1. What is a privacy notice?
A privacy notice describes what personal data is processed, how it is processed, who is responsible for the processing, what your rights are, and who you can contact about your personal data. This privacy notice describes how UiO processes your personal data when you use USIT’s services and is a supplement to UiO’s general privacy notice, which is available here.
2. The purpose of, and legal basis for, processing personal data in USIT’s Services
2.1 Purpose
The purposes for which your personal data is processed in USIT’s Services are:
- Contact
- User administration
- Secure authentication
- Invoicing
- Security purposes
- Service quality
- Uptime
- Troubleshooting
- In some cases purposes linked to financial reporting
2.2 Legal basis
Where personal data is processed so that USIT’s Services can ensure correct invoicing and contact you in connection with projects you administer or in connection with the administration of your user in the service(s), the processing takes place in connection with our duty to deliver the service to you and/or your institution in accordance with the service and data processor agreement. The legal basis for this processing is, therefore, Article 6(1)(b) of the General Data Protection Regulation (GDPR).
For purposes related to financial reporting, the basis for processing is Article 6(1)(b) of the GDPR in combination with the regulations for financial management in the State. Your data may be processed for this purpose if you are named as a contact person, invoice recipient or otherwise in an agreement with USIT’s Services.
For purposes related to secure authentication, this will be based on USIT’s legitimate interest in making the service(s) secure and avoiding misuse. The legal basis for this processing is, therefore, Article 6(1)(f) of the GDPR. When your personal identification number is processed it is stored in encrypted form and, therefore, in the opinion of USIT, the subject’s interests do not override the data controller’s interests in relation to this processing. In the opinion of USIT, the conditions of Section 12 of the Norwegian Personal Data Act are also met since there is an objective need for secure authentication and no other equally good methods exist for achieving the same purpose.
For purposes related to further security, service quality, uptime and troubleshooting, processing is based on USIT’s legitimate interests in improving the service, correcting errors and detecting critical situations in it by facilitating the necessary logging of data during use. The legal basis for this processing is, therefore, Article 6(1)(f) of the GDPR. Security is a recognised legitimate interest and a prerequisite for the delivery of sound services. In the opinion of USIT, the subject’s interests do not override the data controller’s interests in relation to this processing.
3. What personal data do we process about you in USIT’s Services?
USIT’s Services only process data about you for the purposes and on the legal bases specified under clause 2 of this privacy notice, unless otherwise specified in the data processor agreement entered into with your organisation.
3.1 The data that can be processed:
- Full name
- National identification number
- Telephone number (project owners only)
- Log data about, inter alia, logins, time spent and VM components
- Information about customer contacts, authorised signatories and invoice recipients
The data is obtained from you and via use of the service. Personal identification numbers are received from the Norwegian Digitalisation Agency upon logging in. The Norwegian Digitalisation Agency is the data controller for this processing. For further information, see: http://eid.difi.no/nb/sikkerhet-og-informasjonskapsler.
USIT receives login details from UNIT and UNINETT upon logging in with FEIDE.
4. How long do we store your personal data?
Your data is held for as long as it is required to fulfil the purposes listed in clause 2. Data about you as a user of USIT’s Services and log data will be retained for as long as you are linked to a project in USIT’s Services. Information about customer contacts, authorised signatories and invoice recipients will be retained for up to 10 years.
5. Who can receive personal data about you?
As of today’s date, personal data is not disclosed to any third parties. Should this change in the future, this notice will be updated before such disclosure takes place.
6. Security relating to your personal data
UiO regularly conducts risk and vulnerability analyses of the computer systems we use in order to protect your personal data. Information security is a top priority in USIT’s Services and USIT regularly conducts risk and vulnerability analyses and assessments of the in-built data protection in the service(s). Security is always a priority and an ongoing process.
7. Your rights
You have the right to be informed how USIT processes your personal data. This duty to inform is satisfied by this privacy notice.
You also have the following other rights:
- Right of access
- Right to rectification
- Right to restriction of processing
- Right of erasure (right to be forgotten)
- Right to object to processing
8. Contact
The University of Oslo (UiO) is the data controller for personal data in USIT’s services. You can contact us at behandlingsansvarlig@uio.no.
You can also contact UiO’s data protection officer at personvernombud@uio.no.