Processing of personal data at Stockholm University

Stockholm University processes personal data in order to fulfil its statutory task as a public authority and university, primarily as an education provider and research institution. The University collects and processes personal data for various purposes. In general, the University collects and processes personal data in the following areas:

Employees

The University processes personal data in connection with the recruitment process, during the employment and to some extent also after the employment has ended. This processing of personal data is done in order for the University to meet its needs for skills supply, to fulfil the employment contract or to meet certain legal requirements, for example to administrate salary payments and otherwise handle personnel matters. 

Students

The University processes personal data relating to students, for instance for the administration of courses and programmes, for examinations and for issuing diplomas after completion of a programme. After completion of studies, personal data may be processed, for example, in connection to the University's alumni activities or in any publications approved by the student. When applying for admission to a programme, personal data is registered in the universities' national admission systems. Upon admission, the personal data is transferred to Ladok, which is the University's study documentation system. In addition to documenting student results in Ladok, the data is compiled in order to produce internal statistics and to report to Statistics Sweden in accordance with the Ordinance (1993:1153) on the Registration of Studies at Universities and University Colleges. 

Research

Much research is conducted at Stockholm University and the University is involved in a large number of international and national collaborations. The University collects and processes personal data within various research projects. The categories of personal data that are processed depend on the purpose of the various research projects. When participating in a study, the research subject receives information from the lead researcher about the study and how the personal data is processed.

Events

Stockholm University collects and processes personal data in preparation of and at various events, such as conferences and other events organised by the University attended by both staff and external participants. In general, the University uses this personal data to provide participants with practical information, such as the time and place of a conference. In addition, the information may be used to communicate with participants after the conference. 

Newsletters, quality assessments and surveys

The University provides information about its activities and regularly conducts quality assessments and surveys as part of its mission pursuant to law and regulation (cf. e.g. the Higher Education Act (1992:1434), Chapter 1, Sections 2 and 4). Personal data is therefore processed in connection with newsletters to inform about the University's activities and when conducting surveys aimed at strengthening the quality of the University's education and research. 

Stockholm University only processes personal data where there is a legal ground for it, relying on one of the legal bases in Article 6 of the General Data Protection Regulation. At the University, the most common legal basis for the processing of personal data is a task of public interest in accordance with Article 6(1)(e), due to the University's statutory task of conducting education and research and collaborating with the surrounding community (cf. the Swedish Higher Education Act (1992:1434), Chapter 1, Section 2). Other legal bases applied for the processing of personal data at Stockholm University are primarily the exercise of public authority (Article 6(1)(e)), compliance with a legal obligation (Article 6(1)(c)) and performance of a contract (Article 6(1)(b)).

Stockholm University only processes personal data when it is necessary for the purpose of the processing. Most of the personal data processed is collected directly from the data subject (the individual whose personal data the University is processing). In some cases, the University also collects personal data from other parties. For example, data is collected from the Swedish Council for Higher Education (UHR) for the admission of students and, for employees, certain personal data is collected from the Swedish Tax Agency. 

In general, the University processes the following personal data:

• Name, address, telephone number, e-mail address and for secure identification: social security number. This personal data is processed, for example, when applying for a job at the University, for application and admission to one of the university's educational programmes, participation in conferences and events, or when booking university premises. 
• Bank details and other financial information for financial transactions. 
• Information regarding study results and other information about students for educational administration.
• Digital data, such as traffic data, data needed for connection to the University's network, location data and other forms of communication data, including IP addresses and data related to devices (computers, phones and tablets as well as technical data on device type and operating system) are processed to ensure accessibility to platforms and digital applications and to ensure that the University's network services meet the right performance and security requirements based on the University's systematic information security work, laws and regulations.   

Sensitive personal data

Some personal data are inherently sensitive and are given stronger protection under the General Data Protection Regulation. Such personal data are data on:

• ethnic origin
• political opinions
• religious or philosophical beliefs
• trade union membership
• health
• a person’s sex life or sexual orientation
• genetic data
• biometric data for the purpose of uniquely identifying a natural person.

Sometimes the University needs to process sensitive personal data within its mission. For example, processing of sensitive personal data is necessary in cases related to rehabilitation, support for students with disabilities or in research projects.  

The University adopts specific safeguards when processing sensitive personal data. Examples of such specific safeguards are encryption, two-step verification, strict access management, pseudonymisation and ethical review for research projects.

The University works continuously with security measures to protect its business information, including the personal data processed. The University works systematically and continuously with information security and follows given standards in the field. The University adopts security measures for the protection of personal data through, for example, policies and technical measures such as encryption methods, firewalls and password protection. 

As a starting point, only employees at Stockholm University who need the personal data in their work may access the data. In addition, central administrative staff at the University have access to personal data when necessary, for example for troubleshooting and support.

Personal data may also be disclosed to authorities such as the Swedish Board of Student Finance (CSN), the Swedish Migration Agency, Statistics Sweden, the Swedish Higher Education Authority, the Swedish Tax Agency and the Swedish Social Insurance Agency, as well as to other authorities and organisations, such as other higher education institutions and universities, with which the University cooperates. Personal data may also be shared with providers of digital services and systems that the University uses to conduct its activities. When the University engages such external suppliers for handling of information and personal data processing, the processing activities are regulated through a data processing agreement.

