Processing of personal data at Linnaeus University
On this page you will find information on how we at Linnaeus University process your personal data. If you have any questions, you will find contact information at the bottom of this page.
Linnaeus University is responsible for making sure that all processing of personal data that takes place within its activities is correct and follows the Data Protection Ordinance (DFS) (General Data Protection Ordinance, GDPR): The European Parliament and Council’s Ordinance EU 2016/697).
A personal data ombudsman has been appointed to organise the work with GDPR. The personal data ombudsman leads a working group with members of staff from different departments and offices that handle large quantities of personal data. This group consists of representatives from IT, communications, human resources, office of student affairs, and also have access to legal expertise.
How Linnaeus University processes personal data collected through our website Lnu.se
Responsibility for personal data
Linnaeus University’s board has responsibility for the processing of personal data on the website Lnu.se.
Elisabeth Engström is personal data ombudsman at Linnaeus University.
Purpose of processing
Linnaeus University processes your personal data when you:
Register for a course, programme, conference or other event arranged by Linnaeus University or apply for a position. Linnaeus University stores information in order to be able to administer and carry out follow-ups on courses, programmes, and events.
Transfer of personal data
Your personal data may also be handed out to those who need to take part of the information in connection to handling of electronic documents, who have their basis in fulfilling an agreement with you, a legal obligation, a task of public interest, or a task in connection to exercise of public authority where processing of the information is necessary.
Right to request information
You have the right to request information about the personal data about you that is processed by Linnaeus University, regardless of whether this data has been collected through the website or in other way.
Personal data on social media
Linnaeus University may process personal data also on social media like, for instance, Facebook, Twitter, etc. Since posts on the public authority’s “platforms” are classified as public documents these will also be archived – however, normally only temporarily.
Linnaeus University does not pass on personal data to a third party. However, note that companies that provide platforms for communication – like, for instance, Facebook – as a rule have their own terms and conditions for how personal data is stored.
How your personal information is processed in the chatbot
Conversations in the chatbot are anonymized ongoingly so that personal information (name, personal id number, email address etc.) are removed. The anonymized conversations can only be seen by a limited group of certified chatbot administrators. The conversations are saved for a few months with the purpose of improving the chatbot. After that the conversations are deleted and then only general data about each chat is retained, eg. date, time and URL where the chat was started from. IP address is not saved at all.
Information to you as a student at Linnaeus University
During your studies, Linnaeus University will process data about you in different study administrative systems. This takes place primarily in the admissions register NyA where personal data like name, personal identity number, address, phone number, and email is stored. Other information that must be available is qualification, selection criterion, admission, etc.
Another important administrative tool is the study register Ladok. In addition to data about name, personal identity number, address, phone number, and email, also study results, participation on course/programme, credit transfers, grades, and data about exam, etc. will be stored.
In the ordinance (1993:1153) that, among other things, regulates how studies at universities and university colleges are presented, there are regulations concerning NyA and Ladok. According to the ordinance, data from the registers may be handed out to, for instance, other higher education institutions, SCB, and CSN.
A third important system is the learning platform MyMoodle. In addition to data about name, social security number and IP address, your student identity, study results / grades for assignments in the current course, activity logs and things you have created in the course, such as messages in forums, are also stored there.
Information to you who take part at an event at Linnaeus University
In order to be able to arrange seminars, public defenses of doctoral theses, conferences, etc., personal data like name, personal identity number, address, phone number, and email must be collected when registrations take place for the events. This data is only stored as long as necessary.
As a participant you may be photographed and filmed as part of Linnaeus University’s arrangement and this material may then be used in digital or printed form. This can be in advertising and brochures, press photos, and on our website. The material may also be used when we inform about the university’s activities. When the material is out of date it will be removed, however, in some cases, in accordance with legal requirements, it may be archived as part of the documentation on the higher education institution.
If you do not wish to be photographed and filmed or if you have any questions, contact the communications office at Linnaeus University via email on Kommunikationsavdelningen@lnu.se or call the switchboard on +46722-28 80 00.
Regulations for how we may process your personal data
Linnaeus University is a public authority and is commissioned to carry out education, research, and collaboration with society. In order to make this commission possible, we must process personal data, but it is also required by Swedish law and a condition for a legally sound exercise of public authority, and in order to know that you are you through a unique identifier.
