PERSONAL DATA PROCESSING IN FINANCIAL MATTERS
This page provides information on how you should process personal data in financial matters.
What is the legal basis?
In general, the legal basis for financial matters is either that there is a legal obligation or that it is in the public interest. This means that in these cases you do not need to ask data subjects for their consent.
What information do I need to provide?
Pursuant to Articles 13 and 14 of the GDPR, you have an obligation to inform the data subject about a number of points.
Tips on how to process personal data in financial matters
Informing the data subject
You need to inform the data subject that you are processing their personal data.
Purchasing and procurement
In simplified procurements when you need to collect personal data, for example references, use the wording of the General Data Protection Regulation in the template for simplified procurement. Be careful in the handling of tenders; try to avoid any unnecessary dissemination of personal data. Do not send personal data to people who do not need it. A similar approach should also apply when placing orders or in direct procurements.
See also the page "Procurement below threshold with notice obligation".
Issuing customer invoices
When you send customer information that contains personal data to the Finance Division, you should not print a copy of the web form or email to keep for yourself.
Handling financial matters
Do not make or print copies of invoices, travel expense reports or similar if not necessary. The supporting documentation required for the process should be securely handled and erased when no longer required. Do not save copies or printouts for longer than is necessary. Remember that supporting documentation which constitutes accounting information, for example if you have added information to a copy so that it becomes an original document, should be filed and destroyed as per standard procedures.
Paying for conferences or membership fees with a payment method other than invoice or card
If, for example, you need to make a payment prior to a conference without an invoice, you must not include unnecessary information. Only the documentation validating the information is required.
All original documentation of decisions is to be officially recorded and filed in accordance with normal routines at each department or faculty office. However, the form with the scholarship recipient’s bank details is considered work material and should not be registered or filed. For example, save it in a separate folder or file only for as long as necessary, taking into consideration the period in which scholarship payments are processed by the department/faculty.
Lund University has an external Data Protection Officer, Secure State Cyber AB; the contact person at Secure State Cyber AB is Sanja Hebib.
If you have questions regarding data protection, please contact:
dataskyddsombud [at] lu [dot] se