Data protection at Sit
Data controller
The data controller is Sit, c/o Chief Executive Officer.
Enquiries
If you have any questions or wish to communicate with Sit about the processing of personal data, you may e-mail [email protected].
For questions or enquiries relating to services that involve the processing of health information: Get in touch with your contact person at Sit directly.
Your rights
With regard to your personal data, you are entitled to inspection, correction, deletion, limitation of processing, data portability, objections to processing and reservation against automatic decisions, pursuant to articles 15 to 22 of the General Data Protection Regulation. There may be specific conditions in connection with some of these rights.
You are entitled to complain to the Norwegian Data Protection Authority if you believe that our processing of your personal data is not in line with the current rules. See how to complain to the Norwegian Data Protection Authority. The Data Protection Authority recommends that you contact us first, so that our response to you can accompany any complaint.
Information activities and feedback
According to section 1 of the Student Welfare Associations Act, it is the task of these associations to address students’ welfare needs at places of education. Furthermore, section 3 of the Student Welfare Associations Regulations states that the associations shall adapt what they offer to the wishes and needs of the local students.
To be able to provide welfare services in line with this, Sit needs to communicate with you as a student as much as possible. Contact information that we hold about you can therefore be used to send you information about our services, as well as to invite you to give us feedback and evaluations that we can use to develop and improve our services.
The legal grounds for this are Sit’s “legitimate interests” as described in the General Data Protection Regulation article 6 no. 1 f). Our basic evaluation is that the processing is justified and necessary, based on Sit’s assignment as a student welfare association, and we have weighed this up against the data protection interests. You have the right to protest against processing based on legitimate interests pursuant to article 21 of the General Data Protection Regulation and we are then obliged to stop the processing, unless there are unavoidable legitimate grounds that take precedence over the data protection interests.
More information about data protection
The sections below provide you with information about data protection in Sit’s various service areas.
Web analysis and information capsules (cookies)
As an important part of our efforts to make a user-friendly website, we examine the user patterns of those visiting the website. To analyse this data, we use the analysis tool, Google Analytics.
Google Analytics uses information capsules/cookies (small text files that the website stores on the user’s computer), which register the user’s IP address and provide information about the individual user’s movements online.
Examples of the answers provided by these statistics include: the number of visitors to different pages, the duration of visits, the websites the users came from and the browsers used. None of the cookies allow us to link information about your use of the website to you as an individual.
The data collected by Google Analytics is stored on Google’s servers in the USA. The data received is subject to Google’s privacy protection guidelines.
An IP address is defined as personal data because it can be traced back to a specific piece of hardware and, consequently, an individual. Sit uses Google Analytics’ tracking code which anonymises the IP address before data is stored and processed by Google. This means that the stored IP address cannot be used to identify an individual user.
Most modern web browsers, such as Opera, Chrome, Firefox, Safari etc, are set up to accept cookies automatically. If you do not wish to accept cookies, you must change the settings in your browser yourself. Note that changing the settings in this way may mean that many websites, including sit.no, do not work as they should.
The cookies we use on sit.no
Sit.no uses Google Analytics to collect data on visitors. Google Analytics collects technical data such as browser and operating system, as well as information on usage patterns in respect of sit.no.
Google Analytics on sit.no respects "https://en.wikipedia.org/wiki/Do_Not_Track".
__utma: Stores data on users and sessions.
__utmb: Stores data on new sessions and visits.
__utmz: Stores traffic sources and campaigns that explain how a user reached the page.
Read more about Google Analytics' cookies.
In addition, we use:
Drupal.visitor.guest: Stores the selected place to eat for non-logged in users.
How to manage cookies in your browser
On nettvett.no you can read about how to set your browser to accept/decline cookies and get tips on safer use of the Internet.
Searches
Sit stores data on the search terms users use on our websites in Google Analytics. The purpose of storing this data is to improve our information provision. The usage pattern of searches is stored in aggregated form. Only the search terms are stored and these cannot be linked to other data about you as a user, such as your IP address.
