Privacy Policy for Citizens of the Municipality of Bergen

It is the objective of the City of Bergen that privacy and information security shall form a natural part of the City’s activities.

The City of Bergen shall process personal data about its citizens in a secure, lawful and fair manner. «Processing of personal data» means for instance that the City engages in collection, recording, storage, alignment, structuring and disclosure of information to others. 

This Privacy Policy contains information on how and why the City collects and processes personal data on you as a citizen and user of services. The Policy also contains information on your rights when the City processes personal data about you. 

All processing of personal data in the City is to be based on fundamental principles of data protection. This means that the City must process your personal data: 

In a lawful, fair, correct and transparent manner. 

Based on clearly defined purposes. 

In a manner that restricts data collection to what is strictly necessary. 

In a manner that ensures personal data is not stored longer than is necessary or imposed. 

Confidentially and protected against unintentional changes. 

In an accessible manner. 

In a way that ensures it is kept updated. 

In a responsible manner to make sure your privacy is ensured. 

Want to know more? General Data Protection Regulations (GDPR) Article 5 and the Norwegian Data Protection Authority’s webpages on principles of data protection

What are the data protection regulations and what is personal data?  

Data protection regulations  

The Norwegian data protection regulations consist of the Personal Data Act including any regulations, and the General Data Protection Regulations of the EU. The GDPR was incorporated into Norwegian legislation in July 2018, when the new Personal Data Act entered into force. 

The GDPR applies to all EU/EEA countries and regulates whether and how businesses may process personal data. The Personal Data Act with regulations specifies special Norwegian privacy rules, which apply in addition to the requirements of the GDPR. 

Want to know more? Personal Data Act og the Norwegian Data Protection Authority’s webpages on the Personal Data Act, including the GDPR, and when it applies

Personal Data  

Personal data include any information that can be linked to an individual. This could be, for example, name, identification number, date of birth, telephone number, address, photos, email address, information on financial situation, etc. 

The data protection regulations distinguish between personal data and special categories of personal data (previously called sensitive personal data). Special categories of personal data include information on racial or ethnic origin, religion, health data, sex life or sexual orientation, political opinions, philosophical beliefs or trade union membership, as well as genetic and biometric data. Such special categories of personal data require extra protection. 

Want to know more? GDPR Article 4 (1) and 9 and the Norwegian Data Protection Authority’s webpages on the meaning of personal data

Why do we process personal data about you?  


What is the purpose of data processing? 

The City of Bergen processes personal data when delivering municipal services and/or performing statutory tasks, and to be able to process any queries from you. 

In the event the City of Bergen wishes to process personal data that is not necessary to perform statutory tasks, you will be informed that giving such information is voluntary, and what the purpose of the processing is. This could be, for example, when the City sends out questionnaires that ask for your consent as a basis for processing. 

Want to know more? GDPR article 4 (2) and article 5 (b)

What is the legal basis for processing of your personal data?  

Exercising official authority or required to meet a legal obligation  

In order for the City of Bergen to be able to deliver its services to you, processing of personal data is necessary. For the processing of personal data to be lawful, there must be a legal basis. 

The City is often required by law to offer services to its citizens, and in most cases laws and regulations make up the legal basis for processing your personal data. 

Here are some important laws that govern the City’s processing of personal data (not exhaustive): 

Personal Data Act with Regulations and appurtenant GDPR 

Freedom of Information Act 

Public Administration Act 

Archives Act 

Local Government Act 

Accounting Act 

Electronic Communications Act 

Want to know more? GDPR articles 6 and 9 and the Norwegian Data Protection Authority’s webpages on having a legal basis

Agreement  

In some cases, the City enters into an agreement with you as a citizen, and in such cases the City will often need to process personal data in order to fulfil the agreement. For example, this might be when you buy an annual pass for the City’s swimming pool AdO Arena. The City will then need to record your name, telephone number and email address. This is done so that the City is able to verify that the correct person is using the annual pass, but also to be able to contact you to give you important information on the conditions of the agreement, and to send you an invoice so that you can fulfil your obligations under the agreement. 

