Privacy Policy

BI Norwegian Business School is responsible for the processing of personal data collected and processed at BI, cf. Article 4 of the EU Personal Data Protection Regulation (GDPR), no. 7. The President has the overall responsibility as data controller, but has delegated her responsibilities to members of her management team.

All processing of personal data must have a specific purpose that is objectively justified in BI's activities (Item 5, no. 1b, GDPR). The collection of personal data is limited to what is necessary to fulfill the purpose of the processing. Personal data collected for one specific purpose cannot subsequently be used for another purpose. A new assessment will then have to be made as to whether there is a legal basis for the new purpose.

Overall, the main purposes of processing activities at BI are:

• Processing applications of admission.
• Student administration; implementation of your participation in courses and studies.
• Implementation of events and activities.
• Ensure good communication and case handling by enquiries to BI.
• Enable targeted guidance and adapted teaching to contribute to students' learning and progression.
• Promote courses and programmes, providing relevant information and guidance to stakeholders.
• Strengthen the mutual relationship between BI and alumni.
• Systematically work to improve the quality of BI's learning, teaching, and learning environment.

Before the processing of personal data can begin, there must be a so-called processing (Item 6, no.1, GDPR). The relevant legal bases at BI are:

Consent: Marketing of courses and programmes is done if you have consented to processing. This consent can be withdrawn or changed on your profile page. In e-mails sent from BI there is a link attached which will take you to this page. You also give your consent to processing by signing up for events and study guidance, but this consent only applies specifically to one occasion.

Fulfilling an agreement: For student administration purposes, the processing basis is that we must fulfill an agreement, namely the study contract between BI and the student.

Fulfilling a legal obligation: Examples of this are control and reporting to public authorities such as the police, NAV, Database for statistics for higher education (DBH), various supervisory authorities or the duty to report to the Norwegian Centre for Research Data (NSD).

Public interest: Examples of this are streaming and recording of lectures, in accordance with the University and College Act. BI Norwegian Business School processes personal data in analyses to enhance the educational offerings on our digital learning platforms and as part of systematic quality work. Other examples include streaming and recording of lectures.

Legitimate interest: In some cases, personal data is processed because BI has a legitimate interest that outweighs the interests of the individual's privacy. Examples of this are:

• Inquiries from students are stored for some time because the information may be relevant at later contacts.
• Analysis purposes, in order to provide students with targeted follow-up to improve study progression.
• Sending out relevant information as follow-up after attending events at BI.
• Alumni relations: Personal data is processed for several mutual purposes that strengthen the relationship between alumni and BI. This helps to strengthen our education, research and reputation, and facilitates that alumni can be engaged in BI by sharing expertise and experiences. The contact with BI can help to strengthen career and professional development, and the cooperation should be sustainable and based on mutual benefit.

BI registers and processes personal data for our applicants, students and alumni, as well as other stakeholders who contact us through our digital channels to get guidance on courses and programmes. Below is an overview of the different types of personal data processed by BI.

General personal data
Examples of this are name, contact details, citizenship, date of birth, e-mail, and employer.

Special categories of personal data
For students, in some cases, it is necessary to process sensitive personal data, such as health conditions (e.g sick leave at graduation), financial circumstances (e.g invoice in default), warnings and complaints. Access to such information is limited to relevant case handlers only. (Item 9, GDPR)

Documentation for applications
When you apply for admission at BI, we store your documentation of previous education and competence. For applications for advanced training, we also store employer information when appropriate.

Information about your education
For students at BI, data that is necessary to complete the education is processed, e.g., completed, and current courses, exam results, work requirements, credits earned, etc. In connection with analyses aimed at improving teaching, learning, and the learning environment, we process information regarding students' activity on BI's digital learning platforms, and in some cases, information about results from upper secondary education. The results of this work are also utilized to provide our students with targeted support related to their academic progress.

Case management and communication
When you contact BI with various requests for information e.g., study guidance or matters related to your studies or applications, the inquiry and related proceedings are stored.

Registrations and orders
When you register for an event or order something from us, such as study guidance or information about when to apply for specific studies, these activities are stored.

Consents and preferences
We store consents, favorites, and subject interests you have given to BI in order to receive relevant communications. You can change your consents and other settings on your profile page at any time. Your profile page can be found through a link in emails you receive from BI.

