Processing of personal data

Personal data is all kinds of information that can be linked to a person who is alive, such as information about names, social security numbers, e-mail addresses and photographs.

The principle of public access to official documents applies to Swedish authorities, including universities. This means that everyone has the right to request access to information held at the university. The information may contain personal data. Unless confidentiality applies to the personal data in question according to the Public Access to Information and Secrecy Act (2009:400), the information must be disclosed. 

In some cases, the University as a public authority is required to disclose personal data to other authorities. This involves, for example, submitting students' study results to the Central Board of Student Financial Aid (CSN) or employees' and contractors' salary information to the Swedish Tax Agency.

Personal data may also be disclosed to the University's partners, for example within a research project, to a supplier or to another party as a result of an agreement between the University and the individual.

In the event of a transfer to another party, the University will take all reasonable legal, organisational and technical measures that may be required to protect the personal data.

The personal data is stored for as long as it is needed to fulfil the purpose of the processing. The information is preserved when the regulations for archives and public documents state it. Which information is retained and which is deleted/destroyed is stated in the authority's archive report.

In its activities, the university may transfer personal data to a third country, that is, to countries outside the EU/EEA, in which case special legislation applies. All reasonable legal, organizational, and technical measures required to achieve an appropriate level of protection for this personal data are then taken.

The General Data Protection Regulation states that individuals have a number of rights. Not all of these are applicable to Mid Sweden University, but if you wish to exercise your rights, please contact dataskyddsombud@miun.se.

Right to erasure of personal data – the right to have your data erased is also known as the “right to be forgotten.” This means that you have the right to contact a company, authority, or anyone who processes your personal data and request that your data be deleted.

Right to have incorrect data rectified – you have the right to contact companies, authorities, and organizations that process your personal data and request that incorrect data about you be corrected. You also have the right to supplement missing personal data with relevant information held by the data controller.

Right of access (data extract) – the right of access means that you can contact companies, authorities, or other entities to find out whether they process personal data about you. If they do, you are entitled to receive a copy of the personal data as well as information about how it is used. Request a data extract.

Right to information about how your personal data is handled – the right to information means that you should generally receive information both when data is collected and when you request it. If something happens to your personal data that may negatively affect you, you have the right to be informed.

Right to restriction – the right to restrict the processing of your personal data means that in certain specific situations, you have the right to demand that the processing of your personal data be limited. One example is if you believe that personal data about you is incorrect and you have requested correction. While the matter is being investigated, you may also request that the processing of the relevant personal data be restricted.

Right to object – in certain cases, you have the right to object to the data controller’s processing of your personal data. The right to object applies when personal data is processed to perform a task carried out in the public interest, as part of official authority, or based on a balancing of interests. If an objection is made, we as a public authority must demonstrate that we have compelling reasons to continue using your data.

Your rights when decisions are made automatically – when decisions are made automatically, the data controller must inform you that the decision is automated, give you the right to have the decision reviewed by a real person, and give you the opportunity to contest the decision.

Right to data portability – you may also request that your personal data be transferred to another data controller, for example another company if you want to use their services instead. The data controller is only required to transfer the data to another company if it is technically feasible.

If you believe that our processing does not comply with data protection legislation, you also have the right to lodge a complaint with the Swedish Authority for Privacy Protection, which is the supervisory authority.

• General Data Protection Regulation (EU 2016/679)
• To the Swedish Authority for Privacy Protection pages about the General Data Protection Regulation

The personal data controller is Mid Sweden University. If you have any questions about our personal data management, please contact the University's Data Protection Officer

Comments on our handling of personal data can be submitted to the Swedish Authority for Privacy Protection.