Why does VKM have responsibilities regarding personal data?
Processing other people’s personal data is about showing fundamental respect for privacy and the right to decide over one’s own personal data, as set out in Article 8 of the European Convention on Human Rights (ECHR) and Section 102 of the Norwegian Constitution. To "process" such data is to use personal data. Examples of such processing are when VKM collects, registers and organises data, compiles data with other data, or stores or discloses data.
When VKM processes personal data, we usually act as the “controller”. This means that VKM (through the Director) is subject to responsibilities and obligations under the Personal Data Act and the General Data Protection Regulation (GDPR) relating to the personal data that we hold.
VKM processes personal data in a lawful and secure manner. Personal data must be well-protected at VKM.
Why does VKM process personal data?
VKM processes data about you in order to fulfil our statutory obligations within areas such as food safety and environmental scientific assessments.
Data are processed in order to run the organisation. We process correspondence in the form of e-mail and telephone calls, and process and archive data in administrative, filing and archive systems. We process data in connection with public procurements and employment, and through lists of meeting and seminar participants, as well as the intranet. We secure our premises and administrative systems, partly by preparing lists of people who have had access to our premises and activity logs in administrative systems, CCTV surveillance, and in connection with administration, improvements and tasks relating to the website vkm.no.
Laws and regulations when we process personal data
VKM processes personal data under the provisions of various legislation, including the Personal Data Act, the General Data Protection Regulation, the Working Environment Act, the Civil Servants Act and the Archive Act.
We collect and process data either because we have a basis in law or a regulation to do so, or because we have obtained the consent of the person that the data concerns (the data subject).
How VKM obtains personal data
The manner and method that VKM uses to collect personal data depends on the origin of the data.
As with most public sector organisations, VKM must to some extent process personal data in connection with case administration, meetings and visits, the exchange of e-mail and telephone calls, as well as public invitations to tender.
VKM processes personal data concerning its employees in order to administer salaries and personnel responsibilities. The necessary data is registered to enable the payment of salaries, such as salary level, time recording, tax percentage, tax municipality and trade union membership. Other data concerning employees may include the person’s job description and organisation of the work. We use this data to regulate the employment relationship and to perform our role as an employer. Registration, storage and archiving in this area take place in accordance with the Working Environment Act, the Civil Servants Act, the General Data Protection Regulation, the Personal Data Act and applicable archive legislation.
Personal data at vkm.no
Cookies are small text files which are stored in your browser when you open a website. Under Section 2-7b of the Act on electronic communication (the E-com Act), you are entitled to be told and approve what information is stored about you, what the information is used for, and who is using it. You can control which cookies you allow. For more information, see How to manage cookies at Nettvett.no.
The following cookies are used on vkm.no:
- SiteVisionLTM: Used to guarantee that the form displayed is from this website and is not fake. The cookie will be deleted when the browser window is closed.
- JSessionId: Used to track the pages on the website that you visit. It is for example used to highlight links that you have clicked on in a different colour to those you have not clicked on. The cookie will be deleted when the browser window is closed.
- Google Analytics _ga: Used by the Google Analytics web analysis tool to distinguish users and user sessions. The cookie is saved for 14 months. We use Google Analytics for traffic measurement and analysis concerning our website. We have a separate data processing agreement with Google, which governs how they process personal data.
- __gat: Used to improve the performance of the Google Analytics web analysis tool. The cookie is saved for 10 minutes.
- _gid: Used by the Google Analytics web analysis tool to distinguish between different users. The cookie is saved for 24 hours.
Newsletters and news feeds
Those who wish to can subscribe to attend various seminars and events on vkm.no. You enter your e-mail address yourself. We use MailChimp as the processor and only use the e-mail address to distribute information about the event. You can unsubscribe at any time. The e-mail address will then also be deleted from MailChimp. The address will also be deleted if it is no longer in use. We have a separate data processing agreement with MailChimp, which governs how the company processes personal data.
Information that you enter on the various contact forms at vkm.no is forwarded to the appropriate department here at VKM as an e-mail. We accept and reply to e-mail via Outlook. Personal data that you provide in e-mails that you send us is covered by what is considered to be archival under the Archive Act and the Archive Regulations, and such enquiries will be stored in the Public 360 archive system. In this context, we process personal data such as name, address, telephone number, e-mail address and other relevant information. This registration, storage and archiving takes place in accordance with applicable archive legislation.
Never use e-mail to send sensitive information to VKM!
Media enquiries sent to VKM may be logged. We do this so that we can follow up and make sure you receive answers to your questions, and to keep a record of media enquiries. Logging is based on the consent of the people who contact us. We enter the name and contact details of the person who contacts us, what the enquiry concerns and who has replied to what. If you do not wish information about you and your enquiry to be logged, or you would like us to delete personal data, please let us know either via email@example.com or by telephone directly to the press officer.
Who has access to personal data?
VKM employees who are responsible for administering VKM’s tasks in their respective areas will have access to personal data from forms or surveys relating to the task concerned.
Data acquired in connection with case administration and business operations will be available to employees who have had case responsibility.
How VKM protects personal data
VKM stores personal data in a number of databases. Access to these databases is strictly access-controlled and need-based.
VKM is subject to the requirements concerning the appropriate processing of personal data in the General Data Protection Regulation, the Personal Data Act and the aforementioned laws. There are strict conditions regarding the processing of personal data and VKM is careful to protect data concerning individuals.
Our employees are subject to a confidentiality obligation. Breaches of the confidentiality obligation are punishable by law.
How long does VKM retain personal data?
The storage period, etc. depends on the basis for the data; see above.
Data that we collect through consent-based surveys are stored in accordance with the relevant consent and basis.
Who does VKM disclose personal data to?
Some suppliers, particularly subcontractors who provide computer systems, software and technical solutions, will sometimes have access to personal data. These are known as "processors" and are sometimes given access to personal data in order to supply and upgrade systems and correct errors in our systems. There are strict conditions regarding such access, and the work is carried out under the strict supervision of VKM. The suppliers concerned are subject to a confidentiality obligation.
It is important that the data gathered contain accurate and complete information. If you believe that data that have been recorded about you are inaccurate or incomplete in spite of this, you can normally ask for them to be corrected or deleted.
If you believe that data that has been registered about you in a consent-based survey is inaccurate or incomplete, you can ask for it to be corrected. In such cases, you should contact the project leader for the project concerned.
Contact VKM/FHI’s data protection officer
You can contact the data protection officer by sending an e-mail to firstname.lastname@example.org, by calling 53 20 40 82 or by sending a letter to the Data Protection Officer, Norwegian Institute of Public Health, PO Box 222 Skøyen, 0213 Oslo.
The Norwegian Data Protection Authority receives complaints
If you believe that VKM is processing personal data in an unlawful manner, you can contact the Norwegian Data Protection Authority via their website: How to complain to the Norwegian Data Protection Authority.