Information from marketing activities
BI has various marketing activities for potential applicants to BI. Information you provide by participating in such activities will be recorded and may be used in communication to you about courses and studies if you have given us consent to do so.

Digital information
When you visit bi.edu we store your IP address, which pages you visit, and whether you use mobile, PC or tablet. If you submit an application for admission, we save changes to the application that are made at each login. You can read more about which cookies are used on BIs websites here.

The most extensive use of personal data concerns study execution, application processing and marketing of courses and programmes.

Marketing of courses and programmes
We use data stored about you to customise content and ensure that we provide you with correct and relevant information, provided that you have consented to this. We use general contact information and interests you have provided, such as campus, subjects, favorites or level of study. We also use previous information from study history, study selection tools and activity on our websites for this purpose.

An example of marketing activity is Studieomaten. By using this online service, you consent to BI registering your personal information and responses, as well as communicating with you regarding this. Your answers are anonymised, while your personal results are made available to you through a unique website. All data is deleted after 12 months.

Processing applications for admission
BI processes personal data in order to assess your application for studies and courses. If necessary, BI can also verify information from relevant external sources, such as the National Diploma Database (NVB), the National Population Register, NAV, employers, and other educational institutions.

Student administrative purposes
BI processes necessary information for the implementation of your study condition and has statutory tasks and duties towards you as a student. Examples of this are the creation of a schedule, enrollment for exams, exchanges, granting extensions and leave, documenting educational results, printing diplomas and transcripts, and the like. When you are a student, we communicate with you through the Student Portal and e-mail. BI compiles information about your education, experience, and professional areas of interest to give you advice and guidance on how to best complete your studies and build competencies to achieve a degree or reach your career goals.

Follow up orders
We also use personal data to follow up your requests for, for example, ordering study guidance, registering for an information meeting or other events.

Customizing web page content
When visiting our websites, cookies are used for analysis and statistical purposes, in order to improve the website, provide you with customised content and so forth. If you wish to object to this, you can easily do so in the cookie banner which appears when visiting our website.

Analytical purposes
In some cases, BI processes personal data for analysis purposes.
One example is analyses in order to provide students with targeted and personalised follow-up related to their learning and academic progression being students at BI. Personal data processed for this purpose is contact details, demographic data, activity on BIs learning systems, achievement of work requirements and academic results from previous and ongoing education. The target groups are prepared using simple selection criteria, statistics and more advanced predictive analysis. It is possible to make a reservation against this, see point 7.

BI conducts learning analytics, defined as the use of data about learning for learning, in its systematic efforts to improve teaching, learning, and the learning environment. For these types of processes, data about your activity on BI's digital learning platforms is used, and sometimes additional background information about you as well as your academic results. The analyses can, for example, be used to evaluate the educational value of learning platforms or delivery formats, or to support faculty in their systematic quality work. If learning analytics are used for targeted support of individual students, you will be informed in advance. It is possible to opt out of one or more types of processing for learning analytics purposes, see point 7.

We also use personal data from stakeholders and existing students for segmentation and profiling in the marketing of our courses and studies. The purpose is to be able to offer more targeted content to our stakeholders which they perceive as relevant.

Communication with alumni
BI Alumni is a network for former students, which aims at strengthening and maintaining their relationship with BI. Alumni receive information about our alumni activities, such as tailored invitations to academic and social events, research news and updates regarding BI. Alumni may also receive requests for collaboration, such as participating in seminars, mentoring programs and to boards, councils and committees.

BI uses an external supplier for its alumni portal. Personal data is stored in the database of this provider, with whom we have a Data Processing Agreement, and which also is covered by this privacy statement.

The processing of personal data shall constitute as little interference as possible for you, based on what is possible practically, technically and economically. As a registered user, you therefore have important rights that must be safeguarded.

Right to information
All information you need to know about BI's processing of personal data should be included in the privacy statement.

Right to reservation
If you have agreed to receive marketing material from us, we will use your data to offer you more relevant and targeted communication. You can easily change your consents and preferences via the link "My Profile", which you will find in the e-mails you receive from BI.

We also process personal data in order to be able to offer targeted and personalised guidance in choosing higher education, improve our students' user experience and to further develop our programmes and services. If you wish to opt out of analysis in this regard, you can contact us via chat or e-mail: info@bi.no.

