Privacy policy

Source: https://www.lunduniversity.lu.se/about-university/contact-us/privacy-policy Parent: https://www.lunduniversity.lu.se/study/admission-degree-studies/applying-studies-when-apply

Processing of personal data at Lund University

På svenska

Lund University processes personal data in order to provide education, conduct research, and collaborate with the wider society. All processing of personal data at the University aims to support this assignment.

The University applies the General Data Protection Regulation (GDPR) and supplementary legislation.

In the drop-down list below, we have gathered information on how personal data is processed at Lund University.

What is personal data?

Personal data refers to any type of information that directly or indirectly can be linked to an identifiable person, such as:

a name
a personal identity number
a picture
an email address
an IP address.

What personal data does the University collect?

The University processes personal data for various purposes within our organisation. Within education, the personal data of students is processed. Within research, the personal data of the research subjects is processed, i.e. research study participants.

Personal data is also processed for employees as well as participants in conferences or other events.

The University also processes personal data in other situations, such as in contacts and collaborations between individuals and other organisations.

In most cases, personal data is collected directly from the individual. This is usually done through contacts between the individual and the University. Occasionally, personal data may also be collected from a third party.

In some cases, the University, as a public authority, is required to disclose personal information to others, for example, when submitting students’ credits awarded to the Swedish Board of Student Finance (CSN) or employees’ and contractors’ salary data to the Swedish Tax Agency.

The personal data that is processed depends entirely on the purpose of the processing in each case.

This may include:

Contact information such as name, address, telephone number and email address and, where applicable, personal identity number
Information needed for e.g. support measures for students and staff
Banking details and other financial information required for making transactions
Information obtained within the scope of participation in a research study
Information about credits awarded, and other details related to studies
Information collected during visits to the University’s websites for the purpose of improving user-friendliness, e.g. through cookies
Information from attending conferences or courses
Information necessary for appointment or from responding to a vacancy announcement

How is the data protected?

The University is responsible for ensuring that personal data is protected through appropriate technical and organisational measures. The University shall thus ensure a level of security that is appropriate in relation to any risks associated with the processing of personal data in each case.

The security aspects include making assessments of confidentiality, accuracy and accessibility. For example, technical protection may entail that only authorised persons have access to the data, that the personal data is encrypted or that it is stored in places with special protection.

How long is the data stored?

The personal data is stored only for as long as it is needed to fulfil the purpose of the data processing. In some cases, there may be legislation and other provisions that require that the data be stored for a longer period. When it comes to public documents, personal data is handled in accordance with the Swedish Freedom of the Press Act (1949:105), the Swedish Archives Act (1990:782) and the Swedish National Archives regulations. Accordingly, personal data may be stored for longer or shorter periods and in some cases indefinitely in the University’s archive.

Does the University transfer personal data to third countries?

Within the context of its activities, the University may transfer personal data to third countries, i.e. countries outside the EU/EEA. The University will take all reasonable legal, organisational and technical measures necessary to achieve an appropriate level of protection for this personal data.

The GDPR states that individuals have certain rights that you can learn more about below.

These rights include the right to:

The right to access

As an individual, you have the right to request information about the personal data processed by the University about you free of charge.

Contact us via dataskyddsombud [at] lu [dot] se to request a transcript of the personal data we have stored about you. Please specify if you are contacting us as a student, employee, participant in a research project or in some other capacity.

The right to correction

As an individual, you have the right to request a correction of any incorrect personal data about you that is stored at the University. Such a request should preferably be sent to your most immediate contact person, course director, manager or other authorised person.

The University is obliged to correct any incorrect personal data without undue delay.

The right to deletion

As an individual, you have the right to have your personal data deleted in cases where the personal data is no longer needed to fulfil the purpose for which it was collected (the right to be forgotten). There may be provisions stating that certain personal data must not be deleted, in which case such provisions take precedence.

