In situations where you are in contact with BETTEReHEALTH personal data concerning you may be recorded in our database. This document describes the practical aspects of our personal data protection policy related both to research activities and events, and to our use of online services and the transfer of personal data to external system suppliers and service providers. Finally, we set out the rights you have to inspect, and to challenge our processing of, your personal data.
BETTEReHEALTH is an EU H2020 funded project and consists of a consortium of partners. The project coordinator is SINTEF Digital that is a research division of SINTEF AS (Org. no. NO 919 303 808).
The person ultimately responsible for all personal data processed at SINTEF is our CEO and President Alexandra Bech Gjørv. You can contact SINTEF at the following:
Postal address: P.O.Box 4760, Torgarden, 7465 Trondheim, NORWAY
Office address: Strindveien 4, 7034 Trondheim, NORWAY
Tel.: +47 400 05 100 (switchboard)
If you have any questions about our processing or your personal data, please contact SINTEF’s Personal Privacy Coordinator Jan Wåge (tel.: +47 400 05 100).
Personal privacy in connection with research and development (R&D) projects
SINTEF is responsible for ensuring that personal data obtained as part of our research and development projects are processed in compliance with the 2018 Norwegian Personal Data Protection Act (personopplysningsloven) and the General Data Protection Regulation (GDPR) which applies in both EU and EEA countries. Personal data utilised in our projects comprises information that we obtain from our clients, users, research and commercial partners, individuals who participate in our projects as survey informants and respondents, human research subjects, and from the datasets that we use in our research.
Sikt Data Protection Services acts in the role of SINTEF’s Personal Data Protection Officer. SINTEF makes active use of the systems provided by the Data Protection Services to our project managers and management teams. All projects that process personal data must apply for approval from the Data Protection Services in compliance with prevailing legislative requirements and ethical principles governing research. Our projects in the fields of health and medicine are similarly also assessed and approved by the Norwegian Regional Committees for Medical and Health Research Ethics (REC) pursuant to prevailing legislation.
All projects that utilise personal data are obliged to prepare a data processing plan that sets out how personal data are handled in compliance with legislation throughout a project’s lifetime and during the long-term archiving of research data. We obtain the written consent of persons that provide us with personal data in connection with our projects. Consent is given on the understanding that their participation is voluntary and after they have been informed of their legal rights.
The security measures built into our information systems, our procedures and requirements linked to the transfer of personal data, and our responsibilities to anonymise or delete personal data once a project has been completed, are assessed in advance and monitored by Sikt Data Protection Services. If you require more information, please visit the website www.nsd.no/en/data-protection-services
Information security, with particular focus on the correct processing of personal data, is a key consideration at SINTEF and is safeguarded by our internal control system and project risk assessment procedures. SINTEF has prepared complete internal control documentation in compliance with the requirements and guidelines for personal data processing stipulated by the NDPA.
In the event of our use of data taken from existing registers, large volume data sets, online data sets, or in situations where we make use of sensitive personal data, a more comprehensive risk assessment is carried out in the form of a Data Protection Impact Assessment (DPIA).
Personal data acquired via use of our online services/websites
SINTEF does not acquire personal data such as dates of birth, national insurance numbers, or data linked to personal credit/debit cards. Examples of data that we collect include: a) company names, b) the names of contact representatives, c) company/invoicing addresses, d) telephone numbers and e-mail addresses and e) information related to your use of the website in question such as the subsidiary pages you visited, your browser settings and IP address. The personal data for the registry website user account will be deleted after 5 years without any activity.
How does SINTEF acquire information?
SINTEF acquires information using forms available on our websites. Provision of such information is voluntary. If you choose not to provide personal data, we may be prevented from allowing you access to the product or service in question. Examples of forms:
- Contact information form
- When you want to try out a product or service
- When you purchase a product or service using our websites
- When you register to take part in webinars, courses and conferences
- When you download documents such as e-books
- When you subscribe to receive our newsletters or blogs via e-mail
The aims of acquiring this information are:
- to enable us to provide access to our products and services
- to enable us to send you relevant information
- to enable us to contact you to offer our products and services
The BETTEReHEALTH website (www.betterehealth.eu) uses information capsules/cookies.
- Own site (session handling)
- Matomo Analytics
Matomo Analytics is used to track activity of the users of our websites. All data is treated anonymously and SINTEF is not permitted to use such data to identify individual persons and their use of our websites.
The “Share” function can be used to forward links to the website via e-mail, or to share content on social media platforms such as Facebook or Twitter. We do not log information about tips, although such data may be used occasionally to post tips on social media platforms. However, we cannot guarantee that these platforms do not log these data. Due care must thus be taken when using all such services. If you use the e-mail function, we only use the submitted e-mail addresses to forward said e-mails. The addresses are not stored.
Distribution of personal data to other parties
Data processing agreements are entered into with the data processors that administer systems on our behalf. Thus, personal data linked to research and development projects may reach third parties that for the most part comprise the system suppliers of electronic questionnaires that are used in said projects. These suppliers are responsible for ensuring that the systems function as they should. The data recorded, and the way in which they are secured, stored and deleted is strictly regulated by the provisions set out in the relevant data processing agreements. Suppliers must document all their procedures and recognise that they have a clearly stipulated legal responsibility to adhere to the data processing agreements they enter into and to process all personal data in compliance with requirements set out in the Norwegian Personal Data Protection Act and the GDPR. The data processing agreements ensure that that we safeguard information security at all stages of processing.
The rights of clients and users during personal data processing by SINTEF
Clients, users and participants in research or other activities for which SINTEF has responsibility have the right to request to inspect, correct or delete their personal data currently being processed. Such parties also have the right to request that limits be placed on processing and, under certain conditions, to object to processing. You will find more information about the rights of individuals on the NDPA’s website at https://www.datatilsynet.no/rettigheter-og-plikter/den-registrertes-rettigheter/
Those who wish to exercise their rights must contact SINTEF either by phone or e-mail. We will respond to your enquiry as soon as possible and no later than within 30 days. Before you can exercise your rights in relation to SINTEF, we will ask you to confirm your identity or provide other necessary information. We do this in order to ensure that we only provide access to your personal data to the right person and not to someone who may be impersonating you.
You are entitled at any time to withdraw your consent to have your personal data processed by us. As well as contacting us by e-mail or telephone, you will also be able to cancel your subscription to our newsletters by following the cancellation link accompanying each newsletter.
If you believe that our processing of personal data fails to comply with the policy set out here, or that we have contravened personal privacy legislation by some other means, you may submit a complaint to the NDPA. You will find information about how to contact the NDPA and how to report contraventions of personal privacy legislation on the organisation’s website at www.datatilsynet.no
If any amendments are made to the regulations governing the processing of personal data, this may result in changes to the information provided in this policy. Updated information will be made available on our website.