General Data Protection Regulation (GDPR) - teach and supervise

Principles for processing personal data

Any information that can directly or indirectly be linked to a living person is personal data. This means that personal data are not only things like names and national identification numbers, but also usernames, e-mail addresses, biometrics, physiological data and any combination of data that make it possible to link the information to a living person. All processing of personal data must comply with the principles of the General Data Protection Regulation which states that:

• the processing must be in a lawful, fair and transparent manner in relation to the data subject,
• all information must be accurate and updated,
• all information must be processed in a secure manner,
• the information may only be collected for specific, explicit and legitimate purposes,
• the information may not be too extensive in relation to the purpose, and
• the information may not be used in the form of personal data for longer than what is required for processing.

The first three items, that processing is lawful, and that the data is correct and treated safely can be said to be self-evident, but the latter three constitutes limitations on how we previously processed personal data. In the past, we often gathered what information we were able to get, thinking that we might need the information sometime in the future. However, according to the new regulation, when we gather information, we need to know the purpose in order to ensure that we do not collect more than what is necessary, and we must also know how long we will use the information (even if we may not be able to give an exact end date).

Permitted grounds for processing

In addition to having to comply with all six principles, the processing must also be lawful. There are six permitted grounds for processing, and it is sufficient for one of them to be met for the processing to be allowed.

• Consent - the data subject (at least 13 years old) has given his/her informed consent to the treatment. Consent must be documented and may be revoked at any time.
• Processing is necessary to fulfill an agreement in which the data subject is involved.
• Processing is necessary to fulfill a legal obligation.
• Processing is necessary to protect interests that are of fundamental importance to the data subject.
• Processing is necessary for carrying out a task in the public interest or in the exercise of the official authority vested in the controller.
• Processing is necessary for the purpose of the legitimate interests of a third party (except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject). Note that the possibility of using this reason is heavily restricted to us as a public authority.

In regard to the university, much of our activities fall under the exercise of official authority. (the exercise of authority is used in the regulation in a broader interpretation than normal for those in Sweden and includes what we do within our duties as a public authority). Here, we can find everything relating to education and examination. Furthermore, our research is considered to be in the public interest. The work that our students produce, mainly within the framework of their degree projects, is unlikely to be in the public interest and should preferably be based on consent (more about the student processing of personal data follows). Other grounds may be applicable depending on the circumstances and in case of uncertainty you should contact the Data Protection Officer (dataskyddsombud@lnu.se).