To process personal data, you must have a legally valid reason, a so-called legal basis, for carrying out the processing. For those working at Lund University, there are five legal bases, of which the most common in education, research, and collaboration are the task of public interest and the exercise of public authority.
1. Task of public interest
Task of public interest is the most important legal basis for the University, as most of the University’s activities involve research, education, external engagement or the direct support of these activities.
A public task is a task the University has been assigned by the parliament or Government. The Higher Education Act states that the University’s task is to conduct education, research and to “include third stream activities and the provision of information about their activities, as well as ensuring that benefit is derived from their research findings.” When working on these tasks, you are allowed to process personal data that is necessary to carry out these tasks.
Public tasks also include:
- necessary support operations such as governance and management, finance, provision of premises, IT support et cetera.
- contract education
- alumni activities
- public events
- online information
2. Exercise of public authority
You are allowed to process personal data when it is necessary as an element in exercising public authority. The exercise of public authority at the University includes admission of students, examinations and the issuing of degree certificates.
3. Consent
In certain instances, a person can give their consent for the University to process their personal data. Bear in mind that the consent needs to be voluntary, informed and documented. You are not to ask people who are in some way dependent on the University for their consent. This means that as a rule you cannot use consent as a legal basis for staff and students.
4. Legal obligation
If there is a law, ordinance or collective agreement which states that the University must carry out certain tasks, you are allowed to process the personal data that is necessary for them to be carried out. This means, for example, that personal data is to be archived in the same way as other records and documents. It is also to be available as official documents. This does not apply to confidential data.
Legal obligation is a common legal basis within human resources that is to a large degree based on laws, ordinances or collective agreements.
5. Agreement
Processing personal data is permitted when it is required to fulfil agreements that the University has entered into or will enter into with an individual.
Sensitive personal data
The processing of sensitive personal data sometimes requires grounds in addition to a legal basis. Above all there is a requirement that it is actually necessary to process the specific data in question. The same applies for the processing of personal identity numbers.
Lund University has an external Data Protection Officer, Secure State Cyber AB. The contact person at Secure State Cyber AB is Sanja Hebib.
If you have questions regarding data protection, please contact:
dataskyddsombud [at] lu [dot] se