Privacy Policy and cookies

BI as data controller determines the purpose of processing personal data. All processing of personal data shall have a specific, explicitly stated purpose that is legitimized in BI's business. This follows from Article 5 (1) (b) of the GDPR, which states that personal data shall be collected for "specific, explicit and legitimate purposes".

Personal data collected is consequently limited to what is necessary to fulfil the purpose of the processing.

Personal data collected for one specific purpose cannot be used for another purpose later. A new assessment must then be made as to whether there is a processing basis for the new purpose.

BI uses many systems in teaching and in following up with students. Information is compiled from these systems and the purpose of this is to improve BI's services through learning analysis, various analyses, and statistics, including the use of prediction models. Information from analysis tools can also be used in research where the conditions of GDPR are met.

In order to process personal data, in addition to the purpose, there must be a lawful basis. The General Requirements for Lawfulness result from GDPR Article 6. For the processing of sensitive personal data, an additional legal basis governed by Article 9 of the GDPR is required. The legal basis must be met before processing of personal data begins.

Necessary to fulfil a contract with you
The purpose of BI's processing of personal data is in line with the contracts we have entered into with you.

Legal obligations
BI processes personal data to fulfil its obligations under law, regulations or government decisions. This includes control and reporting to public authorities such as police, tax, NAV, Database for statistics on higher education (DBH) various supervisory authorities or reporting duty to the Norwegian Centre for Research Data (NSD).

Vital interests
BI can process personal data if it is necessary to safeguard a legitimate interest that weighs heavier than the individual's privacy policy. The vital interest must be legal, defined in advance, real and justified in the business. This can be in connection with international accreditations such as AACBS, EQUIS, AMBA and analyses based on profiling for marketing purposes.

Consent
If no other processing basis is available, BI's processing of personal data will be based on a voluntary, express and informed consent from you.

If you have given your consent to BI, you have the right to withdraw this at any time. If you withdraw your consent, the processing will cease and the personal data will be deleted if the processing is solely based on the consent given. The consent can be withdrawn by sending an e-mail to info@bi.no.

Personal data that is registered and processed about you depends on the role you have at BI. Detailed information on the role can be found in point 4.

It is your role in each individual case when processing personal data that is crucial.

I am:

• Interested and visiting BI’s websites
• Applicant
• Student
• Alumni
• Employed (permanent / temporary) or hired consultant / contractor
• PhD candidate
• Researcher
• Research Participant / respondent
• Student writing a Bachelor or Master's thesis

An individual data subject is a person to whom the personal data can be linked. The processing of personal data shall constitute as little intervention as possible for the individual data subject, based on what is practical, technical and financially possible. As an individual data subject, you therefore have important rights that must be safeguarded.

Right to be informed
All information you need to know about BI's processing of personal data must be included in the privacy statement.

Right to access
You have the right to know what personal data BI processes about you. If you request access, you will receive a copy of your personal data, the purposes for which they have been used and whether the data has been passed on and to whom.

If, in the interest of the protection of other persons or disclosure of breaches of laws and regulations, BI may not give you access if this is necessary and the conditions for it are fulfilled.

• Access request template (pdf)

Right to rectification
If you find that BI has registered incorrect, outdated or incomplete data about you, you have the right to have these rectified or updated.

If the rectification of errors applies to information submitted by others, requests for rectification must be directed to them.

Right to deletion
You have the right to ask us to delete personal data about you. If you wish to have your personal data deleted, please contact personvernombud@bi.no. Upon inquiry, it is important that you justify why you want the personal data to be deleted, and state which personal data you want to be deleted.

Legislation gives BI the opportunity to make exceptions from the right to deletion. For example, when we process personal data to fulfil a legal obligation, or to safeguard important societal interests such as archiving, research, and statistics.

Right to object
You have the right to object to the processing of your personal data under certain conditions, if the processing is based on legitimate or general interest, or the exercise of public authority. Examples are processing that involves direct marketing, profiling or if it occurs in regard to scientific / historical research or statistics.

Right to restriction of processing
In some cases, you may have the right to restrict the processing of your personal data. Restricted processing means that personal information is still stored, but that it cannot be used for anything. You can find more about the right to restriction at the Data Protection Authority.

