PULU - A Guide
This guide outlines some of the concepts involved in registering personal data processing activities, and clarifies why certain information must be provided.
Under the General Data Protection Regulation (GDPR), a data processing register is a record of all the ways in which personal data is processed within an organisation. This is important because it helps the university keep track of how personal data is used, thereby ensuring compliance with the regulation.
PULU is Lund University's data processing record for research studies.
Read more about processing records - IMY
Principal Investigator (PI)
The Principal Investigator (PI) is the person responsible for the research study. If more than one person is responsible, state the researcher who is the main applicant for the project or equivalent here. In the case of a collaborative project involving other higher education institutions, only the PI at Lund University should be stated.
Responsibility for processing of personal data
The university is the data controller if it independently decides why and how to carry out a particular processing activity. Where this is not the case, the university may have a joint responsibility with another organisation, such as a higher education institution. In rare cases, the university may also act as a data processor on behalf of another organisation. Agreements should be concluded for collaborative projects and similar activities.
Read more on Staff pages:
Read more about responsibility for personal data
Agreements
Purpose - the objective of the processing
The GDPR sets out a number of basic principles that data controllers must follow. According to the principle of purpose limitation, the purpose of processing personal data determines which actions may be taken, for example, what personal data may be processed and how it may be used. These purposes must be specific and concrete, and everyone must be able to understand what the processing of personal data entails. Personal data may not be processed for other purposes incompatible with these. In line with the principle of storage minimisation, the purpose of processing must usually be limited in time.
Example: We are collecting answers from individuals about breakfast habits in order to determine whether it is healthier to eat fruit or sausages in the morning.
Read about purpose limitation - IMY
Categories of Data Subjects
In the context of data protection, the term 'data subject' is used to describe those whose personal data we process.
In many cases, the ‘Other’ category will be the most common, comprising what could be termed ‘ordinary individuals’. Examples include people who are randomly selected to respond to a survey, people who are recruited through newspaper adverts, and people who happen to be in a particular location. Several categories of personal data may be relevant, so tick all that apply.
Categories of Personal Data
Personal data types in the question have been grouped into different categories. Several categories of personal data may be relevant, so mark all that apply.
Example: If you are going to record interviews with named nurses and talk about their physical and mental health, you should check 3 categories:
- Name
- Other identifying information (the audio recording)
- Health data
Are you planning to share personal data with other recipients, such as individuals or organisations outside Lund University?
Indicate here whether you plan to share personal data with any external recipients who will process it for purposes other than your studies.
In which countries will you process personal data?
Data processing encompasses every stage of your research, including data collection, analysis, storage, sharing and publication. The GDPR applies regardless of where personal data is processed when data is processed for scientific purposes on behalf of Lund University.
It is important to establish where the PI and any other project participants collect and store data, as well as in which countries. If the processing of personal data takes place outside the EU/EEA in so-called third countries, it may mean that you need to take special security measures.
Note that the use of digital tools that manage their data in cloud services may also involve transfer of personal data. Therefore, it is important to determine from the outset which tools are suitable for use in all parts of the work process.
Read more on the staff pages:
Transfer of personal data outside EU and EEA
Security
Pseudonymised personal data: Data that has been encrypted or coded is still personal data if there is a key that can be used to link it to a person. Therefore, pseudonymised data is still personal data and must be processed in accordance with data protection legislation. Anonymised data can never, or can no longer, be traced back to a living person. When personal data are anonymised, all sources of identification have been removed. Note that if there is a theoretical possibility of identifying a person by, for example, adding together several seemingly anonymised data sets, the set of data should still be considered as personal data.
Ethical review is also considered one of several safety measures in the processing of sensitive personal data in research.
Read more about guidelines on pseudonymisation - EDPB
Read more about ethical review - Staff Pages
Digital Services and tools
This question aims to establish what security measures the tools or digital services you use in your research have in place to protect personal data.
Internal Tools: The university provides a range of tools for purposes such as analysis, processing and storage of data. If you use internal tools, these are managed by the university, and it is assumed that they meet the requirements for adequate protective measures.
Please check with servicedesk[at]lu[dot]se if a particular tool is suitable for the personal data processing you plan to carry out in your research.
External Tools: If, on the other hand, you use tools that are NOT provided by the university, you need to assess whether the tool is suitable for the processing of personal data involved in your study. Which tools can be used depends on the type of personal data being handled. Some data requires particularly secure solutions. Therefore, specify which external tools you use so that these are documented. Also, feel free to contact your data steward at the faculty for advice on the assessment.
Read more on how to Store and organise - Staff Pages
Contact
You can get advice and guidance on PULU from the university's joint research data support team. The support team includes:
- Faculty Data Stewards
- Faculty Library Research Support
- Archivists.
Submit your question (web form)
Email: support[at]researchdata[dot]lu[dot]se
Research and processing of personal data
On this page you can read more about processing of personal data within research