General Data Protection Regulation (GDPR) - teach and supervise

Step 6 - Obtain consent, inform the data subjects and collect the necessary personal data

Personal data may only be processed if there is a legal basis for the treatment. The General Data Protection Regulation specifies a number of grounds that are considered admissible, but for a degree project, it is in practice only consent that may be used (if it is not possible to use consent, you should discuss this with your supervisor and the Data Protection Officer to see if another solution can be found). Using consent as a basis means that the data subject gives his or her active consent to the processing. This means in practice that you clearly describe what information you want to collect, what it is to be used it for and by whom, how long the data will be used, that there is a possibility to request to see the collected the information and that it is possible to contact the Data Protection Officer or Datainspektionen with complaints. After the data subjects have read the information, he /she can consent to the treatment and the processing of the data is then permitted. It is important to know that consent must be documented and stored so that it can be presented upon request, and that the data subject is entitled to withdraw his / her consent at any time. If the data subject has agreed to the treatment, sensitive data may also be processed (note that sensitive data imposes high security requirements in the processing).

Permitted grounds for processing

The General Data Protection Regulation only permits the processing of personal data if there is a legal basis for processing. For student essays, consent is normally the appropriate basis. Consent means that the data subject accepts that the information is processed (this requires that the data subject is at least 13 years old, otherwise, the custodian's consent is required) and in order for this to be done properly, he or she must have knowledge of what information will be used and for what purpose. The consent must also be voluntary, and it should be done in such a way that it is documented and can be displayed as needed. It is also important to remember that a consent can be revoked at any time by the data subject and the data will normally no longer be allowed to be processed. Exceptions may exist if, for example, the material has been published, filed or processed with another legal basis. In cases of uncertainty, the Data Protection Officer should be contacted. 

Informing the data subject

At the time of collection, the data subject will receive information about the data collected. This is easy in cases where the data is collected directly from the data subject, but the requirement normally also applies when retrieving data from another source (see section on exemption from the information obligation below). Information shall be provided about:

• the purpose of the treatment,
• the legal basis for the treatment (usually consent),
• how long the information will be used,
• who will use the data,
• that the university is the controller and as such responsible for processing,
• that the data subject has the right to access the data and have errors corrected,
• that there is a data protection officer that can be accessed via dataskyddsombud@lnu.se and,
• that the data subject can contact Datainspektionen with any complaints that the university and the data subject cannot resolve.

The purpose is simply stated the purpose of the work and is to be described in a simple and easily accessible manner (see Step 2 ). There is no need for lengthy explanations, a brief description should suffice, of what you intend to use the information collected for. The data subject has the right to know what the collected data will be used for and the person collecting and processing personal data has a duty to clearly state the purpose of the work. The matter of legal basis applies to which of the grounds described in the 6th article of the regulation that applies but for the degree work, as mentioned above, usually no other basis than consent applies. No lengthy descriptions are needed, but the information about the various points must be clear and to the point. 

Exemptions from the obligation to provide information

If personal data that has already been collected will be processed, it may be possible not to inform the data subject on two occasions. The first occasion is when the data subject is already informed, i.e. the data was previously collected for scientific use, which is in line with the treatment to be carried out through the degree project. Personal data collected for scientific treatment at the university can thus be reused without the data subject being informed again of each new use as long as information about this has been made at the original collection.

The second occasion is when it is impossible or would cause a disproportionate effort to inform. Perhaps there are personal data needed for the work, but no contact details. It may then be possible to process the data without informing the data subject, but there must be a balance between the difficulty of informing and the amount of risk that the data subject may be exposed to in order to determine what is a disproportionate effort. In cases of uncertainty, the Data Protection Officer should be contacted.

Although there may be occasions when you do not need to inform the data subject, this only applies to the obligation to inform and the other rules for the processing still apply.

The rights of the data subject

The person whose data is being processed has a number of rights that are important to consider. As mentioned, this applies to the right to receive information about what the data will be used for (the purpose of the processing), what information is collected, how long the data will be kept (or what determines how long), and the right to access the data that is registered about their own person. Furthermore, the data subject also has the right to object to the treatment, have incorrect information corrected, revoke consent (without giving any reason), and the data subject is also entitled to complain to Datainspektionen if he or she considers the treatment to be incorrect.

The right to delete data or restrict a treatment is not an absolute right and there may be reasons to not comply with such a request. For a degree project, for example, it may be the case that when a work has been published and the data archived for future research purposes it could be damaging if the information was erased. In cases of uncertainty about what to delete and what to keep, the Data Protection Officer should be contacted. In general, the processing of personal data should be transparent and clear to the data subject and, whenever possible, we should respect the wishes of the data subject.