Right to complain
If you believe that BI has not processed your personal data correctly and lawfully, or if you believe we have breached your rights, you have the right to complain about the processing.

If you believe that BI processes your personal data in violation of regulations or if you wish to avail yourself of your rights, you can send the request to personvernombud@bi.no. The Data Protection Officer shall safeguard the privacy interests of both stakeholders, students and employees at BI. If we do not accept your complaint, you have the opportunity to submit the complaint to the Data Protection Authority. The Data Protection Authority is responsible for verifying that Norwegian organisations / companies comply with the provisions of the Personal Data Act and the Data Protection Regulation when processing personal data.

BI does not disclose personal data about you to third parties, unless there is a valid legal basis or if you have given specific consent to this. This applies to information to (not exhaustive list):

• Norwegian State Educational Loan Fund
• Digital learning systems
• NOKUT- Norwegian Agency for Quality Assurance in Education
• DIKU – Norwegian Agency for International Cooperation and Quality Enhancement in Higher Education
• AACSB - American Accreditation Body
• EQUIS - European Accreditation Body
• AMBA - European Accreditation Body
• BIBSYS - library system supplier
• Norwegian Centre for Research Data (NSD)
• Database for Statistics on Higher Education (DBH)
• Statistics Norway (SSB)
• Norwegian Institute for Studies of Innovation, Research and Education (NIFU)
• The Norwegian Directorate of Immigration (UDI)
• SBIO - The Student Union at BI Norwegian Business School
• The Student Welfare Organisation in Oslo and Akershus (SiO)
• NAV
• Police and tax authorities
• Other educational institutions

BI provides personal data to partners and partner institutions in countries outside the EU / EEA area and to the United States, in addition to countries within the EU / EEA area, when there is a legal basis and necessary guarantees.

BI primarily processes personal data provided by you. If there is a need for additional personal data about you, this will be collected from various public authorities depending on your role and function.

BI keeps data as long as it is necessary to carry out legal obligations, and in accordance with regulations. As a rule, data will be deleted when this need expires, unless we have a legal obligation to keep them according to other regulations, such as the Archives Act, the Accounting Act or the Act relating to Universities and University Colleges.

Personal data at BI are secured by several means. BI regularly performs risk and vulnerability analyses, and tests the security to secure your personal data.

Employees who process your personal data are subject to a duty of confidentiality, and this also applies to employees of subcontractors.

The use of cookies is standard technology. The Electronic Communications Act of 2013, Section 2-7b regulates the use of cookies. A cookie is a small text file that is added to your browser's internal memory. By setting a cookie, we can store information on how you navigate the website and collect useful statistics that we use to improve our website.

Most browsers (Google Chrome, Firefox, Internet Explorer, Safari or Opera) are set to accept cookies automatically, but you can choose to change the settings yourself so that cookies are not accepted. The website will then not work optimally.

• Read more about cookies used on BI's website

BI processes personal data in order to control who has access to the building. This is done by students, employees and others being registered and photographed when they receive access cards. The name, user name, date of birth and possibly the library user number are stored. In addition, some technical information is stored, such as what access is given to the card. Personal data are obtained from the administrative system or personnel and finance system.

Outside main working hours, card users must enter a PIN code. Which card is used on which card terminal and time of the pass are logged when using your PIN code. The information is stored in BI's access control systems. The log is deleted after 90 days.

BI has placed cameras that monitor outdoor areas and entrance areas. The cameras film continuously and the recordings are stored for 7 days before they are deleted.

Users are disabled when they no longer need an access card. Personal data such as name and date of birth are not deleted for students as they can take new courses and employees often return after certain periods when they do not work at BI. If a user has not had an admission card in 1 year, personal data related to access is deleted.

If you wish to use your rights, please contact personvernombud@bi.no. The Data Protection Officer shall safeguard the privacy interests of anyone who is covered by this privacy statement, including applicants, students, alumni, employees, contractors, PhD candidates, researchers, research participants / respondents, students writing bachelor or master theses, as well as stakeholders and visitors to BI’s websites.

The use of e-mail has several weaknesses that can cause confidential information to be lost. Therefore, do not send sensitive or confidential information to us by email.

BI will process your inquiry without undue delay, and at the latest within 30 days. If special circumstances make it impossible for BI to provide a satisfactory answer within the deadline, you will receive a preliminary answer detailing the reason for the delay and the time you can expect an answer.