Particularly on consent  

In cases where the City wants to process personal data about you without this being authorised by law, the City can ask for your consent to process the data. In such cases you will be told what the processing is about and actively be asked to consent to such processing. Your consent shall be voluntary and you may withdraw your consent at any time. 

The City will only use consent as the basis for processing when it has no other legal basis for processing of personal data. 

Want to know more? General Data Protection Regulations (GDPR) Article 7 and the Norwegian Data Protection Authority’s webpages on consent

Description of legal basis for each service area  

Below is a brief description of key bases of processing for the City's service areas that process large volumes of personal data with a special need for protection. The list is not exhaustive, and focuses on the service areas where it is expected that the greatest number of data subjects will be interested in receiving information. Further information on individual processing of personal data, for each City Government Department, is available from the City’s processing records. They can be accessed at your request. 

Particularly on day-care centres and schools  

The City of Bergen shall offer its citizens access to day-care centres and schools as part of City services. Processing of personal data in day-care centres and schools will primarily take place as part of offering a statutory service governed by the following legislation (list is not exhaustive): 

Kindergarten Act with regulations 

Education Act with regulations

Particularly on senior citizens and health 

The City of Bergen shall offer its citizens access to health care as part of City services. Processing of personal data in the health sector will primarily take place as part of offering a statutory service governed by the following acts and regulations (list is not exhaustive): 

Personal Health Data Filing System Act 

Health and Care Services Act 

Patients’ and Users’ Rights Act 

Health Personnel Act 

Patient Records Act 

Regulations on Dignified Care for Senior Citizens 

Particularly on work, social affairs and housing  

The City of Bergen offers services to citizens with mental problems and drug addiction, to the intellectually disabled, child welfare services, social services, and social housing services. The processing of personal data to look after the above services will primarily take place as part of exercising official authority, delivering services in the public interest, or fulfilling obligations and exercising special rights in the area. 

Where processing of personal data takes place as part of offering a statutory service, this is primarily authorised in the following acts and regulations (list is not exhaustive): 

Health and Care Services Act 

Patients’ and Users’ Rights Act 

Patient Records Act 

Health Personnel Act 

Child Welfare Act 

Social Services Act 

Mental Health Care Act 

Specialist Health Services Act 

Crisis Centres Act 

Regulations Relating to Physical Security in Crisis Centres 

Regulations Relating to Local Governments’ Health Promoting and Preventive Work in Public Health Clinics and School Health Services 

Regulations Relating to Habilitation and Rehabilitation, Individual Plan and Coordinator 

Regulations Relating to Individual Plan in the Labour and Welfare Administration (NAV) 

Regulations Relating to Measures 

Particularly on culture, diversity and equal opportunities  

The City of Bergen offers its citizens services to facilitate cultural events and contribute to greater diversity and equality. The processing of personal data to look after the above services will primarily take place as part of exercising official authority or delivering services in the public interest. In some cases, consent from, or agreement with, the data subject forms the basis for processing the personal data in question. 

Where processing of personal data takes place as part of offering a statutory service, this is primarily authorised in the following acts and regulations (list is not exhaustive): 

Education Act 

Regulations relating to the Education Act 

Norwegian Nationality Act 

Integration Act 

Social Services Act 

Patients’ and Users’ Rights Act 

What type of personal data do we collect? 

In the City in general  

The City processes different personal data about you depending on the services offered. This might be, for example (list is not exhaustive): 

Contact details such as name, address, telephone number and email address. 

Information that is necessary to identify you, for example national identity number, D number for foreign nationals without a Norwegian national identity number, gender, and nationality. 

Information about your relations with others, for example the name of your spouse, partner, children and/or marital status. 

Information linked to the services that you as a citizen use, for example day-care centre, school, building application, waste management and/or health services. 

Information about the particulars of a case, such as applications and assessments. 

Health information. 

Particularly for day-care centres and schools  

The City offers day-care centres and schools to its citizens. Various specialist systems are used to offer these services, in addition to the City’s central case file and archiving system. Below is a list of types of information processed within the day-care centre and school service areas, in addition to the types of information generally processed by the City (list is not exhaustive): 

Information about the school and grade the pupil belongs to, and about any sub-groups. 

