Skip to main contentorganic-down

PRIVACY POLICY

PRIVACY POLICY

1. Why do we process personal data?

At the Student Welfare Organisation in Stavanger (SiS), we aim to ensure that you, as a student, have the best possible experience during your studies. As a student at the University of Stavanger, BI Stavanger, VID Stavanger, the Art School in Stavanger, Noroff Stavanger, and the School of Leadership and Theology, you can use our services when you pay the semester fee. Our offerings include student housing, health services with psychologists, therapists, and health nurses, cafés on campus, daycare, and a sports center. To enable you to use our services, communicate with us, and similar activities, it often requires us to process some personal data about you.

We also process personal data related to you if you are applying for a job with us, are a customer, or use our facilities.

This privacy statement is intended to provide you with information about why, on what legal basis, and for how long we process your personal data. You will also be able to read about your rights as a registered individual at the bottom of section 13.

SiS, through the managing director, is the data controller for our processing of personal data.

If you are unsure about anything, have questions or comments related to this privacy statement, contact us at sis@studentensbeste.no.

2. What is personal data and a legal basis for processing?

Personal data is any information and assessments that can be linked to you as an individual. This can include your name, email address, national identity number, and address. It can also be an IP address, a photo or video recording, purchase and payment history, or which training sessions you have attended. As long as the information or assessment can be traced back to you, it is considered personal data.

As a business, we are subject to a number of obligations under the law when we process your personal data. This includes, among other things, that we are required to have a legal basis for doing anything with your personal data. Under the General Data Protection Regulation, which is to be understood as Regulation (EU) 2016/679 hereafter referred to as GDPR, there are six different legal bases for processing under Article 6.

The processing must either be based on consent (GDPR Art. 6 (1) letter a) or be necessary to fulfill a contract (GDPR Art. 6 (1) letter b), a legal obligation (GDPR Art. 6 (1) letter c), protect vital interests (GDPR Art. 6 (1) letter c), perform a task in the public interest or exercise official authority (GDPR Art. 6 (1) letter e), or safeguard legitimate interests (GDPR Art. 6 (1) letter f).

If it concerns special categories of personal data, which include personal data such as political opinions, health information, and information about a physical person's sexual relationships or sexual orientation, we must also have a specific basis for processing these under GDPR Article 9.

3. SiS Housing

3.1 Creating an account in the UniAlltid system

To process housing applications, you must create a profile in the UniAlltid system. There are four different ways to register:

  1. Manual user registration: by creating a user manually, you provide us with information such as first name, last name, and email address.
  2. Login via your Google account: we collect your name and email address if you use this login method.
  3. Login via your Facebook account: we collect your name and email address if you use this login method.
  4. Login via your Apple account: we collect your name and email address, if you choose to display it, if you use this login method.

If you use third-party accounts, we encourage you to be aware that this type of login may result in you sharing login data with the provider. We therefore ask you to familiarize yourself with the relevant third party's privacy statements. We emphasize that we only collect the personal data mentioned above if you choose to use simple login via a third party.

The purpose of registration is to give you access to UniAlltid, which is the tool we use to manage applications and rental agreements. This processing occurs so that we can obtain the necessary information to possibly enter into an agreement with you, making the legal basis for processing GDPR Art. 6 (1) letter b.

3.2 Housing application

In UniAlltid, you can submit a housing application. We will then process your personal data such as name, email, phone number, address, nationality, information about relatives, which educational institution you belong to, study start and end, information about children and cohabitant, housing preferences, and health information that appears from documentation for accommodation needs if this is attached. The processing is necessary for us to assess your housing application and to possibly enter into an agreement with you as a registered individual. The legal basis for processing is therefore GDPR Art. 6 (1) letter b, contract.

We process personal data as long as it is necessary to achieve the purpose. Health information provided in connection with accommodation needs is deleted upon allocation of housing. You can delete your information and user account in UniAlltid at any time if you do not have a rental agreement with us.

3.3 Waiting list

If you end up on a waiting list, the application and personal data resulting from it will be stored for a period until you receive a response on whether you are allocated housing. The legal basis for managing the waiting list is GDPR Art. 6 (1) letter b, contract. If you are not allocated housing, the application is deleted on July 22.

3.4 As a tenant with SiS Housing

3.4.1 What personal data do we process about you as a tenant and on what basis

When you have been allocated housing, it will be necessary for us to manage the rental agreement. We then use the personal data you provided in the application to enter into a written contract with you and issue invoices for rent.

We need to communicate with you as a tenant. For this purpose, we use your personal data such as email address and SMS. Furthermore, we can communicate with you in the housing portal UniAlltid.

