Data protection policy
Processing of personal data at Uppsala University
Here you will find information about how we, Uppsala University, process personal data, which we need to meet our obligations towards students, partners, suppliers, visitors, staff, etc. We follow the General Data Protection Regulation (GDPR) and adapt our routines continuously so that the processing of personal data for which we are responsible does not violate the rights and freedoms of individuals.
Uppsala University is responsible for all processing of personal data in our activities. On this webpage we explain in greater detail how we process your personal data.
- What does Uppsala University do with personal data?
- What personal data does Uppsala University collect?
- How are your personal data protected?
- Who may access your personal data?
- How long does Uppsala University save personal data?
- Rights under the General Data Protection Regulation
- Transfer of data to third countries
Uppsala University processes personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council, the General Data Protection Regulation. This is often referred to by the abbreviation GDPR.
Uppsala University processes personal data in the pursuit of our mandate as a public authority and university. Our mandate is to provide high-class research and education and to collaborate with society.
All processing of personal data at Uppsala University must be performed as part of our mandate. The processing must have a legal basis. In relation to students, it is often an aspect of the exercise of official authority and in research activities it often occurs in the public interest. Only the personal data required for the purpose may be processed.
As a student or a private individual, you can obtain more detailed information about the processing of your particular personal data by applying for a register extract. You can also contact Uppsala University’s data protection officer (firstname.lastname@example.org).
At Uppsala University, we process your personal data for a number of different reasons. The most common reasons are that you are a student, researcher, participant in a study, employee, participant in a conference or other event, that you are applying for a job, or that you have contacted the University or are cooperating with the University for some other reason.
Generally, we receive most of this information directly from you. In some cases we also collect information from other sources, such as the Swedish Tax Agency or the Swedish Board for Study Support. If so, we inform you in each individual case why we are doing this.
The personal data we process often fall into one of the following categories:
- Contact information such as name, address, telephone number and email address. Personal identity numbers are processed when necessary to reliably establish your identity or to coordinate your data between systems so as to ensure that the information we have about you is consistent.
- Banking and other financial information for payment or invoicing purposes.
- Personal data collected in the context of participation in a research study.
- Information about credits awarded and other information about your studies at Uppsala University.
- Information about how you use our websites, for the purpose of making them more user-friendly, for example via cookies.
- Information about participation in conferences or courses.
- Personal data needed for employment purposes or if you apply for a position with us.
Uppsala University is responsible for ensuring that the processing of personal data is protected by appropriate technical and organisational measures. These measures must be adequate to ensure a security level that is appropriate in relation to the risk that the processing involves. The security aspects include an assessment of confidentiality, accuracy and accessibility to ensure that technical and other safety precautions provide an adequate level of protection. For example, access to data can be restricted to authorised persons, the data can be encrypted, they can be stored in specially protected IT environments and they can be backed up.
Much of the information held by Uppsala University consists of official documents. Official documents are data received, drawn up or held by a public authority. Personal data in a register, for example, can constitute an official document and they can also be public. However, personal data in research activities are often subject to secrecy if they contain sensitive personal data (e.g. relating to health). If anyone requests access to data as an official document, a secrecy check is always conducted under the provisions of the Public Access to Information and Secrecy Act (2009:400). Sensitive personal data are subject to a ‘reversed requirement of damage’ (i.e. the data are secret unless it is quite certain that the disclosure of the data cannot cause suffering or damage to the person to whom the data refer) and is virtually never disclosed.
In addition to this, your data may be used in our work with partners in research projects, or in contacts with suppliers or other parties that need the data because of an agreement with us. We also process data as a matter of public interest, e.g. research, or in our exercise of official authority or because of a legal obligation to which Uppsala University is subject.
A task of public interest is a task that we have to fulfil by law or pursuant to law, but that does not belong directly among our duties as a public authority.
When we transfer personal data to another party, we protect them with the necessary legal, organisational and technical measures.
We never disclose personal data to others unless there is a legal basis for doing so.
We only save your personal data as long as the purpose of the processing requires, or as long as legal provisions require.
- If you are an employee, for example, we process your personal data as long as is necessary to administer the employment relationship.
- If you are a student, we process your personal data as long as you are a student at Uppsala University.
- If you are a participant in a study, we process your personal data as long as is necessary to ensure the quality of the research.
With regard to official documents, personal data in them are treated in accordance with the provisions of the Freedom of the Press Act (1949:105), the Archives Act (1990:782) and National Archives regulations. In many cases, this means that your personal data may be destroyed after a short time, while in others they may be preserved forever in our archive systems (e.g. degree certificates).
We sometimes share personal data with other countries in or outside the EU/EEA (e.g. the United States), mainly in connection with international research projects. In these cases, it is our responsibility to ensure that we or our partners take the legal, organisational and technical measures required to protect your personal data. You have either already been informed of this or will be informed if and when the question arises.
The General Data Protection Regulation gives you, as an individual, certain rights vis-à-vis Uppsala University:
The right of access
You have the right to ask whether Uppsala University is processing your personal data and to receive a free copy of the personal data processed once a year. This is often referred to as a register extract. In connection with such a request, Uppsala University also provides additional information about the processing, such as its purpose, the categories of personal data processed, the expected storage period, etc. We fetch this information from our personal data processing list, which is continuously updated.
The right to rectification
You have the right to ask for your personal data at Uppsala University to be rectified if they are inaccurate. You can do this, for example, by providing a supplementary statement to your contact person, course director, manager or research director at Uppsala University. We are required to rectify inaccurate personal data without undue delay. However, we do not need to correct your data if they are only being processed to document completed research.
The right to erasure
You have the right to have your personal data erased from Uppsala University’s systems as long as they are not an official document. We can erase data if, for example, they are of temporary or little importance, such as if you drop out of your programme. In such cases, the data can be erased after a certain time (retention period).
The right to erasure is severely limited by the regulations on official documents and by the requirements of research or study documentation.
If Uppsala University cannot erase your data for legal reasons, we will limit the processing of your data to include only what is required to meet our obligations under the legal provisions.
The right to restriction of personal data processing
You have the right to request the restriction of our processing of your personal data. This means that we only process your personal data for certain specific purposes. We will restrict the processing in the following cases:
- If you assert that the personal data are inaccurate and we need time to verify the accuracy of the data.
- If you object to processing carried out by us. In that case, the processing will be restricted until your grounds for objecting have been weighed against the obligations to process data to which we may be subject on legitimate grounds.
- If you consider that we should erase your personal data but we are unable to do so for some reason.
The right to object to processing
You have the right to object to our processing of your personal data in certain cases, for example in research or educational activities. We will then discontinue the processing unless we have compelling grounds to continue with it, or if the processing is necessary to exercise legal claims that we may have (e.g. in relation to a party to a contract/supplier).
If you have any questions about data protection, you are always welcome to contact your contact person at Uppsala University, the person responsible for a project or a course, or Uppsala University’s data protection officer (email@example.com).