Finance and personal data
Personal data processing is frequent in financial matters in connection with external invoices, the awarding of scholarships, and procurements. When you process personal data, you must comply not only with the current data protection legislation but also with laws and regulations on disclosure, archiving and accounting.
What is a legal basis?
You must have a legal basis in order to process personal data.
Read more about the legal basis and consent on the pages:
What information do I need to provide?
Pursuant to Articles 13 and 14 of the GDPR, you have an obligation to inform the data subject about a number of points.
Tips on how to process personal data in financial matters
Shortcuts on the page:
- Information for data subjects
- Purchasing and procurement
- Issuing customer invoices
- Handling financial matters
- Paying for conferences or membership fees with a payment method other than invoice or card
- Handling scholarships
You need to inform the data subject that you are processing their personal data.
Purchasing and procurement
In simplified procedures, when you need to collect personal data, for example references, use the wording of the General Data Protection Regulation in the template for simplified procedures. Be careful in the handling of tenders; try to avoid any unnecessary dissemination of personal data. Do not send personal data to people who do not need it. A similar approach should also apply when placing orders or in direct procurements.
When you send customer information which contains personal data to the Division of Finances, you should not print a copy of the web form or email to keep for yourself.
Do not make or print copies of invoices, travel receipts or similar if not necessary. Documentation required for processing should be securely processed and erased when no longer required. Do not save copies or printouts for longer than is necessary. Remember that documentation which constitutes accounting information, for example if you have added information to a copy so that it becomes an original document, should be filed and destroyed as per standard routines.
If you need, for example, to make a payment before a conference without an invoice, you must not include unnecessary information, only the documentation validating this information.
All original documentation of decisions is to be officially recorded and filed in accordance with normal routines at each department or faculty office. However, the form with the scholarship recipient’s bank details is considered work material and should not be registered or filed. For example, save it in a separate folder or file only for as long as necessary, taking into consideration the period in which scholarship payments are processed by the department/faculty. When you delete the form, do so securely, for example by shredding it.
dataskyddsombud [at] lu [dot] se
- Personal data controller – the organisation responsible for processing your personal data. In all but a few cases, Lund University is the personal data controller.
- Data subject – the person whose personal data you collect and/or process.
- Data protection officer – the role and function responsible for Lund University’s compliance with the GDPR.
- The EU’s General Data Protection Regulation (GDPR) – the Swedish translation of GDPR is “Dataskyddsförordningen”.
- Data Protection Act – the Swedish national complement to the EU’s GDPR.