Privacy Policy

The purpose of Grimstad kommune’s privacy policy is to give residents and other users of the municipality’s services information concerning how the municipality processes personal data which municipalities collect, and the rights that you have as a data subject. We also aim to ensure that you feel confident that Grimstad kommune is processing personal data appropriately and securely. Grimstad kommune’s privacy policy and procedures for handling personal data have been updated in accordance with the EU’s new General Data Protection Regulation (GDPR).

Controller

Grimstad kommune is the controller for personal data which is collected via the municipality’s services.

Data protection officer

You are welcome to contact Grimstad kommune’s data protection officer if you need help or advice concerning any issues relating to personal data.

Contact details:
Marte Aarthun
E-mail: personvernombud@grimstad.kommune.no
Tel.: 97 18 37 79

When you contact us

Please note that e-mail has weaknesses as a means of communication, which means that information sent by e-mail can sometimes go astray. E-mails are like open postcards. You should therefore not send sensitive or confidential information, such as health data or your national ID number, by e-mail. PDF forms for this type of information must be printed out and sent to the municipal authority via ordinary post.

Grimstad kommune provides electronic forms for many of its services, and these forms will gradually be updated so that they can also be used for sensitive or confidential information.

The municipality checks incoming e-mail for viruses, and e-mails that you send the municipality may be stopped by our anti-virus software. If you do not receive a reply to your e-mail, you should contact the municipality by phone. Our e-mail address postmottak@grimstad.kommune.no can be used for simple questions and enquiries, and will normally be answered on an ongoing basis by e-mail.

Matters which require more thorough investigation or which must be archived under the Archive Act are registered as separate cases. Registered cases will be answered by digital communication. In some cases, e-mail will be used, and you can receive a reply by e-mail if you prefer. This only applies to responses which do not contain sensitive or confidential information.

What categories of personal data do we process?

  • Contact details: name, address, telephone number and e-mail address.
  • Identification information: national ID number, D number, gender, citizenship
  • Relationships to others, e.g. spouse, cohabiting partner, child, marital status
  • Health data
  • Data linked to the services that the resident uses, such as kindergarten, school, planning applications, refuse collection, etc.

You can find out more about what is considered to be personal data on the Norwegian Data Protection Authority’s website.

In what ways do we collect your personal data?

  • If you disclose your personal data directly to us, e.g. via a web form on our website
  • We may obtain your personal data from other government agencies, such as the National Registry, the Contact and Opt-out Registry (Kontakt- og reservasjonsregisteret), the Norwegian Labour and Welfare Authority (NAV), the Directorate of Immigration (UDI), the Brønnøysund Register Centre or the County Governor
  • Personal data that is registered by employees of the municipality in connection with case processing and the various services that we provide

Why do we need to obtain personal data about you?

The municipality processes your personal data in accordance with the law in order to perform certain specific tasks:

  • to ensure that you as a resident of the municipality receive the services you are entitled to at different stages of life, e.g. kindergarten places, schooling, health and care services and refuse collection services
  • to provide guidance and carry out checks which the municipality is obliged and authorised to perform.

We also process your personal data for other tasks which fall within Grimstad kommune’s areas of responsibility. For example, we collect certain data in order to prepare statistics concerning the use of our services.

What is the legal basis for processing your personal data?

The municipality’s processing of personal data is first and foremost based in law.

It is not normally possible to opt out of such processing. Some relevant laws are:

  • Education Act
  • Kindergarten Act
  • Municipal Health and Care Services Act
  • Public Administration Act
  • Archive Act

Consent

In some cases, the municipality may process personal data about you based on your consent. In this case, you will be informed what the processing is based on and you will actively be asked to consent to the processing that we perform. For more information on consent, see https://www.datatilsynet.no/rettigheter-og-plikter/overordnet-om-rettigheter-og-plikter/samtykke/. You can withdraw your consent to the processing of your personal data at any time.

Recipients of your personal data

When your personal data is processed by an administrative system which is provided by an external supplier, the municipality will have a data processor agreement with the supplier concerned in order to regulate the security aspects of the processing, and to ensure that data protection is carried out in accordance with applicable laws and regulations.

In some cases, your personal data will be transferred to external recipients. This could for example be NAV, a hospital, the Directorate for Education and Training (in connection with examinations or national tests), etc.

