Research
Registration of Personal Data Processing
All research projects involving the handling of personal data must be reported to PULU. This also applies if you have previously reported your research project.
This is primarily a matter of public trust and the university's credibility. People participating in research projects must be able to trust that the university handles their personal data in accordance with existing laws and regulations. There are also legal requirements for the university to maintain a register of all personal data processing. The requirement for a register has existed for a long time, but with the introduction of GDPR, the requirements for the register have been tightened across Europe. If the university does not meet the requirements, we may be subject to fines.
How to proceed:
- To report your research project, log in and complete the PULU form.
- When you complete the PULU form, a case is created in the Diariet/W3D3, which can be managed by an administrator at your institution or equivalent. This administrator is usually a registrar or a person authorized in the Diariet/W3D3.
- Click the "Save form as PDF" button to keep a personal copy of your registration.
- Then click the "Submit" button. Your registration number will be displayed as a receipt in your browser. Save this registration number so that you have access to it if needed.
Registration of Personal Data Processing within Research
The legal basis for personal data processing within research is almost always that it is carried out in the public interest. This means that it is permitted to process personal data if it is necessary for a research project.
Remember:
- In certain cases, there is a requirement for ethical approval, for example if you are processing sensitive personal data. You can read more about ethical approval by clicking here.
- If a party outside the University is engaged for data processing, for example a supplier of IT services, there is to be a personal data processing agreement in place. You can read more about personal data processing agreements by clicking here.
- Personal data is to be stored in a secure manner. If you need to share data with colleagues this is also to be done in a secure manner.
- The Archives Act and principle of public access to information also apply to research data.
What personal data can be processed?
Depending on the purpose of the research project, you decide what type of personal data is to be processed. It is only permitted to collect and process personal data that is necessary for the implementation of the research project.
Data that is completely anonymised is not personal data and therefore the data protection legislation does not apply to it. The data is to be completely unidentifiable. This means that there is no key and that it is not possible to identify the individuals, even though it is possible to put together the different data that is being processed.
NB. If the data is linked to individuals when it is collected and not anonymised until a later stage, the data protection legislation applies up to the point when the data is completely anonymised.
Consent/permission
As a rule, in research projects where data is collected directly from participants they are to give their consent or permission to be involved. This consent is somewhat different to consent in accordance with the data protection legislation.
If a participant changes their mind and no longer wants to take part, this does not automatically mean that the participant has the right to have their data deleted in accordance with the GDPR. Data that is a basis for a research publication is to be saved for reasons of research ethics, even though there are participants who have withdrawn their consent. However, you are neither to use the data for analyses or publications in the future nor collect further data on the participant. If it is possible to remove the data relating to a participant who has withdrawn their permission, this is to be done. Remember that the Archives Act applies. Even though a participant withdraws their consent, it is possible that the data relating to this person is to be archived.
Information for participants in research projects
The data protection legislation contains requirements for providing certain information to the people whose data you process. This also applies to participants in research projects. The participants are to receive the information before they give their consent. You can read more about information for data subjects by clicking here.
NB. This only includes the information required in accordance with the data protection legislation. Naturally, the participants are to be provided with other information about the research project.
There are certain occasions when you do not have to inform the participants that you are processing data about them:
- Survey data: If you use data from a research database, as the participants have already been informed.
- Register data: If it would be too difficult, for example because you do not have access to the participants’ contact details.
Security
One way to increase security and protect the people whose personal data is processed in a research project is to pseudonymize the data. Pseudonymization means that the people have been coded and that there is a key to which someone in the project has access. Pseudonymized data is personal data and all the requirements in the data protection legislation apply.
If something happens to personal data
If something happens to personal data that “leads to unintentional or illegal destruction, loss or changes, or to unauthorised disclosure or unauthorised access”, this is to be reported to the Data Protection Authority.
In practical terms a personal data incident can occur, for example, when someone has forgotten papers or a USB stick on a train, or an unauthorised person has for some reason gained access to a database. It is also an incident when data is lost or unintentionally deleted.
Report the personal data incident to infosak [at] lu [dot] se
DPO certificate
For some research projects, funders request a certificate that Lund University has appointed a data protection officer. Lund University is in the process of generating such a certificate regarding Secure State Cyber AB.
Contact
Lund University has an external Data Protection Officer, Secure State Cyber AB; the contact person at Secure State Cyber AB is Sanja Hebib.
If you have questions regarding data protection, please contact:
dataskyddsombud [at] lu [dot] se
Does your research project involve handling personal data? If so, it must be reported to PULU (Personal Data at Lund University).