

Questions and answers concerning processing of personal data
Here you will find a summary of frequently asked questions about the processing of personal data.


What is personal data?

Pursuant to the GDPR, personal data is “any information relating to an identified or identifiable natural person”. Examples of personal data are:

  • name
  • photograph
  • address
  • email
  • grades
  • age
  • personal identity number
  • hair colour
  • shoe size
  • qualifications
  • genome

Who is responsible for personal data processing at Lund University?

Lund University is responsible for all personal data processing within the organisation and is thereby the data controller in the vast majority of cases.

In certain situations, the data processing is managed by a third party which acts as the data processor in that case. The relationship between the processor and the data controller is to be regulated through a written agreement, known as a data processing agreement.

In case of errors and shortcomings in processing, both the data controller and the data processor may be subject to administrative penalties, which in Sweden are determined by the supervisory body, the Swedish Data Protection Authority, and imposed by a court. The penalties may be very high (maximum EUR 20 million for a Swedish higher education institution). The Swedish Data Protection Authority is responsible for reviewing the management of personal data and dealing with complaints from data subjects.

The data protection officer at Lund University is entrusted with reviewing the processing of personal data at the University but also with providing support to employees. As an individual employee, you are expected to process personal data correctly and to know about the rules that apply to your particular work duties.

When and how are you to process personal data?

You may process the personal data necessary for carrying out the University’s mission: to provide education, research and external engagement. You are also permitted to process personal data necessary to enable you to:

  • comply with laws, ordinances and collective agreements
  • exercise public authority
  • comply with agreements, such as purchasing contracts or collaboration agreements

The processing of personal data is to follow the guidelines below:

  • The processing is to be conducted in a legal, correct and open manner in relation to the data subject.
  • The data is to be correct and up to date.
  • The data is to be processed securely.
  • The data is to be collected for specific, explicitly stated and justified purposes.
  • The data is not to be too extensive in relation to the purpose.
  • The data is not to be stored in the form of personal data for longer than required for processing. 

Remember: You are only permitted to use necessary personal data and you are only permitted to use it for as long as it is needed!

What is “sensitive” personal data?

The GDPR lists particular categories of personal data as extra sensitive and warranting protection. The following are examples of sensitive personal data:

  • Race or ethnic origin
  • Political views
  • Religious or philosophical convictions
  • Membership in a union
  • Health
  • A person’s sex life or sexual orientation
  • Genetic information
  • Biometric data that unequivocally identifies an individual *

*Personal data obtained through the digital processing of e.g. photographs, voice or fingerprints that enables or confirms the identification of a natural person.

In principle, you are never to collect data on people’s religion, sexuality, views or similar unless it is justified by staff and student health, or ethically approved research.

Other types of data that are also to be considered as sensitive for integrity and warranting particular protection are:

  • salary information
  • data on legal offences
  • evaluation data, e.g. information from staff appraisals, information on results from personality tests or personality profiles
  • information concerning a person’s private life
  • details of social circumstances.

Is the personal identity number sensitive data?
Pursuant to Article 9 of the GDPR, the personal identity number does not constitute sensitive data. In Sweden, however, legislators have decided in the national complement to the EU’s GDPR (the Swedish Data Protection Act) that personal identity numbers and coordination numbers are data that warrant extra protection. Personal identity numbers are therefore to be exposed as little as possible and only when:

  • the data subject consents to the data processing or
  • the need is clearly justified with reference to the purpose of the data processing or
  • secure identification is important or some other noteworthy reason applies or
  • the processing cannot be completed in any other way, for example by using birth data or partial birth data.

The Swedish Data Protection Authority has exhaustive information on the processing of sensitive personal data:

Go to the Swedish Data Protection Authority website

Does the GDPR affect how you process personal data collected before 25 May 2018?

Yes, the GDPR affects personal data collected before 25 May 2018. As of 25 May 2018, handling personal data in unstructured information on paper, in emails, in text files and online is considered personal data processing. This means that you need to decide whether to delete or archive excess information from interviews, evaluations and suchlike. More information on what needs to be archived is available on the Records management page. If you find it difficult to interpret the records management plan, consult the registrar at your organisation.

Go to the Records management page

What is a legal basis?

For all processing of personal data, you need to have a legal basis.

Read more on the Legal basis page

When do you need to use consent as a legal basis for the processing of personal data?

Read more on the Consent page

How should you manage consent for the processing of personal data?

Read more on the Consent page

What applies to children and consent?

Read more on the Consent page

What applies to past consent?

Read more on the Consent page

How are we to process personal data in everyday work?

