Menu

Javascript is not activated in your browser. This website needs javascript activated to work properly.
You are here

Special provisions in the Personal Data Act

The Personal Data Act (PUL) includes some special provisions concerning informed consent, personal data and what to consider when transferring personal data to a third country. See below for more information on these provisions.

Informed consent

Informed consent means that a person voluntarily, after having received information, accepts the processing of their personal data. The premise is that the person’s consent is needed for processing their personal data in the form of registries or databases. For an agreement to have legal effect under the provisions of PUL, it is required that the person in question received information about the identity of the personal data controller, the purpose of the processing, and other information that the registered person needs to ensure their rights.

Below you will find a template for informed consent. In addition, the University, in consultation with the Swedish Data Protection Authority, has drawn up general information on the processing of personal data for research purposes at Lund University, see below. It can be useful to attach this to the other information with which you will provide the registered persons in your study.

Template for informed consent (Word-document, 82 kB, new window) (in Swedish)

Situations that do not require consent

Consent is not needed if the processing of personal data is required for complying with a legal obligation, an agreement with the registered person, to perform a task of public interest, or in connection with the exercise of public authority.

Other exceptions are also cases in which the interest of the personal data controller or third party outweighs the registered person’s integrity. Note that consent should not be obtained if it is not needed, because consent can be withdrawn.

General information about processing personal data for research purposes at Lund University (PDF 27 kB, new window) 

Sensitive personal data

You are not allowed to process personal data about:

  • Health or sex life
  • Race or ethnic origin
  • Political views
  • Religious or philosophical convictions
  • Trade union membership

Such sensitive personal data may only be processed with the consent from the registered person, or if it is necessary in areas such as health care, labour law, or for a non-profit organisation to register its members.

Sensitive personal data may be processed without consent for research and statistical purposes if the process is approved by a research ethics committee.

Personal identity number

The general rule is that personal identity numbers may not be processed without the consent of the registered person. There are, however, a few exceptions to the general rule, namely, when it is clearly justified in terms of:

  • The purpose of the processing,
  • the importance of secure identification, or
  • other relevant reasons. In these cases, personal identity numbers may be processed without consent.

Transferring personal date to a third country

The new Personal Data Act contains a general prohibition on the transfer of personal data to third countries, which are not part of the EU/EEA or the Council of Europe’s Convention for the Protection of individuals with regard to Automatic Processing of Personal Data.

Online publication of personal data generally requires obtaining consent. The Swedish Data Protection Authority may, however, permit exemptions from this requirement. This may be the case for much of the processing for international research projects which currently still requires the approval of the Data Protection Authority.

Data security

Remember to take the following safety precautions when processing sensitive personal data:

  • systems for access control with personal authorisation must be in place
  • access to personal data should be logged and include user details
  • all transfers via computer communications must be done in an encrypted form
  • storage media that are not archived shall be deleted in such a way that the information cannot be recovered, and
  • premises where computer equipment and storage media are stored should have access protection.

Liability for damages

If personal data is processed in violation of the Personal Data Act, Lund University will be forced to pay damages to the person or persons who have had their integrity violated.

Page Manager:

Contact

For questions about personal data – contact the personal data representative at Lund University:

Johanna Alhem
Legal Counsel
+46 46 222 09 85
johanna.alhem [at] legal.lu.se

Telephone: +46 (0)46-222 00 00 (switchboard)
Mailing adress: Box 117, 221 00 Lund, Sweden
Invoice adress: Box 188, 221 00 Lund, Sweden
Organisation number: 202100-3211

Site manager: staffpages [at] lu.se

About this website