RVA analyses may also consider matters such as infrastructure, budget, available databases, personal safety, etc.
For further information and guidance, please refer to the section on “Assessment of privacy consequences and risks”
- Reporting the processing of personal data to SIKT - Norwegian Agency for Shared Services in Education and Research
Projects that will process personal data must be notified to SIKT. Please note that the duty to report applies even if you will not be publishing any personal data. Processing is considered to occur from the time at which data collection commences until the results have been published. You can notify your project to SIKT here.
Tips:
- Take the SIKT “duty to notify” test if you are unsure whether your project has a duty to notify.
- Read the SIKT tips to reduce assessment time. Assessment may take longer for complex projects.
- The SIKT contact person
The SIKT contact person at Kristiania University College is the person responsible for correct and proper compliance with the legal provisions relating to information security and internal control in the project. The contact person must be employed by the data controller institution.
- In researcher-led projects (including PhD projects), the contact person will be the Project Manager.
- In student-led projects (bachelor’s or master’s), the supervisor (or assistant supervisor or subject coordinator at the place of study) will be the contact person. The student cannot be the contact person.
- Collection of personal data abroad
Researchers and students at institutions in Norway that collect personal data abroad must notify SIKT in the same way as for data collection in Norway.
- Report any changes to SIKT
In the event of any changes relating to the processing of personal data in the research project after the project has been assessed by SIKT, you need to report those changes for a new assessment.
Further information about the changes that need to be reported can be found here.
- Anonymisation of data
Anonymisation involves processing data in such a way that no individuals can be recognised in the data you are left with. This includes the researcher. In other words, you need to assess your data and decide which data needs to be removed or rewritten.
Anonymisation usually involves:
- deleting directly identifying data (including link keys/name lists)
- deleting indirectly identifying data (or reworking such data using general classification of variables such as age, place of residence, school, or similar)
- deleting (or editing/censoring) audio recordings, photos or video recordings
If you use a data processor, the data processor must also delete any identifying data.
Personal data and health data must not be stored for longer than is necessary to complete the research project. When the project is finished, the Project Manager will be responsible for ensuring that research data is deleted or anonymised, unless long-term storage has been authorised by the REC/SIKT.
You are generally permitted to store anonymous data material after the conclusion of the project, as the GDPR does not apply to anonymous data. Nevertheless, you must always ensure that you have reworked the data material sufficiently to ensure that no individuals can be recognised. However, there are still some cases in which you will be required to delete the full data material. This applies, for example, if you have promised the sample selection that the data material will be deleted or when data owners, such as Statistics Norway, require you to delete the complete data material upon completion of the project.
Please note that you are not required to delete personal data in publications/theses. Personal data can generally be published, provided you have a scientific justification and you have obtained consent from participants. Please also refer to the Norwegian Data Protection Authority’s guide to anonymisation.
- Anonymization of data
The Project Manager must consider whether to anonymize personal data at the end of the project. The processing of anonymized data is not covered by the GDPR and the data can therefore be stored and retained for reuse (pursuant to the Open Science and FAIR principles).
- Deletion of data
At the end of the project, the Project Manager must ensure that personal data is deleted if there is no requirement for storage beyond the project period, e.g. in the event of prior approval from the REC, legal requirements or requirements from the external funder of the research.
The deletion requirement applies to all data in which the identity of the data subject is directly or indirectly available.
- Final report to SIKT
The Project Manager must submit a final report to SIKT/REC when the project has finished and, if applicable, confirm that personal data has been anonymized or deleted. Upon completion of a student project, the final report must be submitted immediately after examination.
- Student projects (at both bachelor’s and master’s level) must adhere to the principles that apply to research projects.
Some key points relating to the responsibilities of students have been listed below and are based on the internal guidelines for the collection of data in student projects (adopted by the Rector Office on 22/11/2021). The student must consider the cases in which these principles will apply.
- The student will not collect personal data in connection with student projects, thereby avoiding the duty to notify SIKT.
- The student will, subject to supervision from their academic supervisor, learn to collect anonymous data. This means that the student will:
– Not take audio recordings during interviews. A voice is considered personal data.
– Be able to conduct interviews by phone or Zoom without recording the conversation or making records of personal data.
– Use online forms with anonymous settings.
– Consider using anonymous data that is available through existing databases (such as Statistics Norway, SIKT, etc.)
- Students will never collect health information or other special categories of personal data that require e.g. REC approval and the use of the Service for Storage of Sensitive Data (TSD). This also applies if the materials and data will be subsequently anonymised.
- The student will, subject to supervision from their academic supervisor, adhere to the FAIR principles, which state that research data must be findable, accessible and reusable.
- The student will, together with their academic supervisor, consider whether the student project can be included as a sub-project in larger research projects that include personal data or health information.
