1. Roles and regulatory conditions
Studentsamskipnaden SiO is a company established by special statute and governed by the Student Welfare Organisation Act (“Lov om Studentsamskipnader LOV-2007-12-14-116” including later amendments). According to this act, SiO aims to address students’ welfare needs at each individual school. A student welfare organisation provides services to students. To a limited extent, a student welfare organisation may also offer services to non-students. Under the Student Welfare Organisation Act, SiO may establish or participate in a company in order to conduct business. Companies in which SiO is a majority shareholder are regarded as subsidiaries. This Privacy Statement applies to SiO and SiO's subsidiaries. This Privacy Statement addresses how personal data collected by SiO is processed, shared and stored in connection with how SiO offers services and communicates with you. This also applies to the use of the SiO handheld device application (the "Mitt SiO" app) and the website www.sio.no.
2. Purpose of collecting personal data
In order to offer all our customers good quality services, ensure transparent information and availability of our service offering, as well as to reduce complexity for customers managing their entire customer relationship with SiO, we collect, process and store personal data about our customers. The purpose of the collection is to provide you with an overview of all SiO services and information regarding your student offerings, memberships, applications, agreements and leases through SiO. The SiO services provide you with tools to organize your student life on a digital platform, including services related to student housing, day care, training, health and other student activities. This Privacy Statement describes how we process your personal data to fulfill the stated purpose. It is important that you familiarize yourself with this as you use SiO services, as it requires SiO to process personal data about you. Personal data are processed in accordance with the Personal Data Act, the EU’s General Data Protection Regulation, the Accounting Act and any other relevant laws. Where collection, processing and storage is not permitted by law / regulation or specified in the agreement and contract you enter as a customer, we are required to obtain your explicit consent.
3. Your rights
SiO is obligated to comply with the current privacy laws and regulations. Current regulations give you the right to:
- Withdraw and change your consents
- Delete personal data
- Change incorrect personal data
- Access personal data processed by SiO
- Require that the information processed by SiO is transferred to a third party of your choice
- Complain to the Data Protection Authorities (Datatilsynet) if you believe that SiO does not comply with legislation and regulation when processing your personal data
You can edit your personal data and change your consent on My Page (Min Side).
4. What data is collected and processed?
SiO receives data from associated educational institutions, which include all students who pay a semester fee to SiO. These data are stored in our membership register, and include first name and surname, date of birth, national identity number/D-number, mobile phone number, e-mail address, educational institution and semester fee. The purpose of collecting the data is to ensure that the allocation of student housing, purchase of training memberships, access to health services etc. is done on fair terms and to validate that customers who pay a semester fee have the right to apply for or use services from SiO. Our legal basis for the processing of these data is the General Data Protection Regulation (GDPR) article 6 no 1 c (legal obligation) and Student Welfare Organisation Act §§ 3, 4 and 5. When you register at sio.no/My Page or download SiO applications, you will be asked to create a user account and provide information such as name, national identity number, address, phone number and e-mail address. Personal data that SiO receives from educational institutions are linked with the information that you have registered. If you are not a student and create a user account, SiO assumes that you intend to establish a customer relationship with SiO. For this reason, we are asking you to provide these personal data when you first register. SiO needs this information in order to handle your customer relationship in a correct manner – from the contract start to invoicing and payment follow-up. We process said personal data on the basis of GDPR article 6 no. 1 b (necessary to facilitate or perform a contract with you). Data from the SiO member register is imported into our customer systems based on the services you use. If you do not have a customer relationship with SiO, data will be deleted when you no longer pay a semester fee to SiO. For persons who have a customer relationship with SiO, specifics of the personal data we collect, process and store are described below.
Applicants or tenants in student residence: When you apply for student housing or sign a tenancy agreement, you allow SiO to process and store personal data. The data is stored for 3 years after the requested rental period’s start-up date has passed, or for 3 years after you finish your tenancy if you become a tenant. The legal basis for handling your tenancy or request for a tenancy is GDPR article 6 no. 1 b and f (necessary to facilitate or perform a contract with you and legitimate interests). SiO also needs to process personal information such as contact information and case information to ensure, among other things, a good and safe living environment. This can also be used to ensure that any deviations, disorder and noise are handled in the best possible way for tenants. The basis for our use of personal data for this purpose is justified interest pursuant to GDPR article 6 no. 1 f. Detailed information about processing of personal data for tenants of SiO Housing can be found here.
