Data protection policy at Örebro University
This is a translation of a Swedish document. In the event of a discrepancy, the Swedish-language version shall prevail.
Processing of personal data at Örebro University (ORU) is in accordance with the European Parliament’s and the Council’s Regulation (EU) 2016/679, otherwise known as the General Data Protection Regulation (GDPR).
Personal data controller
ORU is ORU is the controller of the personal data processing that takes place within the scope of the university’s operations.
ORU processes personal data to fulfil ORU’s mandate as a government authority and university, that is, to provide education, research and collaboration with society.
All processing of personal data at ORU must be performed as part of our mandate. The processing must have a legal basis. Only personal data needed for this purpose shall be processed.
As an employee, student or outside stakeholder, you may obtain more detailed information about the processing of your personal data by contacting your course leader, manager or research leader or your contact person at ORU. If you find that you have not received enough information from them, contact the data protection officer at Örebro University .
What personal information does ORU collect?
At ORU there are various reasons why the authority may process your personal data: you are a student, researcher, participant in a study, employee, participant in a conference or other event, you are applying for or have applied for a position, or have in some other way contacted or are collaborating with the university.
In general, most of this information that ORU processes has been collected by ORU directly from you. In some cases, we also collect information from other agencies, such as the Swedish Council for Higher Education (UHR), Swedish Tax Agency or Swedish Board of Student Finance (CSN).
What information ORU processes depends on the reason associated for processing, for example:
- Contact information such as name, address, phone number and email address.
- Your personal identity number is processed when it is needed to ensure your identity or to match up your personal data between various data systems.
- Bank and other financial information for payment or invoicing.
- Personal data collected within the framework of participation in a research study.
- Information about study results or other information about your studies at ORU.
- Information via cookies about how you use our web-based systems, to improve your user experience.
- Information on participation in conferences and courses.
- Personal data needed for purposes of employment at ORU or if you apply for a position.
Information for students
In the admissions register, NyA, identity data (name, personal identity number, address, phone number and email address) is saved as well as data on eligibility/entry requirements, selection criterion, obligation to pay application and tuition fees, and admission is stored. Your personal data is processed by UHR and ORU when we assess whether you meet the entry requirements and when we evaluate your qualifications prior to selection.
In the Ladok student register, each student’s identity data (name, personal identity number, address, phone number and email address) and, in addition to those data processed in NyA, data on participation in courses, study programmes and examinations; study result; grades; transfer of credits awarded for courses and study programmes or other activities; and degrees are stored. The student register shall, in addition, contain such data that is required to facilitate the transfer of data by Örebro University to Statistics Sweden (SCB).
Provisions on the NyA and Ladok registers are laid down in the Ordinance (1993:1153) concerning the Reporting of Higher Education Studies. Disclosure of data from these registers may be made to third parties, e.g. other higher education institutions (HEI) or the Swedish Board of Student Finance (CSN) per the list provided in the ordinance.
Processing of data concerning you as a student also takes place in other study administrative systems that are essential for effecting your course or study programme.
When you are no longer studying at ORU, we process your personal data in the manner required by law, and in any publications that you have approved. Your personal data may also be processed in the ORU alumni register, our database for future contacts.
Information for employees
Personal data is processed in various HR systems to the extent necessary to honour employment contracts and to meet criteria in current legislation and collective agreements. Personal data is also processed in various systems otherwise needed for ORU to exercise its prescribed responsibilities.
Categories of personal data processed include identity data (name, personal identity number, address, phone number and email address), form and scope of employment, term of employment, additional assignments and management positions, workload plans, secondary employment, salaries, taxes and social security contributions, absence, doctor’s certificates, trade union memberships etc. Disclosure of data to third parties may be made, for instance in compliance with legal requirements such as the reporting of taxes and social security contributions. Organisations to which disclosures are made include the Swedish Tax Authority, Statistics Sweden (SCB), Swedish Agency for Government Employers, Swedish Social Insurance Agency, Swedish Higher Education Authority (UKÄ), National Government Employee Pensions Board (SPV), and trade unions.
A confidentiality assessment will take place before any disclosure.
