Skip links
Asker International School

GDPR

GDPR Policy

(Date reviewed May 2025)

Introduction

Protecting the privacy of our students, parents, and staff is fundamental to AIS. Our data handling practices are governed by the EU General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act (Personopplysningsloven, LOV-2018-06-15-38), which supplements the GDPR within Norway. This policy outlines how we collect, process, store, and share personal data and your rights in relation to that data.

Our Commitments

AIS commits to the following principles:

  • We never sell personal data.
  • We never advertise on our digital platforms.
  • Student work online is by default private.
  • We implement and maintain security measures to protect data.
  • We are transparent about how we use data.
  • Our digital partners are GDPR-compliant.
  • We only process personal data when we have a valid legal basis for doing so.

Legal Basis for Processing Personal Data

AIS processes personal data under the following legal bases (Article 6 of the GDPR and §1 of the Norwegian Personal Data Act):

  • Legal obligation: Compliance with national laws and regulations (e.g. education laws, health reporting).
  • Public interest: Processing necessary for tasks carried out in the public interest, such as education.
  • Contractual necessity: To fulfill employment or enrolment contracts.
  • Legitimate interests: Where necessary for administrative purposes, provided this does not override individual rights.
  • Consent: For specific activities such as publishing images or using third-party apps, we obtain clear parental or staff consent.

What Data We Collect and Why

Staff

  • Name, contact details, national ID number, next of kin, bank information.
  • Employment documentation: CV, references, certifications, police certificate (destroyed upon receipt).
  • Processed to fulfill employment contracts and for safety, payroll, and HR compliance.

Students

  • Name, date of birth, contact information, school records, medical information, learning assessments, support documentation.
  • Internal documentation on the social and learning environment
  • Data may be shared with public authorities (e.g. Barnevernet) when legally required, without parental consent. Other services (e.g. PPT) require explicit parental consent.
  • Used to provide appropriate education, support, and legal compliance.

Parents

  • Name, contact details, address, payment/billing information.
  • Used for communication, billing, and school operations.

How We Use Personal Data

We use personal data to:

  • Provide education and learning support.
  • Maintain communication with families and staff.
  • Fulfill legal obligations.
  • Monitor and improve our services and educational provision.
  • Provide secure access to internal systems.

Digital Platforms and Partners

As of May 2025, our digital partners include:

All are confirmed to be GDPR-compliant. We ensure that data processed through third-party services remains within secure environments and where applicable, under Standard Contractual Clauses for international data transfers.

Transfers Outside the EEA

Some of our service providers may process data outside the European Economic Area. When this occurs, AIS ensures that appropriate safeguards are in place, such as:

  • The European Commission’s Standard Contractual Clauses (SCCs).
  • Providers located in countries with an adequacy decision from the EU Commission.

Your Rights Under GDPR and Norwegian Law

You have the following rights under the General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act:

  • Right to Access – You can request access to the personal data we hold about you.
  • Right to Rectification – You can request that inaccurate or incomplete data be corrected.
  • Right to Erasure (“Right to be Forgotten”) – You may request that your personal data be deleted under certain conditions, including when:
    • The data is no longer necessary for the purpose for which it was collected.
    • You withdraw your consent (where consent was the legal basis) and there is no other legal ground for processing.
    • You object to processing and there are no overriding legitimate grounds.
    • The data has been unlawfully processed.
    • The data must be deleted to comply with a legal obligation.
    • The data was collected in connection with offering information society services to a child.

Please note that the right to erasure is not absolute. Your request may be denied if the data is required for legal compliance, public interest tasks, or for scientific/historical research where deletion would seriously impair those purposes.

  • Right to Restriction of Processing – You may request that processing of your data be limited in specific situations, such as when you contest its accuracy or object to its processing.
  • Right to Object – You have the right to object to the processing of your personal data based on legitimate interests or public interest, including profiling.
  • Right to Data Portability – You can request to receive your personal data in a structured, commonly used, and machine-readable format, and to have it transferred to another controller where technically feasible.
  • Right to Withdraw Consent – If your data is being processed based on consent, you may withdraw that consent at any time. This will not affect the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, please contact our data protection lead.

Data Retention

AIS retains personal data only as long as necessary for its intended purpose and in accordance with applicable Norwegian laws (e.g. Arkivloven, Forvaltningsloven). When no longer required, data is securely deleted or anonymised.

  • Staff records: Stored up to 10 years after employment ends (based on employment law)
  • Student records: Stored for up to 5 years after leaving the school
  • Financial records: Stored for 5 years (per Bokføringsloven)

Data Security

AIS implements technical and organizational measures to ensure data is protected from unauthorized access, loss, or misuse. This includes:

  • Encrypted systems
  • Access controls
  • Staff training
  • Regular reviews of our security protocols

School Communication Systems

AIS may collect personal information through email, SMS, WhatsApp, and similar communication platforms. This data is handled with the same care and security as other personal data and only used for school-related purposes.

Advertising and Marketing

AIS does not allow advertising on any of our platforms and does not share data for advertising or marketing purposes.

Policy Updates

This policy is reviewed annually and updated as needed. Significant changes will be communicated via email or school newsletter.

Contact and Data Protection Lead

If you have questions or wish to exercise your rights, please contact our Data Protection Officer (DPO):

Name: Robert Browne
Email: [email protected]

 

AIS creates information from our staff, our students and our parent body. The data collected is necessary to our operation and organisation and is not gathered to fulfill any other purpose or personal or financial gain.

Special categories of data (e.g. health, religion, ethnicity, learning difficulties) are only collected when strictly necessary and processed under GDPR Article 9(2).

Staff members

AIS collects personal data on our staff such as home address, personal number, next of kin and bank account details. The school also requires a police certificate (also known as a criminal records check) which is destroyed upon receipt. The school also keeps a folder of information which may contain copies of qualifications, references and a copy of a curriculum vitae.

Students

AIS collects personal data such as school reports, medical data, home addresses, next of kin and possibly information from previous institutes and schools. The school also has internal documentation on the social and learning environment.

This information can be solicited by external organisations such as child services or local pedagogical services. Child services can solicit the information without parental consent. Pedagogical services require parental consent before the information can be shared.

Parents

AIS collects personal data such as contact information (phone, mail, other), home address and banking information.

The school does not share information with third party organisations unless parental consent is provided, or legal grounds exist where the school is obliged to submit data.

School mail system

The school may collect information that has been communicated and  shared by parents or other organisations electronically such as through our mail service or through other means such as sms or other multimedia messaging services such as Whatsapp.

AIS primarily uses gathered information to further our educational provision and improve what we do in school. Any other data collection is done in accordance with national or local requirements.

For example we use this information to:

  • Allow students to access internal systems such as the school curriculum and online lessons and resources.
  • Provide staff and students with a digital platform for storing and sharing information.
  • Notify parents via reporting and other similar ways that provide them with information on student progress and development.

No.

Just contact the school. The best way is to mail [email protected]. You can also ring or just drop in if you have a question.

As a parent, student, or staff member, you have the following rights under GDPR:

  • Right of access (to see what data we hold about you).

  • Right to rectification (correct inaccurate information).

  • Right to erasure (in certain cases, e.g. when data is no longer necessary).

  • Right to restriction of processing.

  • Right to data portability (for data you have provided).

  • Right to object to certain processing.

  • Right to lodge a complaint with Datatilsynet (www.datatilsynet.no).

Requests may be sent to [email protected]. You can also ring or just drop in if you have a question.