In the event of payment default, personal data such as name, address, national identity number, email address, phone number, account number, invoice amount, KID number, and information about outstanding amounts are shared with the debt collection agency Lowell.

If there is a lack of payment or other default that qualifies for eviction, we will send your name, national identity number, address, and description of the situation to the enforcement officer. The enforcement officer assists with the forced eviction of tenants.

If you are unfortunate and lock yourself out, you can get help from Securitas to unlock the door for a fee. You will then need to identify yourself with an ID card, and your name and address will be reported to us for invoicing.

The processing mentioned above is necessary to fulfill the rental contract we have entered into with you, making the legal basis for processing GDPR Art. 6 (1) letter b, contract.

If you want parking, a list with names and registration numbers is created for those who have been granted a parking permit. This is to enable control of the parking spaces. The legal basis will then be GDPR Art. 6 (1) letter b, contract.

We have a legitimate interest in ensuring that house rules are followed. In case of a breach of the rental contract, we can therefore issue a warning to you. Storing the warning is a legitimate interest we have as a landlord, namely to document such incidents. The name, address, and a description of the basis for the warning are then stored. The legal basis for storing warnings is GDPR Art. 6 (1) letter f, balancing of interests.

In common areas, you have the opportunity to send content from your devices to a deployed TV using Chromecast. When using this service, personal data is sent to Google, which includes system activity and usage data (details about how you use the functionality on the cast device, including the apps and domains you cast from). This offering is a legitimate interest we have, namely to facilitate the use of common areas as social arenas. You can read more about how long Google processes personal data here.

3.4.2 How long do we process personal data about you as a current and former tenant

The rental contract is stored for 3.5 years and invoices for 5 years after the rental agreement has ended, in accordance with the Accounting Act.

Other personal data is processed as long as it is necessary to achieve the purpose. If there are circumstances that make it relevant to store the data to establish, assert, or defend legal claims, we will store the personal data until such cases are concluded, in accordance with GDPR Art. 17 (3).

4. SiS Health

4.1 Course registration

SiS organizes various courses that you can register for via our website. By registering for a course, you must give permission for us to process personal data such as name, email address, gender, phone number, which educational institution you belong to, and study information. The legal basis for this processing is GDPR Art. 6 (1) letter a, consent. The personal data is used to manage course registration and is anonymized when the course is completed.

4.2 Individual and tour conversations

If you want an individual or tour conversation, you can book this through the Aspit appointment booking form. You will then need to provide your name, national identity number, phone number, email address, and address in the form. The personal data is used to set up an appointment and send you reminders. If you choose to conduct the appointment via video, the Confrere tool is used. The legal basis is GDPR Art. 6 (1) letter b, contract. Since health information is processed, which is considered a special category of personal data, the specific basis for processing is GDPR Art. 9 letter h.

The mentioned personal data, as well as information and assessments that emerge during the conversation, are stored in a patient record system called PsykBase. All businesses providing healthcare are legally required to establish patient record systems. These are requirements that follow from the Health Personnel Act §§ 39 and 40, the Patient Records Act Chapter 2, and the Patient Records Regulations. The legal basis is GDPR Art. 6 (1) letter c, legal obligation. We store the data as long as it is necessary to fulfill the purpose.

4.3 Conversation therapy

If you wish to book an appointment for conversation therapy, we will process personal data such as name, national identity number, email address, and information that follows from the form you submit via Norse. We use this personal data to set up an appointment and send reminders. The legal basis is GDPR Art. 6 (1) letter b, contract. Since health information is processed, which is considered a special category of personal data, the specific basis for processing is GDPR Art. 9 (2) letter h.

The mentioned personal data, as well as information and assessments that emerge during the treatment, are stored in a patient record system called PsykBase. All businesses providing healthcare are legally required to establish patient record systems. These are requirements that follow from the Health Personnel Act §§ 39 and 40, the Patient Records Act Chapter 2, and the Patient Records Regulations. The legal basis is GDPR Art. 6 (1) letter c, legal obligation. We store the data as long as it is necessary to fulfill the purpose.

We also have a collaboration with Cope, which offers video consultations with a psychologist. If you use this service, Cope will be the data controller, and you can read more about how they process personal data here.

4.4 Assisted self-help

To offer you the Assisted Self-Help tool, we need to process personal data about you. Primarily, when ordering an assessment conversation, we will process your name, national identity number, phone number, email address, and address to set up the appointment. When you use Assisted Self-Help, your therapist at SiS will have access to data in the tool to provide you with the best possible follow-up. You can also read more about privacy in Assisted Self-Help here. Since health information is processed, which is considered a special category of personal data, the specific basis for processing is GDPR Art. 9 (2) letter h.

