General information about the GDPR and training materials
The General Data Protection Regulation (GDPR) applies throughout the EU and aims to create a uniform and equivalent level of protection of personal data so that the free flow of data within Europe is not impeded.
What is personal data?
Personal data is any kind of information that can be linked to a living person. This may include name, address and social security number. Photos of people are also classified as personal data. Even audio recordings stored digitally can be personal data, even if no names are mentioned in the recording. A company number is often not personal data but can be if it is a sole proprietorship. The registration number of a car can be personal data if it can be linked to a natural person, while the registration number of a company car used by several people may not be personal data.
What is meant by sensitive personal data?
The GDPR distinguishes between "ordinary" personal data and sensitive personal data. Sensitive data includes, for example, information about your health, ethnic origin, political opinions and sexual orientation. Health data can include sick leave, pregnancy and doctor's visits. Normally, it is forbidden to handle such personal data, but there are exceptions to the prohibition. Sensitive data must also be protected more than other data.
What personal data do we collect?
The University processes personal data for various purposes within our operations. In education, students' personal data is processed. In research, the personal data of participants in research studies is processed.
Personal data is also processed in relation to employees and participants in conferences or other events. There are also other situations where the University processes personal data, such as contacts and collaborations between individuals and other organisations.
In most cases, personal data is collected directly from the individual. This is usually done through contacts between the individual and the University. In some cases, the personal data may also be collected from someone other than the individual themselves.
In some cases, the University as a public authority is required to disclose personal data to others. This involves, for example, submitting students' study results to the Central Board of Student Financial Aid (CSN) or employees' and contractors' salary information to the Swedish Tax Agency.
The personal data that is processed depends entirely on the purpose of the processing in the individual case. This can include:
- Contact information such as name, address, telephone number and e-mail address and, where applicable, social security number
- Information needed, for example, for assistance measures for students and employees
- Bank and other financial data for financial transactions
- Data collected in the context of participation in a research study
- Information about study results and other information related to studies
- Information collected when visiting the University's websites in order to improve their user-friendliness, for example through cookies
- Information when participating in conferences or courses
- Information needed for employment or application for employment
How is personal data protected?
Mid Sweden University is responsible for ensuring that personal data is protected by appropriate technical and organisational measures. The University thus ensures a level of security that is appropriate in relation to any risks associated with the processing of personal data in the individual case.
The security aspects include assessment with regard to confidentiality, accuracy and availability. Technical protection may mean, for example, that only authorised persons have access to the data, that the personal data is encrypted or that it is stored in specially protected areas.
Data Processing Agreement
The General Data Protection Regulation requires that you sign a personal data processing agreement when someone else processes personal data on behalf of Mid Sweden University. For example, this may be relevant when we purchase a service.
Template for Data Processing Agreement (PUBA)
Documentation of processing and impact assessments
According to the General Data Protection Regulation, all personal data processing must be documented. Mid Sweden University therefore keeps a list of its personal data processing in accordance with Article 30 of the GDPR. The list includes information on the purpose of the processing, the categories of personal data and data subjects concerned, how long the data is stored and the security measures applied.
Where the planned processing of personal data is likely to pose a high risk to the rights and freedoms of natural persons, a data protection impact assessment shall be carried out in accordance with Article 35 of the GDPR. Such an impact assessment (DPIA) involves identifying and analysing risks and identifying appropriate measures to reduce or eliminate the risks before processing begins.
GDPR education
General Data Protection Regulation (GDPR) initial training
Undergraduate education
General Data Protection Regulation (GDPR) undergraduate education
Knowledge films about GDPR from the Swedish Authority for Privacy Protection
- Purpose and scope of the GDPR
- Basic concepts of GDPR
- The basic principles of the GDPR
- Rights of the data subject
- Legal bases of the GDPR
- Sensitive and other particularly protective personal data
- Data Controller and Data Processor under GDPR
- Third country transfer under GDPR
- Security in connection with the processing of personal data
- Personal data breaches
- GDPR Impact Assessment Requirements