Privacy Policy - Institute of Marine Research

About this privacy policy

The Institute of Marine Research (IMR) is one of the largest marine research institutes in Europa. IMR is a national advisory research institute, organized as an executive agency directly under the Ministry of Trade, Industry and Fisheries.

In our tasks we often process data about natural persons or identifiable natural persons. We are a controller where we alone, or jointly with others, determine the purposes and means of the processing of personal data.

This privacy policy provides information about our processing and your rights as a data subject.

Please contact us if you have any questions in this regard. Our address is Havforskningsinstituttet, postboks 1870 Nordnes, 5871 Bergen, our telephone number is 55 23 85 00, and our email is post@hi.no.

You are also welcome to contact our Data Protection Officer on email personvernombud@hi.no.

Some of the terms used in this policy are explained in the General Data Protection Regulation (GDPR), article 4.

This is an English translation of our Norwegian privacy policy. If there are any differences, the Norwegian version has the precedence.

What are the purposes of our processing for which the personal data is intended and our basis?

Research and advisory work

The Institute of Marine Research’s main tasks are to provide advice based on research to relevant authorities on aquaculture and the ecosystems, make data and results from the research available, and do research which contributes to a knowledgeable development for the sector in question.

When performing these duties, which are imposed by the public, it is often necessary to process personal data.

This may cover, inter alia, mapping and registering data, performing interviews, research, analyzing, giving statements, advice, reports, sharing and conveying knowledge.

The processing of personal data is based on different grounds, which might be consent, performance of a contract, compliance of a legal obligation, performance of a task carried out in the public interest, research, statistical reasons, legitimate interests etc. These provisions follows of Act on processing of personal data chapter 3 and the GDPR chapter 2.

NSD also assist us in researchprojects. If you are a research object, NSD can for instance, give guidance regarding your rights. Their email is personverntjenester@nsd.no.

Inquiries, payments etc

We process information about you or others when we communicate, or enquiries are being made. This might occur by telephone, email, forms, digital platforms or systems.

This also applies if you sign up or attend courses, subscribe or use our services and so forth.

We also issue invoices, pay allowances etc. which means for example data of names, birth dates, account numbers, is processed. Personal information might also be collected and used regarding procurements.

The data might govern you as a private person, but also if you are an employee in a company, a provider or a vendor.

When browsing our web pages, we use cookies to offer you customized web services and ensure an optimized user experience.

When we administer and govern our institute this way, our basis for processing are mainly the same as in the section Research and advisory work, typically consent, agreement and legitimate interests.

Handling cases and archiving

We handle cases where we make decisions. We also have a duty to keep a post journal. Therefore, personal data might be processed. This is regulated in the Public Administration Act and Freedom of Information Act amongst others.

According to the latter act § 3, case documents, journals and similar registers of an administrative agency are, as a main rule, available for access. This means everybody, for instance, can access the correspondence which that administrative agency has recorded in its journal. However, exemptions from access apply, for example due to a duty of confidentiality.

We also have an obligation to archive. The archives shall be systemized and arranged in such a manner they are information sources presently and for the future. Requirements are set forth in Act on archives, Act on processing of personal data and others.

Job applications

If you apply for a job at our institute, we need to process your information to determine the application. This includes the application, diplomas, certificates, correspondence etc. In addition to an eventual interview, we assess, like contacting your references and so forth.

Basis is agreement, legal obligation, or we have a legitimate interest finding the right candidate for the position. If it is necessary to process special categories of data, the basis is consent or we need to fulfill our employer responsibilities, for instance according to the Equality and anti-discrimination act. We also refer to the Civil servants/state employee act.

Data of our employees

We process data of our employees to be able to perform our tasks and fulfill our obligations.

This cover, inter alia, administration (sharing of information, employment contracts, access cards, salary, allowances, holiday pay, sick pay, salary deductions, register injuries and sicknesses, access to systems), consider applications (absence, off-duty time, special adaptation of the work, leave of absences, permanent appointment, preferential right to new appointment), securing the working environment (fully satisfactory working environment, HSE, planning of work and working hours, breaks, conduct examinations of the working environment) comply with discrimination rules, ensuring freedom of speech at the workplace (for example process notifications), assuring an including, participating work situation (for instance organizing and arranging the work with regard for the individual employee’s capacity), training, development opportunities, offering competence portal, having plans and routines where employees might be mentioned (for example in regards to preparedness and breaches), interacting (physical and digital meetings internally or externally, etc.), control measures in the undertaking (consultations, information, evaluation, access to employees’ e-mail, camera surveillance), consultations of cases and issues, conveying of work and results, feedback and follow-up of your work, termination and ending of employment relationship (written reference, reference, warnings, dismissal, suspension, summary dismissal, voluntarily agreements, resignation, return of property) and reports.

Personal data may be conveyed to internal boards, union representatives, unions/federations, work agencies, committees, NAV, insurance companies, registers, supervisions, joint systems and so forth.
Many of these purposes will apply correspondingly if you are hired through an agency or are a consultant at IMR.

Our basis for the processing is mainly agreement, consent, legal obligation (Working environment act, Civil servants/state employee act etc) and/or our legitimate interests, for research and statistical purposes.

How long do we store your data?

How long we store your data depends on what is necessary in relation to the primary purposes for which they were collected or otherwise processed for, amongst others. However, there might be other reasons we need to store the data longer, for instance if we have a duty to archive, comply with a legal obligation (for example according to the Bookkeeping act or the Working environment act), scientific or historical research purposes and so forth.

Nevertheless, we will always consider if some of the data can be erased, if it can be stored in a manner the data cannot be linked to you without the use of additional information or if the data can be anonymized.

Other information

If we are a controller and processing is carried out on behalf of us, we will enter into data protection agreements with these. In some cases, we might be joint controllers which will be governed by means of separate arrangements.

We can have a duty to disclose personal data to others, typically public authorities based on consent, agreement or a legal obligation.

The personal data originate from you or others, for example different registries.

Where processing is based on your consent, you have the right to withdraw the consent at any time. Withdrawing your consent will not affect the lawfulness of processing based on consent before its withdrawal. 
Where personal data is processed based on a legitimate interest, we have considered that those interests overrides the interests or fundamental rights and freedoms of the data subject.

In some circumstances you have the right to object to our processing of your data. This depends on your situation, the purpose and if the basis for the processing is performing a task carried out in the public interest, in the exercise of official authority or based on legitimate interests (including profiling based on those grounds), amongst others. Where personal data are processed for direct marketing purposes (and profiling in this connection), you might also have the right to object. 

Your rights

You have certain rights when we process your data. These rights might be:

Access to your data

Rectification of your data

Erasure of your data

Restriction of processing concerning you

Object to the processing of your data

Data portability (receive your personal data in a commonly format and transmit those data to another controller)

Lodge a complaint to Datatilsynet (supervisory authority) regarding our processing of your personal data

There are certain conditions and derogations regarding these rights. You may read more about this in the GDPR chapter 3, Act on processing of personal data chapter 4 and at Datatilsynet (the supervisory authority).

If you have any questions or want to use your rights, you will find our contact information in the About section.