Data protection and GDPR in the purchasing process - Kunnskapsbasen
When placing orders or processing invoices in our systems, it is important that we protect individuals' privacy and comply with current regulations, including the General Data Protection Regulation (GDPR) (link in Norwegian).
The goal is to ensure that personal data is handled responsibly throughout the entire purchasing process, regardless of who places the order or what is being ordered.
Norwegian version: Personvern og GDPR ved bestilling
The same routines for safeguarding privacy and complying with GDPR apply when using the purchase request form on Innsida.
Avoid sensitive personal data
Throughout the purchasing process, we should avoid, as far as possible, combining names with any information that falls under the special categories of personal data (GDPR Article 9). This includes, for example, information about:
- health
- ethnic origin
- political opinions
- religion
- philosophical beliefs
- trade union membership
- sexual activity or sexual orientation
- genetic information
- biometric data used for identification
Examples of situations to be aware of
- Ordering health-related services: If you are ordering services such as appointments with a psychologist for employees, do not include names or other identifying details in the purchase request form or financial system.
- Flower orders: It is acceptable to include the person's name, address and card text in the order form, but do not provide more information than necessary. For example, do not include the reason for absence or similar personal details. The purchaser or requisitioner can enter the name, address and card text directly in the supplier's system (e.g. in a product catalogue), but this information should not be repeated in the financial system. Instead, use initials in Unit4 and register the purchase as, for example, "Flowers for (NN) due to absence".
- Catering orders: If you collect information about allergies or dietary requirements for an event, keep it separate from the list of names. This applies both to any attachments uploaded via the purchase request form and to any information sent to the catering provider. Send only an overview of how many people have each requirement, not who they are.
These are not exhaustive examples. They are meant to illustrate situations where extra care is needed.
Contact
If you have questions about data protection or GDPR, please contact NTNU's Data Protection Officer (link in Norwegian).
For questions about purchasing, get in touch with your local purchaser or requisitioner.