
General Data Protection Regulation (GDPR): Security & Transfer

Suitable Security Measures

The following questions can be helpful in the evaluation of what security measures are required:

  • How sensitive is the data?
  • What risks are there?
  • What kind of technology can be used?
  • What are the costs involved?
  • Will the data be transferred over the Internet?
  • Will the data be transferred to a non-EU/EEA country?

Examples of Measures:

  • Physical security such as locks, lockers and authorised access to premises.
  • Rights of access to digital storage.
  • Password protected and, where relevant, encrypted storage.
  • Coding or encryption of data, where the key is kept separately. This is also called pseudonymisation.
  • Logs of how the data has been/is being processed.
  • Back-ups.
  • Protection against malicious software.
  • Encrypted transfer of data.
  • Policies and procedures for those who will process data.
  • Deletion or archiving after processing is completed, in accordance with the guidelines that are in place for storage or deletion.

For more information about security measures, see Swedish Authority for Privacy Protection.

Choice of Storage

Here you can find information about storage options that the university can offer.

Central Server

The university provides directories on a central server in the form of personal home directories (H:) for employees and students, as well as shared storage spaces (L:) for employees. Shared storage spaces are created upon an order sent to support@du.se. All information that is stored in these is backed up on a daily basis and is protected by IT support.

Local Storage on a Computer

Information can also be stored locally on a computer’s hard drive (C:). Information that is stored locally on a computer is not backed up automatically. If information is stored in this way, then the user him-/herself must ensure that it is protected.

Other Mobile Devices

The university provides employees with mobile devices such as smartphones, tablets, external hard discs, memory cards and USB memory sticks. Information that is stored on these is not backed up automatically. If information is stored on these, the user him-/herself must ensure that it is protected.

Cloud Storage Service

Cloud storage is a form of storage on the Internet: examples of cloud storage services are Dropbox, Google Drive, Microsoft OneDrive, Apple iCloud, Box, Evernote. At present, the university does not have a contract with any cloud provider and cannot take responsibility for information that is stored in a cloud. Current guidelines at the university mean that this type of service must only be used for information that is less significant and that does not include personal data.

Transfer over the Internet

Personal data that is sensitive in terms of personal integrity must be protected against unauthorised access when it is transferred over the Internet – for example, by email. One option is encrypted transfer.

Transfer Outside the EU/EEA

The transfer of personal data to non-EU/EEA countries (also termed Third Countries) is only permitted under certain conditions.

Decision on sufficient level of protection: If the EU Commission has determined that a third country can ensure an adequate level of protection, then personal data can be transferred there without any special permission.

Appropriate protection measures: For example, standard contractual clauses or binding corporate rules.

Special situations and individual cases: for example, consent.

Read more about when transfer to a third country (non-EU/EEA country) is possible: Swedish Authority for Privacy Protection.