The mentioned personal data, as well as information and assessments that emerge during the treatment, are stored in a patient record system called PsykBase. All businesses providing healthcare are legally required to establish patient record systems. These are requirements that follow from the Health Personnel Act §§ 39 and 40, the Patient Records Act Chapter 2, and the Patient Records Regulations. The legal basis is GDPR Art. 6 (1) letter c, legal obligation. We store the data as long as it is necessary to fulfill the purpose.

4.5 Health nurse

4.5.1 Consultation

You can drop by for a consultation with a health nurse for guidance and conversations. Personal data such as name, date of birth, and information that emerges during the conversation will be processed and stored in the patient record. The purpose of the processing is to provide you with proper healthcare in accordance with the Health Personnel Act § 4.

Before March 2020, we had physical patient records that we keep in a locked archive. After March 2020, personal data is documented in the electronic health record system CGM. Storing personal data in a patient record is a legal requirement that follows from the Health Personnel Act §§ 39 and 40, the Patient Records Act Chapter 2, and the Patient Records Regulations. The legal basis is GDPR Art. 6 (1) letter c, legal obligation. Since health information is processed, which is considered a special category of personal data, the specific basis for processing is GDPR Art. 9 (2) letter h. We store the data as long as it is necessary to fulfill the purpose.

4.5.2 Self-test for sexually transmitted diseases

If you take a self-test for sexually transmitted diseases, we need to process some personal data about you to be able to contact you with the result and ensure follow-up in case of a positive test. You must therefore provide information such as name, national identity number, phone number, date of the test, and whether you want a consultation appointment with a health nurse when you submit the self-test. The test is delivered and analyzed at the Department of Medical Microbiology at Stavanger University Hospital. When we have the result, we will contact you.

If you test positive, we will forward your name, national identity number, and the type of medication you should have to Apotek1 Madla. We do this so that you can receive the correct medication to treat the sexually transmitted disease.

In the case of a positive gonorrhea test, we will, in collaboration with Stavanger University Hospital, refer you to the Dermatology Clinic, SUS, for treatment and follow-up.

The purpose of the processing mentioned above is to provide you with proper healthcare in accordance with the Health Personnel Act § 4. The legal basis for processing is GDPR Art. 6 (1) letter c, legal obligation. Since health information is processed, which is considered a special category of personal data, the specific basis for processing is GDPR Art. 9 (2) letter h.

In the case of a positive test, we also assist with contact tracing, i.e., contacting previous sexual partners to encourage them to get tested. We will then process personal data about previous sexual relationships. The legal basis will then be GDPR Art. 6 (1) letter c, legal obligation, as it follows from the Communicable Diseases Act § 3-6 that contact tracing should be conducted in case of suspected transmission of infection. Since health information is processed, which is considered a special category of personal data, the specific basis for processing is GDPR Art. 9 (2) letter h.

Storing personal data in a patient record is a legal requirement that follows from the Health Personnel Act §§ 39 and 40, the Patient Records Act Chapter 2, and the Patient Records Regulations. The legal basis is GDPR Art. 6 (1) letter c, legal obligation. We store the data as long as it is necessary to fulfill the purpose.

5. SiS Café

5.1 Competitions

To participate in our competitions in the cafés, you will need to provide your name and phone number. This is used to contact the winner of the competition. The legal basis here is GDPR Art. 6 (1) letter a, consent. Personal data is deleted when a winner is selected and contacted.

5.2 Catering and corporate customers

If you order food for a company/business, we store personal data such as name, email address, and if the order is from the University of Stavanger, department affiliation. We have a legitimate interest in processing personal data to manage the purchase and store the data for use in future orders. Personal data is stored for the lifetime of the business. The legal basis is GDPR Art. 6 (1) letter f.

5.3 Video surveillance

For security reasons, we have video surveillance in our store. We have strict, written routines related to the use of video surveillance. Only the store manager and IT manager have access to the recordings, and this can only happen if they are connected to the same network as the camera systems. Logging in should only occur if there is suspicion of criminal activity. Video surveillance is a legitimate interest we have as a business, so the legal basis is GDPR Art. 6 (1) letter f. Recordings are generally stored for 7 days before being automatically deleted.

In the investigation of criminal acts or accidents, video surveillance recordings are provided to the police in accordance with the regulations on video surveillance in businesses, and the legal basis will then be GDPR Art. 6 (1) letter c. If it is likely that recordings will be handed over to the police, the recording is kept for up to 30 days.

