
General Data Protection Regulation (GDPR): Introduction

Background

The new General Data Protection Regulation (GDPR), which came into effect on May 25, 2018, emphasises the rights of the individual and the responsibility of those who process personal data. Further, it serves to harmonise the regulations within the EU.

GDPR Basics

GDPR regulates, either completely or partially, the automated processing of personal data, as well as other processing of data that is included, or that will be included, in a searchable register.

  • Automated processing refers to processing of data by automated means: for example, in IT systems, databases, e-mail, social media, sound and picture recordings, and on web pages.
  • Automated processing also covers, to some extent, manually processed personal data: for example, paper questionnaires whose answers are also entered into a database.
  • Manually processed data can be affected if there is a connection to a searchable register.

Note that GDPR, unlike PUL (Personuppgiftslagen), does not apply only to personal registers but to all processing, as described above.

European Union Rules: GDPR applies to the processing of personal data with a link to the EU, either when the entity processing the personal data is established within the EU, or when an entity outside the EU offers goods and services to people within the EU or monitors the behaviour of people in the EU.

Exemption – Private Individuals: Processing by private individuals is not covered.

You can read more about GDPR on The Swedish Data Protection Authority webpage.

The Basic Principles in Brief

  • Lawfulness: There must be a lawful basis for the processing.
  • Accuracy: The data must be accurate and up-to-date.
  • Transparency: Registered subjects must know what data is being processed and how.
  • Purpose Limitation: Data may be collected only for specific, explicitly stated and legitimate purposes. Further processing for archiving purposes in the public interest, for historical research purposes or for statistical purposes is permitted.
  • Data Minimisation: The personal data that is processed must be adequate, relevant and not excessive in relation to the purpose.
  • Storage Limitation: Personal data may only be retained for as long as it is needed for the purpose. After this, the data must be deleted or anonymised unless another regulation requires archiving. Data may be stored for a longer period for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes.
  • Integrity and Confidentiality: Data must be protected against unauthorised or unlawful processing and against loss and damage, by means of appropriate technical and organisational measures.
  • Accountability: The controller must be able to demonstrate compliance with the regulation. This can be done by way of clear information to the data subjects, a record of current processing activities, documentation of the considerations that have been made, and up-to-date internal guidelines.


What lawful grounds are there for processing?

There must be lawful grounds for the processing of personal data. These are listed below. If you are uncertain about any lawful ground for processing, contact the Data Protection Officer at the university.

Lawful Grounds and Descriptions

  • Contract: To fulfil a contract. For example: an employment contract or a client contract.
  • Legal Obligation: To fulfil a legal obligation. For example: various Swedish laws related to university procedures and practices.
  • Exercise of Official Authority: To carry out our duties as a university. For example: grade setting or decisions related to an educational matter.
  • Public Interest: When the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. For example: education, research and collaboration.
  • Protection of Fundamental Interest: To protect the vital interests of an individual. For example: the data subject cannot provide consent because of a health condition that prevents him/her from doing so.
  • Consent: Voluntary, informed and documented consent that can be withdrawn. For example: participation in a research project or a student thesis.
  • Weighing of Interests: When the interests of the individual are weighed against the interests of others. Note: authorities may not rely on weighing of interests when they carry out their tasks.

Read more about Lawful Grounds on The Swedish Data Protection Authority website.

Special Rules for Sensitive Personal Data

Certain personal data, such as data on criminal convictions, is especially sensitive and is therefore given extra protection by GDPR. It may only be processed in special cases. Social identification numbers (including the Swedish personnummer) and the Swedish samordningsnummer are regarded as sensitive personal data and may only be processed with consent or when it is necessary for the purpose.

Sensitive Personal Data:

  • Racial or ethnic origin,
  • Political opinions, religious or philosophical beliefs,
  • Membership in a trade union,
  • Health, sex life or sexual orientation,
  • Genetic data,
  • Biometric data.

Data on Criminal Convictions: Crimes, sentences, punishments or imprisonment.

Read more about sensitive personal data on The Swedish Data Protection Authority website.

In Swedish

Datainspektionen

Information from The Swedish Data Protection Authority (Datainspektionen) on their website.

European Commission

Information about the General Data Protection Regulation (GDPR) in English: European Commission.