Privacy and Data Protection in Simula
Personal data is information that can be linked to you as a person. It could be your name and contact details, but also much other information that can be linked to you more indirectly. The purpose of this declaration is for Simula to provide information about the type of personal data we process and how the people whose data we process can protect their rights under data protection legislation.
Last updated: January 2022
Personal data at Simula
Simula is the controller, the agency which determines the purpose and means of the processing of personal data we use in our operations. This personal data declaration provides details about the processing Simula is responsible for.
Overall responsibility for personal data protection in the Simula Group lies with the CEO of Simula Research Laboratory AS and the Directors of the respective limited companies in the Simula Group.
Simula's processing of personal data is coordinated by Maria Benterud, Head of Administration in Simula Research Laboratory AS (SRL).
The data protection officer for Simula is Simon Gogl, Senior Advisor, Data Protection Services.
SIKT - Norwegian Agency for Shared Services in Education and Research.
Phone: (+47) 53 21 15 73
Simula personal data contact information
- Simula attn. Deputy Managing Director Kyrre Lekve
- Email: email@example.com
Personal data coordinator
- Simula attn. Maria Benterud, Head of Administration SRL
- Email: firstname.lastname@example.org
Personal data officer
- Simon Gogl, Senior Adviser, SIKT
- Email: DPO@simula.no
When does Simula collect personal data?
Simula processes personal data either because there is a statutory basis for this or because we have received consent from the person in question.
We generally process personal data about you in the following situations:
- Your details have been entered into one of our registers.
- You participate in one of our activities.
- You represent one of our commissioners or a party that funds our research.
- You or the company you are employed by is affiliated with us.
- You have been in contact with or collaborated with our researchers.
- You have or will attend one of our courses, seminars, events, workshops or other events.
- You subscribe to one of our newsletters.
- You visit our web page.
- You have applied for a job with us.
- A job applicant has given your name as a reference.
- You have received access to our systems or premises.
- You have been paid remuneration or have received a reimbursement from us.
- You are one of our suppliers or you have submitted a tender to us.
IT infrastructure, classification of data and storage guide
Simula is a group of legal units that has a shared IT infrastructure. At present, part of the infrastructure is operated by external service providers. Processor agreements have been entered into with them, in order to ensure that the personal data processing meets our requirements.
Simula has established guidelines for the storage of data and information. The guidelines include a storage guide explaining how we process, store and manipulate data, based on how the data and information are classified.
Persons we are in contact with – email, phone and archive
Simula processes the personal data of people we are in contact with. We use email, phone, video conferencing and other collaboration tools for our internal and external communication. We store the necessary information about our activities in file and archive systems. Each employee is responsible for deleting personal data they no longer need to keep. Once an employment relationship comes to an end, that person's email account is deleted, but certain relevant emails are normally transferred to his/her colleagues. Personal data must not be sent by email.
Documents that should be preserved will be archived in Simula's systems for this use
The basis for this processing is point (f) of Article 6 (1) of the General Data Protection Regulation (GDPR), which allows us to process the data that is necessary in order to protect a legitimate interest that weighs more heavily than the consideration of each individual's privacy. The legitimate interest is being able to perform our task as companies in the Simula group.
Use of personal data in research
Simula delivers Research, education and innovation. The philosophy of Simula is to make a difference in the fields we operate. That implies engaging with experts in different areas to solve difficult and important problems. From time to time this involves using personal data, in order to validate our models.
We have an agreement with SIKT for the purchase of personal data services for research. SIKT must be notified of all projects that contain personal and health data. It also provides Simula with the following services:
- General information, training and counselling on the processing of personal data and security of personal data in research.
- Assessment of the use of personal data in research projects that have been reported to SIKT, both before, during and at the end of a research project.
- Handling queries from data subjects (participants) in research projects.
- Notification of and, if applicable, assistance with handling personal data breaches and other data protection breaches that are identified in any part of a research project's planning, execution and/or conclusion.
- Data Protection Impact Assessment – DPIA.