Any deviations can be reported via this form:

• Notification of nonconformities

BI can revise this privacy statement as a result of our processing of personal data changing or as a result of new personal data legislation. When the privacy statement changes, an updated version will be published on our website.

Last updated 12.06.2019

BI registers and processes personal data in order to offer you customized information, as well as to follow up with your requests for study guidance, desire for more information about a course, or enrolment in an information meeting. When you attend our conferences and fairs, or make use of services on bi.no, the following are stored:

• Personal data such as name, address, date of birth, e-mail address and telephone number
• Consent you have given BI to send you, for example, newsletters and invitations
• Your visits to bi.no, for example IP address, which pages you visit, services you order, seminars you sign up for, and whether you use mobile, PC or tablet

Cookies are used for analysis and statistics purposes when you access BI’s website, in order to improve the website. For more information on using cookies, see point 10 in the general section of the privacy statement.

If you have been to a conference or fair, BI may receive lists from third parties that often arrange such events. BI will then have the opportunity to offer you relevant information based on your preferences. It will always be possible for you to opt out after BI has contacted you, or earlier, by contacting the third party.

BI processes personal data to be able to evaluate your application for programmes and courses, safeguard your rights as an applicant, and fulfil BI's tasks and duties according to the Act relating to Universities and University Colleges. The information is used in connection with admission, to process your application for programmes or courses, send offers for a place in a programme, and to follow up your requests if necessary.

The basis for the processing of personal data is the Personal Data Act and the Privacy Regulation (GDPR) Article 6 (1) (a), (c), (e) and (f), Article 9 (2) (a) and (b), as well as the Act relating to Universities and University Colleges.

BI will process your application on the basis of information and documentation you have submitted. These are personal data such as name, address, email address, telephone number. In addition, there will be information you provide if you apply for a place of study, such as a national ID number, education and competence, possibly former work experience and employer. BI saves the time of the login, IP address and login path, changes in the application that are made at each login, as well as BI's ongoing administrative procedure information. The personal data stored about you can be found in the application web, and you can follow the status of your application.

If necessary, BI can also verify information from relevant external sources, such as the National Diploma Database (NVB), the National Registry, the Norwegian Labour and Welfare Administration, employers and other educational institutions.
When you create an application on our application web, during the application process, cookies will be created in your web browser that store data. BI can also use some information that cannot be directly linked to you as a person through the application process. BI uses this type of information to customize marketing campaigns and provide more relevant information to you as a user.

These are deleted when your application is complete. For more information on using cookies, see point 10 in the general section of the privacy statement.

BI processes personal data about you in order to safeguard your rights as a student and to fulfil our contract with you. BI processes the necessary information for your student progress, and has legal obligations and duties towards you as a student.

The personal information is used for student administration purposes, including performing the necessary administration related to your study programme, creating timetables, registering for exams, student exchange, granting extensions and leaves of absence, issuing diplomas and transcripts etc. In addition, BI will subsequently be able to send out customized course and study offers to facilitate lifelong learning and career development. BI compiles information about your education, experience and areas of interest to give you advice and guidance on how to build your expertise to achieve a degree or reach the career goals you set.

The basis for the processing of personal data is the Personal Data Act and the Privacy Statement (GDPR), as well as Act relating to Universities and University Colleges.

BI will process personal data in connection with the fulfilment of the study contract with you as a student, see GDPR Article 6 no. 1 (b). BI also has legal obligations where it may be necessary to process personal data, cf. Article 6 no. 1 (c), or to carry out tasks in the public interest, cf. Article 6 no. 1(e) of the GDPR. In the case where there is no basis for processing as mentioned, the basis for processing personal data will be based on the fact that the processing is necessary for purposes related to the legitimate interests pursued by BI, unless the fundamental rights of the data subjects precede, cf. Article 6 (1) (f) of the GDPR, paragraph 6. BI may supplement the legal basis of the consent statements for optional and non-legal student services involving processing of personal data in order to safeguard your interests as a student as best as possible, cf. Article 6, no. 1 (a).

