Processing personal data

The university deals with personal data as part, and in support, of the university's mission as a provider of higher education, a research institution as well as in liaison with the larger society, that is, the "third assignment". The intention of all processing of personal data at university is to support this mission.

Any information that can be directly or indirectly linked to an identifiable person, such as their name, social security number, image, email address and IP address.

The university processes personal data for various purposes within our mission. In education, students' personal data is processed. Research involves researchers processing personal data of subjects, that is, those who participate in a research study.

Personal data of employees as well as participants in conferences or other events is also processed. There are also other situations where the university processes personal data, such as contacts and collaborations between individuals and other organizations.

In most cases, personal data is collected directly from the individual. This usually happens through contact between the individual and the university. In some cases, collection of personal data may occur from someone other than the individual.

In some cases, the university, as a public authority, is required to disclose personal data to others. For example, in order to leave students’ study results to the Central Student Support Commission (CSN) or employees' and contractors' salary information to the Swedish Tax Agency.

What personal data is processed depends entirely on the purpose of the processing in each individual case. This may include:

• Contact information such as name, address, telephone number and email address and, if applicable, personal identification number,
• Information needed, for example, for student and employee assistance measures,
• Bank details and other financial data for financial transactions,
• Information obtained within the framework of participation in a research study,
• Information about study results and other information related to studies,
• Information collected during visits to university websites in order to improve their user-friendliness, e.g. through cookies,
• Information when attending conferences or courses, or
• Information required for employment or when applying for employment.

The university is responsible for protecting personal data by applying appropriate technical and organizational measures. The university thus ensures a level of security that is in keeping with the associated risks concerning processing personal data.

Security aspects include risk assessment with regard to confidentiality, integrity and availability. Technical security controls may include, for example, ensuring only authorized persons have access to the information and that personal data is encrypted or stored in protected locations.

The University of Gothenburg is a public authority, which demands that the publicity principle applies to the university. This means that everyone has the right to request access to any information the university holds. That information may contain personal data. Disclosure will occur, unless privacy rules pursuant to the Public Information and Privacy Act (2009: 400) applies to the personal data in question.

The university also has other tasks and duties that may result in the disclosure of personal data to other parties. This may be, for example, information needed to perform a task of public interest, which forms part of exercising of authority or because of a legal obligation.

The university may also provide personal data to partners, for example, as part of a research project, to a supplier or to another party because of agreements between the university and data subjects.

Upon transfer to another party, the university undertake all reasonable legal, organizational and technical measures that are required to protect personal data. In cases regarding transferring personal data to another organization, the university provides the data subject with required information about the transfer.

In addition, transfer of personal data is prohibited unless there is a legal obligation to do so.

Personal data is stored for only as long as needed to fulfil the purpose of processing. In some cases, there may be laws and other provisions that require retention of information for a longer period.

In the case of public documents, handling of personal data is in accordance with the Press Freedom Regulation (1949:105), the Archives Act (1990:782) and the National Archives Act. This may entail that personal data is stored for longer or shorter periods and in some cases forever in the university's archives.

The university may transfer personal data to third countries, i.e. to non-EU/EEA countries. Under such conditions, special legislation applies. Under such circumstances, the university will take all reasonable legal, organizational and technical measures required to achieve an appropriate level of protection for personal data. In each case, the data subject receives specific information regarding the transfer.

The General Data Protection Regulation states that the data subject has certain rights.

Right of access (register extract)

As data subject, you are entitled to request information regarding what personal data the university holds on you, free of charge, once per calendar year. To do so, please contact us at dataskydd@gu.se. If possible, please specify if you have been in contact with us as student, staff, in a research project, or something else.

Right to rectification

As data subject, you are entitled to request that personal data concerning you, held by the university, is corrected if it is not correct. To exercise this right, send a request to your nearest contact person, course manager, line manager or other authorized person. The university is required to correct erroneous personal data without undue delay.

The right to be forgotten

As data subject, you are entitled to have personal data concerning you erased when it is no longer needed for the purpose it was collected. There may be other legislation that supersedes this rule, which means that personal data cannot always be allowed to be erased.

In case of disclosure of personal data to another party, the university shall take reasonable steps to notify this party about the erasure. In cases where there are legal barriers to erasure of personal data, the university will limit the processing of this data only to the extent of legal requirements.

The right to limitation of personal data

As data subject, you are entitled to request that the processing of personal data concerning you be limited to certain specific purposes only. The right to limitation can be exercised in the following cases:

• If personal data is incorrect and the university needs time to inspect the accuracy of the data.
• If personal data is no longer required for the university's activities, but the you request further retention due to legal action.
• If you oppose processing performed by the university. The processing is limited in that case until a balance is reached between the reasons of the data subject and the university's compelling legitimate reasons.
• In the event that you requests that the university delete personal data concerning you, but for some reason, the university cannot accept this.

Right to object to processing

In some cases, you may object to the processing of your personal data. If there are no compelling reasons for the university to continue processing the personal data, such as for meeting legal requirements, then the university will cease processing.

Right to data portability

You have the right to get your personal data from the university or to ask us to transfer your data to another controller. This only applies to personal data that you have given to us and when we are processing your data based on your consent or when processing is necessary for the performance of a contract.

If you have concerns about the university’s personal data rights practices you can lodge a complaint to the supervisory authority, Swedish Authority for Privacy Protection.

Information on how to proceed with a complaint is available on their website