1.1 Background

On 25 May 2018, the General Data Protection Regulation replaced the more than 20 year old Data Protection Directive. Over the years, information technology has developed rapidly, particularly in terms of  the collection and processing of personal data, where companies like Google (founded in 1998) and Facebook (founded in 2004) have grown to become two of the world's largest and most profitable companies selling personal data as their main source of revenue. The protections granted to the individual through the previous Data Protection Directive (in Sweden with the Personal Data Act (PUL)) proved insufficient and therefore, the EU has adopted the new General Data Protection Regulation, which aims to strengthen protection of the personal integrity and establish a uniform regulatory framework for the whole of the EU.

The person or organization handling personal data for persons within the Union shall, regardless of whether the treatment is carried out within or outside Europe, respect the fundamental rights and freedoms of the individual,  in particular, their right to the protection of personal data. What this means in practice for our university and for us as employees is what we aim to convey in this text. The regulation applies to all the processing of personal data; therefore, it is important that we understand the rules governing our work, regardless of, we are responsible for processing or simply handle personal data as a part of our daily work.