What is personal data?
Who is responsible for personal data processing at Lund University?
When and how are you to process personal data?
What is "sensitive" personal data?
Does the GDPR affect how you process personal data collected before 25 May 2018?
How are we to process personal data in everyday work?
How are contact details for next of kin to be managed?
How are you to inform the data subjects?
What rights do data subjects have?
As a manager of an IT system that processes personal data, what do I need to do?
Does Lund University need to apply the GDPR outside of Sweden?
Personal data is “any information relating to an identified or identifiable natural person”. Examples of personal data are name, photographs, address, email, grades, age, personal identity number, hair colour, shoe size, qualifications and genome.
Lund University is responsible for all personal data processing within the organisation and is thereby the data controller in the vast majority of cases. In certain situations, the data processing is managed by a third party. That third party acts as the data processor in that case.
You may process the personal data necessary for carrying out the University’s remit and to enable you to:
- comply with laws, ordinances and collective agreements
- exercise public authority
- comply with agreements, such as purchasing contracts or collaboration agreements.
Personal data is:
- to be processed in a legal, open, correct and secure manner
- to be correct
- to be collected for specific, explicitly stated and justified purposes
- not to be too extensive in relation to the purpose
- not to be stored for longer than required for processing.
The GDPR lists special categories of personal data as extra sensitive and warranting protection. The following are examples of sensitive personal data:
- race or ethnic origin
- political views
- religious or philosophical convictions
- membership in a union
- a person’s sex life or sexual orientation
- genetic information and
- biometric data that unequivocally identifies an individual. *
*Personal data obtained through the digital processing of for example photographs, voice or fingerprints that enables or confirms the identification of a natural person.
In principle, you are never to collect data on people’s religion, sexuality, views or similar unless it is justified by staff and student healthcare, or ethically approved research.
Other types of data also to be considered as sensitive for integrity and warranting special protection are:
- salary information
- data on legal offences
- evaluation data, for example information from staff appraisals, information on results from personality tests or personality profiles
- information concerning a person’s private life
- details of social circumstances.
Is the personal identity number sensitive data?
No, but even so we are to exercise extra caution with them. Personal identity numbers are only to be exposed when:
- the data subject consents to the data processing, or
- the need is clearly justified with reference to the purpose of the data processing, or
- secure identification is important or some other noteworthy reason applies, or
- the processing cannot be completed in any other way.
Yes. All personal data that is still processed is to fulfil the requirements of current legislation. This is so even if it has been collected previously.
- Use common sense.
- Only use the personal data that is necessary.
- Process the personal data only for as long as it is needed.
- Be cautious with personal data sent via email.
- When you email multiple recipients, use BCC (undisclosed recipients) instead of CC. It can be useful to create mailing lists in Epic or listserver.lu.se.
- Avoid collecting or storing personal data in free services with which the University does not have an agreement. Examples of services with which LU has no agreement are:
  - Dropbox and Google docs. Use LU Box instead for non-sensitive personal data.
  - Google forms. Use Sunet Survey instead for non-sensitive personal data or create online forms in Drupal and Typo3.
  - Doodle. Use the calendar function in the University’s email system instead.
Employees’ next of kin
You can process the contact details of employees’ next of kin with reference to the University’s staff welfare management. This means that it is voluntary for staff members to provide details of their next of kin, but you do not need documented consent from the next of kin.
Students’ next of kin
For students, it is not possible to refer to a purpose that gives you the right to process contact details for next of kin. This means that if you wish to collect this data, you need to ask the next of kin for their consent.
- Do not collect more data than necessary. As a rule, a name and telephone number are enough. Making a note of the relationship between the staff member and their next of kin may, for example, reveal their sexual orientation: this is a personal detail that is not to be processed.
- Store "next of kin lists" securely. Only the manager, deputy manager and equivalent should have access to them.
- It is not your responsibility to inform the next of kin if something has happened to an employee or student; this is the responsibility of the police and the healthcare service.
Employees and students will receive standardised information from the University on the processing of their personal data within the framework of their work and studies.
Research projects in which personal data is processed take care of the information to be provided and any consent required from data subjects.
Regarding external engagement, recruitment of students and employees, the person collecting the personal data is responsible for ensuring that the data subjects are informed and provide their consent where required.
- receive information on what personal data the University processes and for what purpose
- withdraw their consent if processing is based on consent. As an employee, you must provide information on how data subjects are to proceed if they wish to withdraw their consent
- request correction of personal data
- file a complaint about how the personal data is used. As an employee, you must provide the data subject with information on how to proceed if they wish to file a complaint.
NB! As the University is a public authority, both the principle of public access to information and the Archives Act apply to personal data.
You need to ensure that the system is administered and reported in compliance with the University’s system administration model, based on the process model PM3.
The General Data Protection Regulation (GDPR) applies to personal data processing that is linked to the EU. This is either because the organisation processing personal data is established in the EU or because an organisation outside the EU is offering goods and services to people within the EU or monitoring their behaviour here. This means that the GDPR is applicable to personal data processing carried out within the framework of Lund University’s activities, as the University is established in the EU. This applies regardless of whether the processing is carried out within or outside the EU and regardless of the citizenship or domicile of the people in question.
It is sometimes claimed that the GDPR “only applies to EU citizens” or “only to people who live in the EU”. These claims are thus incorrect regarding Lund University’s personal data processing.
You can read more about this on the Swedish Data Protection Authority's website.
As a rule, the recording of work meetings and discussions entails the processing of personal data. In accordance with data protection legislation, this processing is only permitted if it is necessary to record the meeting or discussion in order for the University to carry out its assignment to educate, research and collaborate. Due to the pandemic, meetings and discussions at the workplace are often held using real-time streaming services such as Teams. As a rule, such meetings and discussions should only be recorded if they would have been recorded when held at the physical workplace.
Consent should not be sought as the employee is deemed to be in a position of dependence vis-à-vis the University.
For questions about personal data and data protection, please contact:
Data Protection Officer, Legal Counsel
dataskyddsombud [at] lu [dot] se
+46 46 222 04 26
- Personal data controller – the organisation responsible for processing your personal data. In all but a few cases, Lund University is the personal data controller.
- Data subject – the person whose personal data you collect and/or process.
- Data protection officer – the role and function responsible for Lund University’s compliance with the GDPR.
- The EU’s General Data Protection Regulation (GDPR) – the Swedish translation of GDPR is “Dataskyddsförordningen”.
- Data Protection Act – the Swedish national complement to the EU’s GDPR.