Information about education and occupation. 

Results of surveys and assessments. 

Recordings of sound, images and video. 

Parents’ or guardians’ marital status. 

Information about ethnic origin. 

Particularly for senior citizens and health 

The City offers a host of health services to its citizens in general, as well as nursing homes and similar for senior citizens. Various specialist systems are used to offer these services, in addition to the City’s central administrative systems. Below is a list of types of information processed within the senior citizens and health service areas, in addition to the types of information generally processed by the City (list is not exhaustive): 

Information about next-of-kin. 

Medical records. 

Information about religious beliefs. 

Information about any notes of concern. 

Information about any criminal records. 

Any assessments on the authority to use force. 

Information about reporter (if relevant). 

Information about guardian (if relevant). 

Information about relief worker (if relevant). 

For newly arrived immigrants and refugees the following information is processed in addition (list is not exhaustive): 

Country of origin 

Language 

Residence status 

Booking of interpreter 

Travel information 

Information about racial or ethnic background 

Particularly for work, social affairs and housing  

The City offers services within the work, social affairs and social housing disciplines. Various specialist systems are used to offer these services, in addition to the City’s central administrative systems. Below is a list of types of information processed within the work, social affairs and housing service areas, in addition to the types of information generally processed by the City (list is not exhaustive): 

Medical records 

Information about next-of-kin  

Information about any notes of concern 

Information about any criminal convictions or offences 

Photos 

Video consultations 

Description of events 

Marital status 

Information about family relations 

Social factors 

Ability to work 

Work situation 

Financial information 

Housing benefit 

Information about history of drug use 

Basis for residence in Norway (for non-Norwegian nationals) 

Personal data processed in the case of pregnancy: 

Baby’s father 

Pregnancy due date 

Particularly on culture, diversity and equal opportunities  

The City offers services within the areas of culture, diversity and equal opportunities. Various discipline systems are used to offer these services, in addition to the City’s central administrative systems. Below is a list of types of information processed within the culture, diversity and equal opportunities service areas, in addition to the types of information generally processed by the City (list is not exhaustive): 

Education 

Work experience 

Family relations 

Social factors 

Living conditions 

Legal aspects 

Financial information 

For adult education the following information is processed in addition (list is not exhaustive): 

Student number 

School work and assessments, including test results 

Case details 

Candidate details 

Mapping and assessment of competence 

Absence 

Expert assessment 

Where do we collect the information from?  

From you  

In many cases, the City of Bergen collects personal data from you directly. This might be, for example, when you apply for a City service, or when you use our services. 

From the Contact and Opt-out Register  

The Norwegian Digitalisation Agency has established a central Contact and Opt-out Register, which the City uses to collect your contact details so that we can send you messages and documents electronically. 

Individual citizens must themselves update their details in the Contact and Opt-out Register if they get a new email address or telephone number. 

The Contact and Opt-out Register may contain the following: 

Your cell phone number and email address. 

Information on which digital email box you have selected. 

Language settings for electronic communication. 

Whether you have opted out of electronic communication. 

For further information about this register, see http://eid.difi.no/nb/kontakt-og-reservasjonsregisteret

From other public agencies  

For statutory tasks and services, we may, where necessary, collect information about you from other public agencies or registers. This will typically be the Norwegian Tax Administration, the Norwegian Labour and Welfare Administration (NAV) or the National Population Register. 

Who do we share personal data with  

Transfer of data internally in EU/EEA  

In some cases, your personal data will be transferred to external recipients. They will typically be other public agencies, such as the Norwegian Labour and Welfare Administration (NAV), various hospitals, the Norwegian Directorate of Education and Training, the Norwegian Tax Administration, etc. In many cases where we share personal data with other public agencies, this generally happens because we are under obligation to do so by virtue of an act or regulation. 

The City of Bergen also uses external vendors of various systems and services for the City, and your personal data may be processed in such systems. On many such occasions the external vendor will have access to your data. The City has entered into data processor agreements with the external vendors, which govern the processing of personal data and the safety of processing to ensure that privacy is safeguarded. 