Personal data about you as a student are mainly processed in BI's student administrative system. These include:

• Personal information (e.g. name, national identity number, student number, d-number, gender, citizenship)
• Contact information (e.g. address, email address, phone number)
• Next of kin (e.g. spouse, parents, dependants)
• Financial conditions (e.g. outstanding invoice, past due invoice)
• Health conditions (e.g. in connection with extensions and leaves of absence)
• Application with documentation
• Study Contract
• Application for leave, extension of examination time, etc.
• Warning
• Complaint
• Document your educational results

BI wants to learn more about how we can best support students throughout their studies. Consequently, we analyse learning outcomes and student progression. BI looks at exam results, number of logins on the student portal and learning activities such as handing in assignments. The result of the analyses benefits students in that BI can provide better follow-up and more adapted guidance through their studies.

BI uses many systems in teaching and in following-up with students. Information is compiled from these systems. The purpose of this is to improve BI's services by making available dashboards and reports to employees. Access to these will be restricted according to need. In addition, the information can be used to adapt advisory services to the individual student. BI also analyses the use of activity data in their learning platforms, in order to see connections between how faculty use systems and how this affects active use for students. Information from analysis tools can also be used in research where the conditions of the GDPR are met.

BI has legal obligations to ensure that students' knowledge and skills during the course of the programme are tested and evaluated in an impartial and professional manner. BI uses DigiEx for digital exams and URKUND to uncover plagiarism. Information that is necessary for the processing of cases that will reveal plagiarism, offenses or irregular data activity will be handed over to the relevant committee. This means that necessary information in connection with complaints and cheating cases will be handed over to BI's complaints board.

If your employer pays for your education and wants information about your exam results, BI will only disclose this information upon your consent as a student.

BI Alumni is a network for former students at BI. Your personal information in BI's alumni register is processed for purposes that will strengthen and maintain the relationship between you and BI. This is done by custom inquiries and information. For example, processing personal data is necessary for BI Alumni to contact you with:

• General member information
• Invitations to academic events organized by BI and BI's partners
• News from BI. This can be, for example, a newsletter with research news and updates from BI
• Invitations to social and cultural events organized by BI and BI's partners
• Invitations to participate in alumni networks, networking and social media groups
• Requests for collaboration (for example, for seminars and conferences, mentors, interviews, collaborators, participation in boards, councils and committees)
• Requests to participate in surveys (for example, studies on BI's course offerings, relevant cooperation opportunities, etc.)
• Post-graduate courses relevant to your background and exclusive offers for alumni members
• Information about opportunities and services available to you

The Privacy Regulation (GDPR) Article 6 (f) states that the processing of personal data may take place when it is necessary for the controller to safeguard a legitimate interest and the interest of the data subject's privacy does not exceed that interest. To strengthen our education, research and reputation, BI is interested in our alumni being affiliated with us. Contact with BI can help to strengthen career and professional development, and the collaboration must be sustainable and based on mutual benefit.

BI uses an external partner to send out newsletters and the personal data provided is stored in the database by this supplier. The partner is subject to a data processing agreement in accordance with applicable law and this privacy statement. Personal data are not shared with others. Your email address will be deleted within 6 months if you unsubscribe. If you have other active consents, your email address will be stored as long as these are active.

You can withdraw your consent at any time and delete information about interests through a separate profile page. This profile page is available through a link at the bottom of our newsletter.

For more information on using cookies, see point 10 in the general section of the privacy statement.

The purpose of processing personal data is to manage salaries and personnel responsibilities, system access, and hiring necessary staff. The processing of personal data is necessary to fulfil a mutual employment agreement. BI processes personal data about you in order to manage the employer's personnel and financial responsibilities, such as payroll, tax deductions, an overview of working hours, absence, holidays and leave of absence.

The basis for the processing of personal data on employees is Article 6 (1) (a), (b), (c) (c) (3) (b) or (f), Article 9 (2) (a) or (b), Article 88, and the Working Environment Act (GDPR).

Personal data about employees are mainly processed in BI's personnel and finance system (Agresso). BI has a legitimate interest in retaining information that can document the employment relationship. This means that the information is not deleted, but stored in this system. When you leave BI, your personal folder is reviewed and only necessary data are stored. BI will continue to store data about who has worked in the organisation, how long and in what position. Payroll information will also be stored as this is relevant in, for example, pension context.