Member of SiO Athletica: When you sign a training agreement, SiO will process and store personal data related to your customer relationship pursuant to GDPR article 6 no. 1 b and f (necessary to facilitate or perform a contract with you and legitimate interests). In this regard, we will also store information about which training classes you are registered for, PT appointments and similar. When you contact SiO, we will store and use your personal data such as contact details and case details. If you choose to share your health information with us, e.g. when freezing your membership, we treat this information on the basis of your consent according to the GDPR article 6 no. 1 a and article 9 no. 2 a. Read more about storage and deletion of personal data in section 6.
The use of workout history for insight and follow-up: We store and use information about your workout activity as part of managing your membership. This includes, among other things, date, time for your visit to our center, registered passages, which center you have visited, participation in group classes, courses, PT-lessons and rental of courts/equipment. The purpose of this processing is to show you statistics and insights on MyPage so you can easily track your progress, as well as provide you with relevant and personal follow-ups, e.g. reminders if it has been a long time since you last exercised or invitations to provide feedback after a session. The data will also help to improve and further develop our services. The legal basis for this is our legitimate interest pursuant to the GDPR article 6 no. 1 f in providing a relevant and motivational service as well as improving the services for our members. We have assessed that this processing won’t entail a disproportionate interference with your privacy. Note that insights and statistics relating to your membership on MyPage are part of the regular service to our members. Your right to have your personal data deleted is still safeguarded, see section 13.
Data about your membership is stored for up to 6 months after you terminate your customer relationship.
SiO healthcare users: Services covered by the health care legislation are processed in accordance with this legislation and are kept separate from SiO's other data. SiO will process your personal data on the basis of GDPR article 6 no. 1 b and c, as well as article 9 no. 2 h (agreement with you, legal obligation and necessary to provide healthcare), in conjunction with health legislation (including the Norwegian Patient Records Act and the Health Personnel Act). Users of advisory services and courses will through registration consent pursuant to GDPR article 6 no. 1 a and b and article 9 no. 2 a, to SiO processing their personal data. Helsenorge.no receives national identity numbers from the SiO member register to ensure that students that have paid a semester fee to SiO get access to digital services from SiO Health at Helsenorge.no.
User of personal data in SiO's kindergartens: Admission to SiO’s kindergartens takes place through the Oslo Municipality's Care Systems and follows the municipality's guidelines. In order to administer the kindergarten places, invoice for services and report information to the tax authorities according to Norwegian Law, SiO receives personal data from Oslo Municipality. This includes name, address, phone number, e-mail address and national identity number, processed on the basis of GDPR article 6 no. 1 c (legal obligation) and e.g. the Norwegian Kindergarten Act.
Use of chatbot on sio.no: When you use the chatbot on sio.no, we collect and process certain information in order to provide answers to your questions. We collect the date and time of the conversation, the user's message (input to the chatbot), as well as technical information about the browser, device, and operating system. This information is used to generate responses to your questions using artificial intelligence (Natural Language Understanding) based on SiO’s knowledge base. The data is not used to train or improve the core AI model. We may use aggregated and anonymized data to improve the service and make the information on sio.no more accurate. All conversations are anonymized. Users are assigned a random identifier. Information recognized as a national ID number, birth number, email address, or credit card number is automatically anonymized. The legal basis for processing is our legitimate interest pursuant to GDPR Article 6(1)(f).
SiO may collect information about your use of the user account, geographical location, IP address, information from cookies and diagnostics data.
SiO will occasionally send out surveys to customers who have registered their SiO email address for the purpose of receiving feedback on our services.
Consents are administered in MyPage on sio.no.
We store history about whether or not you are opening or clicking on links on digital campaigns, email, text messages and logged-in activity on My Page. You can, at any time, request that your history is deleted by contacting us by using the help and contact form on sio.no. Data is automatically deleted in accordance with section 6 on archiving and deleting personal data. SiO uses cookies. We use Google Analytics to collect information about your activities in SiO services. We use Google Analytics at sio.no. This information is used for statistics and data analysis purposes, and to improve your user experience by providing your user preferences and information when using the SiO services. The information from Google Analytics can be aggregated and anonymized and linked to you as a user. You can read more about cookies here: sio.no/snarveier/om-sio/cookies (in Norwegian).
Retention of accounting records for all services: SiO is required by law to retain accounting records regarding your purchases and transactions with us. The legal basis for such processing is the GDPR article 6 no. 1 c and accounting regulations.