As a public authority, the University is obliged to disclose public documents not covered by the secrecy provisions in the Public Access to Information and Secrecy Act (2009:400) to anyone who requests them. A public document may contain personal data. Before a public document is released, a confidentiality assessment is carried out in accordance with the aforementioned act. If there is an applicable secrecy provision, the information is not disclosed. Stockholm University only shares personal data with others if it is necessary and there is legal support for it. The University will not unlawfully disclose personal data to other parties.

Stockholm University stores personal data for as long as there is a legal basis and a purpose for the personal data processing. As the University must comply with the rules on official documents in accordance with the Freedom of the Press Act (1949:105), the Archives Act (1990:782) and the National Archives' regulations, personal data may be stored for a longer or shorter period of time and in some cases perpetually in the University's archives. When there is no purpose or legal basis for processing or retaining personal data, it will be deleted.

The University mainly processes personal data within the EU/EEA. However, the University may in some cases transfer information to a country outside the EU/EEA. This may happen, for example, if the University uses a processor who, either itself or through a sub-processor, is established or stores information in a country outside the EU/EEA. Note that the processor may only access the information that is relevant for the purpose. The processor's obligations towards Stockholm University are regulated by a data processing agreement.

Stockholm University may also transfer personal data to third countries outside the EU/EEA in other cases, in particular in the context of international research collaborations and student exchanges. 

The University adopts all reasonable legal, organisational and technical measures necessary to achieve an adequate level of protection for the personal data it processes when transferring personal data outside the EU/EEA.

The General Data Protection Regulation gives data subjects a number of rights.

A request to exercise a right is free of charge. If the request is manifestly unfounded or excessive, the University may either charge a reasonable fee or choose not to fulfil the request, provided that the University can demonstrate that the request is unfounded or excessive. 

Normally, the University will respond to a request within one month at the latest. However, the handling of a request may take up to three months if the volume or complexity of the case so requires. In this case, the University will inform the requesting party of the delay. 

To get help with any of the rights listed below, please contact the administrative department, institution (centre, institute or equivalent) where your personal data are processed. If you do not know where to turn, you can contact the University via the Central Registry Services: registrator@su.se

The right to access

You have the right to obtain confirmation as to whether Stockholm University is processing your personal data. If the University is processing your personal data, you have the right to request access to this data and receive further information about the processing, such as the purpose of the processing, categories of personal data processed, foreseen storage period, etc.

The right to rectification

You have the right to request that your personal data at Stockholm University is rectified if it is incorrect. In such cases, the University is obliged to correct your personal data without undue delay. You also have the right to have incomplete personal data completed, if the missing data is relevant for the purpose of the processing. 

The right to object

When Stockholm University processes personal data for the performance of a task carried out in the public interest or in the exercise of official authority, you have the right to object to the processing. The University may then only continue to process the data if there are compelling legitimate reasons why the data must be processed, or if the processing is necessary to safeguard the University's interests. 

Objecting to personal data processing in newsletters and surveys  

Former students can unsubscribe from newsletters and requests to participate in surveys by logging into LADOK and removing their email address from there. Others who consider that communications and requests from the University are not relevant to them can contact the part of Stockholm University from which the communication originated and object to the processing. The University will then consider the objection and whether the University needs to continue the processing for compelling legitimate reasons or to safeguard its interests (see above under the heading The right to object). 

The right to restriction

In some cases, you have the right to request that the processing of your personal data be restricted. Restriction means that the data is flagged so that it may only be processed for certain limited purposes in the future. Stockholm University can restrict processing in the following cases: 

• If you claim that the personal data is inaccurate and the University needs time to verify the accuracy of the data. 
• If the processing is unlawful and you oppose the erasure of your personal data and instead request a restriction of its use.
• If the University no longer needs the personal data for the purposes of the processing, but you need it to establish, exercise or defend legal claims.
• If you have objected to processing relating to your particular situation and pending verification of whether the University's legitimate grounds outweigh your legitimate grounds.

The right to erasure

According to the General Data Protection Regulation, Stockholm University is obliged to delete personal data without undue delay if any of the following grounds apply:

• The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
• The University processes your data based on your consent, you withdraw your consent, and the University has no other legal basis for the processing. 
• You object to the handling of your processed personal data.
• Stockholm University has processed your personal data unlawfully (i.e., without a legal basis).
• Your personal data must be deleted in order for Stockholm University to fulfil a legal obligation. 

If Stockholm University has shared your personal data with third parties and the University is obliged to delete this personal data, the University shall take reasonable steps to inform these other controllers processing your personal data that you have requested the deletion of your data.

Stockholm University retains personal data in accordance with the Freedom of the Press Act, the Swedish Archives Act and the National Archives’ regulations. This means that the University cannot fulfil a request to delete data that is archived in the University's archives.

The right to data portability

When Stockholm University processes your personal data based on consent or performance of an agreement, you have the right to obtain the personal data you have provided to the University in order to use the personal data elsewhere. 

If you believe that Stockholm University is processing your personal data in violation of the General Data Protection Regulation, you have the right to submit a complaint to the Swedish Authority for Privacy Protection (IMY):
ww.imy.se