• For academic staff, information about teaching and exam results is processed, as well as information on academic roles that are used in annual workload compensation arrangements in BI's student administration system.
• For part-time lecturers and external examiners, data on teaching and grading assignments in BI's student administration system are processed, among other things, as a basis for salary payments.
• For exam supervisors, personal data on exam supervisors’ assignments in BI's student administration system are processed as a basis for salary payments.

The personal folder contains information about, for example:

• Employment contract
• Non-disclosure agreements
• Documents on pensions and wage placement
• Special agreements in the employment relationship
• Documentation of placement in academic positions
• Documentation related to resignation
• Warnings
• Leave of Absence

To fulfil the requirements BI has as employer for paying wages, creating user access in IT systems and physical access to BI's premises, it is necessary to process the following information (not an exhaustive list):

• Name
• Address
• Phone
• E-mail address
• National identity number
• Account number
• Salary
• Taxation
• Association to the employee union / association. This is necessary because BI manages the payment of union fees for employees and ensures that this is reported as a deduction item to the authorities.

Information about name, position and work area is considered to be public information and can be published on BI’s website. A portrait photo of you as an employee is published upon your approval.

Before the start of a research project at BI, the project must have a defined purpose and which personal data are necessary to fulfil the purpose must be clarified. The legal basis must also be clarified in order for the processing to be legal. Personal data you collect for a research purpose, as a rule, cannot be used for other purposes without consent.

Personal data are processed in accordance with the Personal Data Act §§ 8-10, cf. the personal data protection regulation (GDPR) articles 5, 6 and 9, and article 89. The Personal Data Act provides access to processing personal data for research purposes, provided that the privacy of the participants is safeguarded through technical and organisational measures implemented by the data controller, that the privacy implications have been assessed, and the data protection officer has been consulted where necessary.

BI has an agreement with the Norwegian Centre for Research Data (NSD) for advice on privacy issues in research, and all research projects containing personal data must be reported to and assessed by NSD. As a researcher, and before processing personal data, a risk assessment must be carried out. This will help prevent unwanted incidents, or deficiencies in the processing of personal data. Measures should be implemented regarding the research data that are in proportion to actual risk based on the risk assessment. Key elements of the risk assessment are the scope of the project, the sensitivity of the information, the risk related to where the information is processed and stored, and the duration of the project.

Cristin (Current Research information system in Norway) is a database for research results and information for documentation of scientific activity. If the project of a researcher affiliated with BI contains personal data, this will appear in the description of the project in Cristin.

In relation to publishing, results and projects will be available on the national research information system Cristin. Personal information processed is:

• Name
• Address
• E-mail
• National identity number
• Phone number

Information that is necessary for treating cases where irregularities or offenses are revealed will be disclosed to the relevant committee. This means that the necessary information in connection with individual cases related to, for example, scientific dishonesty will be submitted to the Research Ethics Committee.

Even though all reporting from the project is anonymous, the project must nevertheless be reported to NSD if, during the work on the project, personal data are processed electronically.

Research projects at BI have a defined purpose, and which personal data are collected is assessed on the basis of the necessity to fulfil this. As a general rule, data about you collected for a specific purpose may not be used for any other purpose without your consent.

Personal data is processed in accordance with the Personal Data Act §§ 8-10, cf. the personal data protection regulation (GDPR) articles 5, 6 and 9, and article 89. The Personal Data Act provides access to processing personal data for research purposes, provided that the privacy of the participants is safeguarded through technical and organizational measures implemented by the data controller, that the privacy implications have been assessed, and the data protection officer has been consulted where necessary.

Personal data may be directly or indirectly identifiable and in many cases de-identified. This distinguishes the degree of recognition that the personal data has. De-identified data are personal data where name, national identity number and other direct personal characteristics have been removed and replaced by a number or code (link key) so that the information cannot be directly linked to an individual.

Anonymous data are data in which the name, national identity number and other personal characteristics have been removed, so that the data can no longer, directly or indirectly, be linked to an individual. Anonymous data are therefore not considered personal data. For data to be completely anonymous, there must no data that can identify an individual, such as name, national identity number or other de-identified data. Partially anonymized data are de-identified when name, national identity number, place of residence, etc. have been replaced by a number, code or a fictitious name. If there is a code/ scrambling key that can re-identify the person, it is considered personal data and falls within the privacy policy.

