Personal data and data protection

Data protection and privacy is about protecting personal data in accordance with requirements set out in legislation, e.g. GDPR. On this page you can read about privacy and data protection at Stockholm University. The information has been designed by the Data Protection Officer (DPO) at Stockholm University.

Personal data is information through which a natural person can be identified. In order for information to be considered to also constitute personal data, the decisive factor is that the information, individually or in combination with other data, can be linked to a living person. At Stockholm University, personal data is processed within all operations. The University is obliged to protect the personal data that it processes in accordance with the legislation that applies to personal data. The protection of personal data is usually referred to as “data protection”, and the legislation that applies in this area can therefore be summarised as data protection legislation. The overarching regulation is the General Data Protection Regulation, commonly known as the GDPR[i].

The Swedish Data Protection Act[ii] is a complementary national law, and the Ethical Review Act[iii] also contains provisions tied to personal data. In other respects, data protection always accords with the laws and regulations that apply to the University in general. Thus, data protection entails a relatively complex regulatory framework that places demands on all enterprises in relation to how they may handle personal data. There are three overarching requirements: Documentation, Transparency and Security. Below you will find information and recommendations regarding the handling of personal data within Stockholm University’s operations. The information and recommendations have been formulated by the Data Protection Officer at Stockholm University. Read more about the role of the Data Protection Officer under “Roles and responsibilities”.

The Data Protection Officer

At Stockholm University there is a data protection officer (DPO), located at the Legal Department, the Chancellor’s office. The DPO gives advice to the university and monitors the university’s compliance with the data protection rules and regulations and other data protection provisions. The DPO continuously reports to the vice-chancellor and university director, as well as annually to the university’s board.

According to the GDPR, the DPO shall be independent in the role and shall not decide how the personal data controller should manage issues related to data protection. However, the DPO can issue recommendations to the personal data controller based on the officer’s knowledge of the legislation in relation to the organization in which the officer operates. According to the European Data Protection Board, if an organization chooses not to follow the DPO’s advice, it should document its reasons for doing so. On this page you will find recommendations from the DPO regarding personal data processing within Stockholm University (in Swedish).

Personal data

Personal data refers to all information that can be tied to a living, natural person, either directly or indirectly. Personal data is more than just names, addresses and personal identity numbers. It also includes, e.g., images (photos) and audio recordings of people that are processed/stored in a computer, even if no names are mentioned. Information that indirectly and/or aggregately may entail the identification of a natural person is considered personal data. If they can be tied to natural persons, encrypted, encoded, or pseudonymised data and various types of electronic identities, such as IP addresses, are also considered to constitute personal data. You can read more about the concept of personal data on the website of the Swedish Authority for Privacy Protection (IMY).

Sensitive personal data and data particularly worthy of protection

Which personal data is considered sensitive is stated in the data protection legislation. Sensitive personal data is information about

  • ethnic origin
  • political views
  • religious or philosophical belief
  • membership in a trade union
  • health
  • a person’s sex life or sexual orientation
  • genetic data
  • biometric data that uniquely identify an individual

Personal identity numbers and coordination numbers are not sensitive personal data. However, in the Swedish Data Protection Act, personal identity numbers and coordination numbers have been given special protection and are therefore considered to be particularly worthy of protection. According to the law, personal identity numbers and coordination numbers may only be processed when it is clearly justified with regard to the purpose of the processing, the importance of secure identification, or some other noteworthy reason, or if special law allows it.

Special requirements apply to sensitive personal data and data that is particularly worthy of protection, especially when it comes to the security of the data. Read more about what applies to the processing of sensitive data and data that is particularly worthy of protection on the website of the Swedish Authority for Privacy Protection (IMY).

Processing

Processing means any action that someone in the University takes with personal data. In the GDPR, processing is defined as: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Pseudonymised personal data

Pseudonymised personal data means that an individual’s personal identity number and name have been replaced with a code or similar. The code can be re-linked to their name and personal identity number via a code key. The code key and encoded data should not be kept together. As long as there is a code key that can be used to identify the individuals, the pseudonymised data is still considered personal data and is subject to data protection legislation, even if you do not have access to the code key.