Newsletter
The option to subscribe to newsletters from different services and information sources is open to anyone wishing to receive such information. In order to send emails to the correct individuals, we have to register email addresses.
This data is not shared with other companies and is erased when we are notified that you no longer wish to receive information from us.
Course registration
See separate section below.
Dental care reimbursement
See separate section below.
Sponsor form
On sit.no, we only store the title of the application, e-mail address and the names of attachments. We do not store either content or attachments. This information is not deleted; it remains in a log as a confirmation that an application has been submitted.
Activity support
Here we store the e-mail address, name of organisation, occasion, number of persons, type of support, collection point and date. This information is stored on sit.no and is not deleted automatically. The collected data is not shared with other organisations.
Sit.no user
When you create a new user on sit.no, we ask you to register your place of study, department, name, telephone number, post code, date of birth, gender (optional), e-mail address and password. The collected data is not shared with other organisations.
This data is stored on sit.no for as long as you are an active user. All data is automatically erased after 12 months of inactivity and without prior warning.
Contact form
You may contact us anonymously or choose to provide us with your e-mail address so that we can give you a response to your enquiry. We do not share this data with anyone. The data is stored for three months, after which it is automatically erased.
We ask you not to send sensitive data to us via e-mail or text message.
If you are resident with us
The basis for our processing of personal data
This is the personal data about our residents that we collect: Name, address, date of birth, personal ID number (optional), gender, e-mail address, mobile phone number, information about next of kin, account number, home address, spouse/cohabiting partner, child(ren) and nationality.
The data is collected when you create a user via hybel.sit.no and is registered in our systems for administration of the tenancy. The mobile phone number and e-mail address are transferred to our system for administration, operation and maintenance, where the data is automatically linked to your tenancy.
Where a calling system is used for visitors to the student housing (Gjøvik), the mobile phone number is registered in the system.
The overall purpose of processing the personal data is the administration and operation of student housing. Processing your personal data is essential for the administration of your tenancy, as well as for being able to maintain the workflow of day-to-day operation at all levels. The legal grounds for the processing are the fulfilment of your tenancy agreement.
Disclosure of personal data
The personal data that is registered on hybel.sit.no is held by an external supplier. The supplier’s processing of personal data is regulated by a data processor agreement.
In the event of payment problems, the name, address and date of birth may be transferred to our debt collection company, which is an independent data controller for the data that is transferred.
The name, address and account information is transferred to banks for use in connection with receipts and payments. In the case of return of deposit to foreign students, these may be foreign banks. The banks are independent data controllers for the data that is transferred.
Contractors
Contractors are given access to the system for administration, operation and maintenance, so as to be able to perform guarantee work. These are registered in the system manually and are given their own user names and passwords.
If you use our fitness centres
If you buy membership over the counter
When you buy membership of Sit Idrett, the following personal data is registered: full name, gender, date of birth, mobile phone number, e-mail address and postal code as shown in the national register. This is required to complete the purchase.
On registration, you automatically receive a membership number and a contract number with the date of registration that is linked to your active membership. A membership card number (RF ID) is also entered and all your future visits to the fitness centres will be logged and saved to your membership profile.
Sit Idrett is subject to the “Clean Centre” agreement with Antidoping Norge, in which everyone who wishes to use our centres must give their consent to the anti doping rules. Fulfilment of this agreement also requires the names, signatures, mobile phone numbers and date of consent for all those using the fitness centres.
If you buy a day ticket, no personal data is registered in the membership system, but you are still subject to the “Clean Centre” agreement and must give your consent to this to complete the purchase.
Buying membership on our website www.sit.no
On the website www.sit.no, you create a user profile yourself and register the personal data described above; you must also register your place of study. You must also consent to the fitness centre and anti doping rules in order to complete the registration and purchase, as when buying over the counter. Your personal data is then transferred to our membership system Exceline.