The Public Access to Information and Secrecy Act regulates that the information that is processed by the university becomes public documents, providing transparency for the public about the university’s activities. Documents are journalised and if your personal data is part of a public document, Linnaeus University shall, if requested to do so, hand out this document unless it is comprised by secrecy according to The Public Access to Information and Secrecy Act (2009:400).
All processing must have a lawful basis and it is only personal data that is necessary for the purpose that may be processed. In, for instance, The Archives Act (1997:782) and The Swedish National Archives there are regulations concerning when personal data should be stored or deleted.
What personal data is processed and why
Data that directly or indirectly can be linked to a physical, living person like, for instance, contact information: name, personal identity number, email, IP address, address, or a photograph of you.
We need your personal data for different reasons and in different contexts; this can be as a student, researcher, member of a research project, employee, job applicant, as participant at one of our events, or other contact with the university. Linnaeus University stores the information to be able to administer and carry out follow-ups for courses, programmes and events.
When we are to hand out information on study results and other information linked to studies.
It can also be in cases where students’ or employees’ personal data is needed in order to provide support.
For economic transactions, bank details and other related economic data is required.
Protection of personal data
In order for the processing of your personal data to be reliable, Linnaeus University must make sure that the data is protected by suitable organisational and technical measures. It must be guaranteed that the personal data is comprised by adequate protection where it is not possible to manipulate the data or there is a risk that it may end up in the wrong hands.
For how long will your personal data be stored
As a rule, personal data is stored only for as long as it is deemed necessary for the university’s activities. For public documents where personal data is processed in accordance with The Freedom of the Press Act (1949:105), The Archives Act (1990:782), and The Swedish National Archives regulations, the data is stored for a shorter or longer period of time, and when required stored for all eternity in Linnaeus University’s archives.
- As a student, your personal data will be processed for as long as you are connected to Linnaeus University. Two years after the course’s closing date, the personal data that should not be stored will be deleted.
- As long as you are an employee at Linnaeus University, your personal data will be processed and stored. When the employment has expired, the personal data that is not public documents will be deleted.
- As a participant in a research study, your personal data will be processed for as long as it is required according to current research regulations. Legal, organisational, and technical safety measures protecting your personal data are also in place.
Information security work
The university is engaged in ongoing information security work and the aim of this work is to protect the public authority’s information, regardless of whether it is processed by individuals or with the help of our different IT systems. Citizens, companies, and other public authorities should feel confident that the university processes, and when appropriate, stores its information in a correct and secure way.
The objectives of the information security work are to guarantee:
- Correctness; information and systems should be in expected and correct condition
- Accessibility; information and systems should be accessible to authorised users
- Confidentiality; only authorised users should have access to information and systems
- Traceability; that it is possible to track how and when information has been processed and communicated.
In order to achieve these objectives, the university carries out systematic information security work, handled by an information security team. Since a large part of the information handling is done with support from information technology, an important part of the information security work is to carry out continuous risk and vulnerability analyses of all the university’s IT systems (IT components).
Transfer of personal data
As a rule, personal data is collected directly from you but there are also occasions when we collect or hand out data to other public authorities like, for instance, students’ study results to CSN and wage data for employees to The Swedish Tax Agency.
Your personal data may also be handed out to those who need to take part of the information in connection to handling of electronic documents, who have their basis in fulfilling an agreement with you, a legal obligation, a task of public interest, or a task in connection to exercise of public authority where processing of the information is necessary.
Personal data on social media
Linnaeus University may process personal data also on social media like, for instance, Facebook, Twitter, etc. Since posts on the public authority’s “platforms” are classified as public documents these will also be archived – however, normally only temporarily.
Linnaeus University does not pass on personal data to a third party. However, note that companies that provide platforms for communication – like, for instance, Facebook – as a rule have their own terms and conditions for how personal data is stored.
Data to third country outside the EU/EES
In some cases, in connection to international research projects and IT services used in the university’s activities, personal data is transferred to a third country, but this is only done in cases where the university can guarantee the security of the data. In these cases there are legal, organisational, and technical measures that protect the personal data.
Rights according to the Data Protection Ordinance
According to the Data Protection Ordinance you have certain rights concerning the processing of your personal data. You have the right to request information, the right to request correction of false information, the right to request deletion of information, the right to limit use of personal data, and the right to object to processing.
More information
For more information on processing of personal data and the Data Protection Ordinance, see The Swedish Data Protection Authority’s website www.imy.se. There you will also find information on how to contact The Swedish Data Protection Authority in case you have complaints concerning how Linnaeus University processes your personal data.