Right of access
You have the right to know what personal data BI processes about you. If you request access, you will receive a copy of your personal information, for what purposes it has been used and whether the information has been passed on and to whom. For the protection of other persons or the detection of violations of laws and regulations, BI can in some cases deny access. Access request template (pdf).

Right to rectification
If you discover that BI has registered incorrect, outdated or incomplete information about you, you have the right to have this corrected or updated. If correction of errors applies to information submitted by others, inquiries about errors must be directed to the source.

Right to erasure
You have the right to request that we delete your personal data. If you wish to have your personal data deleted, please contact us on chat or e-mail: info@bi.no. The legislation gives BI the opportunity to make exceptions to the right to erasure. For example, this would be the case when we process personal data to fulfill a statutory task, or to safeguard important social interests such as archiving, research and statistics.

Right to objection
You have the right to object to our processing of your personal data under certain conditions, if the prosessing is based on a legitimate or public interest or exercise by public authorities. Examples include processing that involves marketing, profiling or if it is done for the purpose of scientific/historical research or statistics.

Right to restriction
In some cases, you may have the right to request that the processing of your personal data be restricted. Limited processing means that the personal data is stored but cannot be used for any purposes.

Right to complain about processing
If you believe that BI has not processed your personal data in a correct and lawful manner, or that we have not been able to comply with your rights, you have the option of complaining about the processing. In this case, you can turn to personvernombud@bi.no. The data protection officer shall safeguard the privacy interests of both stakeholders, students and employees at BI. If we do not comply with your complaint, you have the opportunity to advance your complaint with the Data Protection Agency. The Data Protection Agency is responsible for controlling that Norwegian companies comply with the provisions of the Personal Data Act and the General Data Protection Regulation when processing personal data.

BI primarily processes personal data you have provided yourself, through inquiries to BI, applications, registration for events and newsletters, as well as searches and other actions on our website, such as ordering various services. Data used specifically for analytical purposes is collected, among other methods, through automatic retrieval of activity data from BI's digital learning platforms.

To introduce BI to potential new students, BI collaborates with external partners who organize educational fairs and conferences. These may share participant lists with us, with the consent of the participants. BI will then follow up providing relevant information about the study options, and you can withdraw your consent to this at any time.

Decisions on exclusion due to false diplomas, disruptive behavior, gross violations of confidentiality, cheating and unfitness are recorded in Register of excluded students (RUST), which is managed by Directorate for ICT and community services in higher education and research (UNIT). Through RUST, BI securely receives information about sanctions that apply to our applicants or students. See more details about this in the Privacy Policy for RUST.

In some cases, BI shares personal data with other actors, where this is necessary, and a valid legal basis exists. This applies to information for (not exhaustive list):

• Public authorities such as NOKUT, NAV, the Norwegian State Educational Loan Fund, the Directorate of Immigration (UDI), Statistics Norway (SSB), Database for higher education (DBH), Sikt, police and tax authorities, the Directorate for International cooperation and Quality enhancement in Higher Education (DIKU).
• Digital learning systems used by BI in teaching.
• Accreditation institutions such as NOKUT, AACSB, EQUIS and AMBA.
• BI's Board of Appeal, in cases of complaints and fraud.
• BI Student Organization (BISO) and the student welfare organizations in Bergen, Oslo, Stavanger and Trondheim.
• Other educational institutions.

BI provides the necessary personal data concerning exchange students to partner institutions. BI safeguards the requirements for European data protection security, and in cases where partners are located outside the EU/EEA, the necessary guarantees exist before the transfer takes place.

BI retains information for as long as necessary and in accordance with the regulations. Information will be deleted when the need expires, unless we are legally obliged to store it due to other regulations, such as the Archives Act, the Bookkeeping Act or the University and College Act.

Personal data is retained for a certain period of time in order for BI to be able to follow up those who contact us in a comprehensive manner. After this time, the purpose is considered achieved and the data is automatically deleted as follows:

• Inquiries to BI: Stored for 3 years, or as long as the registered student is an active student at BI.
• Attendance at BI events: Stored for 3 years, or as long as the registered student is an active student at BI.
• Consent to marketing has a duration of 5 years. If you have not renewed your consent within that time, it will cease.

If you have not been a student at BI, all your personal data will be deleted when there are no longer inquiries or consents related to you.

Research projects at BI have their own set purposes, and the personal data collected is assessed based on the necessity to fulfill this. Information about respondents collected for one purpose cannot be used for other purposes without consent.

