Processing of personal data at Kristianstad University
Kristianstad University is the controller of all processing of personal data carried out within the university's organisation. Personal data is processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), hereafter referred to as "GDPR".
The following information explains how personal data that Kristianstad University collects concerning you is processed.
What does Kristianstad University do with your personal data?
Which personal data does Kristianstad University collect?
How do we protect your personal data?
Who may be allowed access to your personal data?
For how long does Kristianstad University store your personal data?
Will your data be transferred to a country outside the EU/EEA?
What are your rights according to GDPR?
What does Kristianstad University do with your personal data?
We process personal data in order to fulfil our responsibilities as a public authority and a higher education institution, i.e. to provide education, conduct research and cooperate with society at large. We also collect data in order to review and develop our operations and to comply with Swedish legislation.
All processing of personal data within the university is carried out to in some way further these purposes. Processing is also required to have a legal basis. In relation to student, processing of personal data is often necessary for the performance of a task carried out in the public interest or as part of the university's exercise of its official authority. Personal data is not further processed in a manner that is incompatible with the purposes for which it was collected.
For more detailed information regarding how your own personal data is processed, as an employee, student or external stakeholder, please contact your line manager, research supervisor, course coordinator or contact person at Kristianstad University. If you feel that you have not received accurate information from the above, please contact the university's Data Protection Officer (DPO).
Which personal data does Kristianstad University collect?
There are a number of different reasons why we process your personal data. The most common reasons are that you are a student, employee or researcher at the university, that you are participating in a conference or other event at the university, that you have applied for a position with us, are a patient at university's dental clinic, are participating in a research study, or make contact or collaborate with the Kristianstad University in some other capacity.
The majority of personal data we collect comes directly from you. Under certain circumstances we also collect data from other sources, such as the Swedish Tax Agency or the Swedish Board of Student Finance (CSN).
The types of personal data we collect depends on the purposes for which it is being processed. These data include the following:
- Contact information such as your name, address, telephone number and email address.
- Your personal identity number, where this is necessary in order to confirm your identity or to coordinate your data across systems in the interests of uniformity.
- Data regarding examination results and other data regarding your studies at Kristianstad University.
- Banking and other financial information necessary to make payments or issue invoices.
- Personal data collected within the framework of participation in research studies.
- Data collected in conjunction with participation in conferences or courses.
- Data required when you are employed or apply for a position at the university.
- Information about device identifier to help give you the best experience of our website, to provide social media features and to analyse our traffic.
- Data that we require about you as a patient at the dental clinic or as a visitor to the student health centre.
How do we protect your personal data?
Kristianstad University, as the controller of your personal data, shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with GDPR. These measures shall be such that they ensure a level of security appropriate to the risks associated with the processing. Security aspects shall include confidentiality, accuracy and accessibility, as well as adequate technical protection. For example, this may relate to restricting access to authorised persons, encryption, storage in specially protected areas and backing up data.
Who may be allowed access to your personal data?
Much of the data we hold falls under the category of official documents. If your personal data is included in an official document, then anyone may request disclosure of that data, unless it is covered by the secrecy provisions of the Swedish Public Access to Information and Secrecy Act (SFS 2009:400).
In addition to this, your data may be shared with the university's research partners, with suppliers and with third parties who require the data as a result of agreements entered into between Kristianstad University and you; in the public interest or in the exercise of official authority; or due to a legal obligation to which the university is subject.
The public interest relates to any task that Kristianstad University is required to perform according to law or based on a legally-binding decision but that cannot be directly linked to the university's exercise of public authority.
Whenever data is transferred to a third party, Kristianstad University will take all reasonable legal, organisational and technical measures required to protect your personal data. You will be informed if we intend to disclose your personal data to other organisations.
Kristianstad University will never disclose your personal data to a third party unless doing so is supported by law.
For how long does Kristianstad University store your personal data?
