Privacy policy

---

1. Introduction

The Governor of Svalbard is the data controller in most cases where personal data is processed in the company. A data controller is, according to the definition of the General Data Protection Regulation, the one who determines the purpose of the processing and the manner in which the processing is to be carried out.

On this page you can read more about the Governor's activities and tasks.

This privacy policy describes which categories of personal data are collected, used and possibly also shared with our suppliers and what is the purpose and legal basis for the use of personal data.

This privacy policy is supplemented by the police's privacy policy.

2. When does the Governor collect personal information?

The Governor collects personal information when you use our websites or services. The Governor mainly processes personal information that you have provided to us. The personal information that is collected varies depending on which of our services you use. Some services only require the processing of your name and/or email address, while other services require the collection of more information – e.g. personal identification number, photos or health information.

However, the Governor will not process more personal information than is necessary to fulfil the stated purpose of the processing. The Governor may also not process your personal information for purposes other than those for which it was collected, unless you give us consent to other use. More information about purposes and grounds for processing can be found in section 3 below.

Typical situations where the Governor processes your personal data are:

• You have visited our website (sysselmesteren.no)
• You have sent us an application or a complaint, (e.g. application for exemption for intervention in protected cultural monuments, application for a driving license, application for permanent residents to use snowmobiles in national parks, complaints about land use plans)
• You have requested access under the Freedom of Information Act or the Personal Data Act
• You log in and use the Governor's digital services
• You apply for a job with us
• You subscribe to our newsletter
• You have signed up for a clean-up drive, applied to rent a cabin, etc.
• You have applied for a visa, passport, residence or citizenship

The Governor may also in some cases process personal data about you indirectly. Such cases may include, for example:

• The Governor is carrying out supervision or control of a service and your personal data is mentioned in the documents
• A complaint or application received contains information about you
• We receive information about you from another government agency
• A job applicant has listed you as a reference
• You are listed as someone's relative, family member or guardian

3. Purpose and legal basis for the processing of your personal information

3.1 Introduction
The Governor uses your personal information for various purposes and relies on various processing bases (legal bases) to ensure that our use of personal information is in accordance with applicable regulations.

3.2 What is recorded when you use our websites [and digital services]
The Governor offers a news alert service via email. To receive news from the Administrator, you must register an email address on our website (https://www.sysselmesteren.no/en/subscription/ ). The information registered here is used exclusively in connection with email alerts.

3.3 Cookies
The Governor only uses necessary and functional cookies on its website.

Cookies are small data files that are stored on your device when you visit our website. The Governor only uses necessary/essential cookies. These are cookies that are necessary for the Governor's website to function as intended. These cookies pose no security risk to you as a user of the website. None of the cookies used on the Governor's website can identify you personally. We use the following cookies on sysselmesteren.no:

• ASP.NET., ASPXANONYMOUS and AsP.NET are required for the website to function. The cookies are automatically generated when the page loads and are deleted when you close the browser.
• EPiDPCKEY, . EPiServerLogin, __epiXSRF and ArticleViewPort are cookies that are used if you log in to the publishing solution as an EpiServer user. The cookies are deleted when you close the browser. The editlanguagebranch cookie remembers which language you have selected in the editor when you are logged in as an EPiServer user, and this cookie is deleted after two years.
• Google Analytics uses the cookies _ga, _gid and _gat to collect anonymous visitor statistics on the website. These are deleted after two years, 24 hours and 1 minute respectively.
• Leseweb is a tool for reading text on the website. B100Serverpoolcookie is a cookie related to speech synthesis (reading text on the website) and is a unique identifier that is deleted when you close the browser. The cookies that control the visible/hidden control for Leseweb and speed settings, etc. are only generated when you start Leseweb. These are not deleted.
• Cloudfare is used to override security restrictions based on the IP address the visitor comes from. This does not match the user ID, and does not contain personally identifiable information
• Azure
• Application Insights (application analytics tool)
• Authentication (by editors)

Other cookies may occur on pages that retrieve content elements from other websites through iFrames, etc. (e.g. YouTube videos).

3.4 Applications etc.
The Governor processes your personal data when you submit applications for permits, licenses etc. The purpose of processing personal data in these cases is for the Governor to fulfill its role as a public entity in Svalbard. The basis for this purpose is either a legal obligation (e.g. under the Svalbard Environmental Act) or to exercise public authority vested in the Governor.

Typical services are:

• Trip notification
• Cultural heritage management (application for changing cabins, etc.)
• Research applications (RIS portal)
• Hunting permits
• Weapons permit
• Basic rental points
• Driving licence
• Alcohol permits
• Visas, residence permits, passports and citizenship

3.5 What is recorded when you request access?
Via the eInnsyn system, you can request access to documents under the Public Access Act. The Norwegian Directorate for Digitalisation is responsible for eInnsyn and is responsible for the processing of personal data. You also have the option to order documents anonymously. In that case, an email address is all we need. This email address will be stored indefinitely in our systems. If you want your access requests to be stored in "My eInnsyn", you must register and create a user account. At the same time, you must consent to the processing of personal data in "My eInnsyn". The user account stores the email address you register, your access requests, searches and cases you have subscribed to. It is voluntary if you want to store your name and the organisation you represent.

In addition, you can contact us directly to request access. If you request access directly to our archive via email to us, we will collect your email address and name.

3.6 Processing of job applications
If you apply for a job at the Governor, we must process information about you to assess your application. We purchase services from Jobbnorge for our recruitment work. To apply for a job with us, you must create an account with Jobbnorge and at the same time consent to the processing of personal data. Jobbnorge has signed a data processing agreement with us.

