Processing of Personal Data
Personal integrity is important for Mälardalen University and the University abides by current legislation regarding personal data, i.e. GDPR, the General Data Protection Regulation. Here you will find information about how personal data collected by Mälardalen University are processed.
Responsibility regarding personal data
Mälardalen University is responsible for personal data regarding the processing of personal data for which the University determines their purpose and funding. The University processes personal data regarding for example processing business matters, for admission to studies at the University, when dealing with administration regarding studies, in alumni activities for the University, the University Administration as well as various types of arrangements and events arranged within the organisation.
Personal data relate to all kinds of information which directly or indirectly can be linked to a living person. This can for example concern names, contact information or personal identity numbers. Photographs of persons are also regarded as personal data.
Certain personal data require extra protection, e.g. personal identity numbers, details of income, and information about social circumstances.
Certain personal data are regarded as being sensitive, e.g. race or ethnicity, political opinions, religious or philosophical convictions, health, information about sexual orientation and genetic information.
Processing of Personal Data
The processing of personal data relates to every measure which includes personal data. The processing can be IT-based/automatic or manual.
Examples of processing are: the collection, registration, storage, handling, issuing, disseminating, coordinating or destruction of personal data.
The General Data Protection Regulation (GDPR)
The purpose of the General Data Protection Regulation is to protect people against violation of their integrity through the processing of their personal data.
The main provision of GDPR is that personal data may be processed if the person registered has been informed of the processing and its purposes, and that the person registered has given consent to the processing. There may also exist other legal grounds than consent, e.g. the exercise of authority.
Exemptions from the requirements of consent
The University may process personal data without the consent of the individual if the processing is necessary in order to:
- fulfil agreements entered into
- satisfy legal obligations
- protect vital interests for the person registered
- carry out work tasks of general interest
- carry out the exercise of authority
The University may also process personal data without consent in cases where the University’s need of processing personal data weighs more heavily than the individual’s need of integrity. Information that processing is being done and the purpose of this must be given even if consent is not needed.
This is how Mälardalen University processes personal data
What personal data does Mälardalen University collect?
At Mälardalen University there are a number of different reasons as to why we process your personal data. The most common reasons are that you are a student, researcher, doctoral student, employee, participant at a conference or event, supplier to the University, are applying for a post at the University or are using the University Library.
You may also have another reason to contact or cooperate with the University.
Most of your personal data are collected by the University directly from you, e.g. via a form where you sign up for an event or when you apply for a course or study programme at the University. In certain cases the data are collected from other sources, e.g. from the Student Loans Agency or the Tax Authority.
What information is dealt with depends on the reason for the processing, but it usually concerns:
- your name
- contact details (address, telephone number, email)
- personal identity number or coordination number (when we need to establish your identity or when coordination with or between systems needs to be done)
- bank information and other financial information that is needed for paying out money or for invoicing
- information about study results or other information concerning studies at the University
- information about how the University websites are used, with the purpose of improving user friendliness, e.g. via cookies
- information about participation in conferences or events and also courses
- personal data needed for an appointment or when you are applying for a post
- personal data collected with the framework of participation in a research study
Personal data of students
The personal data that an applicant submits when applying for admission are registered in the universities' national admissions system (NyA). When an applicant is admitted to a course or study programme, their personal data are transferred to the University’s system for student records (Ladok), which is used for documenting students’ results and to compile statistics for both internal use and for Statistics Sweden (SCB).
The University is responsible for the processing of applicants’ and students’ personal data in the above registers. This processing is regulated in the ordinance of reporting studies etc. at universities and university colleges (1993:1153).
What does Mälardalen University use personal data for?
Mälardalen University processes personal data to fulfil its mission as a government authority and higher education institution and also to finance and conduct research. The University also collaborates with society and provides information about its activities as well as processing personal data in alumni activities at the University.
The University processes personal data to comply with the legislation by which the University is bound, for the purpose of statistics and also to develop and follow up its activities.
The University makes use of several different social media, such as Facebook, LinkedIn and Twitter. In these accounts the University is responsible for personal data that we ourselves publish. For personal data published by others through postings, we are responsible only to the extent that we are able to influence the contents. We strive to remove unsuitable contents.
The University has several official websites, e.g. mdh.se, where information about the University’s activities are published. On these websites the University is responsible for personal data published on the website.
The University processes personal data to fulfil its mission as an employer and also negotiating party with union organisations.
If you use IT resources from Mälardalen University, traces of your activities can be stored for use in the University’s IT security work.
How are your personal data protected?
Mälardalen University will ensure that all processing of personal data will be protected by means of appropriate organisational and technical measures. These measures will ensure a level of security that is appropriate to the risks of any processing. The security aspects include confidentiality, accuracy and accessibility.
Your personal data will be protected by our security infrastructure, authentication, and where necessary encryption or storage in specially protected areas. Personal data in IT systems are regularly backed up.
Who can gain access to your personal data?