5. How does SiO use your data?
SiO has a legal obligation to inform students paying a semester fee about offers and services they have the right to utilize. We may therefore contact you with information about SiO and SiO’s services. The legal basis for the processing is the General Data Protection Regulation (GDPR) article 6 no. 1 c (legal obligation) and the Student Welfare Organisation Act §§ 3, 4 and 5. Data collected by SiO, data disclosed by the customer and data produced in an ongoing customer relationship are used to fulfill our agreements with you and to develop and improve our services. Further, SiO uses the data to provide offers and communications in accordance with the consent you have given. You may withdraw your consent at any time, and we will delete the data that was stored in connection with the associated consent.
We may:
- Use your contact information to send you information and to invite you to participate in customer satisfaction surveys related to your use of SiO's services.
- Provide offers on SiO's products and services through digital channels such as e-mail and phone, and directly through SiO's digital platforms such as website and apps.
- Use your personal data and information about your use of the service, in anonymized form, to help us make decisions about sales, marketing and product development.
6. Archiving and deletion of personal data
When you no longer pay a semester fee to SiO and no longer use SiO's services, SiO keeps personal data for a limited period after a customer relationship has been terminated. Then all information about you will be deleted, excluding necessary information required to comply with the Accounting Act (“Bokføringsloven”) and any other special legislation (i.e. “Pasientjournalloven”). The deletion takes place automatically and is controlled every six months by the data controller. (The deletion will be made after the deadline for paid semester fee).
7. Data controller
In accordance with the Personal Data Act, SiO holds the role as a data controller. The CEO of SiO has the authority to act as a data controller on behalf of SiO and SiO's subsidiaries. Data processing responsibilities for the various services can be delegated to the head of the relevant service area. If information about you is provided to SiO's service providers, the service provider will be the data processor for this information and SiO will handle the responsibility of the data processor's handling of personal data through data processing agreements.
8. Which entities are SiO sharing data with (disclosure)?
SiO may in certain cases, regulated by law, disclose information to the authorities. SiO does not share your personal data for commercial or marketing purposes without your prior consent.
9. Which third parties are processing your data (data processors)?
SiO may use subcontractors to deliver, develop and improve SiO services. These subcontractors are not allowed to use personal data for other purposes. Subcontractors are regarded as data processors while SiO remains the data controller. SiO is required to enter into data processing agreements with all data processors who receive / process / store personal data from SiO.
10. Security
We utilize security software and measures to keep your information safe when transferred from you through the internet to our servers. All information and all files uploaded to SiO services will be encrypted by uploading to our cloud service. Your account and bank details are also encrypted before they are stored in our databases.
11. Social Media
SiO publishes news on LinkedIn, Facebook, Instagram, Snapchat and TikTok. SiO will not post personal data in these locations. However, we will use customer feedback to further develop our services. Social media features are operated by either a third party or directly on our site. Your use of such third party features is subject to the privacy statement of the company that supplies these features.
12. Changes
SiO may change the terms of consent and privacy statement to comply with new legal requirements and due to changes in our own practices for collecting and processing personal data. In case of changes that require consent, you will be asked to agree to new terms when you log in to sio.no before the changes are made. Information about other changes will be provided on www.sio.no.
13. Your rights
As a SiO user, you can rest assured that SiO takes responsibility for protecting your personal data. You can trust that we collect, use and protect your personal data in a safe and secure manner.
SiO guarantees:
- To be open about how we collect, store and process your personal data
- To only use your personal data for the purpose we have collected it for
- Not to collect or process more information about you than we need in order to offer you SiO services or than you have otherwise consented to
As a registered user of SiO, you have the right to:
- access your personal data
- have your data changed, deleted or disclosed, if this is not in violation of other laws.
You can control your consent and choice on My Page (Min Side) when logged in to sio.no. When you are logged in, you have access to your personal data and customer history. You can get access to any other stored information by contacting SiO Customer Service. SiO Customer Service should also be contacted if you require personal data changed, deleted or disclosed to third parties.
Questions about the processing of your personal data?
- If you have any questions regarding SiO’s data processing, contact SiO Customer Service by sending a message here.
- If you have an inquiry for SiO's data protection officer, please contact personvernombud@sio.no.
For complaints regarding SiO personal data processing, please contact: Norwegian Data Protection Authority (Datatilsynet).