Personal data processed with consent
In some cases, consent is obtained. This applies to participation in research projects, questionnaire studies, student projects, reports, conferences and other collaboration with the surrounding society. Consent may be given verbally or. Children under 13 must have parental approval for their consent.
Consent must be voluntary and possible to revoke.
Information for participants in conferences and other events
Personal data (name, personal identity number, address, phone number and email address) and other data provided when you sign up for an event is only stored for as long as it is necessary for the administration of the conference or event, i.e. for mailing of information and material as well as evaluation surveys. If ORU charges a fee for conferences and other events, invoicing data is stored in accordance with current accounting regulations. If you have given your consent to receiving further offers, your data will be stored in accordance with the information supplied at the time of consent. You can withdraw your consent at any time. A withdrawal of consent will however not affect any processing prior to the withdrawal. For events that require registration or that are open to the public, such as fairs, conferences and open lectures etc, the university may also publish pictures on its website or other information material.
Information for borrowers at the University Library
Personal data (name, personal identity number, address, phone number and email address) is registered in the library borrower’s register. In the borrower’s register, books on loan and returned books are registered. The use of the library’s digital environments is logged. If the borrower does not return the books after the return date, overdue fines may be issued, and personal data may be transferred to debt collection agencies and the Swedish Enforcement Authority.
How is your personal data saved?
Personal data is kept for as long as is necessary for the specific purpose of the processing and in accordance with applicable law and ORU’s information management plan. In some cases, data is processed in cloud services outside ORU. ORU may transfer personal data to third countries outside the EU/EEA, primarily regarding international research projects.
Personal data in public official documents are processed accordance with the provisions of the Freedom of the Press Act (1949: 105), the Archives Act (1990: 782) and the National Archives’ regulations. If there is no decision on weeding, this data shall be kept according to the Archives Act.
How is your personal data protected?
ORU is responsible for ensuring that the processing of personal data is protected by appropriate technical and organisational measures. These measures must be adequate to ensure a security level that is appropriate in relation to the risk that the processing involves. The security aspects include confidentiality, accuracy, accountability and accessibility as well as an adequate level of protection. For example, access to data can be restricted to authorised persons, the data can be encrypted, it can be stored in specially protected environments, and it can be backed up. Personal data incidents must be reported to ORU’s data protection officer.
Who may access your personal data?
Much of the information kept at ORU is defined as official documents. If your personal data can be found in an official document, anyone who requests access to this document can view your personal data, unless the Public Access to Information and Secrecy Act (2009:400) prevents this.
In addition, your personal data may be disclosed to ORU’s partners during research projects, to suppliers, or to other parties that need access to this data in accordance with an agreement between ORU and yourself, due to information of public interest, as part of the exercise of public authority, or due to ORU’s legal obligation to do so.
A task in the public interest is a one that ORU must provide according to law, or according to decisions based on laws, but which is not directly part of ORU’s mandate as a government authority. An example of a task in the public interest is a picture from the campus area or of activities at the university.
When transferring personal data to another party, ORU takes all legal, organisational and technological precautions necessary to protect your personal data.
ORU will only transfer personal data to other parties if there is a legal basis for this.
According to GDPR, you have the right without charge to access all collected data about you that is processed, and if necessary, to have erroneous data corrected. You also have the right to have your personal data erased, restricted as well as to raise objections to the processing of your personal data. You may also register a complaint with the Swedish Data Protection Authority, who is the supervisory authority.
A request for the above must be in writing, include your name and personal identity number, and be signed by you. Send your request to ORU’s data protection officer.
If you do not personally collect the extract from the registry at ORU, the extract will be sent to your registered place of residence so that we can ensure that the information comes directly to you. Proof of identity will be checked.
More information (offered in both Swedish and English) on GDPR and information sessions can be found on Inforum / Stöd och service / Informationssäkerhet, and on the Swedish Data Protection Authority's website.
If you have questions on the University's processing of personal data, please contact our data protection officer, see contact details below.
Controller Örebro University
Data Protection Officer
You can read more about processing of personal data and the General Data Protection Regulation (GDPR).
Swedish Data Protection Authority
The Personal Data Act, Swedish Data Protection Authority