The Swedish Red Cross University (company reg. no. 802002-8695) is the data controller for the processing of personal data.
GDPR
The Swedish Red Cross University processes personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council. These rules are known as the General Data Protection Regulation, or GDPR, and apply as law in all EU member states. Among other things, the Regulation aims to protect the fundamental rights and freedoms of individuals, in particular your right to the protection of personal data.
Any processing of personal data must comply with the basic principles set out in the GDPR:
- Personal data must be managed securely
- No more personal data than necessary for a given purpose may be collected and processed
- Data must not be kept longer than necessary
- Those processing personal data must ensure compliance with the Regulation and must also document this in writing
- Privacy and confidentiality are important
- Transfer to third countries (non-EU/EEA) can only take place in certain cases.
The GDPR also grants individuals a number of rights vis-à-vis the university:
- the right to object
- the right to obtain record extracts
- the right to rectify your data
- the right to have data deleted and be forgotten
What are personal data?
Personal data refers to any information relating to an identified or identifiable natural person. It is crucial that the data, alone or in combination with other data, can be linked to a living person. Typical personal data include personal identity numbers, names, addresses and IP addresses, but even multiple variables that can be jointly linked to a natural person are considered personal data.
The data must be processed in a lawful, fair and transparent manner in relation to the person whose personal data we process, i.e., the data subject (lawfulness, fairness and transparency).
How are personal data processed?
All measures involving personal data are considered to be processing of personal data, from the moment the data is collected until the final deletion or destruction of the data. Examples of personal data processing are, as defined by the GDPR:
- Collection
- Registration
- Structuring
- Storage
- Manipulation or alteration
- Retrieval
- Reading
- Use
- Disclosure
- Dissemination
- Erasure or destruction of the personal data
Any processing of personal data carried out must comply with the basic principles set out in the General Data Protection Regulation (Article 5 GDPR). The Swedish Red Cross University must ensure and document that personal data processing fulfils the requirements below:
- Data shall only be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes (purpose limitation).
- Data must be adequate, relevant and not excessive in relation to the purposes for which they are processed (data minimisation).
- Data must be accurate and, if necessary, updated (accuracy).
- Data must not be kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the personal data are processed (storage limitation).
- Data shall be processed in a way that ensures appropriate security of the personal data (integrity and confidentiality).
The Swedish Red Cross University is the data controller for the processing of personal data that takes place within the university's activities. This applies not only to the processing carried out by teachers and administrative staff, but, as a general rule, the university is also responsible for the processing of personal data carried out by students in the context of courses and study programmes.
Examples of personal data processing
The printing of personal data on a printer and the sending of e-mails involve the processing of personal data.
If a student processes personal data in their thesis work, processing is subject to the rules of the General Data Protection Regulation, and it is the responsibility of the Swedish Red Cross University to ensure compliance with the rules. However, some exceptions apply. As a general rule, if a student carries out a placement, the placement site serves as data controller when the student performs various tasks at, e.g., schools or health care (just as the placement site serves as data controller when its employees process personal data).
Why does the university process personal data?
The University processes personal data pursuant to the university’s task in the public interest in conducting education, or to comply with laws and regulations. The university processes personal data to fulfil a task of public interest. In some cases, such as the transfer of personal data outside the EU, the university seeks your consent.
The university processes personal data in order to:
- Ensure that data on applicants for courses and study programmes, completed studies, training certificates and diplomas are retained
- Award degrees
- Carry out summative assessment and plagiarism checks
- Record grades, attendance and other information on completed studies
- Enable teachers and other students to work within a course or programme
- Display the right course information in University channels
- Allocate relevant resources, facilities and materials to students
- Provide study and career guidance
- Create a basis for monitoring and evaluating courses and study programmes
- Make student admission decisions
- Communicate with students
- Create and report official statistics
- Investigate and manage disciplinary cases
- Allocate relevant support measures
- Provide information to placement sites
- Manage exchanges with foreign universities and travel grants
- Enable research
- Manage your studies (e.g., grading, booking facilities and other resources)
- Process personal data as necessary for university compliance with the rules on official documents and government archives
- Monitor and evaluate student admissions
The register may also be used for research (see Regulation 2010:595).
How does the university obtain personal data?
The university primarily receives personal data about students from Antagning.se, which is managed by the Swedish Council for Higher Education.
In some cases, the university receives personal data from other institutions if the student has studied previously. The university also receives personal data from students themselves.
Transfer of personal data
Swedish Red Cross University does not disclose personal data to external stakeholders without consent.
In certain cases, the Swedish Red Cross University transfers personal data to other organisations, such as:
- Other universities, in Sweden or the EU, e.g., when a student seeks to transfer credits or to check entry requirements
- The Swedish Board of Student Finance (CSN), when they need the data to authorise or pay student financial aid
- The Swedish Council for Higher Education through universityadmissions.se
- Statistics Sweden (SCB) to produce official statistics
- Other public authorities in Sweden or the EU, to deal with matters relating to professional status qualifications and licences
- University student unions
- The Swedish Research Council, the Swedish Agency for Innovation Systems, the Swedish Research Council for Environment, Agricultural Sciences and Spatial Planning and the Swedish Research Council for Health, Working Life and Welfare.
- Swedish Higher Education Authority
- If a student applies for exchange studies or collaborates with an organisation outside the EU/EEA, the University will transfer personal data to that organisation
Data storage
Personal data in the university's system is stored until the student:
- has completed a course/programme with a final grade, final examination
- has requested to withdraw from the course/programme
When either of the above conditions is met, account details and other data will be deleted three months after that event.
However, personal data can be stored for as long as required by the legislation on official documents and archives of public authorities.
The Ladok system for study administration
Ladok is a national system that supports universities and colleges in various study administration processes. Ladok enables universities to fulfil the regulations and follow-up requirements from the government and central authorities. Ladok also enables higher education institutions to produce their own statistics and follow-up of students.
Rights and withdrawal of consent
Students at the Swedish Red Cross University must provide the university with certain personal data. This is regulated by the Ordinance on the reporting of study results, etc., at universities and university colleges (1993:1153).
Students have the right, under certain circumstances, to have their data erased, rectified, or restricted, and to have access to the personal data processed, as well as the right to object to the processing.
If a student has consented to a specific measure, the student has the right to withdraw consent.
Contact
Questions and comments regarding the university's processing of personal data are directed to the university's data protection officer at dataskydd@rkh.se.
You can also contact the Swedish Authority for Privacy Protection regarding the university’s data processing: datainspektionen@datainspektionen.se or by calling +46(0)8-657 61 00.