In exceptional cases, personal data may be collected in connection with master’s theses. Such exceptions must be authorised by the academic supervisor. The following applies in these cases:
- The student, supervised by their academic supervisor, must consider which data is adequate and relevant to the purpose of the project and limit the collection of data accordingly (principle on data minimisation).
- The student, supervised by their academic supervisor, must prepare a data management plan and conduct a risk assessment on the project’s information security.
- The student, supervised by their academic supervisor, must draw up a declaration of consent and an information letter for their student project.
- The student, supervised by their academic supervisor, must submit a notification form to SIKT no later than 30 days before processing is scheduled to commence. The student must list their academic supervisor as the point of contact with SIKT.
- The student must never process special categories of personal data. It should therefore not be necessary to conduct a data protection impact assessment (DPIA) or report the project to the REC.
- The student will be subject to a duty of confidentiality relating to personal data processed in a student project: Please see Section 5 of the National Research Ethics Committees’ general research ethics guidelines and Section 4-6 of the University College Act concerning the Student’s Duty of Confidentiality.
The exception from this duty of confidentiality is cases where you identify matters for which you have a legal duty to avoid serious criminal offences.
- When the student project is finished, the student must ask the academic supervisor, who acts as the point of contact with SIKT, to submit a final report if the student project was registered with SIKT.
- The student, supervised by their academic supervisor, will consider whether personal data will be anonymised or deleted if there are no requirements for retention beyond the project period.
- Academic supervisors in student projects will provide students with the necessary training in data protection, research ethics and information security before students are able to start their student projects.
- The academic supervisor will train students to collect anonymous data. Anonymous health data may be collected, but the academic supervisor must ensure that students exercise caution when addressing serious health challenges.
- The academic supervisor has a duty to consider whether a proposed student project is subject to the Norwegian Health Research Act. If the project is subject to the Norwegian Health Research Act, the project cannot be implemented without being part of a larger research project.
- At Kristiania University College, student projects must never process special categories of personal data, including health data. The academic supervisor must be aware that student projects should not necessitate approval from REC, registration in the ClinicalTrials database or the use of the Service for Storage of Sensitive Data (TSD). It should also not be necessary to conduct a data protection impact assessment (DPIA). The academic supervisor is responsible for providing the student with clear information about this.
- In exceptional cases, academic supervisors may authorise student projects that include the collection of personal data. This does not apply to the collection of special categories of personal data (including health data), which is not permitted.
In these cases, the academic supervisor will be responsible for:
- Supervising the student with regard to the principle of data minimisation (limiting the collection of unnecessary data).
- Supervising the student with regard to the preparation of a data management plan and conducting risk assessments on the information security in the project.
- Supervising the student with regard to the preparation of declarations of consent and information letters for the student project.
- Ensuring that the student has reported the project to SIKT and listed the academic supervisor as the point of contact no later than 30 days before data collection is due to commence.
- Supervising the student with regard to the duty of confidentiality in connection with research projects. Please see Section 5 of the National Research Ethics Committees’ general research ethics guidelines and Section 4-6 of the University College Act concerning the Student’s Duty of Confidentiality.
The exception from this duty of confidentiality is cases where you identify matters for which you have a legal duty to avoid serious criminal offences.
- When the project is finished, the academic supervisor and the student must consider whether personal data should be anonymised or whether such data must be deleted if there are no requirements for retention beyond the project period.
- Ensuring that the student submits a final report to SIKT when the project has finished. It is important to ensure that this is done, as Kristiania University College could otherwise end up with a non-conformity notice.
- Here you can find an overview of the responsibilities of project managers. Certain duties can be delegated to project members. Not all of these items apply to all projects, but must be considered on a case-by-case basis.
- The Project Manager must consider whether the research project can be conducted without including personal data.
- The Project Manager must consider which data is adequate and relevant to the purpose of the project and limit the collection of data accordingly (data minimisation principle). Kristiania University College recommends that project managers collaborate on and coordinate the collection of personal data for multiple projects.
- The Project Manager must consider whether the research project is subject to the GDPR and should therefore be notified to SIKT.
- If the research process will involve the processing of personal data, the Project Manager must notify SIKT no later than 30 days before processing is scheduled to commence.
- The Project Manager must create a data management plan for the processing of data in the project. Please use the SIKT digital data management plan and contact the Department of Research Administration and Internationalization if you require assistance.
- The Project Manager must inform the Pro-Dean of Research and the Department of Research Administration and Internationalization before notifying SIKT or applying to REC, and must be able to present the application and report form upon request from the Research Manager.
- The Project Manager is responsible for ensuring data access control in the event that there is a need for confidentiality in connection with the processing of personal data in the project.
- The Project Manager must ensure that relevant and necessary documentation requirements are met in the project.