6. SiS Daycare

6.1 Children's personal data

At SiS Daycare, we strive to give children's personal data special protection in accordance with privacy regulations. We process a large set of data that can provide a comprehensive and detailed picture of a child's development and the child's academic and social behavior, which makes us more aware of this. Only those with a service need have access to the personal data, we use passwords where data is stored digitally, and the daycare folder is locked in a physical archive to protect it from unauthorized access. You can be sure that your child's personal data is safe with us at SiS Daycare.

6.2 Application

Sola Municipality is responsible for the admission process for daycares in the municipality. It is through coordinated admission that we receive applications and allocate daycare places. The documentation we receive from Sola Municipality is used to assess and allocate daycare places at SiS Daycare.

Once the child has been allocated a place, we are responsible for processing personal data related to guardians and children. The legal basis for assessing and allocating daycare places is GDPR Art. 6 (1) b, as the processing is necessary to enter into an agreement for a place at SiS Daycare.

6.3 When allocated a daycare place

When the child has been allocated a place in our daycare, there are a number of personal data that we must process about the child and you as a guardian to manage the daycare place. To enter into an agreement for a daycare place, you as guardians must provide names and personal numbers, the child's name and personal number, contact information, address, and information about family relationships. It is necessary for us to process this information to enter into an agreement for a daycare place, contact you if needed, and send out invoices. These processes occur to fulfill the agreement for a daycare place, making the legal basis GDPR Art. 6 (1) letter a.

We want you to see how the children are doing in daycare. Therefore, we take photos and videos of the children that we share with you, provided you have consented to the processing by giving permission through the consent form. The legal basis is therefore GDPR Art. 6 (1) letter a, consent. We emphasize that you can withdraw your consent at any time if you change your mind.

It is only if you have consented that we share your contact information with other guardians, for example, in connection with contact during leisure time. The legal basis is GDPR Art. 6 (1) letter a, consent.

We keep track of who is present in the daycare at any given time and planned absences. This is partly to have an overview in case of an incident or crisis, but also so that we can plan staffing needs. This processing is a legitimate interest we have, and the legal basis is therefore GDPR Art. 6 (1) letter f, balancing of interests.

As a daycare, we are subject to a number of legal obligations under the Daycare Act and the Child Welfare Act. This means that we are legally required to document matters related to the children, such as the child's interests, preferences, development, health, matters related to accommodation and follow-up. Furthermore, as a daycare, we are legally required to provide information to the social services, the municipal health and care services, and child welfare. The processing of personal data in such cases will therefore be based on GDPR Art. 6 (1) letter e, as this occurs as part of performing tasks in the public interest. Where special categories of personal data are processed, for example, matters related to the child's health, the Daycare Act § 47 a, allows us to do this when it is necessary to perform tasks under the law. All personal data related to the child is stored in the daycare folder, which is kept in a locked filing cabinet.

6.4 When are personal data deleted?

As a private actor, SiS Daycare is not subject to any legal obligation to store the daycare folder and other documentation collected and prepared about the child. Therefore, most personal data is deleted when the child finishes daycare.

However, we have chosen to store selected documentation prepared in connection with legal requirements as long as it is necessary for the intended purpose. The storage is a legitimate interest we have to document compliance with the regulations and further ensures that the registered individual has access to the information even after the agreement for a daycare place has ended. The legal basis is GDPR Art. 6 (1) letter f, balancing of interests.

Invoices are stored for 5 years, and the agreement for a daycare place is stored for 3.5 years in accordance with the Accounting Act § 13 before they are deleted.

6.5 Student interns

If you are a student intern placed with us at SiS Daycare in connection with your early childhood education, this means that we must process personal data such as name, study information, and phone number to manage the internship. Furthermore, matters related to the internship, such as suitability, strengths, and weaknesses, are documented to prepare an evaluation report that is sent to the University of Stavanger. The legal basis is GDPR Art. 6 (1) letter e, as this occurs as part of performing tasks in the public interest. Additional grounds will be the Daycare Act § 51. We store the personal data as long as it is necessary to fulfill the purpose.

7. SiS Sports Center

SiS Sports Center has its own privacy statement which you can find here.

8. For job applicants

If you have applied for a job at SiS, there are a number of personal data we must process to assess whether you are the right candidate for us. This will include personal data that follows from the application, CV, diplomas, and other documents you provide to us when applying for the position. This will typically be name, address, email address, phone number, statements from references, and internal assessments. The legal basis will be GDPR Art. 6 (1) letter b, as the processing is necessary to take steps at your request before a possible contract is entered into.