Will personal data be transferred to the EU/EEA?  

The City of Bergen strives to ensure that all personal data it processes shall only be processed within the EU/EEA. In some cases, however, personal data will be transferred beyond the EU/EEA, to so-called third-party countries. If so, a valid basis for transfer must exist. 

For how long do we store your personal data?  

The City will store your personal data for as long as it is necessary to achieve the purpose for which the personal data was collected and processed. This means that personal data we process to fulfil statutory obligations will be stored for as long as required by the legal authority. For example, provisions of the Archives Act may influence how long your personal data is stored. In the event the City processes your personal data based on your consent, we will delete your data if you withdraw your consent or in accordance with the period for which consent was given. 

What are your rights?  

Access to personal data  

When the City processes your personal data, you have the right to know what data is processed, what it is used for, and how long it will be stored. 

Want to know more? General Data Protection Regulations (GDPR) Article 15 and the Norwegian Data Protection Authority’s webpages on this right

Rectification of personal data 

If the City’s information about you is incorrect, you have the right to have it rectified. This also applies if the City has incomplete information about you. 

Want to know more? General Data Protection Regulations (GDPR) Article 16 and the Norwegian Data Protection Authority’s webpages on rights

Erasure of personal data 

You may have the right to have your personal data erased. If you think that the City processes information about you that is not necessary, you may request this information to be erased. This does not apply if the data must be stored in accordance with other legislation, for instance the Archives Act. 

Want to know more? General Data Protection Regulations (GDPR) Article 17 and the Norwegian Data Protection Authority’s webpages on this right.

Restricted processing of personal data 

In certain cases, you can demand that processing of your personal data shall be restricted. This might be, for example, if you think your personal data is incorrect, and it will take time for the City to assess it. 

Restriction of data processing means that personal data that is collected, can no longer be processed, but can still be stored, until the assessment of what to do about the personal data is completed, and any necessary actions, for example to rectify the personal data, have been completed. 

Want to know more? General Data Protection Regulations (GDPR) Article 18 and the Norwegian Data Protection Authority’s webpages on this right

Data portability 

For some forms of processing, you may have the right to data portability. This means that you can demand that your personal data be transferred from the City of Bergen to some other party. However, there are several exceptions to this right. This right does not apply if the City processes your personal data in order to perform a task which is in the public interest, or the City exercises official authority. 

Want to know more? General Data Protection Regulations (GDPR) Article 20 and the Norwegian Data Protection Authority’s webpages on this right

Objection to processing of personal data  

You may object to the City processing your personal data. Your right does not apply in cases where the City processes your personal data to fulfil an agreement you have with us, or if the City is under legal obligation to process the data. 

Want to know more? General Data Protection Regulations (GDPR) Article 21 and the Norwegian Data Protection Authority’s webpages on this right

Complaint  

You may complain to the Norwegian Data Protection Authority if you are dissatisfied with how the City processes your personal data or you think such processing violates privacy rules. Information on how to proceed with a complaint can be found on the webpages of the Norwegian Data Protection Authority. You may contact the Data Protection Officer of the City of Bergen for assistance – see contact details below under «Data Protection Officer». 

How to exercise your rights 

Requests to exercise one or more of your rights can be submitted to: 

Email: innbyggerservice@bergen.kommune.no 

Letter: City of Bergen, P.O. Box 7700, N-5020 Bergen 

Mark your request: «Privacy Policy – Rights».  

The City may ask you to confirm your identity or submit further information before it can process your request. The City will do this to be certain you are who you claim to be, and that it is not someone else pretending to be you. 

When you contact the City of Bergen, we will respond to your request as soon as possible, and as a rule within 30 days. 

As a rule, all City case documents may be accessed. Therefore, please do not send emails to the City with information you do not wish to be known to the public. 

Under the Archives Act, the City has an obligation to keep an official journal. This journal will show all correspondence to and from the City. The City’s post journal can be found here: https://www.bergen.kommune.no/omkommunen/offentlig-innsyn/offentlig-journal

Want to know more? General Data Protection Regulations (GDPR) Article 12 and the Personal Data Act Section 12

Automated processing  

Automated decisions  

At present, the City has no case handling/decisions based wholly on automated processing. 