Jobbnorge deletes applications after a certain period of time depending on whether you have been interviewed, got the job or not.

The Governor will process your personal data when you apply for a job with us. For this purpose, the Governor will collect your name, email address, telephone number and personal identification number and other information you provide in the application. The basis for processing this information is the Governor's legitimate interests. The Governor will have a legitimate interest in receiving relevant information about the applicant in order to be able to assess which candidate is best suited for the advertised position. The Governor will only request relevant information, so that this interest takes precedence over the interest of the registered (job applicants).

All applicant lists are transferred and stored in Public 360 - the Governor's case management and archive system.

3.7 Applications to participate in a cruise, rent a cabin, etc.
In connection with applications to participate in a marine litter clearing cruise or applications to rent a cabin, the Governor will process your personal data. In these cases, the personal data will be collected from you as the applicant. Categories of personal data that are processed are name, telephone number, email address, names of people in the travel party (when renting a cabin). The basis for processing in these cases is the Governor's legitimate interests. The Governor must be able to process the applicants' personal data in order to be able to administer the cabin rental business and cruises.

In addition, the Governor may process your personal data when this is required by law (for example, accounting and bookkeeping rules or other legal obligations).

3.8 What is recorded when the Governor processes a case where you are mentioned in the documents?
What personal data the Governor processes about you in cases where you are mentioned in the documents depends on the type of case. In some cases, a name and email address (contact information) are sufficient, while in other cases it is necessary to process a larger amount of personal data, including sensitive personal data such as health information. As mentioned at the outset, the Governor will never collect more personal data than is necessary for the purpose of the processing. Nor will the Governor use collected personal data for purposes other than those originally intended for collection.

The information in this type of case will most often come from you, but it happens that the Governor obtains personal information from public sources – for example, the population register, the population register in Svalbard, the property register, etc. The case manager in the specific case will be able to provide you with further details about what personal information is being processed and where it was obtained from.

4. How does the Governor disclose personal information? 

The Governor may share personal information with third parties if the case processing requires it.

An example of when personal information is shared with third parties is in cases that the Governor's Department for Cultural Heritage Management handles. Several of these cases are referred to the Directorate for Cultural Heritage for assessment.

The Governor will never sell or rent personal information to marketing actors or unaffiliated third parties.

In rare cases, the Governor may need to transfer personal data out of the EU/EEA area. The reason for this is that the Governor has suppliers domiciled in so-called third countries, such as the USA. In a case where the Governor is dependent on extraordinary support to restore certain services, it cannot be ruled out that support personnel in third countries have access to personal data. The Governor emphasizes that this happens extremely rarely, and that measures have been taken to minimize this risk, including by having agreed that data centres in Europe will be used rather than data centres in the USA.

5. How long does the Governor store your personal information?

The Governor is subject to the Archives Act, which has been applicable to Svalbard since 2001. The Archives Act contains provisions on the storage period and deletion of archival material. How long personal information is stored depends on the purpose for which the personal information was collected. Certain personal information, which is classified as subject to archiving, will be archived for posterity and thus not deleted. In other cases, e.g. personal information in connection with job applications, this will be deleted 12 months after the recruitment process has been completed. To find out what applies in your case, we recommend that you contact us.

In some cases, you can request that your personal data be deleted. You can read more about this right to deletion or the "right to be forgotten" on the Norwegian Data Protection Authority's website.

6. Your rights

6.1 Introduction
As a registered person whose personal data is processed, you have several rights under the Personal Data Protection Regulations. 

If you wish to exercise one of your rights or have any questions, you can contact the Governor at firmapost@sysselmesteren.no. Contact information for the Data Protection Ombudsman is personvernombudet@sysselmesteren.no.

You can also complain to the Norwegian Data Protection Authority. 

6.2 Rights
The right to access means that you can, among other things, ask the Governor what personal data is stored about you and request information about the processing. You can also request a copy of the personal data about you under certain conditions.

If you believe that the personal data the Governor processes about you is incorrect, or that it gives an incorrect picture as presented, you can ask the Governor to correct or supplement the information, as best as technically possible.

In certain situations, you can ask the Governor to delete your personal data. You can also demand that the Governor restrict the processing of your personal data, e.g. while we process other requests from you.

In some situations, you have the right to object to the processing of personal data that is based on the Governor's legitimate interests. The Governor will then stop the processing activities, unless there are compelling reasons that precede your objection.

If the processing of your personal data is based on your consent, you may withdraw this at any time. However, this does not affect the lawfulness of the processing activities carried out up to the time of withdrawal of consent.

7. How does the Governor secure your personal information? 

The Governor has implemented appropriate security measures to protect the security of your personal information – both online and offline. These measures vary in scope and strength depending on how sensitive the personal information we collect is and the state of the technology. The Governor also has measures in place to ensure that suppliers who process personal information on our behalf have adequate security guarantees in place.

Suppliers who process personal information on our behalf act as data processors. Often, these are suppliers of various IT services. Data processors can also be ministries or directorates that provide services that the Governor uses in case processing.

All external suppliers must sign a data processing agreement with the Governor.

8. Contact information for questions or complaints

If you have questions or wish to file a complaint about privacy matters, you can contact the Governor at firmapost@sysselmesteren.no.

You also have the right to complain to the Norwegian Data Protection Authority. See more information about contact information here.

You can contact our data protection officer by email at personvernombudet@sysselmesteren.no if you have questions about what personal data we process and how this personal data is used. You can request access to what personal data we have about you, you can request to have personal data that is incorrect corrected or receive information about what rights you have.

The data protection officer can provide advice, and the officer can take the matter further within the organization. The data protection officer is obliged to maintain confidentiality.