- Prior consultation and dialogue with the Norwegian Data Protection Authority.
- Development and maintenance of systems for notification and counselling, and an updated notification archive for all research projects.
- Publicly-accessible overview of personal data processing.
Research data that contains personal data must be processed securely at Simula, and must only be available to the people who will be processing the data. Each research project is assessed individually and Simula ensures in each case that personal data is processed in accordance with the law.
The basis for processing personal data in connection with research may be consent or the public interest. This information will be provided in each research project’s listing in the notification archive.
Use of personal data at our knowledge and competence centres
Simula runs several knowledge and competence centres like Simula Learning and Simula Consulting which, process different types of personal data for different purposes. These companies will contact the data subjects directly and provide information about what personal data is processed, the purpose of the processing, how the data is processed, and their rights as data subjects. This will be done by giving the data subjects information directly and by describing the activities on the website.
The basis for processing personal data in these legal units may be consent or the public interest. This will be clear from the different types of processing.
Participants at seminars, conferences, courses and continuing education
When you attend a seminar, conference, course or continuing education at Simula, we register information such as your name, email, workplace, position and related hardware information if you connect a device to our network. When we serve food at one of our events, we also ask questions relating to food allergies or other considerations we need to take. This registration is based on consent. The registration will be deleted once the purpose of the participation is no longer valid.
We organize regular seminars for research communities, master students, users, commissioners, decision-makers and other parties. In addition, some of our units organize regular courses and teaching. Information about these regular courses and continuing education activities can be found on the website of the Simula community that organizes them.
The basis for processing your personal data in connection with participation is point (a) of GDPR Article 6 (1), i.e. consent. You may withdraw your consent at any time by pulling out of the event. The withdrawal of your consent will not affect the lawfulness of the personal data processing that took place before you withdrew your consent.
You must give your email address if you want to subscribe to our newsletter. Your email address will be used to send you the newsletter. Your email address will only be used to distribute the newsletter, and it will not be shared with other third parties. Your email address will be deleted when you unsubscribe from the newsletter.
The basis for processing your email in connection with our newsletter is point (a) of GDPR Article 6 (1), consent. You may withdraw your consent at any time by unsubscribing from the newsletter. The withdrawal of your consent will not affect the lawfulness of the personal data processing that took place before you withdrew your consent.
Data subjects in connection with dissemination activities
Simula takes photos/videos in different situations showing activities involving Simula. People who participate in these activities may have their photos taken, and we use such material in the external dissemination of our research and innovation. The dissemination includes articles on Simula's website that contain photos/videos, posts on our social media channels, brochures, etc. The basis for this processing is point (e) of GDPR Article 6 (1), which allows us to process the information necessary in order to perform a task that is in the public interest.
Media contacts and contacts from influential persons
SIMULA occasionally collects and stores contact details about representatives of the media, influential players, and other relevant contact persons. We do this in order to increase the efficiency of our contact with these groups. In such cases, we obtain information from the internet and ensure that if any data subjects leave their job, they are also deleted from the list of such contacts.
The basis for the processing is point (f) of GDPR Article 6 (1), which allows us to process the data that is necessary in order to protect a legitimate interest that weighs more heavily than the consideration of each person’s rights and freedoms. The legitimate interest is to provide information about our activities in the media and effectively cooperate with influential players.
Visitors to our website
The films we show on simula.no are hosted by the video-sharing services Vimeo and YouTube. YouTube is delivered by Google. When you visit one of our pages with an embedded video, Vimeo and/or Google can store cookies on your device.
As one of our partners, your personal data is included in the applications and tenders we submit, and projects we carry out. You will already have sent us your CV, hourly rate, qualifications, and other necessary information in an application, tender or execution of a project. Your personal data will therefore be stored in application and project folders in our archive and filing system.
Project cooperation and shared results will be visible on our web pages, Nasjonalt vitenarkiv (NVA) and in our academic repository.