If the personal data has been disclosed to another party, the University shall take any steps reasonable to notify said party that the data has been deleted.

In cases where there are legal impediments to the deletion of personal data, the University will limit the processing of said personal data to the extent required by law.

The right to limit personal data

As an individual, you have the right to request that the processing of personal data be limited only to processing for certain specific purposes.

The right of limitation applies in the following cases:

If the personal data is incorrect and the University needs time to check the accuracy of the data.
If the personal data is no longer needed for the University’s activities, but you request that it continues to be stored in case it will be needed to make legal claims.
If you object to the processing performed by the University, in which case the processing shall be limited until the justification for your objection and the University’s compelling reasons have been weighed.
If you believe that the University should delete your personal data, but the University for some reason is unable to accommodate your request.

The right to object to processing

As an individual, you have the right in some cases to object to the University’s processing of your personal data. If there is no compelling reason for the University to continue to process your personal data, e.g. in order to comply with any legal requirements, the University will then cease the processing.

The right to data portability

When the University processes your personal data in accordance with the legal basis of consent or an agreement, you have the right, under certain circumstances, to retrieve the personal data you provided to us, e.g. in order to transfer the data to another data controller.

Who can access the data?

Lund University is a public authority and therefore bound by the principle of public access to official documents. This means that everyone has the right to request access to all the information available at the University. The information may contain personal data. If confidentiality does not apply to the personal data in question, in accordance with the Public Access to Information and Secrecy Act (2009:400), the information must be disclosed.

The University also has other duties and obligations that may lead to the disclosure of personal data to other parties, e.g. information that is:

necessary for performing a task of public interest
part of the exercise of public authority
transferred to another party due to a legal obligation.

Personal data may also be disclosed to the University’s collaboration partners, where applicable, e.g.:

within a research project
to a supplier
to another party as a result of an agreement between the University and the individual.

When transferring data to a third party, the University takes all reasonable legal, organisational and technical measures required to ensure protection of the personal data.

In cases that require that specific information be provided concerning the transfer of personal data to another organisation, this information will be provided to the individual.

In all other respects, personal data will not be transferred to a third party without legal justification or obligation.

What can I do in case I believe that the University is not handling my personal data correctly?

If you believe that the University’s processing of your personal data is in violation of the GDPR, you have the right to file a complaint with the Swedish Authority for Privacy Protection (IMY). For information on how to file a complaint, please visit their website.

File a complaint – imy.se

Processing personal data for registry-based research

Like other universities and higher education institutions, researchers at Lund University collect data from authorities or other organisations to study population trends. When research is based on registers containing information about large numbers of people, it is not possible to obtain individual consent from everyone.

Below, you can see which registers are used in our research projects. If your data is included in any of these registers, you have the right to request that it be withdrawn from a study.

Registry-based research – a shortcut to societal benefit

Registry-based research can increase our understanding of public health and help improve healthcare services. It can also be used to improve the education system, analyse crime patterns, and prevent security threats.

Registers from the healthcare and education system, for example, contain large amounts of data. This data helps researchers identify connections and patterns.

Since researchers do not need to collect the data themselves, this type of research is faster and less expensive than many other methods. As a result, the findings can benefit society more quickly.

Ongoing registry-based studies at Lund University

You can find information about each study in the Lund University research portal:

How to withdraw from a registry-based study

If you wish to withdraw from a registry-based study at Lund University, please contact the researcher responsible for that specific study.

You can find their contact details via the link to the relevant study under ‘Ongoing registry-based studies at Lund University’ above.

Contact information

Personal Data Controller:\ Lund University, 202100-3211

Postal address:\ Box 117\ 221 00 Lund

Telephone:\ +46 46 222 00 00

If you have questions about the University’s processing of personal data, please contact the relevant manager or person responsible for the project or course in question.

You can also contact our data protection officer using the contact details below.

Data Protection Officer:\ Postal address:\ Lund University\ Box 117\ 221 00 Lund