If you are linked to NTNU and register through the Feide log in on sit.no, your registered personal data on NTNU student web will be automatically transferred to your profile on sit.no and our membership system.
The basis for our collection of personal data
Fitness centre membership is personal and cannot be used by anyone other than the person entering into the agreement. Personal data is therefore registered for identification, to avoid breach of the agreement and any misuse of the membership card. Processing of this personal data is therefore essential for fulfilling the agreement.
Breach of the agreement with Antidoping Norge is also considered to be a breach of the fitness centre agreement.
Personal data linked to a specific active membership is also needed, so that the member is able to book group sessions and other fitness services on our website.
Your contact information (mobile phone number/e-mail address) may be used for providing information about fitness activities that are included in your membership or other relevant information, such as when your membership is about to expire or when you have a place in a group session after being on the waiting list.
Your data and recorded visits may also be used in anonymised form for statistical purposes, such as on gender and age distribution of members and visit statistics for the centres and group sessions.
Your personal data will be stored in our membership system for as long as you remain an active member. All user profiles that have no active membership recorded for the previous five years will be deleted automatically. After six months with no activity your historical data will be deleted.
If you do not wish to give your personal data, you may not become a member of Sit Idrett. In such a case, you may not use the fitness facilities of Sit Idrett.
You can make a reservation against receiving texts and e-mails with marketing content.
Disclosure of personal data
Your data will be stored and processed in the technical systems of external suppliers. Processing of the personal data is regulated in data processor agreements.
If you buy fitness membership that includes subscriptions to the sports clubs NTNUI or DMMHI, your personal data will be transferred to the relevant sports club. This is so that the sports club can maintain an overview of its own membership and also provide membership figures to the Norwegian Confederation of Sports. The sports club is data controller for the data that is transferred.
If you have child(ren) in our kindergartens
The basis for our collection of personal data
Where we refer to "municipality" below, this means Trondheim for kindergartens in Trondheim and Gjøvik for the kindergarten in Gjøvik.
What information do we collect?
In Sit Barn, we collect information about the child(ren)’s and parent’s name, personal ID number, address, e-mail address and telephone number.
How do we collect personal data?
The municipality's admission system for kindergarten places gives the kindergarten’s board and mercantile consultants access to the information placed there by the parents.
Once attendance starts, the kindergartens will also collect personal data directly from the parents, if anything is missing from or has changed in the data we receive from the municipality.
Why do we collect this and what will the personal data be used for?
We are required by law to use the coordinated admission system which is administered by the municipality. The municipality is the data controller for this information. Processing your personal data in this system is essential to be able to apply for kindergarten places in the municipality. The information that Sit Barn receives from the municipality is used for admission and invoicing purposes. Sit Barn is the data controller for the data that it receives from the municipality. We are also responsible for sending information about paid kindergarten subscriptions to the tax authorities.
We enter the names of the child and parents/guardians, along with address, e-mail address, the child’s date of birth and the name of at least one contact person with relationship and telephone number in the kindergarten’s parent network. To be able to create a user on the parent network, we need at least one e-mail address of a parent or guardian. This is a tool that is used in the kindergarten every day. The personal data that is entered and messages that are sent through the parent network are visible to and may be accessed by all employees of the kindergarten. Processing of your personal data in this system is essential so as to maintain the necessary exchange of information and security between the kindergarten and the home.
When is my data deleted?
The day after the child stops attending the kindergarten, information in the parent network becomes invisible to all employees. Only an administrator will have access to the data. The information will be anonymised 6 months after the child’s last day. Pictures are deleted when the kindergarten year ends on 1 September.
Essentially information about individual children is deleted after the child’s leaving date. The kindergarten has no obligation to store public documents pursuant to the Kindergartens Act or the Child Care Act. However, in the case of decisions, plans and assessments relating to children who need special support, copies of these documents will be kept for 10 years for practical reasons.
