General principles for personal data processing
Article 5 of the EU’s General Data Protection Regulation (GDPR) includes general principles for how personal data is to be processed. These principles act as guidelines for how you are to process personal data.
Lawfullness, fairness and transparancy
All processing of personal data is to be lawful, fair and characterised by transparency.
Based on this principle, data subjects have the right to request information about what personal data is processed by a data controller, known as a register extract.
Personal data should be collected for specific, explicitly stated, and legitimate purposes.
This means that the purposes for processing personal data must be determined when the data is collected. You may not use personal data that you have access to for a new purpose without determining whether there is a legal basis for the intended processing and any information requirements related to the data subject. If you are unsure, please contact dataskyddsombud [at] lu [dot] se (dataskyddsombud[at]lu[dot]se).
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
This means that you are only to use the personal data that is required for the task in question.
Personal data that is processed must be accurate and, if necessary, updated
This means that if you collect and store personal data, you must, if necessary, ensure that it is kept up to date.
Personal data is not to be kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the personal data is processed.
This means that you are not to save personal data for longer than is necessary. When you no longer require the data, it is to be archived (but not saved locally) or erased. There is an exception, however, for archiving and research.
Integrity and confidentiality
Personal data should be processed in a manner that ensures appropriate security for the data, using suitable technical or organizational security measures.
This principle implies that the university, as the data controller, should have a framework for information security. Following this principle also means that personal data, with the aim of ensuring integrity and confidentiality, should be handled in accordance with this framework.
You are responsible for complying with the fundamental principles relating to processing of personal data. You must also be able to demonstrate that you comply with them and how you do so.
This means that not only do you need to comply with GDPR, you also need to demonstrate how you are doing it. This could be done by documenting statements and decisions regarding the personal data you process, store, share and the reasons for doing so in for example for example a processing register, such as PULU for research.
Lund University has an external Data Protection Officer; Secure State Cyber AB and the contact person at Secure State Cyber AB is Sanja Hebib.
Do you have questions regarding data protection - please contact:
dataskyddsombud [at] lu [dot] se (dataskyddsombud[at]lu[dot]se)