Processing of personal data at Lund University
The University processes personal data within and on behalf of the University in its capacity as an educational provider and research institution and in connection with external engagement with wider society. All processing of personal data at the University aims to support this assignment.
The University applies the General Data Protection Regulation (GDPR) and supplementary legislation.
In the drop-down list below, we have gathered information on how personal data is processed at Lund University.
Personal data refers to any type of information that directly or indirectly can be linked to an identifiable person, such as:
- a name
- a personal identity number
- a picture
- an email address
- an IP address.
The University processes personal data for various purposes within our organisation. Within education, the personal data of students is processed. Within research, the personal data of the research subjects is processed, i.e. research study participants.
Personal data is also processed for employees as well as participants in conferences or other events.
There are also other situations in which the University processes personal data, such as in contacts and collaborations between individuals and other organisations.
In most cases, personal data is collected directly from the individual. This is usually done through contacts between the individual and the University. Occasionally, personal data may also be collected from a third party.
In some cases, the University, as a public authority, is required to disclose personal information to others, for example, when submitting students’ credits awarded to the Swedish Board of Student Finance (CSN) or employees’ and contractors’ salary data to the Swedish Tax Agency.
The personal data that is processed depends entirely on the purpose of the processing in each case.
This may include:
- Contact information such as name, address, telephone number and email address and, where applicable, personal identity number
- Information needed for e.g. support measures for students and staff
- Banking details and other financial information required for making transactions
- Information obtained within the scope of participation in a research study
- Information about credits awarded and other details related to studies
- Information collected during visits to the University’s websites for the purpose of improving user-friendliness, e.g. through cookies
- Information from attending conferences or courses
- Information necessary for appointment or from responding to a vacancy announcement
The University is responsible for ensuring that personal data is protected through appropriate technical and organisational measures. The University shall thus ensure a level of security that is appropriate in relation to any risks associated with the processing of personal data in each case.
The security aspects include making assessments of confidentiality, accuracy and accessibility. For example, technical protection may entail that only authorised persons have access to the data, that the personal data is encrypted or that it is stored in places with special protection.
The personal data is stored only for as long as it are needed to fulfil the purpose of the data processing. In some cases, there may be legislation and other provisions that require that the data be stored for a longer period. When it comes to public documents, personal data is handled in accordance with the Swedish Freedom of the Press Act (1949:105), the Swedish Archives Act (1990:782) and the Swedish National Archives regulations. Accordingly, personal data may be stored for longer or shorter periods and in some cases indefinitely in the University’s archive.
Within the context of its activities, the University may transfer personal data to third countries, i.e. countries outside the EU/EEA. The University will take all reasonable legal, organisational and technical measures necessary to achieve an appropriate level of protection for this personal data.
The GDPR states that individuals have certain rights that you can learn more about below.
These rights include the right to:
- access (register transcript)
- limit personal data
- object to processing
- data portability
The right to access
As an individual, you have the right to request information about the personal data processed by the University about you free of charge once per calendar year.
Contact us via dataskyddsombud [at] lu [dot] se to request a transcript of the personal data we have stored about you. Please specify if you are contacting us as a student, employee, participant in a research project or in some other capacity.
The right to correction
As an individual, you have the right to request a correction of any incorrect personal data about you that is stored at the University. Such a request should preferably be sent to your most immediate contact person, course director, manager or other authorised person.
The University is obliged to correct any incorrect personal data without undue delay.
The right to deletion
As an individual, you have the right to have your personal data deleted in cases where the personal data is no longer needed to fulfil the purpose for which it was collected (the right to be forgotten). There may be provisions stating that certain personal data must not be deleted, in which case such provisions take precedence.
If the personal data has been disclosed to another party, the University shall take any steps reasonable to notify said party that the data has been deleted.
In cases where there are legal impediments to the deletion of personal data, the University will limit the processing of said personal data to the extent required by law.
The right to limit personal data
As an individual, you have the right to request that the processing of personal data be limited only to processing for certain specific purposes.
The right of limitation applies in the following cases:
- If the personal data is incorrect and the University needs time to check the accuracy of the data.
- If the personal data is no longer needed for the University’s activities, but you request that it continues to be stored in case it will be needed to make legal claims.
- If you object to the processing performed by the University, in which case the processing shall be limited until the justification for your objection and the University’s compelling reasons have been weighed.
- If you believe that the University should delete your personal data but the University for some reason is unable to accommodate your request.
The right to object to processing
As an individual, you have the right in some cases to object to the University’s processing of your personal data. If there is no compelling reason for the University to continue to process your personal data, e.g. in order to comply with any legal requirements, the University will then cease the processing.
The right to data portability
When the University processes your personal data in accordance with the legal basis of consent or an agreement, you have the right, under certain circumstances, to retrieve the personal data you provided to us, e.g. in order to transfer the data to another data controller.
Lund University is a public authority and therefore bound by the principle of public access to official documents. This means that everyone has the right to request access to all the information available at the University. The information may contain personal data. If confidentiality does not apply to the personal data in question, in accordance with the Public Access to Information and Secrecy Act (2009:400), the information must be disclosed.
The University also has other duties and obligations that may lead to the disclosure of personal data to other parties, e.g. information that is:
- necessary for performing a task of public interest
- part of the exercise of public authority
- transferred to another party due to a legal obligation.
Personal data may also be disclosed to the University’s collaboration partners, where applicable, e.g.:
- within a research project
- to a supplier
- to another party as a result of an agreement between the University and the individual.
When transferring data to a third party, the University takes all reasonable legal, organisational and technical measures required to ensure protection of the personal data.
In cases that require that specific information be provided concerning the transfer of personal data to another organisation, this information will be provided to the individual.
In all other respects, personal data will not be transferred to a third party without legal justification or obligation.
If you believe that the University’s processing of your personal data is in violation of the GDPR, you have the right to file a complaint with the Swedish Authority for Privacy Protection. For more information on how to file a complaint, please visit their website.
The Swedish Authority for Privacy Protection website (imy.se)
Personal Data Controller:
Lund University, 202100-3211
221 00 Lund
+46 46 222 00 00
If you have questions about the University’s processing of personal data, please contact the relevant manager or person responsible for the project or course in question.
You can also contact our data protection officer using the contact details below.
Data Protection Officer:
221 00 Lund
+46 46 222 00 00
dataskyddsombud [at] lu [dot] se