BI's policy is that all research projects that process personal data must be assessed by NSD. Researchers can obtain personal information through several methods, for example in the form of questionnaires, interviews, observations, video and audio recordings, where research participants are present. Researchers can also obtain permission from other organisations to obtain personal data from them. BI can also grant permission for the transfer of personal data between research institutions. There must then be sufficient guarantees regarding the storage of personal data, and other conditions in the privacy policy must be fulfilled.

In research, it is primarily consent that is used as a legal basis. Consent can be withdrawn at any time during the research project.

Personal data should not normally be stored longer than is necessary to carry out the research. If consent is required and the personal data are to be kept longer than the original consent gives the right, a new consent must be obtained or an application for an exemption must be sought.

Personal data shall normally be deleted or anonymised upon completion of the project.

If you are a research participant, you are entitled to access, rectification and deletion. There are some limitations on the data subjects' rights when information is used for research, cf. section 17 of the Personal Data Act. You will find an overview of the rights you have under point 5 in the general part of the privacy statement.

If you are writing a student assignment where you need to use personal data, certain preconditions exist, and you, as a student, must obtain permission to use personal data before you can start the assignment. The most commonly used methods are interviews and questionnaires. All students have a responsibility to familiarize themselves with what guidelines BI has for processing personal data in research. As a student, you will find all the information you need inside the student portal here (log in): https://portal.bi.no/exam-and-supply/requestion/personalinformation/

All tasks that process personal data will be assessed by the Norwegian Centre for Research Data (NSD). Students cannot start collecting, interviewing or sending out surveys until the correct permission has been given. For more information on research participants, see item 4 on roles in the general part of the privacy statement.

How BI Norwegian Business School is processing personal data during your exchange studies WITHIN the European Union/European Economic Area

BI Norwegian Business School will transfer personal data of students as deemed necessary to fulfil the purpose of the student contract, and as allowed in The General Data Protection Regulation (EU) 2016/679 (GDPR), Norwegian Personal Data Act (2018) and Act relating to Universities and University Colleges.

Purpose of the transfer
The purpose of the transfer is to regulate the exchange of personal data of the students between Partner school and BI Norwegian Business School.

Categories of data
The Personal data transferred concern the following categories of data:

• Nationality, surname, first name, date and place of birth, gender, copy of passport, photograph, personal details, any element concerning his/her school life, follow-up program, email address at BI Norwegian Business School
• Contact details of the person to contact in case of emergency
• CV and research area
• Username and password
• Initial education, diploma, school contact details, previous professional experience
• Curriculum follow-up; attendance, grades, internships
• Student scholarship; disability

Both parties undertake to adopt all measures necessary to ensure that the data is collected and processed in conformity with the provisions of the applicable national legislation and in accordance with European laws governing the processing of personal data, including GDPR.

How BI Norwegian Business School is processing personal data during your exchange studies OUTSIDE the European Union/European Economic Area

BI Norwegian Business School will transfer personal data of students as deemed necessary to fulfil the purpose of the student contract, and as allowed in The General Data Protection Regulation (EU) 2016/679 (GDPR), Norwegian Personal Data Act (2018) and Act relating to Universities and University Colleges.

Purpose of the transfer
The purpose of the transfer is to regulate the exchange of personal data of the students between Partner school and BI Norwegian Business School.

Categories of data
The Personal data transferred concern the following categories of data:

• Nationality, surname, first name, date and place of birth, gender, copy of passport, photograph, personal details, any element concerning his/her school life, follow-up program, email address at BI Norwegian Business School
• Contact details of the person to contact in case of emergency
• CV and research area
• Username and password
• Initial education, diploma, school contact details, previous professional experience
• Curriculum follow-up; attendance, grades, internships
• Student scholarship; disability

The European Commission has determined that a selected number of countries outside EU/EEC has an adequate level of data protection. Transfer to these countries will not require additional safeguarding of personal data:
https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en

If BI Norwegian Business School is transferring personal data to countries outside EU/EEC special safeguards of the personal data is required. The purpose of obtaining the safeguards is to ensure that the personal data that is transferred has the same level of security as if the transfer had been inside EU/EEC. In order to ensure an adequate level of security BI Norwegian Business School has the following privacy addendum that will be used when exchanging students outside the EU/EEA.

• Privacy addendum (pdf)