Norwegian Institute of Public Health
Norwegian Institute of Public Health is committed to protecting the privacy of users who access this website and/or any of its
services. Use of the website and/or any of the services offered by Norwegian Institute of Public Health implies the user’s
acceptance of the provisions contained in this Privacy Policy and that their personal data will be
processed as set out herein.
Please note that, although our website may contain links to other websites, this Privacy Policy does not
apply to websites of other companies or organizations to which the website may redirect. Norwegian Institute of Public Health
does not control the content of third-party websites and accepts no responsibility for the content or the
privacy policies of those websites.
Information on data processing (Regulation (EU) 2016/679 and Organic Law 3/2018)
| Data controller | Identity: Norwegian Institute of Public Health |
|---|---|
| Purpose of processing | To provide and manage our IT services. |
| Lawful basis | In general, the lawful basis for processing data will be the consent obtained from the data subject or the performance of the service contract. |
| Recipients | The data will not be disclosed to third parties, unless required by law or necessary to fulfill the purpose of the processing. |
| Data subject rights | Data subjects have the right to exercise their rights of access, rectification, restriction of processing, erasure, portability, and objection by sending their request to our address. |
| Data retention period | As long as the business relationship is maintained or for the years necessary to comply with legal obligations. |
| Complaint | Data subjects may contact the Spanish Data Protection Agency (AEPD) to submit any complaint they deem appropriate. |
| Additional information | You can consult additional and detailed information below under “Privacy questions”. |
Privacy questions
In compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April
2016 (GDPR) and Organic Law 3/2018 of 5 December on the Protection of Personal Data and guarantee of
digital rights (LOPDGDD), we provide you with the following information regarding the processing of your
personal data:
Who is responsible for processing your data?
Identity: Norwegian Institute of Public Health
For what purpose do we process your personal data?
- We process the information you provide to manage our IT services.
- If you contact us with an enquiry, we will process your data to respond.
- If you give us your consent, we may also process your data to send you information about our
activities, products, or services.
How long will we keep your data?
- The personal data provided will be kept while you are a user of our services or wish to receive
information, given that you may object to the processing of your data for promotional purposes at any
time, and thereafter for the periods established to comply with our legal obligations. For accounting
and tax documentation for commercial purposes, the retention period is 6 years, in accordance with
Article 30 of the Commercial Code; and for tax purposes it is 4 years, in accordance with Articles 66
to 70 of the General Tax Law.
What is the lawful basis for processing your data?
The lawful basis for processing your data is the performance of the service contract and the consents
you provide us.
Regarding information submitted by minors under 14 years of age, it is an essential requirement
that it is provided with the consent of the parents, guardian, or the minor’s legal representative so
that the personal data may be processed. If this is not the case, the minor’s legal representative must
notify us as soon as they become aware of it.
To whom will your data be disclosed?
The data will not be disclosed to third parties, unless required by law or necessary to fulfill the
purpose of the processing.
What are your rights when you provide us with your data?
- Anyone has the right to obtain confirmation whether or not we are processing their personal data.
- Data subjects have the right to access their personal data, as well as to request rectification of
inaccurate data or, where appropriate, request erasure when, among other reasons, the data are no
longer necessary for the purposes for which they were collected. - In certain circumstances, data subjects may request restriction of the processing of their data; in
such case, we will only keep them for the exercise or defence of claims. - Also, in certain circumstances and for reasons related to their particular situation, data subjects
may object to the processing of their data. In such case, we will stop processing them, except for
compelling legitimate grounds or for the exercise or defence of possible claims. - Data subjects also have the right to data portability.
- Any data subject has the right not to be subject to a decision based solely on automated processing,
including profiling, which produces legal effects concerning them or similarly significantly affects
them. - Finally, data subjects have the right to lodge a complaint with the competent supervisory authority.
How can you exercise your rights?
By sending us a written request and attaching a copy of a document that identifies you, to our postal
address or email address.
How did we obtain your data?
The personal data we process come from the data subject, who guarantees that the personal data provided
are accurate and is responsible for communicating any changes. Data marked with an asterisk are
required to provide the requested service.
What data do we process?
The categories of data we may process are:
- Identification data
- Postal or email addresses
- Data of legal representatives of legal persons
The data are limited, as we only process the data necessary for providing our services and managing our
activity.
Do we carry out international data transfers?
In providing our services, we use auxiliary companies that process data on our behalf outside the
European Union. These international data transfers are covered by the Standard Contractual Clauses for
data protection adopted by the European Commission, in accordance with the examination procedure
referred to in Article 93(2) of the GDPR.
Do we use cookies?
We use cookies while browsing our website with the user’s consent.
The user can configure their browser to notify them of the use of cookies and to prevent their use.
Please visit our cookie policy.
What security measures do we apply?
We apply the security measures established in Article 32 of the GDPR. Therefore, we have adopted the
necessary security measures to ensure a level of security appropriate to the risk of the data
processing we carry out, with mechanisms that allow us to guarantee the confidentiality, integrity,
availability, and ongoing resilience of processing systems and services.
Some of these measures include:
- Informing staff about data processing policies.
- Performing periodic backups.
- Access control to data.
- Regular verification, evaluation, and assessment processes.
How do we process data on behalf of third parties?
When, in providing our services, we must process personal data for which other entities are the data
controllers, we will do so as data processors, in accordance with Article 28 of the GDPR. Such personal
data processing will be governed by the corresponding data processing agreement.