Simula makes its results available in NVA. Publications you have co-authored with our researchers are registered here. We link the authors’ names and publication addresses to the publication in NVA. We register several types of personal data in the system for academic and administrative staff with roles in NVA.
The basis for this processing is point (f) of GDPR Article 6 (1), which allows us to process the data that is necessary in order to protect a legitimate interest that weighs more heavily than the consideration of each individual's privacy. The legitimate interest is being able to perform our tasks.
Contact persons from the client/source of funding, suppliers and providers
As the contact person of the client/source of funding or supplier, we store contact details regarding your workplace, like your email, telephone, and position. Such information will be found in documents that we store in our archive and filing system.
When competing for projects, we are happy to provide documentation of our reference projects, including the client's contact details. We therefore occasionally give the details of your workplace to a third party who represents the client.
The basis for this processing is point (f) of GDPR Article 6 (1), which allows us to process the data that is necessary in order to protect a legitimate interest that weighs more heavily than the consideration of each individual's privacy. The legitimate interest is being able to perform our task as a research institute.
Applicants for positions at Simula
If you apply for a job with Simula, we need to process information about you in order to review your application. The hiring process entails processing the data you furnish in the documents you send us, including your application, CV, diplomas and certificates. In addition to interviews, Simula may perform its own checks, which typically involve talking to the applicant’s references.
Simula uses the Greenhouse application portal to manage applications for our job vacancies.
In order to review the documentation submitted, conduct interviews and call references, the basis for the processing is point (b) of GDPR Article 6 (1). This provision allows us to process personal data when necessary in order to take action on the applicant’s behalf before entering into an agreement. By applying for a position and uploading documents, it is our position that the applicant is asking us to review the documentation submitted, conduct interviews, and call references, with a view to entering into an employment agreement.
If we perform any other checks, for example contacting someone who has issued a certificate, but is not listed as a reference, the basis for processing in connection with such checks is point (f) of GDPR Article 6 (1), which allows us to process the data that is necessary in order to protect a legitimate interest that weighs more heavily than the consideration of each person’s rights and freedoms. The legitimate interest in finding the right candidate for the position.
You do not need to provide special categories of personal data in your application or at the interview. However, you may choose to do so. If you state that you have a disability that requires adaptation to the workplace or the employment relationship, our basis for processing will be point (a) of GDPR Article 6 (1), i.e. your explicit consent, see point (a) of Article 9 (2). You can withdraw this consent at any time. The withdrawal of your consent will not affect the lawfulness of the personal data processing that took place before you withdrew your consent.
Job applications are kept in the Greenhouse application system. Applications are deleted 6 months after a position is filled. Lists of applicants and recommendations are transferred to the case and archive system. If we hire you, your application will be transferred to your personnel file.
Employees, students and members of Grundergarasjen
Based on the different positions they hold, Simula employees, students and members of Grundergarasjen are registered in different IT systems and services that are either operated by Simula itself or by external suppliers. All employees are registered in our central systems, such as the ERP system, the HR system, ERP system, the HR system, access systems, and other systems required to maintain compliance with regulatory and legal requirements. In addition, employees, students and members of Grundergarasjen are registered in specific systems associated with their role in order to be able to perform work for Simula. Information about how we process personal data about our employees at Simula can be found in the GDPR policy, which is available to our employees on the intranet.
Simula processes personal data about its employees in order to perform pay administration, and personnel tasks, and for each employee to be able to do the job they were hired to do. The legal basis for the processing is point (b) of GDPR Article 6 (1) (performance of a contract) and point (c) of Article 6 (1) (compliance with a legal obligation). This means in order to fulfil the employment agreement with you as an employee and in order to meet our statutory obligations.
Recipients of remuneration and reimbursements
The information needed to disburse remuneration must be registered in the pay system. This includes the person’s remuneration, tax rate, tax municipality, a copy of their passport (for foreign citizens without a work permit in Norway), expenses to be reimbursed, per diems, and bank account number. Expenses can also be reimbursed as supplier disbursements. Information about the person's name, address and bank account number, and documentation of what is being reimbursed will then be stored in the invoice processing system.