For candidates who are not selected, the information is stored until the recruitment process is completed, unless you have consented to us retaining the information for a given period in accordance with GDPR Art. 6 (1) letter a.

9. SiS on social media

The Student Welfare Organisation in Stavanger and its sub-departments have pages on social media such as Facebook, Instagram, YouTube, and Vimeo. By having a page on these platforms, it means that we will collect some personal data about you if you follow or interact with us through these services. This includes your name and other information that follows from your profile and free text field if you choose to contact us on these platforms.

We have a legitimate interest in marketing our business and services on social media, so the legal basis is GDPR Art. 6 (1) letter f, legitimate interest. The processing occurs as long as we have a presence on these platforms and you as a registered user have an account. Here, the responsibility for processing will be shared, so the actors who own the platforms, such as Meta Platforms Ireland and Google IrelandLimited, will primarily be responsible for processing your personal data.

10. Event support

You can apply for support if you want to organize an event aimed at strengthening the social student environment. If you submit an application for support, you must provide personal data such as name, educational institution, email address, phone number, event information, account holder's name, and account number for payment. It is necessary for us to process this information to assess and possibly grant support. We use Freshdesk to process the applications. The legal basis is GDPR Art. 6 (1) letter b, contract.

Approved applications are stored for 3.5 years as secondary documentation in accordance with the Accounting Act § 13. Applications that are not granted are deleted when the decision to reject is made.

11. Whistleblowing service

You can submit a report via our website using a form where you can choose whether to include your name and email address along with the report or only submit a report. We then process personal data such as name, email address, and information that emerges from the free text field. If the report concerns the managing director, the report is sent in paper form. You can also choose whether to include your name and email address or only submit the report. We have strict routines around the processing of reports, and only those with a service need have access to the information.

The legal basis is that we have a legitimate interest in ensuring that all our visitors have a good experience when they visit us, and therefore we welcome feedback on any critical incidents that we can address. The legal basis for this processing is GDPR Art. 6 (1) letter f, balancing of interests. The name of the whistleblower (unless reported anonymously) and what is reported can be stored for the lifetime of the business, but other personal data is sought to be anonymized.

12. Your rights

You can always contact us if you want more information about how we process your personal data or have questions related to this.

When we process your personal data, you will also have a number of rights that you can exercise at any time, which you can find more information about here.

12.1 Right to information and access

You have the right to receive information about how your personal data is processed, and this privacy statement should contain that information. If you wish, you can contact us to access all the personal data we have registered about you in our systems. Furthermore, you can request a copy of all the personal data we have registered.

12.2 Right to withdraw consent

If the legal basis we have for processing your personal data is consent, you are free to withdraw it at any time. You do not need to provide a reason for why you want to withdraw your consent.

12.3 Right to rectification/correction

You have the right to have incorrect personal data about you rectified/corrected. You also have the right to have incomplete personal data about you supplemented. If you believe we have registered incorrect or incomplete personal data about you, we ask you to contact us. It is important that you justify and possibly document why you believe the personal data is incorrect or incomplete.

12.4 Right to erasure

If you wish to have your personal data erased, we ask you to contact us. It is important that you justify why you want the personal data to be erased, and if possible, also specify which personal data you want to be erased. We will then assess whether the conditions for requesting erasure are met. Some personal data we are legally required to process, for example, under the Accounting Act, so we cannot delete them.

12.5 Right to object

You have the right to object to the processing of your personal data when the legal basis is, among other things, rooted in GDPR Art. 6 (1) letter f. If we determine that you have the right to object, we will stop processing the personal data, and you will also be able to request their deletion.

12.6 Right to restriction

In certain cases, you may have the right to request that the processing of your personal data be restricted. Restriction of personal data means that the personal data is still stored, but the possibilities for further processing are limited. If you believe that the personal data is incorrect or incomplete, or have raised an objection to the processing (see the section on the right to object), you have the right to request that the processing of your personal data be temporarily restricted. This means that the processing is restricted until we have possibly corrected your personal data or have assessed whether your objection is justified.

12.7 Right to complain about the processing

If you believe that we have not processed the personal data correctly and legally, or if you believe that we have not been able to uphold your rights, you have the opportunity to complain about the processing. You can find information on how to contact us below.

You also have the opportunity to submit the complaint to the Data Protection Authority. The Data Protection Authority is responsible for ensuring that Norwegian businesses comply with the provisions of the Personal Data Act and GDPR when processing personal data.

You can find updated information on how to contact the Data Protection Authority at www.datatilsynet.no .

13. Contact information

If you wish to contact us, send an email to sis@minsis.no.

Last updated: 24 June 2026
PRIVACY POLICY | SiS