How long will your personal data be stored for? 

We will store your personal data for as long as is necessary for the purpose for which the data was collected. This means for example that personal data which we process based on your consent will be deleted if you withdraw your consent. Personal data which we process in order to fulfil a statutory obligation will be stored for as long as is required by the relevant legislation, e.g. in accordance with provisions laid down in the Archive Act.

Data protection

Under the Personal Data Act, we have a responsibility to ensure that all personal data that we hold about you is adequately protected.

We will ensure that only those who need to gain access to the data we hold about you as part of their official duties will be able to do so. We will also ensure that personal data can only be altered or erased by people with the necessary authority. We will ensure that the personal data is available as and when necessary to enable us to fulfil our responsibilities in order to provide you with the best possible service. We regularly review our procedures to ensure that our security is as good as possible at all times. If we discover that a procedure is not working as intended, we will rectify the matter.

Privacy and confidentiality

All municipal employees are subject to a confidentiality obligation. The municipality’s employees are obliged to prevent unauthorised persons from gaining access to or knowledge of personal data about you, unless you have consented to such access. The confidentiality obligation is particularly strict as regards certain services and areas.

Your rights under the Personal Data Act and the Personal Data Regulation

You are entitled to access your data

You can contact the municipality and your executive officer in the municipality. You can ask to be told what personal data the municipality has registered about you, what it is used for, and where it has been obtained from. This applies to both electronic and manual registers. You are entitled to receive a response within 30 days. Requests for access can be sent to postmottak@grimstad.kommune.no.  See also the Guidelines for access to personal data concerning students.

You are entitled to have inaccurate information corrected

If you discover inaccurate information about you, you can ask us to correct it. We are normally also required to correct incomplete or inaccurate information on our own initiative. However, please contact us if you discover any errors in information about you, and we will correct it as soon as possible.

You are entitled to require data about you to be blocked or erased

We will erase or block data which is no longer required for the original purpose of the registration. If you believe that the municipality has registered data about you which does not need to be registered, you can ask for the data to be deleted. This does not apply if the data must be retained under other legislation, such as the Accounting Act or the Archive Act.

You have the right to limit the processing of data about you

You can ask us to limit how we process data about you.

You have the right to object

You can object to us processing data about you.
Find out more on the Norwegian Data Protection Authority’s website about your rights in connection with the deletion and correction of your personal data.

You are entitled to receive a copy of your data in a digital format

This is called the right to data portability. Under certain circumstances, you have the right to receive data which you have given us in a digital format. You are also entitled to receive data transferred to another enterprise or organisation if you so wish. The right to data portability only applies to data which you have given us.

Right to complain to the Data Protection Authority

If you believe that our processing of personal data does not correspond with what we have described here or that we have breached applicable personal data legislation in any other way, you can complain to the Data Protection Authority. You will find details on how to contact the Data Protection Authority on their website: www.datatilsynet.no

You are entitled to exercise your rights free of charge

You can request access to or deletion of your data or exercise any other rights you have under applicable data protection legislation free of charge, unless your request is clearly unjustified or exaggerated. If we decline your request, it is us who must prove that your request is unjustified or exaggerated.

Right of access to data by parties under the Public Administration Act

If you contact us with a complaint, we will normally refer to or enclose your communication when we contact the party your complaint concerns. You can ask us not to disclose your identity when we communicate with the other party. However, there are strict conditions which must be met in order to refuse a party access in a case if they request such access. The municipality is therefore unable to guarantee anonymity in connection with such requests.

Access by the press and the general public under the Freedom of Information Act

The general rule under the Freedom of Information Act is that administrative bodies’ case documents are publicly available. This means that the press and others who request access will be able to gain access to the municipality’s case documents. Your communication with us will therefore also be publicly available, regardless of the form in which it is sent. However, the municipality handles certain documents which contain confidential information. These documents will be exempt from public disclosure. Internal documents may also be exempt from public disclosure if there is a legal basis for doing so. However, they are not exempt from disclosure simply because they are internal documents.

Cookies

Cookies are small text files which are placed in your web browser’s memory. They provide us with statistics which we use to improve our website and the digital services we provide.
See the overview of cookies which we use on our website.

