The browser you are using is not supported by this website. All versions of Internet Explorer are no longer supported, either by us or Microsoft (read more here: https://www.microsoft.com/en-us/microsoft-365/windows/end-of-ie-support).

Please use a modern browser to fully experience our website, such as the newest versions of Edge, Chrome, Firefox or Safari etc.

Research

På svenska

Processing of personal data within research

The lawful ground for personal data processing within research is almost always that it is carried out in the public interest. This means that it is permitted to process personal data if it is necessary for a research project.

Depending on the purpose of the research project, you determine which types of personal data need to be processed. Collecting and processing personal data is only permitted when it is necessary for carrying out the research project.

Fully anonymized data is not considered personal data and is therefore not subject to data protection legislation. In such cases, the data must be completely de-identified. This means that no key exists and individuals cannot be identified, even if different pieces of information are combined.

NB. If the data is linked to individuals when it is collected and not anonymised until a later stage, the data protection legislation applies up to the point when the data is completely anonymised.

Registration of Personal Data Processing in PULU

All research projects involving the handling of personal data must be reported to PULU. 

This is primarily a matter of public trust and the university's credibility. People participating in research projects must be able to trust that the university handles their personal data in accordance with existing laws and regulations. There are also legal requirements for the university to maintain a register of all personal data processing. If the university does not meet the requirements, we may be subject to fines.

Are you unsure about data protection and personal data? Read more here: 
Frequently asked questions

How to register your research project/study

  • To report your research project, click on the link to the PULU form below.
  • When you complete the PULU form, a case is created in the registration system/W3D3, which can be managed by an administrator at your institution or equivalent. This administrator is usually a registrar or a person authorized in the registration system/W3D3.
  • Click the "Save form as PDF" button to keep a personal copy of your registration.
  • Then click the "Submit" button. Your registration number will be displayed as a receipt in your browser. Make a note of this reference number so that you can refer to it if necessary. 

Report your research in PULU

PULU - A guide

Information for participants in research projects

Before you begin processing personal data in a research project or study, the individuals whose data is to be processed must be informed of this. In some cases, information must be collected directly from the participant, whilst in others, personal data must be collected from sources such as registers and databases, or from news reports and social media. As a researcher, you are responsible for ensuring that this is done in a manner that complies with the GDPR and protects individuals’ privacy. Under the GDPR, it is essential that the data subject understands the information and their rights. 

The University has developed templates, based on Article 13 of the General Data Protection Regulation (GDPR), which you may use and adapt to suit your project.

If you collect personal data directly from the data subjects, use template A

Template A – directly from data subject (Word, 107 kB)

If you collect personal data from another source, use template B

Template B – from another source (Word, 107 kB)

Consent/permission

In research projects where data is collected directly from participants, they must, as a rule, give their consent or approval to take part in the project or study. This consent is distinct from consent under data protection legislation. Please contact the data management support team at your faculty for information on how consent/approval for participation in research should be formulated. 

You can also write to  support [at] researchdata [dot] lu [dot] se (support[at]researchdata[dot]lu[dot]se)

If a participant changes their mind

If a participant changes their mind and no longer wishes to take part, this does not automatically mean that they are entitled to have their data erased under the GDPR. Data forming the basis of a research publication must be retained so that the results can be validated and the research can otherwise be conducted in accordance with good research practice. This applies even if some participants have withdrawn their consent. However, you must not use that data for future analyses or publications, nor, of course, collect any further data on that participant. If it is possible to delete data relating to a participant who has withdrawn their consent, this must be done.

Please remember that the Archives Act applies. Please note, even if a participant withdraws their consent, it is possible that data relating to that person will still need to be archived.

Security

A way to increase security and protect the individuals whose personal data is processed in a research project is to pseudonymize the data. Pseudonymization means that the individuals are assigned codes, and that someone within the project has access to a key that links these codes to real identities. Pseudonymized data is still considered personal data, and all requirements under data protection legislation continue to apply. 

If something happens to personal data

If something happens to personal data that “leads to unintentional or illegal destruction, loss or changes, or to unauthorised disclosure or unauthorised access”, this is to be reported to the Data Protection Authority.

In practical terms, a personal data breach can occur, for example, when someone leaves a document or a USB stick on a train, or when unauthorised persons gain access to the database for some reason. A breach can also occur when data is lost, is unavailable for extended periods, or is deleted unintentionally.

Report the personal data breach to dataskyddsombud [at] lu [dot] se (dataskyddsombud[at]lu[dot]se)

Also bear in mind that

  • In some cases, ethical approval is required, for example if you are handling sensitive personal data.
    Read more about ethical approval
  • If an external party is engaged to handle data, for example an IT service provider, a data processing agreement must be in place.
    Data Processing Agreements
  • Personal data is to be stored in a secure manner. If you need to share data with colleagues, this is also to be done in a secure manner. Here you will find information about storage solutions at Lund University and about information security: 
    IT services and storage, in Swedish
  • The Archives Act and the principle of public access also apply to research data. Read more about the management of research data here:
    Research data management

Contact

Lund University has an external Data Protection Officer; Secure State Cyber AB and the contact person at Secure State Cyber AB is Sanja Hebib.

Do you have questions regarding data protection - please contact:

dataskyddsombud [at] lu [dot] se (dataskyddsombud[at]lu[dot]se)

Report research

Report your research in PULU
Does your research project involve handling personal data? If so, it must be reported to PULU (Personal Data at Lund University).

Last updated: 8 Apr 2026 | ann-sofie [dot] zettergren [at] sambib [dot] lu [dot] se