Contact
Personal data breaches must be reported through the IA system.
Read about the rights of data subjects. As in all exercise of public authority, we must strive to ensure these rights are respected and accommodate any requests from a data subject.
The first time a data subject wants to exercise their rights, it should be free of charge. If a request is obviously unreasonable or unfounded, for example if someone repeatedly requests to exercise a right, SLU may charge a reasonable fee to cover administrative costs. We can also refuse a request. However, this option only applies under certain circumstances, and must be approved beforehand by the data protection officer.
If you have any questions on the rights of data subjects, contact dataskydd@slu.se.
The first right, and perhaps the most important one, is the right to access. The data subject has a right to find out if SLU is processing their personal data, access the data and have the following information:
The data subject also has the right to a free copy of the personal data, in an accessible format. If someone requests additional copies, we can charge a fee for this.
The data subject has the right to request that their personal data be corrected without undue delay. If necessary, the data subject also has the right to supply additional personal data.
Another central right is the right to be erased. The data subject has the right to have their data deleted from SLU's registry without undue delay. This right can be exercised under the following circumstances:
If SLU has made public personal data that we are required to delete, we must take all reasonable measures to inform other parties processing the data that the data subject has requested that they be deleted. Any third parties must also be informed that they should delete al links, copies or replications of the data concerned.
The above does not apply if the processing of personal data is necessary for one of the following reasons:
Limitation of personal data is a right that sounds somewhat abstract, but simply put means ensuring that data only is stored and not processed in any other way.
Provided the data subject consents, the data may be processed anyway – if it is necessary to exercise a legal claim, or on important grounds of public interest for Sweden or the EU.
A data subject has the right to request that the processing of their data be limited if one of the following applies:
If processing is limited in accordance with paragraph 1 above, SLU must inform the data subject before the processing is terminated.
If the data subject has provided SLU with their personal data, they have the right to a copy of it in a commonly used and machine-readable format.
This right will rarely be relevant to SLU operations. If a data subject wishes to exercise this right, contact dataskydd@slu.se.
The data subject has the right, at any time, to object to the processing of their personal data if the processing is done in the public interest or is part of the exercise of public authority. The processing must then be terminated, unless SLU can prove that there are reasons for continuing the processing that outweigh the data subject's interests, rights and freedoms. SLU may also continue the processing if it is necessary to exercise a legal claim.
If the processing is done for scientific, historical or statistical purposes, it may continue if it is necessary to carry out a task in the public interest.
The data subject must be informed about this right in a clear manner, separate from other information. This must be done the first time SLU communicates with the data subject, at the latest. If appropriate, we can give this information at an earlier point in time.
We are obligated to report rectification, deletion and limitation of processing.
Provided it does not involve a disproportionate effort, SLU must also inform all parties that have received personal data from us of any rectification, deletion or limitation of processing. If the data subject requests information about who has received their personal data, SLU must provide that information.
Personal data breaches must be reported through the IA system.