The legal basis for processing personal data
In order to process personal data, you must have a legally valid reason, a so-called legal basis, for why processing should be carried out. For those working at Lund University, there are five legal bases.
If there is a law, ordinance or collective agreement which states that the University must carry out certain tasks, you are allowed to process the personal data that is necessary for them to be carried out. This means, for example, that personal data is to be archived in the same way as other records and documents and is also to be available as official documents. This does not apply to confidential data.
Legal obligation is a common legal basis within human resources that is to a large degree based on laws, ordinances or collective agreements.
You are allowed to process personal data when it is necessary as an element in exercising public authority. The exercise of public authority at the University includes admission of students, examinations or the issuing of degree certificates.
A public task is a task the University has been assigned by the parliament or Government. The Higher Education Act states that the University’s task is to conduct education, research and to “include third stream activities and the provision of information about their activities, as well as ensuring that benefit is derived from their research findings.” When working on these tasks, you are allowed to process personal data that is necessary to carry out these tasks.
Public tasks include:
- necessary support operations such as governance and management, finance, provision of premises, IT support etc.
- contract education
- alumni activities
- public events
- online information
Public task is the most important legal basis for the University, as most of the University’s activities involve research, education, external engagement or the direct support of these activities.
Processing personal data is permitted when it is required to fulfil agreements that the University has entered into or will enter into with an individual.
In certain instances, a person can give their consent for the University to process their personal data. Bear in mind that the consent is to be voluntary, informed and documented. You are not to ask people who are in some way dependent on the University for their consent, which means that as a rule you cannot use consent as a legal basis for staff and students.
The processing of sensitive personal data sometimes requires grounds in addition to a legal basis. Above all there is a requirement that it is actually necessary to process the specific data in question. The same applies for the processing of personal identity numbers.
dataskyddsombud [at] lu [dot] se
- Personal data controller – the organisation responsible for processing your personal data. In all but a few cases, Lund University is the personal data controller.
- Data subject – the person whose personal data you collect and/or process.
- Data protection officer – the role and function responsible for Lund University’s compliance with the GDPR.
- The EU’s General Data Protection Regulation (GDPR) - The Swedish translation of GDPR is “Dataskyddsförordningen”.
- Data Protection Act – the Swedish national complement to the EU’s GDPR.