Processing of personal data at Karlstad University
Karlstad University is a public authority governed by the state. The university processes personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and Council, otherwise known as the General Data Protection Regulation (GDPR).
If you have questions about the university’s processing of personal data in specific situations or if you want to exercise any of your data subject rights, please contact the operational representative or project coordinator or course convener. You can also contact the university by e-mail or mail.
- Karlstads universitet, Registrator, 651 88 Karlstad.
You will find contact details for Karlstad University’s data protection officer below, under the heading Data protection officer.
General information about the university’s personal data processing
Karlstad University acts as data controller for the personal data processing that takes place within the scope of university operations.
The main obligation of the university is to provide education, research and development work. This also includes collaborating with the surrounding community and disseminating information about the university’s activities, as well as ensuring that the research results of the university are put to good use.
The purpose of all personal data processing within the university is to support these obligations. The data processing that takes place is based primarily on the following lawful grounds: to carry out a task in the public interest or to carry out duties as an authority, to fulfill a legal obligation, to fulfill a contract, or based on the data subject consenting to the data processing. Other lawful grounds may also apply.
The principle of public access to official documents
Much of the information held by Karlstad University constitutes public documents. As a rule, the documents are registered and, upon request, the documents can be accessed in accordance with the Public Access to Information and Secrecy Act (2009:400), unless a document contains confidential information. In other words, the public has the right to view certain personal data in accordance with the principle of public access. Normally, the university does not have the right to investigate who has requested access to data, as long as it is not of crucial importance for the confidentiality assessment.
The processing of personal data required by the Public Access to Information and Secrecy Act, the Archives Act and the Administrative Procedure Act for proper handling of the university’s public documents, and which is carried out with support of the GDPR, is considered necessary for reasons of important public interest.
What is personal data?
Any information that directly or indirectly identifies a person, for example, name, personal identity number, photo, e-mail address and IP address.
What personal data do we process?
The university processes the personal data of students within the framework of our courses and study programmes. Research involves the processing of personal data of those who participate in a research study.
The university also processes personal data of employees, of participants in conferences or other events, and of Karlstad University Library patrons. There are also other situations where the university processes personal data, such as contacts and collaborations with individuals or other organisations.
In most cases, personal data are collected directly from the individual. This usually takes place through contacts between the individual and the university. In some cases, personal data can also be collected from someone other than the individual him-/herself.
Information to students
Personal data (name, personal identity number, address, telephone number, and email address) as well as information on fulfillment of entry requirements, selection criteria, obligation to pay registration or study fees and admission are stored in the admissions database NYA. Your personal data are processed by the Swedish Council for Higher Education and Karlstad University when we decide whether you fulfill entry requirements and assess your qualifications before selection.
The personal data of each student are stored in the study administrative database Ladok (name, personal identity number, address, telephone number and email address) and in addition to the data processed in NYA, other information such as participation in courses and programmes and examinations, results, grades, transferred credits or recognition of prior experience and degrees obtained are also stored in Ladok. Ladok also needs to store the information Karlstad University needs to supply to Statistics Sweden.
The NYA and Ladok databases are regulated in the ordinance (1993:1153) on reporting study results at higher education institutions. The ordinance allows for data from these databases to be made available to third parties, e.g. other higher education institutions, the Swedish Higher Education Authority, the Swedish Board of Student Finance, and Karlstad Student Union.
Personal data of students are also processed in other study administrative systems necessary to complete courses and programmes.
Information to staff
Personal data are processed in the different staff administration systems to the extent necessary to fulfill employment contracts, adhere to requirements in current legislation and collective agreements and in different additional systems that Karlstad University needs to fulfill its obligations. Data processed include personal data (name, personal identity number, address, telephone number and email address) as well as the form, scope and term of employment, other assignments and management titles, work duties, work hours, side-line occupations, pay, taxes and social security contributions, leave, parental leave, sick leave, medical certificates, membership in labour unions, etc. Data may be made available to third parties, for example to fulfill legal requirements regarding the reporting of taxes and social security contributions. Data are made available to, for instance, the Swedish Tax Agency, Statistics Sweden, the Swedish Agency for Government Employers, the Swedish Social Insurance Agency, the National Government Employee Pensions Board, and labour unions.
Information to participants in conferences and other events
Personal data (name, address, telephone number and email address) and other information supplied in connection with registration are only stored as long as necessary for the administration of the conference or event, i.e. for distribution of information or material and evaluation surveys. Since fees are paid for conferences and other events, invoice data are saved as per current bookkeeping regulations. If you agree to receiving further offers, your data are saved in accordance with the information supplied in connection with this agreement. You can withdraw consent at any time, but this does not affect data processing that took place before withdrawal.
Information to Karlstad University Library patrons
Personal data (name, personal identity number, address, email address and telephone number) are recorded in the library’s user database. Borrowed and returned books are registered, as well as use of the library’s digital environments. If a user does not return books at the end of the borrowing period, a fine may be payable, and personal data may be made supplied to collection agencies and the Swedish Enforcement Authority.
Information to participants in research studies
As a rule, information about the processing of personal data is provided with the invitation to participate in a research study. This often comes in the form of a written information letter describing, among other things, the background and purpose of the study using clear and plain language, together with a separate consent form where you agree to participate in the research study. The information letter contains all the necessary information you need to make an informed decision to participate in the study, including information about personal data processing. If you have questions about how Karlstad University processes your personal data in a research study, please start by contacting the researcher in charge. You will find the contact details in the information letter.
