Within human resources, personal data is processed for both staff and non-employees. It may relate to, for example, recruitment, salary reviews or rehabilitation matters. When you process personal data within the area of human resources, you must make sure you comply with the data protection legislation as well as other applicable laws and regulations (for example, the Archives Act and the Public Access to Information and Secrecy Act).
Examples of non-employees whose personal data is processed in the area of human resources:
- Applicants for positions at Lund University
- Non-employees receiving payment for work, for example guest lecturers and external experts in the recruitment of lecturers
- Non-employees who are paid for travel or expenses
- Study and trial subjects
- Former employees receiving payments
- Student representatives on committees, boards and advisory boards
You must have a legal basis for processing personal data. The most common legal basis in the area of human resources is legal obligation, namely something that the University must do to comply with a law, ordinance, other provision or collective agreement. In these cases, you are permitted to process any necessary personal data.
In staff recruitment, through the advertising of vacancies and processing of applications, another legal basis applies, namely consent. Applicants' consent is managed in the Varbi recruitment system, but if you receive applications outside the system you must inform the applicant and request their consent.
What information do I need to provide to data subjects?
New and current staff receive standardised information from their employer about Lund University’s processing of their personal data. This means you do not need to inform employees every time you process their personal data.
Those applying for a position via the Varbi recruitment system will receive the information in the system.
There are cases where you must inform the person whose personal data you are processing. This is the case, for example, for non-employees receiving any form of payment from the University.
Support and tools
dataskyddsombud [at] lu [dot] se
- Personal data controller – the organisation responsible for processing your personal data. In all but a few cases, Lund University is the personal data controller.
- Data subject – the person whose personal data you collect and/or process.
- Data protection officer – the role and function responsible for Lund University’s compliance with the GDPR.
- The EU’s General Data Protection Regulation (GDPR) – the Swedish translation of GDPR is “Dataskyddsförordningen”.
- Data Protection Act – the Swedish national complement to the EU’s GDPR.