Foto: Melanie Burford
Foto: Melanie Burford

Data Protection Declaration for Trond Mohn Foundation

This data protection declaration describes how the Trond Mohn Foundation (TMS) collects and uses personal data in its operations and sets out your rights if we hold any of your personal data.

1. Which personal data are processed by TMS?
We collect and process the personal data needed to process applications, fulfil contracts and/or comply with Norwegian law. Personal data are only used for the purpose for which they were collected, and TMS does not sell any personal data to other parties. Personal data are only shared with third parties (see section on Sub-processors) if the third party in question is involved in TMS’s processing of applications and contracts.

TMS erases personal data when there are no longer any legitimate grounds for holding them.

1.1. Processing of personal data in conjunction with applications
Personal data in applications is received by e-mail and is processed by TMS’s employees. Applications are shared with and processed by peer reviewers, who evaluate the applications both individually and jointly on expert panels.

TMS’s scientific advisory committee and board also process applications and the personal data they contain. In conjunction with processing applications, TMS creates records of the applicants and peer reviewers that contain personal data. This information is stored together with the applications on the servers of TMS’s supplier of data storage services, see Section 2.2. The applications and records may be shared with TMS’s auditor during audits of TMS’s grant allocation process.

The personal data held by TMS vary depending on the role of the person in question. As a general rule, TMS stores the person’s name, e-mail address, job title, date of birth, educational background and employment history, as well as their role in the project for which funding has been requested or granted.

1.2. Processing of personal data in conjunction with signing and managing grant agreements
The vast majority of the grants awarded by TMS are contributions to projects at public research institutions, which are responsible for any hiring decisions and HR, including processing the personal data of the people working on projects receiving funding from TMS.

In order to ensure compliance with contractual obligations, TMS keeps records of its agreements. These records contain contact details such as the name, e-mail address and employer of the project manager. The agreements and records are shared with TMS’s accountant and auditor.

When signing a grant agreement, the recipient undertakes to send annual update reports to TMS. These reports may contain personal data. The reports are processed by TMS’s employees and are also made available to TMS’s scientific advisory committee and board.

Reports and records are stored with Telecomputing AS and Admincontrol AS; see sections 2.2.1 and 2.2.2.

1.3 Processing of personal data in conjunction with payroll and HR
Employees, members of the board and scientific advisory committee, peer reviewers and other people who receive remuneration from TMS are recorded in the payroll management system used by TMS’s external accountant. These records are needed to meet contractual and statutory requirements, including reporting to the authorities.

2. Sub-processors
The suppliers used by TMS as sub-processors are listed below. These organisations shall be able to document, with certifications, audits or other relevant documentation, that they have good internal procedures in place for data protection and information security.

2.1 Sub-processors involved in running TMS’s website – analysis – security
Note that TMS does not use its website to collect personal data from applicants or employees. TMS’s website may contain links to its Facebook and Twitter pages. The use of these services is governed by the data protection declarations of the companies that supply them.

2.1.1 SYSE AS
Syse AS, Møllegaten 12, 3111 Tønsberg supplies the web hosting services that allow TMS to publish its website on the Internet. TMS has a data processor agreement with SYSE A/S. Only the data that TMS publishes on its website is processed and stored by SYSE A/S.

2.1.2 Tanken Bak AS
Tanken Bak AS, Gamle Drammensvei 196, 1365 Blommenholm supplies TMS with the security service WPvakt, which includes website security monitoring and regular backups of, and upgrades to, TMS’s WordPress website. Tanken Bak AS only processes the data that TMS publishes on its website.

2.1.3 Google Analytics
TMS uses the analysis tool Google Analytics on its website. When someone visits TMS’s website, their IP address is recorded. (An IP address is defined as an item of personal data because it can be traced back to a specific device and thus to an individual.) However, people who visit the website are informed about, and can opt out of, Google Analytics’ use of cookies to collect analytical data.

Google Analytics is designed in such a way that the IP address is only processed anonymously. The information processed is therefore not personally identifiable and cannot be traced back to individuals.

TMS uses Google Analytics to obtain statistical data that it can use to develop and improve the information on its website. The statistical data gives information about the number of people who visit each page, how long their visits last, which websites they have come from, and which browsers and devices (desktop/mobile/tablet) they are using.

2.1.4 Prefer
Prefer AS, Strandgaten 7, 5013 Bergen has developed TMS’s website, and supplies web development services to TMS on an ad-hoc basis. Prefer AS only processes the data that TMS publishes on its website.

2.2 Other sub-processors
TMS purchases IT and accounting services from external suppliers. In the areas where we use sub-processors, we confirm that they are subject to the same obligations with respect to data protection and processing as TMS.

2.2.1 TeleComputing AS
TeleComputing AS, Drengsrudbekken 12, 1371 Asker supplies cloud computing services for running TMS’s office suite and for data storage. TMS uses these services to process and archive personal data electronically. TeleComputing is audited and certified each year by DNV GL in accordance with the standards ISO 9001 Quality management, ISO 27001 Information security management and ISO 14001 Environmental management.

2.2.2 Admincontrol AS
Admincontrol AS, Lille Grensen 7, 0159 Oslo is TMS’s supplier of secure document exchange software, which is used to distribute documents that may contain personal data to boards, committees, peer reviewers and auditors. TMS has a data processor agreement with Admincontrol AS. The agreement stipulates that Admincontrol AS may under no circumstances pass on to third parties any information or data that it obtains through TMS’s use of the service. The service is run on servers in a secure environment and is only administered by authorised personnel who are bound by the above agreement. Admincontrol is certified to the standard ISO 27001:2013 (information security).

2.2.3 Fett Økonomi AS
Fett Økonomi AS, Litleåsveien 41, 5132 Nyborg is a firm of external accountants that supplies accounting services to TMS and hence processes the personal data of anyone who receives a salary, fees or any other form of remuneration from TMS. Fett Økonomi AS processes personal data on behalf of TMS in accordance with the applicable legislation and industry standards. TMS has a data processor agreement with Fett Økonomi AS.

2.2.4 VISMA AS
VISMA supplies the service Expense, which is a web-based solution that allows employees to submit travel and other expenses through their mobile phone or online. Fett Økonomi AS is the licensee and has the contractual agreement with Visma AS. TMS and Fett Økonomi AS have signed an agreement on joint use of the system governing responsibilities, system requirements and the storage of engagement documentation.

3. Rights
Any person whose personal data is held by TMS has a right to access their own personal data. If the personal data are incorrect or incomplete, or if TMS is processing data that it is not entitled to process, the data subject may demand that the information be corrected, erased or replaced. TMS will respond to any such requests free of charge and within 30 days.

4. Data protection officer
TMS considers that there is no requirement for it to have a data protection officer.

5. Contact details
TMS represented by its Managing Director is the data controller for the organisation’s processing of personal data. TMS’s employees shall respond to questions from people whose data are being processed or may be processed by TMS.

– post [@]

Note that we may make changes to our data protection declaration,
in which case the new version will be published on our website.
This document was published on 22 November 2018.