The personal data is processed in accordance with Articles 5, 6, 9 and 89 GDPR. The Personal Data Act provides access to the processing of personal data for research purposes, provided that the privacy of the participants has been safeguarded, that privacy consequences have been assessed and that the Data Protection Officer has been consulted where necessary. BI has an agreement with the Norwegian Centre for Research Data (NSD) for advice on privacy issues in research.

The personal data may be directly or indirectly identifiable and, in many cases, de-identified. A distinction is made on the degree of recognition that the personal data has. De-identified information is personal information in which the name, birth number and other directly identifiable characteristics have been removed and replaced by a number or code, so that the information cannot be directly linked to an individual. If there is a link key that can re-identify the person, it is considered personal data and falls within the General Data Protection Regulation.

Anonymous information is information that cannot be linked to an individual. Therefore, it is not considered personal data.

BI's policy is that all research projects that process personal data should be evaluated by NSD. The researcher may collect personal data through several methods, including surveys, interviews, observations, video and audio recordings, etc. where research participants are present. The researcher may also obtain permission from other companies to disclose personal data in their research that this company has collected. BI may also grant permission for personal data to be transferred between research institutions. There must then be sufficient guarantees that the conditions of the General Data Protection Regulation are met.

In research, it is primarily consent that is used as a legal basis. The consent can be withdrawn at any time during the implementation of the research project.

Personal data shall normally not be stored longer than is necessary to carry out the research. If consent is required and the personal data must be stored longer than the original consent gives the right to, a new consent must be obtained or an exemption must be applied for. Personal data shall normally be deleted or anonymized at the end of the project.

If you are a research participant, you have the right to access, rectification and erasure. There are certain limitations in the rights of data subjects when information is used for research, cf. section 17 of the Personal Data Act.

If you as a student are to write an assignment where it is appropriate to use personal data, you have a responsibility to familiarise yourself with BI's guidelines. You can find all the information you need about this at the Student Portal.

Personal data at BI is secured with several measures. BI regularly performs risk and vulnerability analyses, and tests security to secure your personal data.

Employees who process your personal data are subject to a duty of confidentiality, and this also applies to employees of subcontractors.

BI processes personal data in order to control who has access to the buildings. This is done by registering and photographing students, staff and others when they receive an admission card. The name, user name, date of birth and, if applicable, user number of the library are stored. In addition, some technical information is stored, such as which accesses are granted for the card. The personal data is collected from the student administration user system or the personnel and financial system.

Outside of working hours, card users must enter a PIN code. Which card is used on which card terminal as well as the time of its passage are logged when a PIN code is applied. The information is stored in BIs access control systems. The log is deleted after 90 days. Users are deactivated when they no longer have access cards. Personal data such as name and date of birth are not deleted for students as they can take new courses and employees often return after various periods not working at BI. If a user has not had an access card for 1 year, personal data related to access will be deleted.

BI has placed cameras that monitor outdoor areas and entrance areas inside and outside. The cameras film continuously, and the recordings are stored for 7 days before being deleted.

Users are deactivated when they no longer have access cards. If a user has not had an access card for 1 year, personal data related to access will be deleted.

If you have questions about privacy or wish to exercise your rights, please contact us on chat or e-mail: info@bi.no. BI will process your request without undue delay, and at the latest within 30 days.

If particular circumstances make it impossible for BI to provide a complete response within the deadline, you will receive a preliminary response with information about the reason for the delay and the time you can expect a response.

The Master Quiz is part of BI's marketing campaigns, where you can find out more about which master programme is right for you. When you take the Master Quiz, you agree to BI registering your personal data and answers, as well as communicating with you in connection with this. Your personal results are made available to you via a unique website, as well as via a link to this website which we will send to you by e-mail and/or SMS. 

The programmes our Master Quiz suggests are based on your answers to the quiz. It is not entirely conclusive, but intended as a starting point for further reflection and a contribution towards a decision about the choice of master's programme. 

All data from the survey itself is deleted after three years if you choose not to become a student at BI. If you become a student with us, the data will be deleted three years after you have ended your study contract. 

We process your data to be able to offer you targeted and personalised guidance in choosing higher education, to improve our students' user journey and to further develop our programmes and services. If you wish to object to analysis in this regard, you can contact us via chat or e-mail: info@bi.no.