Personvernerklæring

Nordlys Læringshus AS

Privacy Policy

1. Introduction and Company Information

This Privacy Policy explains how Nordlys Læringshus AS collects, uses, stores, shares, and protects personal data when you interact with us, including when you visit our website, contact us, enroll in our services, or otherwise engage with our school.

Data Controller: Nordlys Læringshus AS
Address: Storgata 12, 0155 Oslo, Norway
Email: [email protected]
Phone: +47 22 45 78 31

As a school, we process personal data relating to students, parents or guardians, applicants, employees, contractors, and other individuals who contact or use our services. We are committed to protecting privacy and handling personal data in a lawful, fair, and transparent manner.

2. Data Collection and Processing

We may collect and process the following categories of personal data:

  • Identification data: name, date of birth, national identity number or equivalent where necessary, student ID, and contact details.
  • Contact data: address, email address, phone number, and emergency contact details.
  • Educational data: enrollment information, attendance records, grades, assessments, learning support needs, disciplinary records, and communication related to education.
  • Financial data: billing information, payment records, and information necessary for tuition or fee administration.
  • Technical data: IP address, device information, browser type, and usage data when you use our digital services.
  • Special category data: where necessary and permitted by law, we may process health information, learning support needs, or other sensitive information relevant to a student’s welfare and education.
  • Communication data: correspondence with us by email, phone, forms, or other channels.
  • Employment and recruitment data: CVs, qualifications, references, background information, and other information provided in job applications.

We generally collect data directly from the individual concerned, from parents or guardians, from public authorities where permitted, or from third parties such as previous schools, healthcare professionals, or service providers when necessary and lawful.

3. Purpose of Data Processing

We process personal data for the following purposes:

  • to provide educational services and manage student enrollment;
  • to administer teaching, assessment, attendance, and student support;
  • to communicate with students, parents, guardians, staff, and other relevant parties;
  • to ensure student safety, welfare, and safeguarding;
  • to comply with legal and regulatory obligations applicable to schools;
  • to manage billing, payments, and accounting;
  • to recruit and manage employees and contractors;
  • to operate and improve our website, systems, and internal processes;
  • to prevent fraud, misuse, and unauthorized access;
  • to handle inquiries, complaints, and requests;
  • to maintain records and archives as required by law or legitimate operational needs.

4. Legal Basis for Processing

We process personal data only where we have a valid legal basis. Depending on the context, our legal bases may include:

  • Performance of a contract: where processing is necessary to provide educational services or manage employment or supplier relationships;
  • Legal obligation: where processing is required to comply with applicable laws, regulations, or official requests;
  • Legitimate interests: where processing is necessary for our legitimate interests, such as school administration, security, communication, and service improvement, provided these interests are not overridden by your rights and freedoms;
  • Consent: where we rely on your consent, for example for certain optional activities, marketing communications, or specific processing of sensitive data where required by law;
  • Vital interests: where processing is necessary to protect the vital interests of a person, such as in an emergency;
  • Public interest or official authority: where applicable to educational or safeguarding obligations under law.

Where we process special category data, we do so only when a specific legal condition applies and additional safeguards are in place.

5. Data Sharing and Third Parties

We may share personal data with third parties only when necessary and lawful. Such recipients may include:

  • IT and cloud service providers;
  • payment processors and accounting providers;
  • communication and administrative service providers;
  • public authorities, regulators, or law enforcement where required by law;
  • health, welfare, or support professionals involved in a student’s care, where appropriate and lawful;
  • external advisors such as auditors, lawyers, or consultants;
  • other schools or educational institutions, where relevant to transfers, references, or educational continuity;
  • emergency contacts and guardians in situations affecting student safety or welfare.

We require third parties to protect personal data and to process it only according to our instructions or their own legal obligations.

6. Data Transfer to Third Countries

In some cases, personal data may be transferred to or accessed from countries outside Norway, the EEA, or the European Union. This may occur when we use international service providers or when support services are located abroad.

When such transfers take place, we ensure that appropriate safeguards are in place, such as:

  • an adequacy decision by the relevant authorities;
  • standard contractual clauses or equivalent transfer mechanisms;
  • additional technical and organizational safeguards where necessary;
  • other lawful transfer mechanisms permitted under applicable privacy law.

7. Storage Duration

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law, contract, or legitimate operational needs.

  • Student records: retained for the period required by educational, accounting, and archival obligations.
  • Financial records: retained for the period required by accounting and tax laws.
  • Communication records: retained for as long as needed to handle the matter and for reasonable follow-up.
  • Recruitment data: retained for the recruitment process and, where permitted, for a limited period thereafter unless you request deletion or consent to longer retention.
  • Consent-based data: retained until consent is withdrawn or the purpose no longer applies.

When data is no longer needed, we delete, anonymize, or securely archive it in accordance with applicable requirements.

8. User Rights

Subject to applicable law, you may have the following rights regarding your personal data:

  • Right of access: to obtain confirmation and a copy of the personal data we process about you;
  • Right to rectification: to request correction of inaccurate or incomplete data;
  • Right to erasure: to request deletion of personal data in certain circumstances;
  • Right to restriction: to request that we limit processing in certain situations;
  • Right to data portability: to receive certain data in a structured, commonly used, machine-readable format and, where technically feasible, have it transmitted to another controller;
  • Right to object: to object to processing based on legitimate interests or direct marketing, where applicable.

These rights may be limited where processing is necessary for compliance with legal obligations, the establishment or defense of legal claims, safeguarding obligations, or other lawful grounds.

9. Withdrawal of Consent

Where we rely on your consent to process personal data, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

If you withdraw consent, we will stop the relevant processing unless we have another lawful basis to continue. You can withdraw consent by contacting us using the details below.

10. Right to Complain

If you believe that our processing of personal data is not compliant with applicable privacy laws, you have the right to lodge a complaint with the relevant supervisory authority.

In Norway, this is typically the Norwegian Data Protection Authority (Datatilsynet). We encourage you to contact us first so that we can try to resolve your concern directly.

11. Data Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, misuse, alteration, or disclosure. These measures may include:

  • access controls and role-based permissions;
  • password protection and authentication measures;
  • encryption where appropriate;
  • secure storage and backup procedures;
  • staff confidentiality obligations and training;
  • monitoring and incident response procedures;
  • regular review of security practices and vendor safeguards.

Although we take reasonable steps to protect personal data, no system can be guaranteed to be completely secure.

12. Contact Information

If you have questions about this Privacy Policy, wish to exercise your rights, or need further information about our data processing practices, please contact us:

Nordlys Læringshus AS
Storgata 12, 0155 Oslo, Norway
Email: [email protected]
Phone: +47 22 45 78 31

13. Changes to Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, legal requirements, or operational needs. The updated version will be published with a revised effective date where appropriate.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal data.

4/10/2026 Hjem