- If SIKT recommends conducting a Data Protection Impact Assessment (DPIA) pursuant to Article 35 of the GDPR, the Project Manager will be responsible for involving the Pro-Dean of Research, the Department of Research Administration and Internationalization and the Data Protection Officer to ensure that a DPIA is carried out prior to commencement of the project. Kristiania University College employees have free access to DRAFTIT’s digital DPIA solution. SIKT can also conduct DPIAs for a fee, but this must be approved by the Pro-Dean of Research.
- The Project Manager must consider whether the research project is subject to the Norwegian Health Research Act and whether there is therefore a duty to notify the Regional Committee for Medical and Health Research Ethics (REC).
- If the project is subject to the Norwegian Health Research Act, the Project Manager must submit an application for prior approval to the Regional Committee for Medical and Health Research Ethics (REC).
- If the project includes clinical trials, the Project Manager must register the project via the ClinicalTrials.gov website. Further information can be found in the “Health Research” section.
- The Project Manager must draw up a declaration of consent and information letter for the research project.
- The Project Manager must submit a final report to SIKT when the project has been completed, if SIKT has been notified of the project.
- The Project Manager must submit a final report to REC when the project has been completed, if REC has been notified of the project.
- The Project Manager must properly delete all data when the project has been completed.
- Norwegian Agency for Shared Services in Education and Research (SIKT)
The Norwegian Agency for Shared Services in Education and Research (SIKT) has access to data materials comprising thousands of datasets, to which you can request access. Some datasets are also available online. Read more at the SIKT search portal.
- Microdata.no
Microdata.no is a web page subject to SIKT, which facilitates the use of register data for research. Kristiania University College subscribes to microdata.no and can enrol users, subject to certain conditions. Users must be Kristiania employees or master’s degree or doctoral students. Such users may use microdata.no to prepare statistical results and analyses. Enrolment and access for employees will be valid for a period of 24 months, while enrolment for master’s degree and doctoral students will be valid for 12 months. Employees should contact the Department of Research Administration and Internationalization for further administrative guidance. Master’s degree students will receive guidance from their academic supervisors.
- Statistics Norway
Statistics Norway lends out microdata for research projects (subject to payment) and holds data relating to individuals, organisations and companies. Read more on the Statistics Norway website.
- Researchers/students who research information that has been made available online must report the project to SIKT if they process personal data.
- Examples
Processing of personal data may include:
- saving screenshots/documents from open and closed discussion forums that include usernames of discussion participants
- using direct quotes from websites. Quotes are searchable and can therefore be linked back to identifiable persons.
- Data minimisation and privacy disadvantages
Due to the large volume of data that can be accessed via online research, it is important to take into account how data collection can be minimised. Researchers should reflect upon the following:
- Which data is not necessary to conduct the project, but may be collected together with necessary data.
- Which measures can be taken to minimise such data.
- Which type of forums data is collected from and how public users consider these forums to be.
- How sensitive the data is and the degree to which the data is of a private nature.
- Whether the internet users are considered vulnerable groups.
As a general rule, data subjects should be furnished with information about the project and consent to participate in the study should be obtained. In certain cases, exceptions may be granted, such as when taking public interest into account as a basis for processing.
Further information about online research can be found on the SIKT website.
Online research is also associated with several ethical challenges. For further information about this, please refer to the NESH Research Ethics guidelines for online research.
- Prior approval from the Regional Research Ethics Committees (REC).
All research projects that are subject to the Norwegian Health Research Act are required to obtain prior approval from the regional Research Ethics Committee (REC). The REC approves applications pursuant to the Norwegian Research Ethics Act and the Norwegian Health Research Act.
Submission assessment: If you are unsure whether the project is required to obtain prior approval from REC, you can submit a submission assessment, which will provide REC with a basis for further guidance.
- How do I assess whether my project requires prior approval from REC?
Projects that must be pre-approved by REC:
- Medical and health research projects
- General research biobanks
- Other research projects that require dispensations from the duty of confidentiality pursuant to Section 13d of the Public Administration Act and Section 29-1 of the Healthcare Professionals Act.
Activities that are not subject to REC approval:
- Exploratory treatment for which the primary purpose is to provide healthcare to individual patients
- Quality assurance and evaluation are part of the health service. In the Ministry of Health and Social Care’s guide to the Health Research Act, quality assurance is defined as projects, investigations and evaluations for the purpose of checking that diagnostics and treatment provide results that are in line with expectations. Read more about the characteristics emphasised by REC in assessing quality assurance vs. project disclosure.
- Establishment of health registries without any links to a specific research project
- Technological and methodological development projects that use biological materials without any personal data being linked to the materials
- Use and disclosure of de-identified and/or anonymous data from one or more (linked) central/statutory health registers, unless otherwise stipulated in the regulations applicable to the registers
- Use of other anonymous data and assessment of health condition. Anonymous data refers to data for which names, national identity numbers and other individual characteristics have been removed so that the data can no longer be linked to an individual. The register owner is responsible for the anonymisation of data.
