The University of Borås is the controller of the university’s processing of personal data. This webpage describes how we process your personal data, what rights you have and how you can enforce them.
If you have any questions or concerns about how we process your personal data, you are welcome to contact your manager, the person responsible for a course or research project or otherwise your contact person. You are also welcome to contact any of the employees who work specifically with data protection questions at the university, see contact details at the bottom of this webpage.
Furthermore the university has a Data Protection Officer. The Data Protection Officer's task is to monitor that the university processes personal data in a legal and safe manner in accordance with the General Data Protection Regulation, GDPR. Contact information for the Data Protection Officer can be found at the bottom of this webpage.
What personal data do we process and why?
The university only process personal data in order to carry out our mission of educating, researching, interacting with the surrounding community, informing about our activities and promoting research results obtained at the university. We also do so for administration and compliance purposes.
The university only process personal data if you have consented to the processing, or if it is necessary for the performance of a contract to which you are a party, compliance with a legal obligation to which the university is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the university.
The university processes personal data about many different categories of persons, for example students, employees, participants in events and research projects, borrowers at the university library, and job seekers. Most personal data is collected directly from you. What personal data we process depends on the purpose of the processing. Examples of the personal data that we process include:
- Personal data that you provide to us on the web, physical forms, in contact with employees at the university via email and letters or using the university's IT systems and services.
- Personal data about attendees to events, such as contact details, in order to be able to communicate with you, and plan and administer the events.
- Personal data about participants in research projects. Participants are informed in detail about the processing of personal data in the specific case.
- Identity and contact details that you provide to us in connection with the application for a library loan card. The data is required to administer loans and purchases.
- Health data to accommodate, for example, requests for special dietary needs at events, special educational support, or student health care services. Usually we ask for your consent before collecting and processing this type of data.
- Personal identification number, if it is clearly justified with regard to the purpose of the processing. We may, for example, process your personal identification number in order to not confuse you with another person or if it is otherwise required to determine your identity.
- Bank details and other financial data in order to be able to send and pay invoices.
- Information that you provide about yourself when applying for a job at the university.
- Personal data required for employment, for example, information about the duration and scope of an employment, job position, salary, union membership, parental leave, sick leave, and electronic identities such as usernames. The data is necessary to be able to fulfil our obligations according to labour laws, collective agreements and contracts of employment. It is also necessary to plan, execute, review and develop the university’s operations.
Processing of students’ personal data
Study documentation and administrative data
The university processes many different categories of personal data about students, for example name, civic registration number, email address, telephone number, postal address registered in the Swedish Population Register, and information related to the studies such as qualifications, participation in programmes, courses and examinations, assignments, study results, and registration and tuition fees. We process this personal data in order to be able to admit you as a student, to communicate with you, to provide education, to document studies, and for other administrative purposes.
Live streaming and recording in teaching situations
In distance learning courses, or courses that otherwise include elements facilitated by streaming and video conferencing technologies, lectures, seminars, and other teaching situations may be streamed over the Internet and/or recorded via audio and video. In these situations, students may appear in picture and/or with their voices in connection with their participation in the course.
Streaming and/or recording is only used when it is deemed important for the students’ learning and the purpose cannot be achieved by reasonable means in any other way that does not involve the processing of students’ personal data (students’ image and voice). As safeguards, appropriate measures are always taken to protect students’ privacy. For example, cameras used by the university are, as far as possible, directed so that students are not visible in picture more than necessary. Questions can also normally be asked in writing, instead of orally, using a chat function in the online learning management system used, or at a specific question time that is not recorded. As a student you may also as a general rule decide for yourself if you want to display your true identity online, and if you want to show yourself in picture using your own webcam.
Streams and recorded teaching situations may be made publically available on the university’s learning management system and other IT systems that are accessible on the Internet. Recordings are further public documents that anyone may access in accordance with the principle of free access to public records. Recording are stored within the EU/EEA, and is used until the recordings are obsolete. Obsolete recordings are stored in the university’s archive forever.
The legal basis for the current processing of personal data (students’ image and voice) is article 6.1 (e) in the GDPR.
The university library’s processing of personal data
Publication of students’ thesis in Digitalt Vetenskapligt Arkiv (DiVA)
In the case of students who have approved the university’s publication of their thesis in DiVA, the name of the student is processed in DiVA. The purpose of the processing is to make the published thesis searchable in the system, and the legal basis for the processing is article 6.1 (e) in the GDPR. The personal data is stored within the EU/EEA, and will be erased if and when the thesis is erased.
Publication of dissertations and other scientific documents
Personal data that you submit about yourself and any co-authors in connection with the publishing of dissertations and other scientific documents in DiVA will be processed in DiVA for the purpose of making the published material searchable. Personal data that may be processed include name, userid/signature, organisation, ORCID-id and email address. The personal data is stored within the EU/EEA, and will be erased if and when the published material is erased.