Access to the information is limited through access control to the pay system, invoice processing system, general ledger, and reporting tools.
Under the Bookkeeping Act, Simula is under an obligation to keep accounting documentation regarding disbursements for 5 years after the end of the financial year. Simula's clients may request that they be kept for longer. This information is provided in the contracts for each project. At Simula, accounting documents are deleted 15 years after the end of the financial year.
The basis for this processing is point (f) of GDPR Article 6 (1), which allows us to process the data that is necessary in order to protect a legitimate interest that weighs more heavily than the consideration of each individual's privacy. The legitimate interest is being able to disburse remuneration and reimbursements and to comply with the Accounting Act and documentation requirements towards commissioners.
Visitors to our locations
Simula has several locations, and cameras are installed at some of these outside the entrance doors. The reason for this is to:
- Prevent break-ins, theft and vandalism
- Prevent attacks against our buildings and facilities.
- Protect our employees and guests.
- Facilitate the entrance of guests
At KA23, the staff at the reception can see images from the camera which is a Defigo service provided by AWS (Amazon Web Services) server park. The server which is used to process data from Norwegian customers is located in Stockholm. All communication between the intercom unit, the control unit and the AWS server is encrypted. Defigo uses the security service from AWS, Intrusion Detection System (IDS) which proactively detects, disables and alerts you to attacks.
The data is stored in the cloud and is deleted at the end of the customer relationship, or if a user deletes their own user account. Beyond that, access logs are stored for 30 days. Access to surveillance data is highly restricted, and storage and deletion follow current legislation and recommendations.
At certain locations, the visitor's name, company and the name of the person they are visiting are registered in the building owner's visitor management system. The data for the access control in Kristian Augusts gate 23 (KA23) is stored locally on a PC in the operating room basement in KA23, ie it is not cloud-based. All user history will be deleted after 30 days. There is a card reader on the door to the operating room, and the server is password protected.
The basis for this processing is point (f) of GDPR Article 6 (1), which allows us to process the data that is necessary in order to protect a legitimate interest that weighs more heavily than the consideration of each person’s rights and freedoms. The legitimate interest is to secure access to the premises.
According to personal data legislation, data subjects have more rights when dealing with those of us who process data:
- You are entitled to a reply without undue delay, and at the latest within one month.
- You can ask for a copy of all of the information we process about you.
- You can ask us to correct or supplement data that is incorrect or misleading.
- In certain situations, you can ask us to delete information about yourself.
- In some situations, you can also ask us to limit the processing of your data.
- If we process your data because of our activities or based on a weighing of interests, you have the right to object to our processing of your data.
- If we process your data based on consent or a contract, you may ask us to transfer your data to you or to a different controller.
- You can appeal our processing of your personal data.
Simula is under an obligation to provide general information about the personal data we process. Research managers, project managers and data managers on research projects, registers, and teaching and programme measures at Simula must further ensure transparency about the use of the personal data.
As an individual, you generally have the right to information about what data has been registered about you, and the right to access the data. If you believe that the information registered about you is incorrect, you can ask for it to be corrected. In certain situations, you can ask us to delete information about yourself. In that case, please contact the project manager of the research project in question. You may withdraw your consent to participate in research projects at any point, and without giving an explanation.
Note that some limits have been placed on the rights to access, correction and limitation of processing, pursuant to section 17 of the Personal Data Act. The ability to demand destruction, deletion or surrender will not apply if the material or data have been anonymised. You may exercise your rights by contacting Simula as the controller, or our personal data officer.
We hope that you let us know if you believe that we are not complying with the rules of the Personal Data Act. Please contact us initially via the contact or channel that you have already established with us. You can also contact our personal data officer if you need advice or guidance. The personal data officer has a duty of secrecy if you want to discuss something in confidence.
You can file a complaint about our processing of personal data. Such a complaint must be sent to the Norwegian Data Protection Authority. If you believe that Simula is processing personal data illegally, you can contact the Authority via their web page.