  • Use common sense and use as a starting point how you would like your own personal data to be processed.
  • Data minimisation: only use the personal data that is necessary.
  • Storage limitation: process the personal data only for as long as it is needed. Destroy, delete or archive personal data that you no longer need.
  • Be cautious with personal data sent via email.
    Read more about processing personal data on the Emails page
  • When you email multiple recipients, use BCC (undisclosed recipients) instead of CC. It can be useful to create mailing lists in Epic or Remember that consent for mailings is required for people who are not LU employees or students.
  • Avoid collecting or storing personal data in free services with which the University does not have an agreement. Examples of services with which LU has no agreement are:
    • Dropbox and Google Docs. Use LU Box instead for non-sensitive personal data.
    • Google Forms. Use Sunet Survey instead for non-sensitive personal data, or create online forms in Drupal and Typo3.
    • Doodle. Use the calendar function in the University’s email system instead.

How are contact details for next of kin to be managed?

Lund University regularly collects contact details for employees’ and students’ next of kin. Read more below about what applies to employees and students respectively.

Employees’ next of kin
You can process the contact details of employees’ next of kin with reference to the University’s staff welfare management. This means that it is voluntary for staff members to provide details of their next of kin. For the employees who wish to provide details of their next of kin, you do not need documented consent from the next of kin.

Students’ next of kin
For students, it is not possible to refer to a purpose that gives you the right to process contact details for next of kin. This means that if you wish to collect this data, you need to ask the next of kin for their consent. Remember that consent must be voluntary, informed and documented.


  • Do not collect more data than necessary. As a rule, a name and telephone number are sufficient. Making a note of the relationship between the staff member and their next of kin may, for example, reveal their sexual orientation: this is a personal detail that is not to be processed.
  • Store "next of kin lists" securely. Only the manager, deputy manager and equivalent should have access to them.
  • It is not your responsibility to inform the next of kin if something has happened to the employee or student; this is the responsibility of the police and the healthcare service.

How are you to inform the data subjects?

Articles 13 and 14 of the GDPR require comprehensive information to be provided to all those whose personal data is processed, regardless of the purpose or legal basis for the processing.

Employees and students will receive standardised information from the University on the processing of their personal data within the framework of their work and studies. This information is to cover all processing of personal data for these two categories that takes place within the University’s activities.

As previously, research projects in which personal data is processed take care of the information to be provided and any consent required from data subjects.

Read more about processing personal data in research here

With regard to external engagement, recruitment of students and employees, the person collecting the personal data is responsible for ensuring that the data subjects are informed and provide their consent where required.

Read more about processing personal data within these areas on the following pages:

Basic information on how the University processes personal data can be found on

A complete list of the points on which you must provide information is available on the Information for data subjects page

What rights do data subjects have?

Data subjects have the right to:

  • withdraw their consent at any time. As an employee, you must provide information on how data subjects are to proceed if they wish to withdraw their consent. (Withdrawal of consent applies to future processing, not the processing that has taken place before the withdrawal).
  • have access to personal data concerning them, and request its correction or deletion, or limitation of its processing.
  • file a complaint about how the personal data is used. As an employee, you must provide the data subject with information on how to proceed if they wish to file a complaint.

Basic information on how the University processes personal data is available on

A complete list of the points on which you must provide information is available on the Information for data subjects page.

As a manager of an IT system that processes personal data, what do I need to do?

You need to ensure that the system is administered and reported in compliance with the University’s system administration model, based on the process model PM3.

Read more on the IT systems page

Where do I turn for information and support?

You can turn to the University’s data protection officer for support and advice by contacting the officer via email at dataskyddsombud [at] lu [dot] se

Questions on data processing agreements are to be addressed to the Legal Division:

Go to the Legal Division page

Page Manager:


dataskyddsombud [at] lu [dot] se

GDPR glossary

  • Personal data controller – the organisation responsible for processing your personal data. In all but a few cases, Lund University is the personal data controller.
  • Data subject – the person whose personal data you collect and/or process.
  • Data protection officer – the role and function responsible for Lund University’s compliance with the GDPR.
  • The EU’s General Data Protection Regulation (GDPR) – the Swedish translation of GDPR is “Dataskyddsförordningen”.
  • Data Protection Act – the Swedish national complement to the EU’s GDPR.

Telephone: +46 (0)46-222 00 00 (switchboard)
Mailing address: Box 117, 221 00 Lund, Sweden
Invoice address: Box 188, 221 00 Lund, Sweden
Organisation number: 202100-3211

Site manager: staffpages [at] lu [dot] se