Processing security  

How do we take care of your personal data?  

The City is responsible that your personal data is processed in a secure manner. The City of Bergen safeguards your data in various ways, for example through access control, firewalls, and regular training of personnel. In addition, the City has emergency preparedness plans to help limit any possible damage if something should go wrong. 

Our technical security solutions are to ensure that: 

Unauthorised persons do not get access to your data. 

Your data is available when needed. 

The data cannot be changed or manipulated after they have been recorded. 

The organisation and systems are resilient and have the ability to restore normal conditions quickly in case of unexpected disruption. 

Cookies  

Our use of cookies  

The City’s webpages use cookies so that we may provide you with customised web services and ensure a positive user experience. A cookie is a small text file that is stored on your device. 

Read more about the cookies we use here: https://www.bergen.kommune.no/hvaskjer/tema/personvern/informasjonskapsler

Processing log for personal data  

What is a processing log for personal data?  

The City of Bergen has an obligation to log any processing of personal data by the City. This means that the City must keep a log of all its processing of personal data in a processing log. 

The City strives to be transparent in its processing of personal data and therefore grants access to the processing logs when requested to ensure this. In some cases, the City has reason to exempt parts of the log from public view, for instance for security reasons. Thus, some parts of the logs that can be accessed may be exempt from public view, so the log will not appear to be complete. 

City of Bergen processing logs  

Information about all processing of personal data taking place in the City is available from personal data processing logs. The City of Bergen has established one log for each City Government Department. 

The logs contain the following information about the processing of personal data: 

Who is responsible for processing in the City of Bergen. 

Which area of activity the processing concerns. 

What the processing concerns. 

Purpose of the processing. 

Categories of data subjects whose personal data is processed. 

Categories of personal data processed. 

Information on the origin of the data. 

Information on categories of who, if anyone, receives personal data from the City. 

Description of the City’s basis for processing, and any supplemental legal basis. 

Information about central systems used in processing, 

Information about planned deadlines for erasure of personal data. 

Information on any particularly relevant technical and organisational security measures. 

Information on whether processing is expected to entail a high privacy risk. 

Information on any data processors who process personal data on behalf of the City. 

Name and contact details of joint Data Controller, where relevant. 

Name of any third country or international organisations personal data is transferred to, where relevant. 

Description of necessary guarantees in the event of transfer to third countries or international organisations, where relevant. 

Any comments from the City Government Department. 

If you need information listed in the City's personal data processing logs, you may contact the City and request to be sent a copy of the log in question. 

 

Send the request to: 

Email: innbyggerservice@bergen.kommune.no 

Letter: City of Bergen, P.O. Box 7700, N-5020 Bergen 

Mark your request: «Privacy Policy – Rights» 

Who is the Data Controller?  

Data Controller  

The Data Controller is the person who determines the purposes and means of the processing of personal data.  

In the municipality of Bergen, the Data Controller is the City Council. 
However, the day-to-day responsibility for personal data processed by the municipality's various fields of responsibility, is vested in the Chief Executive of each individual City Government Department. 
This responsibility is delegated from the City Council by power-of-attorney, and can be further delegated in accordance with the structure of power-of-attorney in the municipality of Bergen.

Data Controller’s contact details  

Email: postmottak@bergen.kommune.no 

Letter: City of Bergen, P.O. Box 7700, N-5020 Bergen 

Telephone: 55 56 55 56 

See City of Bergen’s webpages for more information. 

Data Protection Officer  

Data Protection Officer’s role 

The City of Bergen has a Data Protection Officer that you may contact if you have any queries about the City’s processing of personal data. The Data Protection Officer has an independent role, whose duty it is to ensure the City processes personal data in accordance with privacy rules and regulations. 

You can read more about the Data Protection Officer here

Data Protection Officer’s contact details  

You may contact the Data Protection Officer of the City of Bergen at 

Email: personvernombud@bergen.kommune.no