Mälardalen University is a government authority and as such much of the information at the University constitutes public documents. If your personal data appear in a public document, anyone requesting such a document can read your personal data, unless restricted by the duty of confidentiality in accordance with the Public Access to Information and Secrecy Act (2009:400).
In addition to this, your details may be disclosed to collaboration partners in research projects, to suppliers and other parties needing to receive such information as a consequence of an agreement between the University and yourself, on account of information of general interest as part of the exercise of authority, or on account of a legal obligation which the University has.
There is a structured control of access in the University’s activities. Only staff working with an assignment that concerns or includes your personal data is able to access your personal data. Other staff do not have access to your personal data.
The University has dedicated IT staff for dealing with systems, allocation of access rights, backups as well as infrastructure.
When transferring information to other parties the University takes all the reasonable measures that may be required to protect your personal data. If the University plans to disclose information about you to other organisations you will receive information about this.
Mälardalen University will not transfer personal data to other parties without legal support.
For how long does Mälardalen University store personal data?
The University stores your personal data for as long as the purpose and processing require this, or as long as is required by current legislation.
- If you are an employee we process your personal data as long as is required to administer your employment situation.
- If you are a supplier or carry out assignments for the University we process your personal data as long as is required to fulfil the current agreement.
- If you are a student we process your personal data as long as you are a student at the University.
- When you are no longer a student at the University, we process your personal data in the way required according to the law, and in any events and publications to which you have consented.
- If you are a participant in a study within the scope of the University’s activities we process your personal data as long as is required to guarantee ongoing research.
For public documents, personal data are dealt with in accordance with the current Archives Act (1990:782) and also the Fundamental Law on Freedom of Expression (1949:105) as well as the National Archives’ regulations. In cases where public documents are to be disposed of, this is governed by the University’s document processing plans as well as disposal decisions.
Personal data in public documents are in many cases saved between five years and permanently in the University archives.
Personal data to a third country
Mälardalen University may transfer personal data to a third country outside the EU/EES in connection with student exchanges and also international research projects. In such cases you will be informed that a transfer to a third country will be made when you submit your information to the University.
Mälardalen University will take all reasonable legal, organisational and technical measures necessary to achieve an adequate level of protection of your personal data, regardless of whether they are processed within the EU or in a third country.
Your rights according to the General Data Protection Regulation
The General Data Protection Regulation gives you as an individual a number of rights regarding your personal data. If you wish to exercise your rights or if you have any questions concerning the processing of your data, you may contact the University’s Data Protection Officer, email firstname.lastname@example.org.
Transcripts from registers
You have the right to request answers as to whether the University processes data about yourself. You also have the right to receive a free copy of the personal data that are processed.
If you wish to make repeated requests for transcripts, Mälardalen University will charge a fee to cover the administrative costs of these.
When a request for a transcript is being processed, the University will also give information about the processing, purpose, legal foundation of the processing and also anticipated storage periods.
The right to rectification
You have the right to request that inaccurate personal data concerning you be rectified. If your personal data are incomplete you can request that these be completed.
The University has no obligation to rectify your data if they form part of a completed research project.
The right to be forgotten
You have the right to have your personal data erased from the University’s systems if your personal data are no longer necessary to fulfil the purposes for which they were collected.
If your personal data have been disclosed to another party, the University will take all reasonable measures to inform these parties of your request for erasure.
You also have the right to request that individual personal data be erased, e.g. if you appear on a picture on a website for which the University is responsible, or if your email address is on a distribution list for newsletters.
There may be legal requirements and other provisions which require that the University retains your personal data, e.g. the regulations concerning public documents or documentation of studies or research.
The right to restrict processing
You have the right to request the restriction of your personal data, which means that the University will ensure that personal data are processed only for specific purposes. Mälardalen University will restrict processing in the following cases:
- If you inform us that your personal data are incorrect and the University needs time to check the accuracy of the data.
- If the University no longer needs the data, but you request that they continue to be stored since you need these to satisfy legal obligations.
- If you dispute a processing carried out by the University. In such cases the processing is restricted until a balance has been achieved between your reasons for the objection and the University’s compelling legitimate reasons.
The right to object to processing
You have the right to submit objections to Mälardalen University processing your personal data in certain cases, e.g. in research or educational activities. The University will then discontinue the processing unless we have compelling reasons to continue with it, or if the processing is required to satisfy legal obligations.
Comments about the University’s processing of your personal data
You have the opportunity to submit comments about the University’s processing of your personal data. You may also send a report to the Swedish Data Protection Authority, which is a supervisory authority. If you wish to claim damages you may submit your claim to the University or initiate proceedings in a public court.
Mälardalen University’s Data Protection Officer
The Data Protection Officer's task is to ensure that the GDPR is followed within the organisation.
Please contact the Data Protection Officer if you have any questions regarding the processing and protection of personal data, or if you wish to exercise your rights in accordance with the General Data Protection Regulation.
Data Protection Officer: Ann-Marie Alverås Lovén