Information to users of the university’s computer network
When you connect to Karlstad University’s computer network, all network traffic is logged and analysed. This includes storing user names and IP addresses. The purpose of this to ensure that all services meet set requirements regarding laws and regulations as well as performance and security, both for you as a user and for Karlstad University’s resources.
Information to users of any of the university’s public web services
Personal data, including IP address, are registered on the web server used for the public web services to ensure accessibility.
How do we protect the personal data?
The university is responsible for ensuring that personal data are protected by appropriate technical and organisational measures. The appropriate level of security is determined in relation to any risks in connection with the processing of personal data in an individual case. When the university transfers personal data to another party, the university is responsible for taking the legal, organisational and technical measures required to protect your personal data.
For example, technical and organisational protection could mean that only authorised persons have access to the data, that the data are encrypted, that they are stored in specially protected IT environments, and that the data are backed up.
How long do we store personal data?
We only save your personal data for as long as it is needed for the purpose of the data processing. However, in some cases there are laws and other regulations requiring that the data are stored for a longer period.
With regard to public documents, personal data included in them are treated in accordance with the provisions of the Freedom of the Press Act (1949:105), the Archives Act (1990:782), the Swedish National Archives’ regulations and the university’s information management plan. In some cases, this means that personal data are stored for archival purposes for longer than required to fulfill the original purpose of the processing in the university archives.
Who has access to the personal data?
Employees at Karlstad University who need access to personal data in order to carry out their work tasks are allowed access.
In addition to the disclosure of personal data that Karlstad University is required to do as a result of the principle of public access to official documents, the University is obliged to transfer certain personal data to other authorities, such as the Swedish Government Offices, the Swedish National Audit Office, the Swedish Agency for Government Employers, the Swedish Board of Student Finance, and Statistics Sweden. This is required in order to coordinate and monitor the activities and operations of public authorities and to ensure that public funds are used correctly.
Personal data may also be disclosed to the university’s partners, for instance, within a research project. In cases where it is required that specific information is provided regarding personal data being transferred to another organisation, the individual will be provided with this information.
Karlstad University uses data processors for different types of IT services. The data processors who are hired may only process personal data in accordance with the purposes and instructions provided by the university regarding the processing. Furthermore, the processors and their personnel will never have access to more data than necessary in order to fulfil the service covered by the agreement with the university. Personal data processing run by a data processor is regulated by a so-called data processing agreement between the university and the data processor.
Transfer of personal data to a third country outside of the EU/EEA
The university may transfer personal data to a third country, i.e. a country outside of the EU/EEA. In such cases, special requirements of the GDPR apply. The university is responsible for taking the legal, organisational and technical measures required to achieve an appropriate security level to protect these personal data. Specific information may be given in individual cases to those whose personal data are subject to such a transfer.
The data subject’s rights according to the General Data Protection Regulation
The GDPR gives you, as an individual, a number of rights in relation to Karlstad University. The university normally handles requests within a month. In order to meet a request, the identity of the individual must be confirmed.
However, Karlstad University would like to emphasise that authorities must comply with the regulations that apply to public documents, public access and confidentiality, recording of documents, archiving and erasure. This means that your rights may be limited in cases where personal data are processed as part of the university’s obligations as a public authority.
Right to access records
You have the right to request information about the personal data relating to you that the university processes. Contact us via e-mail or mail if you wish to access your personal data held by the university. Please specify if you have come in contact with us as a student, employee, as part of a research project or other capacity.
- Karlstads universitet, Registrator, 651 88 Karlstad.
Right to rectification
If you believe that your personal data are incorrect or incomplete, you can request that inaccurate information be rectified or that missing personal data be added.
Right to object
When Karlstad University processes personal data to carry out its duties as an authority or to carry out other tasks of public interest, you have the right to object to the data processing at any time. If the university cannot prove that there are compelling, justified reasons for continuing to process the data, the university must cease its processing.
Right to limitation of processing
In certain cases, for example if you have objected to the data processing, you have the right to demand that the processing of your personal data be limited. By requesting a limitation, you have, at least for a certain period of time, the opportunity to stop Karlstad University from using the data other than to, for example, defend legal claims. You can also prevent the authority from deleting the data, for example if you need the data to claim damages.
Right to erasure (‘right to be forgotten’)
In certain cases, you can request that the data relating to you be erased. However, when your personal data are needed for Karlstad University to fulfil its obligations or if they appear in a public document, Karlstad University will not be able to delete the data.
Right to data portability
When the university processes your personal data with the support of the lawful grounds of consent or contract, you will in certain cases have the right to be given and to use your personal data elsewhere, for example, by transferring the data to another data controller.
Data protection officer
Karlstad University is a public authority and has thereby, in accordance with article 37 of the General Data Protection Regulation, designated a data protection officer. Conny Claesson is Karlstad University’s Data Protection Officer and responsible for managing compliance with the GDPR. The university’s Deputy Data Protection Officer is Niklas Nikitin.
You can contact Karlstad University’s Data Protection Officer by e-mail or mail if you wish to exercise your data subject rights or if you have questions regarding the university’s processing of your personal data.
- Karlstads universitet, Registrator, 651 88 Karlstad.
Lodge a complaint with the Swedish Authority for Privacy Protection
If you believe that the university’s processing of your personal data infringes the GDPR, you have the right to file a complaint with the Swedish Authority for Privacy Protection (IMY). More information on how to submit a complaint can be found on the Swedish Authority for Privacy Protection’s website.