Responsibility for personal data
The University usually processes personal data in the capacity of a personal data controller. However, there are occasions when the University processes personal data as a joint personal data controller, and, to a limited extent, occasions when the University has an assignment as a personal data processor for someone else.
The University’s obligations under data protection legislation differ depending on the role, and the responsibilities that come with it, that the public authority has for specific processing. It is therefore important to be able to assess whether the University is the personal data controller, joint personal data controller or personal data processor for specific personal data processing.
Personal data controller
The University is personal data controller if the public authority independently decides why and how specific processing of personal data is to be carried out.
Joint personal data controller
The University is joint personal data controller if the public authority decides, together with others (e.g. another university), why and how the processing is to be carried out.
Personal data processor
The University is personal data processor when the public authority processes personal data as an assignment for others, i.e. the University processes the personal data according to the other party’s instructions. Considering the University’s tasks to conduct education, research and external engagement, it should be unusual for the public authority to act as personal data processor for someone else.
It is the responsibility of the University, and other organisations that are involved in the processing, to determine who has which role.
There is a checklist that can be used as support for the assessment (opens in new window).
Contact
Lund University has an external Data Protection Officer, Secure State Cyber AB. The contact person at Secure State Cyber AB is Sanja Hebib.
If you have questions regarding data protection, please contact:
dataskyddsombud [at] lu [dot] se