Read about the rights of data subjects and when these rights can be exercised. As in all exercise of public authority, we must always strive to ensure these rights and to accommodate any requests from a data subject.
The first time a data subject wants to exercise their rights, it should be free of charge. If a request is obviously unreasonable or unfounded, for example if someone repeatedly requests to exercise a right, SLU may charge a reasonable fee to cover administrative costs. We can also refuse a request. However, this option only applies under certain circumstances, and must be approved beforehand by the data protection officer.
If you have any questions on the rights of data subjects, contact email@example.com.
The right to access
The first right, and perhaps the most important one, is the right to access. The data subject has a right to find out if SLU is processing their personal data, access the data and have the following information:
- The purpose of the processing (according to the register managed by the data protection officer).
- The categories of personal data processed.
- Any third parties that have or may be granted access to the personal data.
- For how long SLU is planning to store the data, or the criteria that will determine how long it will be stored.
- What rights the data subject has when it comes to processing. These rights are described in more detail below.
- The right to file a complaint with the Swedish Authority for Privacy Protection.
- What sources the personal data has been collected from, if it was not collected from the data subjects themselves.
The data subject also has the right to a free copy of the personal data, in an accessible format. If someone requests additional copies, we can charge a fee for this.
The right to rectification
The data subject has the right to request that their personal data be corrected without undue delay. If necessary, the data subject also has the right to supply additional personal data.
The right to erasure
Another central right is the right to be erased. The data subject has the right to have their data deleted from SLU's registry without undue delay. This right can be exercised under the following circumstances:
- The data is no longer needed for the purpose of the processing. This can be the case e.g. if an employee has left SLU.
- The legal basis for the processing is consent, and the data subject withdraws their consent. If there is no other legal basis for the processing, the data should be deleted.
- The data subject objects to processing carried out as part of the exercise of public authority or in the public interest. Unless SLU has very good reasons for continuing the processing, the data should be deleted.
- If personal data is processed to be used in direct marketing, the data should be deleted immediately if the data subject requests it.
- If the personal data has been processed in an unlawful way.
- If there is a legal requirement to delete the data.
If SLU has made public personal data that we are required to delete, we must take all reasonable measures to inform other parties processing the data that the data subject has requested that they be deleted. Any third parties must also be informed that they should delete al links, copies or replications of the data concerned.
The above does not apply if the processing of personal data is necessary for one of the following reasons:
- Exercising the right of freedom of expression and information.
- Carrying out a legal obligation according to EU or Swedish legislation.
- Carrying out a task in the public interest.
- Carrying out a task that is part of the exercise of public authority.
- For reasons in the public interest in the area of public health.
- For archiving purposes in the public interest, or for scientific, historical or statistical purposes, if deleting the data would make the archiving impossible or significantly more difficult.
- To exercise the legal claims of SLU, a student or an employee.
The right to limitation
Limitation of personal data is a right that sounds somewhat abstract, but simply put means ensuring that data only is stored and not processed in any other way.
Provided the data subject consents, the data may be processed anyway – if it is necessary to exercise a legal claim, or on important grounds of public interest for Sweden or the EU.
A data subject has the right to request that the processing of their data be limited if one of the following applies:
- The data subject believes that the data is incorrect, and SLU needs time to verify this.
- The processing is unlawful, but the data subject requests limitation rather than erasure.
- SLU no longer requires the data, but the data subject needs it to exercise a legal claim.
- The data subject has objected to the processing. Until it has been determined whether SLU's reasons for processing outweigh the data subject's reasons for limiting processing, the processing should be limited.
If processing is limited in accordance with paragraph 1 above, SLU must inform the data subject before the processing is terminated.
The right to data portability
If the data subject has provided SLU with their personal data, they have the right to a copy of it in a commonly used and machine-readable format.
This right will rarely be relevant to SLU operations. If a data subject wishes to exercise this right, contact firstname.lastname@example.org.
The right to object to processing
The data subject has the right, at any time, to object to the processing of their personal data if the processing is done in the public interest or is part of the exercise of public authority. The processing must then be terminated, unless SLU can prove that there are reasons for continuing the processing that outweigh the data subject's interests, rights and freedoms. SLU may also continue the processing if it is necessary to exercise a legal claim.
If the processing is done for scientific, historical or statistical purposes, it may continue if it is necessary to carry out a task in the public interest.
The data subject must be informed about this right in a clear manner, separate from other information. This must be done the first time SLU communicates with the data subject, at the latest. If appropriate, we can give this information at an earlier point in time.
We are obligated to report rectification, deletion and limitation of processing.
Provided it does not involve a disproportionate effort, SLU must also inform all parties that have received personal data from us of any rectification, deletion or limitation of processing. If the data subject requests information about who has received their personal data, SLU must provide that information.
- Terms and concepts in data protection