The municipality collects de-identified data concerning visitors to the municipality’s website. The aim of this is to produce statistics which we use to improve and develop our website. Examples of questions which the statistics give us answers to are: how many visitors visit different pages, how long the visit lasts, which websites the users come from, and which web browsers are they using?

This website uses Google Analytics, an analytics service provided by Google Inc. (“Google”). Google Analytics uses what are known as cookies, or text files, which are stored on your computer, and enable Google to analyse how you use the website, in order to make it possible to offer the best possible website. Cookies are small pieces of data which generate information about your use of the website (including your IP address). The data is sent to one of Google’s servers in the USA, where it is stored. If necessary, Google can also send the information to third parties, provided this is permissible under applicable law or if it is a third party which is processing the data on behalf of Google. However, your IP address will never be linked to any other data which is collected by the municipality.

This website also uses Vizzit, an analytics service from Vizzit.se. This service uses what are known as cookies. Cookies are small text files which are placed in your browser’s internal memory. They provide us with statistics (including which pages are visited, which searches are performed, etc.) which we use to improve our website and the digital services we provide. Data obtained via Vizzit is not disclosed to third parties  

You can stop cookies from being placed on your computer by changing your browser settings. However, you should be aware that this can sometimes prevent some of the website’s functions from working. By using our website, you consent to Google processing the data they have collected about you in the manner and for the purpose that is described above.

“Did you find what you were looking for” feedback function

At the bottom of some articles on the website, you will find a function where you can give feedback on whether or not you found the information you were looking for. We use this feedback to improve the content of our website. If you use this function, a cookie will be placed on your computer. This cannot be used to trace the message back to you. The feedback you send us will be stored in our database.

The function is not used for questions and answers, and we therefore ask you not to enter questions which you want answers to here. Please do not enter sensitive information, as the function is not secure (encrypted).

Chatbot – Kommune-Kari

We use a chatbot called “Kommune-Kari”, which is provided by Sem & Stenersen Prokom AS, as a digital customer services assistant on our website.

Kommune-Kari gives website visitors answers to questions about the municipality’s services and other relevant services. The aim is to enable residents to serve themselves, improve response times and service levels, and help make the municipality’s services more cost-effective.

Nature of the processing

Registration of questions from users, processing of questions, presentation of answers, storage of chatlogs and collation of data for statistical purposes.

The supplier uses chatlog and chat statistics for quality assurance purposes and to enable the further development of the solution. The supplier also uses examples of chat dialogues for information or marketing purposes. In this case, it is obliged to anonymise the data that it uses.

Personal data that is processed

The solution stores all questions from the user and Kommune-Kari’s reply in a chatlog.

Kommune-Kari asks the user to chat anonymously and not to disclose personal data.

However, if the user does disclose personal data, the data will be automatically anonymised wherever possible. This solution automatically detects and anonymises selected data every hour. The anonymisation process involves data masking using coding, so that the data in the chatlog is not visible. The following data is automatically anonymised:

  • All numbers consisting of more than 6 digits
  • Health data
  • Gender
  • Information on sexual orientation
  • Information on political preferences
  • Geolocation

The user’s IP address will automatically be masked in the solution, regardless of the anonymisation process described above, and is therefore never stored in the form of plain text.

The following metadata are stored concerning chat:

  • Time (date and time)
  • The user’s platform (desktop, tablet or mobile phone)
  • The user’s web browser (type and version)

A limited number of the controller’s employees have access to the chatlog.

For how long is data stored?

The chatlog and any content which is not already masked will be stored for 21 days before it is automatically erased. After erasure, it will not be possible to reconstruct chat dialogue in the chatlog. Only data about the intention that the chatbot has given an answer to will be retained. This forms the basis for statistics and billing.

Users’ rights

  • Right of access: The user can download a copy of all chat data. This function is available via the ? icon and when the chat is closed.
  • Right to correction and erasure (Forget me): The user can delete the entire chat dialogue at any time. This function is available via the ? icon and when the chat is closed.
  • Right to data portability: The user can download a copy of all chat data. This function is available via the ? icon and when the chat is closed.
  • Right to limited processing and right to object to processing: The user can delete the entire chat dialogue at any time. This function is available via the ? icon and when the chat is closed.