General principles for personal data processing

Article 5 of the EU’s GDPR includes general principles for how personal data is to be processed. These principles act as guidelines for how you are to process personal data.

Data minimisation

“Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”

This means that you are only to use the personal data that is required for the task in question.

Storage limitation

“Personal data is not to be kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the personal data is processed.”

This means that you are not to save personal data for longer than is necessary. When you no longer require the data, it is to be archived (but not saved locally) or erased. There is an exception, however, for archiving and research.

Read more about archiving on the Records management page

Using existing personal data

“Personal data is to be collected for specified, explicit and legitimate purposes.”

This means that you cannot use personal data to which you have access for a new purpose without reviewing the legal basis and informing the data subject. If you are unsure, contact the University’s data protection officer.

Personal data is to be kept up to date

“Personal data is to be accurate and, where necessary, kept up to date.”

This means that if you collect and store personal data you must ensure that it is kept up to date.

Personal data is to be archived

The exception to the principle of storage limitation for archiving means that Swedish laws and regulations on archiving are to be followed. Personal data is to be archived in the same way and according to the same regulations as all other information.

The principle of public access to official records applies

The Swedish Data Protection Act states that the Freedom of the Press Act and Fundamental Law on Freedom of Expression apply. This means that laws and regulations about official documents and confidentiality also apply to personal data.

Page Manager: dataskyddsombud [at] lu [dot] se

GDPR glossary

  • Personal data controller – the organisation responsible for processing your personal data. In all but a few cases, Lund University is the personal data controller.
  • Data subject – the person whose personal data you collect and/or process.
  • Data protection officer – the role and function responsible for Lund University’s compliance with the GDPR.
  • The EU’s General Data Protection Regulation (GDPR) – the Swedish translation of GDPR is “Dataskyddsförordningen”.
  • Data Protection Act – the Swedish national complement to the EU’s GDPR.

Telephone: +46 (0)46-222 00 00 (switchboard)
Mailing address: Box 117, 221 00 Lund, Sweden
Invoice address: Box 188, 221 00 Lund, Sweden
Organisation number: 202100-3211

Site manager: staffpages [at] lu [dot] se