Disclosure of personal data
We use Vigilo as supplier of our parent network. Personal data in our parent network will be stored by them and this is regulated by a data processor agreement.
As a kindergarten, we are subject to specific legislation relating to disclosure of information to public authorities. As far as possible, this will occur with the parent or guardian’s consent in each case.
Orders from our cafes
When goods and services are ordered from Sit Kafe, this is the personal data that we register: name, e-mail address, address and telephone number.
The purpose of processing the personal data is so as to be able to provide the goods and services ordered and for invoicing. The legal grounds for the processing are the fulfilment of purchase agreements and compliance with the provisions of the Bookkeeping Regulations sections 5-1-1 and 5-1-2.
Processing of the personal data is essential for the purpose and applicable legislation.
The personal data must be kept for at least 5 years, pursuant to section 13 of the Bookkeeping Act.
If you participate in one of our courses
When you register for one of our courses, you give your name, e-mail address, telephone number and study programme.
The purpose of collecting the personal data on registration is to have an overview of course participants and contact information for sending out reminders and course material.
When you register for a course you order a service from us. Processing of the personal data is necessary to be able to provide you with this service. The legal grounds for the processing are therefore the fulfilment of the agreement.
Course registration is done in a system provided by an external supplier, where the processing of personal data is regulated by a data processor agreement.
Registration information is deleted at the end of every term.
The data is not divulged to others, except in the case of public authorities with legal authority to obtain the information.
Contacting our health personnel
Information registered during the visit is name, personal ID number, address, telephone number, place of study, what the interview is about, topics that you raise, solutions and advice given by the nurse/adviser and what happens next.
Health personnel have a documentation obligation pursuant to the Health Personnel Act chapter 8, section 39. The legal grounds for processing the personal data are therefore the legal obligation. During the interview you will receive information about the purpose of keeping records and that this is a statutory requirement. If you do not wish to give personal information, no memorandum will be written of the interview/event.
We keep the case records for up to 10 years before they are deleted from our case record system.
The records are kept in a system provided by an external supplier, where the processing of personal data is regulated by a data processor agreement.
The information is not divulged to others, except in the case of public authorities with legal authority to obtain the information.
Sit Psychosocial health service
You are given information about data protection when you contact Sit Psychosocial health service.
Mitt Sit App (Android and iOS)
We aim for our app to be your secure access to the services we have created to create space for a meaningful student life.
Login
When you use the app for the first time, you must log in. You can then use your Feide user, or create a new one. For the app, we currently only use name and email address, but this may change as we add new services. We will update this text as it happens, along with the necessary consents.
Payment
When you use the app for the first time, we create a unique customer number for you. This customer number is linked to your user account (name, email), and only this customer number is used against our partners when you shop and pay in the app. You are therefore not identifiable to anyone other than us.
Storage of payment card: If you choose to save your payment card for later use, the information is only stored with our provider. Sit only has access to parts of the card number in order to give you the opportunity to delete the card.
Our partners:
Munu has our checkout solutions, product catalogs etc., and it is from them that we source the products you can choose from in the app. When you choose to buy something, the customer number, order number and amount are sent to them.
Dintero is the provider that makes payment via Vipps and (in a later version) cards available to us.
Vipps is a payment solution provider, and they get their customer number and amount from us. Furthermore, you have your own agreement with Vipps, with the data that you have given them permission to have about you. This does not affect our services, nor do we get customer data back from them.
Marketing and Tracking
We do NOT share user data or statistics with any external partners. Dot. You and your data must be safe with us.
Future changes
This app will be in constant development, and services and the need for data around them may change. This text will therefore be updated if and when new functionality is added to the app. As long as we are not required to store data - such as financial transactions in accordance with Bookkeeping Act - we will also strive to ensure that you, as a user, can withdraw any consent you have previously given us at any time.