In order to process personal data, you must have a legally valid reason, a so-called legal basis, for why processing should be carried out. For those working at Lund University, there are five legal bases.
Legal basis for processing personal data
1. Legal obligation
If there is a law, ordinance or collective agreement which states that the University must carry out certain tasks, you are allowed to process the personal data that is necessary for them to be carried out. This means, for example, that personal data is to be archived in the same way as other records and documents. It is also to be available as official documents. This does not apply to confidential data.
Legal obligation is a common legal basis within human resources that is to a large degree based on laws, ordinances or collective agreements.
2. Exercise of public authority
You are allowed to process personal data when it is necessary as an element in exercising public authority. The exercise of public authority at the University includes admission of students, examinations or the issuing of degree certificates.
3. Public task
A public task is a task the University has been assigned by the parliament or Government. The Higher Education Act states that the University’s task is to conduct education, research and to “include third stream activities and the provision of information about their activities, as well as ensuring that benefit is derived from their research findings.” When working on these tasks, you are allowed to process personal data that is necessary to carry out these tasks.
Public tasks include:
- necessary support operations such as governance and management, finance, provision of premises, IT support et cetera.
- contract education
- alumni activities
- public events
- online information
Public task is the most important legal basis for the University, as most of the University’s activities involve research, education, external engagement or the direct support of these activities.
4. Agreement
Processing personal data is permitted when it is required to fulfil agreements that the University has entered into or will enter into with an individual.
5. Consent
In certain instances, a person can give their consent for the University to process their personal data. Bear in mind that the consent needs to be voluntary, informed and documented. You are not to ask people who are in some way dependent on the University for their consent. This means that as a rule you cannot use consent as a legal basis for staff and students.
You can read more about consent on the Consent page.
Sensitive personal data
The processing of sensitive personal data sometimes requires grounds in addition to a legal basis. Above all, there is a requirement that it is actually necessary to process the specific data in question. The same applies to the processing of personal identity numbers.
Lund University has an external Data Protection Officer, Secure State Cyber AB. The contact person at Secure State Cyber AB is Per Bergstrand.
If you have questions regarding data protection, please contact:
dataskyddsombud [at] lu [dot] se