How do we protect your personal data?
The university undertakes legal, technical and organisational measures to protect your personal data against, for example, unauthorised or unlawful processing and against accidental loss, destruction or damage. The purpose of the measures is to ensure an appropriate level of security taking into account the type of processing and the risks for the rights and freedoms of persons.
The measures includes, for example, steps to ensure that only authorised persons have access to the personal data, encryption or pseudonymisation of data, i.e. to render the data unreadable for other than authorised persons, and storing data on high-level protection storage areas. It may also include entering into agreements with suppliers that govern how the suppliers are allowed to process personal data.
Who has access to your personal data?
As a general rule, your personal data will only be accessible by the employees at the university who needs them in order to be able to carry out their work. In addition, central administrative staff at the university may access your personal data if necessary, for example in terms of troubleshooting and support.
The vast amount of information at the university is however public documents. This means that if your personal data is part of a public document anyone may access it in accordance with the principle of free access to public records.
In addition to this, your personal data may be transferred to government agencies and other authorities such as the Swedish Board of Study Support (CSN), the Swedish Migration Agency (Migrationsverket), Statistics Sweden (SCB), the Swedish Council for Higher Education (UKÄ), the Swedish Tax Agency (Skatteverket), the Swedish Social Insurance Agency (Försäkringskassan) and other universities. Your personal data may also be shared with suppliers, partners and other third parties that have a legitimate need for the data.
The university only shares your personal data with third parties if it is necessary and you have approved of it or we otherwise may do so by law. When transferring personal data to third parties, the university usually takes appropriate measures to protect your personal data.
Where do we process your personal data?
Your personal data is normally processed within the EU/EEA. In some cases, however, the data may be processed outside the EU/EEA, for example, by partner universities, research partners or suppliers. Regardless of in which country the data is processed, the university takes measures to protect it in accordance with the requirements of the GDPR.
Personal data may only be processed outside the EU/EEA if the EU Commission has decided that the country in question has an adequate level of protection or after appropriate safeguards have been taken. Examples of safeguards are binding corporate rules, standard data protection clauses and Privacy Shield. You are welcome to contact us if you want a copy of a certain safeguard.
How long do we store your personal data?
We do not process your personal data longer than necessary with regard to the purpose of the processing and legal requirements. Examples of such legal requirements can be found in the Archives Act, which include disposal notice periods that govern how long the university is required to keep different types of information. Often these rules state that information is to be kept for two to five years or forever.
The university’s website
The university's website uses so-called "cookies". Cookies are small text files that are created and stored on your device when you visit our site and contain information about the visit.
Right of access
The university is transparent with how we process your personal data. If you want to know what personal data we process about you, you can request a copy of the personal data and information about the processing free of charge once per year.
A request for a copy of your personal data and information about the processing should include your name and personal number, and be signed with your own signature. Send your request to:
University of Borås
Archive and registry
501 90 BORÅS
The copy of your personal data and information about the processing will be sent by registered letter to your postal address registered in the Swedish Population Register.
Please keep in mind that as a student or an employee at the university, you can usually log in to the university’s IT systems and services to see what data we process about you. You can also contact the responsible function or person at the university to get more information about the processing, for example the human resources department.
Right to withdraw consent
If you have consented to a certain processing of your personal data, you may withdraw your consent at any time. We will then not continue to process your personal data. Usually, this does not however affect information that has already been made public.
Rights in relation to individual automated decision making and profiling
You are entitled not to be subject to automated decision making, including profiling, i.e. decisions taken technically without human intervention. The university does not make such decisions.
Right to data portability
You have a right, under certain circumstances, to receive your personal data in a structured, commonly used and machine-readable format to transmit those data to another controller.
Right to rectification
You are entitled to have your personal data changed or supplemented if they prove to be incorrect or incomplete.
As a student or an employee at the university, you can often change your own data by signing in to the respective IT systems or by contacting the university administrators.
Right to restriction of processing
You have a right, under certain circumstances, to have the processing of your personal data restricted or terminated.
Right to erasure
You have a right, under certain circumstances, to have your personal data erased.
Right to object
You have a right to lodge a complaint with the supervisory authority, the Swedish Data Inspection Authority (Datainspektionen)
More information about your rights
Read more about your rights on the Swedish Data Inspection Authority webpages.
If you have any questions or concerns about how we process your personal data, you are welcome to contact your manager, the person responsible for a course or research project or otherwise your contact person. You are also welcome to contact any of the employees who work specifically with data protection questions at the university by sending an email to email@example.com.
University of Borås
501 90 BORÅS
Tel. +46 (0)33-435 40 00
Data Protection Officer