Processing of personal data

Here, Chalmers provides comprehensive information about many of our various forms of personal data processing. In some cases, Chalmers provides separate information.

Chalmers is responsible for the processing and that it complies with the General Data Protection Regulation (EU) 2016/679 (GDPR).

This information answers questions such as:

  • For what purposes does Chalmers process personal data?
  • What personal data is processed in Chalmers’ organisations?
  • With whom may Chalmers share personal data?
  • What does it mean that Chalmers is subject to the Principle of Public Access to Official Documents?
  • How does Chalmers protect personal data?
  • How long does Chalmers save personal data?
  • What rights does a data subject have?
  • How do I contact Chalmers if I have questions or a request?

Chalmers’ personal data processing

Chalmers processes personal data to fulfil our mission as a university, i.e. in our work to conduct research and educational activities and in collaboration with society at large. Chalmers also processes personal data to review and develop our activities and to comply with Swedish law.

All processing of personal data within the University is done to in some way promote these purposes. The processing of personal data shall have legal support, and only the personal data needed for the purposes in question is allowed to be processed.

Personal identity numbers are only processed when needed to reliably confirm your identity or to coordinate your data between systems to provide you with uniform information.

Bank and other financial information is processed when required to be able to pay out money or pay invoices.

Questions, complaints and information

If you have any questions about Chalmers’ processing of personal data, or would like to request a register extract or have some other request, please contact the Records manager: registrator@chalmers.se Chalmers has also appointed a Data Protection Officer, who can be contacted at: dataskydd@chalmers.se If you believe that Chalmers is not complying with the General Data Protection Regulation, you have the right to submit a complaint to the Swedish Authority for Privacy Protection, which is the supervisory authority: imy@imy.se.

Chalmers’ personal data processing in detail

Chalmers’ activities give rise to many reasons for processing personal data. Personal data processing is done with different purposes and for multiple categories of data subjects. As a university, Chalmers processes the personal data of inter alia students, doctoral students, researchers, participants in studies/research, event visitors, guests, job applicants, company partners and tenderers, alumni, and others who contact the University for one reason or another. Information on the processing of employees’ personal data is provided separately.

For certain purposes, personal data is collected directly from you, the data subject. For other purposes, Chalmers collects and updates personal data from public sources, such as the Swedish Tax Agency or the Swedish Board of Student Finance (CSN).

Chalmers has identified processing of personal data for following groups/categories:

  • Students
  • Research study participants
  • Conference or event participants
  • University visitors
  • Job applicants
  • Borrowers from the library
  • Tenderers and other company partners
  • Alumni
  • Donations
  • Contacts with the university (Newsletters and email)

A description of Chalmers’ various forms of personal data processing is found below. Each form of personal data processing is listed separately for each category of data subject. Chalmers has divided its personal data processing into the ten categories found below. For each category, there is an explanation of that processing form's (i) purpose, (ii) use (actual processing), (iii) legal basis, (iv) retention time, (v) data recipients, and (vi) data sources.

Protective measures and rights of the data subject

Many of the documents managed by Chalmers are considered public documents and are subject to the Principle of Public Access to Official Documents. Personal data found in a public document may therefore be requested and disseminated, unless protected as confidential according to the Public Access to Information and Secrecy Act (2009:400).

Chalmers only saves your personal data for as long as the purpose of processing requires, or as long as required by law. For public documents, the personal data found in these is handled in accordance with the provisions of the Freedom of the Press Act (1949:105), the Swedish Archives Act (1990:782), and the regulations of the Swedish National Archives.

Protective measures

Chalmers is required to ensure that the processing of personal data is protected by appropriate technical and organisational measures. Chalmers actively works to ensure an appropriate level of protection in relation to the risk associated with processing. The security aspects include requirements for confidentiality, accuracy and accessibility, as well as adequate technical protection. Chalmers applies access control, where only authorised individuals have access to data, the data is encrypted to an appropriate extent, the data is stored in specially protected areas, and backups are made of digital materials.

Chalmers also works to ensure that subsequent processing by IT suppliers, collaborative partners and other personal data recipients is done in a legal and protected manner. This is done in part through the establishment of regulations in data sharing and data processing agreements.

Transfer of data to outside of the EU/EEA

Chalmers may transfer personal data to third countries (countries outside of the EU/EEA). This may particularly apply in relation to international research projects, studies abroad, examinations taken abroad, or collaboration with certain international organisations. Depending on where the service providers are located, data may also be transferred outside of the EU/EEA. In connection with any such transfers, the University (together with the receiving party) takes the legal, organisational and technical measures required to ensure an adequate level of protection for your personal data.

Your rights as a data subject

The General Data Protection Regulation provides you certain rights as a data subject. Different rights apply depending on the legal basis for the personal data processing. You always have the right to have incorrect data about you corrected and to object to the processing of your personal data. What rights apply otherwise are indicated by an X in this table.

Consentxx 
Agreementsxx 
Legal obligations   
Basic interestx  
Public interest  x
Legitimate interestx x

Right of access

You have the right to request answers about if and how Chalmers processes personal data about you, and to receive an extract of the personal data being processed free of charge. As a protective measure, Chalmers requires you to verify your identity when making such a request. To request access, please email the registrar registrator@chalmers.se a “request for register extract”.

Right to rectification

You have the right to obtain without undue delay the correction of inaccurate personal data and to have us complete any incomplete personal data. Contact registrator@chalmers.se. Chalmers is not obliged to correct your data if it is only being processed in order to document completed research.

Right to erasure (“right to be forgotten”)

You have the right to have your personal data erased from Chalmers’ systems, provided that the personal data is no longer needed to fulfil the purpose for which it was collected. However, there may be provisions that require Chalmers to retain your data, such as regulations regarding public documents or if the documentation is for research or study purposes.

If Chalmers University of Technology cannot erase your data for legal reasons, we will restrict the processing of your data to only that which is required to fulfil the University’s obligations.

Right to restriction of processing

You have the right to request that the processing of your personal data be restricted, which means that your personal data will only be processed for certain specific purposes. Chalmers restricts processing in the following cases:

If you claim that the personal data is incorrect and the University needs time to check the accuracy of the data.

Chalmers no longer needs the data, but you request that we continue to store it because you need it to exercise your legal rights.

You object to the processing Chalmers is performing. In such case, the processing is restricted until your grounds for objection have been weighed against the University’s legitimate reasons for being compelled to process.

If you feel we should erase the personal data, but we cannot do this for some reason.

Right to object to processing

You have the right to object to Chalmers’ processing of your personal data in certain cases, such as within research or educational activities. The University will then cease processing the data, provided we do not have compelling reasons to continue or processing is required to exercise the University’s legal rights.

Right to withdraw consent

For cases where Chalmers processes data on the legal basis of consent obtained from you, you always have the right to withdraw your consent. Chalmers will then cease the processing for which consent has been withdrawn.

Contact

Records manager: registrator@chalmers.se
Data protection officer: dataskydd@chalmers.se

Links:

Swedish Authority for Privacy Protection, www.imy.se/en/