Further information about REC approvals can be found here
- How do you apply to the REC?
- In the CRIStin research documentation system, you will be able to find your personal ID, which must be registered on your personal card with the REC. Your CRIStin ID must be registered on your personal card in the REC application portal before the application is submitted to the REC.
- When/if the project is approved by the REC, the project will be automatically created in CRIStin (via the SPREK portal, which is the REC register of REC-approved research projects). At the same time, the Project Manager will receive an e-mail containing a link to the project. No duplicates of REC-approved projects may be created in CRIStin.
- Changes to REC-approved projects must be registered in CRIStin so that REC has access to the changes. How to edit a health project from REC in CRIStin.
- Submit a final report to REC
When the project has been concluded, the Project Manager must submit a final report to REC using a separate form. Information about the form can be found in the REC case portal.
- Health research and the duty to notify SIKT
The GDPR stipulates that all processing of personal data must have a legal basis for processing set down in the GDPR. The fact that the project has been registered with REC does not preclude registration with SIKT.
- Clinical trials must be registered in ClinicalTrials
Clinical trials must be registered in the European portal for Clinical Trials before the trial starts. Subsequent registration after the trial has started is not possible. The purpose of registration includes providing an overview of and transparency in relation to ongoing clinical trials for patients, healthcare personnel, authorities and research communities. Most medical journals require such registration in order to publish the results of clinical trials. More about Clinical Trials from the ICMJI.
Public registration of clinical trials will contribute to a greater degree of transparency in relation to ongoing clinical trials and will thereby increase participation in clinical trials and provide opportunities for access to experimental treatment. Chapter 8, Section 39 of the Norwegian Health Research Act clarifies that the Research Manager and Project Manager are responsible for ensuring transparency in relation to the research.
- Population-based health trials
The Regulations relating to population-based health trials govern the collection and processing of health data and human biological material in population-based health trials. Section 1-2 outlines the scope of application of the regulations.
- A risk assessment is a tool used to identify adverse events and the risk of these occurring.
The Project Manager must conduct a risk assessment before personal data is processed in a research project. The Project Manager must also conduct a risk assessment in the event of changes to conditions that could affect information security, for example changes to processing or the threat situation.
There are different types of risk assessments:
- An assessment of risk (for example in the form of an RVA) must always be conducted.
- The assessment of data protection impact (DPIA) must be conducted when required by law.
NOTE! An RVA does not replace a DPIA when a DPIA is required.
- Risk and vulnerability assessment (RVA)
This is the most extensive risk assessment. Before the project can process personal data, a risk and vulnerability assessment (RVA) must always be conducted in order to identify whether information security is appropriate and, if applicable, which measures must be taken in order to ensure appropriate information security. The RVA must also help prevent adverse events or shortcomings in the processing of personal data.
Key factors that are considered in an RVA are project scope, data sensitivity, the threat situation in relation to the environment in which the data is processed and stored and the duration of the project.
Use the Kristiania template for RVA assessments.
Important: For projects that use external data processors, the data processors must enter into data processing agreements with the data controller institution. The data controller institution must then have conducted an RVA of the project prior to entering into a data processing agreement, as the data processing agreement would otherwise not be valid.
- Data protection impact assessment (DPIA)
Article 35 of the GDPR requires data protection impact assessments to be conducted prior to projects of a particularly invasive nature. Examples include projects that process special categories of personal data on a large scale and the processing of health data for research purposes without consent from the data subject.
Read more about when DPIAs must be conducted. In borderline situations in which the Project Manager decides not to conduct a DPIA, this decision must be justified by the Project Manager.
A data protection impact assessment must always be prepared as a collaboration between the Pro-Dean of Research, the Kristiania Data Protection Officer, the Department of Research Administration and Internationalisation and the Project Manager.
All Kristiania University College employees can use the DRAFTIT digital solution to create a data protection impact assessment (DPIA) and pre-DPIA without incurring additional costs. If you do not have access to the DPIA module in Draftit, please send an e-mail to personvernombud@kristiania.no. Further training on DPIAs in Draftit has been published in the “GDPR” folder on the Kristiania intranet, under “Important tools”.
Read more about conducting DPIAs here. The Norwegian Data Protection Authority has created an extensive checklist, which addresses what you should consider when conducting a DPIA (PDF).
- Prior discussion with the Norwegian Data Protection Authority
Article 36 of the GDPR requires a prior discussion to take place with the Norwegian Data Protection Authority in cases where a data protection impact assessment (DPIA) has been conducted but it is found that processing could entail a high risk to the rights and freedoms of data subjects.
Read more about prior discussions with the Norwegian Data Protection Authority.