We will only store your personal data for as long as is necessary to fulfil the purposes of processing, or for as long as we are required to do so by applicable legislation.
- If you are a student, we will process your personal data for as long as you are studying at Kristianstad University. Once you are no longer a student at Kristianstad University, we will only process your personal data in the manner prescribed by law and in any publications to which you have provided your consent.
- If you are an employee, we will process your personal data for as long as necessary to administer our employment relationship.
- If you are a participant in a research study, we will process your personal data for as long as necessary to ensure the quality of the research.
With regard to official documents, personal data contained therein are processed in accordance with the provisions of the Swedish Freedom of the Press Act (SFS 1949:105), Swedish Archives Act (SFS 1990:782) and regulations issued by the Swedish National Archives. In many cases, this may mean that your personal data is archived by Kristianstad University for anything between five years and indefinitely.
Will your data be transferred to a country outside the EU/EEA?
Kristianstad University may transfer your personal data to a third country (a country outside the EU/EEA). Kristianstad University will then take all reasonable legal, organisation and technical measures that may be necessary to achieve an adequate level of protection for your personal data. You will also be informed of this. Personal data may also be transferred to third countries in conjunction with outsourced IT services, although Kristianstad University will only do this if the security of the data can be guaranteed.
What are your rights according to GDPR?
The General Data Protection Regulation provides you as the data subject with a number of rights in relation to the controller, Kristianstad University.
Right of access
You have the right to obtain confirmation from Kristianstad University as to whether or not personal data concerning you is being processed, and to receive a copy of personal data concerning you that we are processing. For any further copies requested, we will charge a reasonable fee based on administrative costs. In conjunction with such a request, the university shall provide additional information on the purposes of the processing, the categories of data concerned and, where possible, the envisaged period for which the personal data will be stored, etc.
Right to rectification
You have the right to request the rectification of inaccurate personal data being processed by Kristianstad University. For example, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement to your contact person, course coordinator, line manager or research supervisor at Kristianstad University. Kristianstad University is obliged to rectify your personal data without undue delay. Kristianstad University is under no obligation to rectify your data if it is only being processed to document completed research.
Right to erasure ('right to be forgotten')
You have the right to request the erasure of your personal data from our system when it is no longer required to fulfil the purposes for which it was collected.
Your right to erasure is greatly restricted by legislation and regulations on official documents, as well as by requirements to document research and/or education. We are able to erase data that is of temporary or minimal significance. The data can then be weeded out after a set period of time.
If we are prevented from erasing your data for legal reasons, we will restrict processing of your personal data to the purposes necessary to meet the university's legal obligations.
Right to restriction of processing
You have the right to request the restriction of processing of your personal data, meaning that we will ensure that we only process your personal data for certain specific purposes. Kristianstad University will restrict processing under the following circumstances:
- If you contest the accuracy of your personal data, and Kristianstad University requires time to assess the accuracy of the data.
- We no longer need the data but you request that we continue to store it because you need it for the establishment, exercise or defence of legal claims.
- If you have objected to the processing being carried out by the university, in which case processing will be limited pending the verification of whether the legitimate grounds of the university override yours as the data subject.
- If you believe that we should erase your personal data but we are unable to do so for some reason.
Right to object
Under certain circumstances, you have the right to object to processing of your personal data by us, for example in research and education activities. We will then cease processing unless we can demonstrate compelling legitimate grounds to continue doing so, or if processing is necessary for the establishment, exercise or defence of legal claims (e.g. with regard to a contractual relationship/supplier).
Questions/Contact details
If you have any questions or concerns regarding data protection relating to specific personal data, your initial recourse is to the person responsible for a given project or course. You are also welcome to contact Kristianstad University's Data Protection Officers, jurisconsults Maria Gustavsson and Linda Olsson, via e-mail: dataskyddsombud@hkr.se.
If you have any complaints about our processing of your personal data, you have the right to direct these to the Swedish Authority for Privacy Protection.