The new GDPR (in full), which came into effect on May 25, 2018, emphasises the rights of the individual and the responsibility of those who process personal data. Further, it serves to harmonise the regulations within the EU.
GDPR regulates the completely or partially automated processing of personal data, as well as other processing of data that is or will be included in a searchable register.
Note that GDPR, unlike PUL (Personuppgiftslagen), applies not only to personal registers but to all processing, in accordance with the above.
European Union Rules: GDPR refers to the processing of personal data with a link to the EU, either when the entity processing the personal data is established within the EU or when an entity outside the EU offers goods and services to people within the EU or monitors the behaviour of these people in the EU.
Exemption – Private Individuals: Processing by private individuals is not covered.
You can read more about GDPR on the Swedish Authority for Privacy Protection webpage.
The Basic Principles in Brief
You can read more about GDPR on the Swedish Authority for Privacy Protection website.
There must be lawful grounds for the processing of personal data. These are listed below. If you are uncertain about any lawful ground for processing, contact the Data Protection Officer at the university.
| Lawful Grounds | Description | |
|---|---|---|
| Contract | To fulfill a contract | For example: employment contract or client contract |
| Legal Obligation | To fulfill a legal obligation | For example: various Swedish laws related to university procedures and practices |
| Exercise of Official Authority | To carry out our duties as a university | For example: grade setting or decisions related to an educational matter |
| Public Interest | When the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller | For example: education, research and collaboration |
| Protection of Fundamental Interest | To protect the interests of an individual | For example: the data subject cannot provide consent because of a health condition that prevents him/her from doing so |
| Consent | Voluntary, informed and documented consent that can be withdrawn | For example: involvement in a research project or student thesis |
| Weighing of Interests | When the interests of the individual are weighed against the interests of others | For example: authorities may not use weighing of interests when they carry out their tasks |
Read more about Lawful Grounds on the Swedish Authority for Privacy Protection website.
Certain personal data, such as criminal convictions, is especially sensitive and is therefore given additional protection under GDPR. It may only be processed in special cases. Social Identification Numbers (including the Swedish personnummer), or the Swedish samordningsnummer, are regarded as sensitive personal data and may only be processed with consent or when it is necessary for the purpose.
Sensitive Personal Data:
Data on Criminal Convictions: Crimes, sentences, punishments or imprisonment.
Read more about sensitive personal data: Swedish Authority for Privacy Protection.
This guide in Swedish:
http://libguides.du.se/personuppgifter
Information from the Swedish Data Protection Agency on their website.
Information about the General Data Protection Regulation (GDPR) in English: European Commission.