Personal data processing at Jönköping University (GDPR)
Jönköping University (hereinafter JU) is an independent foundation university characterised by internationalisation and an entrepreneurial spirit. JU is composed of a foundation and its six wholly-owned subsidiaries. The foundation and its subsidiaries are each individually responsible for how personal data is processed.
JU processes personal data for its assignments as an education provider and research institution and in cooperation with the surrounding society.
What personal data is processed at JU?
In education, students’ personal data is processed and in research, the personal data of research participants is processed. JU processes only the personal data necessary for the purpose of the activity.
In most cases, personal data is collected directly from the individual. This usually happens by contact between the individual and JU. In some cases, the personal data may also be collected from someone other than the individual themselves, for example from a government register.
Examples of personal data that JU processes:
- Contact information such as name, address, phone number and email for communication.
- Personal identity codes are processed when it is necessary for JU to confirm identity.
- Bank and other financial information are processed for payments or invoices.
- Personal details of voluntary participants in research studies.
- Study results and study-related information are documented in study records.
- Information on the use of JU websites is collected to improve user-friendliness, for example with cookies.
- The personal data needed for the recruitment and employment process.
The legal bases for the processing of personal data
The processing of personal data by JU is always based on a legal basis. Examples of legal bases include:
- Exercise of authority and duty in the public interest (JU must process personal data in order to perform official duties)
- Legal obligation (laws, rules and regulations require JU to process personal data)
- Contract (individuals, who have a contract or are about to enter into a contract with JU)
- Balancing of interests (when the interests of JU outweigh those of the individual and if the processing is necessary for the purpose, e.g. transfers within the JU Group)
- Consent (the individual has agreed to the processing of personal data)
Principle of public access to official records and personal data
Much of the information available at JU is public documents. Upon request, public documents shall be published, provided that the documents do not contain information covered by confidentiality in the Public Access to Information and Secrecy Act (2009:400). In other words, personal data may be disclosed in accordance with the principle of public access. JU does not normally have the right to investigate to whom the documents are disclosed or what they will be used for, as long as they are not of decisive importance for the confidentiality assessment.
How is personal data protected?
Controllers at JU shall ensure that personal data are protected by appropriate technical and organisational measures. The level of security is determined in relation to the risks to the rights and freedoms of individuals. For example, protection may mean that only authorised persons have access to the data, encryption of the data, storage in specially protected IT environments, or backup of the data.
For how long is personal data saved?
Personal data are retained for as long as they are necessary to achieve the purpose of the processing. However, in some cases there may be legal requirements or other rules that require the data to be retained for a longer period.
Who can access the personal data?
JU employees have access to the personal data necessary for the performance of their duties.
JU is subject to statutory accounting requirements, for example, students' academic results are reported to the Swedish Board of Student Finance (CSN) and employees' salary information to the Swedish Tax Agency.
Personal data may be shared with partners, for example within the framework of a research project or to manage exchange students to and from other higher education institutions. When there is a requirement to inform the person concerned that their data has been transferred to another organisation, such information is provided.
The general public, such as individual citizens, has the right to access JU’s public documents. Personal data may be disclosed in accordance with the principle of public access to official records, unless the personal data is covered by the provisions on confidentiality in the Public Access to Information and Secrecy Act (2009:400).
JU uses service providers for different types of IT services. When the service providers process personal data on behalf of JU, they become JU processors. Providers engaged by JU may process personal data only in accordance with the purposes and instructions provided by JU. The processor and those acting under the management of the processor may never take on more tasks than necessary for the performance of the service covered by the contract with the university.
Personal data to third countries — non-EU/EEA
When cooperating with foreign higher education institutions and organisations, JU may need to transfer personal data to countries outside the EU/EEA. In such circumstances, specific requirements of the General Data Protection Regulation apply. JU is responsible for taking the necessary measures to achieve an appropriate level of protection for this personal data. Specific information may be provided in each case to those whose personal data are subject to such a transfer.
Rights of individuals
The General Data Protection Regulation gives individuals a number of rights. JU handles an individual’s request within one month. In order to comply with a request, the identity of the individual must be verified.
The rights of individuals may be restricted, for example when JU is legally obliged to process personal data or when the processing of personal data is necessary as part of JU's exercise of public authority.
Right of access
You have the right to request information on what personal data JU processes about you. To request an extract of your personal data, please contact us by email. Please specify whether you have been in contact with us as a student, employee, within a research project or otherwise.
Right to rectification
You have the right to request that your personal data be corrected if it is incorrect. You can do this, for example, by submitting a supplementary statement to your contact person, course leader, manager or research manager.
Right to object to processing
You have the right to object to the processing of your personal data by JU. If the JU cannot demonstrate that there are compelling or legitimate reasons to continue processing the data, the processing must cease.
Right to restriction of processing
You have the right to request that the processing of your personal data be restricted by allowing the personal data to be processed only for specific purposes. By requesting a restriction, you have the opportunity to temporarily stop JU from using the data other than for defending legal claims, for example. You can also prevent JU from deleting data, for example, if you need the data to claim damages.
Right to erasure (right to be forgotten)
You have the right to have your personal data erased if it isn’t necessary for original legitimate purposes, or to comply with legislation.
The right to erasure is restricted, for example, by the rules and regulations for public documents and the requirements for documentation of research or studies.
If there are legal impediments to the erasure of your data, JU will instead limit the processing of your data to what is strictly necessary to comply with legal obligations.
Right to data portability
When JU processes your personal data on the legal basis of consent or agreement, you can in some cases obtain personal data concerning you for use elsewhere, for example by transferring the data to another controller.
If you have questions about JU’s personal data processing
For personal data processing questions, you can contact your JU contact person, project or course coordinator, or for more general questions, JU's Data Protection Officer (DPO).
Complaints to the Swedish Authority for Privacy Protection (IMY)
If you believe that your personal data is being processed in violation of the General Data Protection Regulation, you have the right to file a complaint with the Swedish Authority for Privacy Protection. Further information on how to file a complaint can be found on the Swedish Authority for Privacy Protection's website.