Anonymised data

Pseudonymised data is anonymised when the code key is destroyed and it is no longer possible to tie a person to the data. Anonymised data is not considered personal data and is not subject to data protection legislation. Pseudonymised data that is aggregated could be considered anonymised, provided that it is ensured that it is not possible to trace the individuals to which it relates.

It is important to understand the various roles highlighted in the data protection legislation. To meet the requirements of the legislation, employees at Stockholm University who process personal data must understand and document the role of the University and other parties involved in the processing. The legislation also requires agreements between different roles that clarify the responsibility for personal data processing.

Data subjects

“Data subjects” is the term used to refer to the individuals whose personal data the University processes, i.e., the individuals who are affected by the personal data processing and whose information the University handles in some form. For example, this could be employees and students, research subjects, or contractors, etc. In simple terms, data subjects could be said to be the protagonists of data protection legislation, as it is the data subjects’ data that must be adequately protected and taken care of. Data protection legislation grants data subjects a number of rights, such as the well-known “right to be forgotten” (more on the rights of data subjects below).

Data protection officer

The data protection officer is a representative of the data subjects and thus has an independent role. Most organisations and businesses that process personal data are required by law to appoint a data protection officer. The task of the data protection officer is to supervise the organisation’s compliance with data protection legislation. This can be done partly through controls, but also through information and advice to the organisation. For example, the data protection officer may issue recommendations to the data controller. The data protection officer cannot take over the data controller’s duties in relation to the legislation or assume its responsibility. In practice, this means that those working at the University need to understand the right with which they carry out personal data processing and ensure that the legislation is complied with by meeting the requirements for documentation, transparency and risk analyses imposed by the legislation.

The Swedish Authority for Privacy Protection

Each Member State must have a supervisory authority to supervise the application of data protection legislation. In Sweden, the Swedish Authority for Privacy Protection (IMY) supervises businesses and organisations that must comply with data protection legislation. Private individuals who are dissatisfied with how a business or organisation processes their personal data can file a complaint with the Swedish Authority for Privacy Protection, and the Swedish Authority for Privacy Protection can make a decision and issue administrative fines if they assess that an organisation or business does not comply with the legislation.

Data controller

The organisation/business that decides why and how personal data is to be processed is the data controller. An organisation/business can be the sole controller or a joint controller together with another enterprise. Responsibility for personal data processing at Stockholm University follows the decision-making and delegation procedures that apply at the University. This means that the President has overall responsibility that is delegated to the various branches of activity within the University, which in turn must ensure that they comply with the regulations.

Joint controller

If the University decides why and how personal data is to be processed together with another party, e.g., in collaboration and research, this entails a joint responsibility for the personal data. In the case of joint responsibility, the legislation requires an agreement between the parties. The legislation’s requirement that an agreement exist is intended to ensure that responsibility and performance are clear; i.e., to whom the data subjects must turn in order to exercise their rights. The University’s legal department provides a template for joint controller agreements (link to Word template).

Sole controller

Sometimes there are flows of personal data between two organisations without the situation involving joint responsibility or someone acting as a data processor on behalf of another party. In these cases, the organisations are solely responsible for their processing (sole controllers). It is important to bear in mind that the purposes of the various processing operations must be compatible with each other in order for the transfer of data from one party to another to be permitted.

Example: When an employer sends personal data to the occupational health service for the purpose of improving the work environment for the employee, and the health care company then processes the data for the purpose of offering care to that individual, the two different organisations have sole responsibility and the purposes of the different processing are still compatible with each other.

Sometimes there may be a request and a reason to regulate the flow of data between two sole controllers in a data sharing agreement. For advice, please contact the university’s legal department (link to “Ask a lawyer”).

Data processor

A business or organisation that processes personal data on behalf of another party and according to that party’s instructions acts as a data processor. A data processor does not have its own purpose for the processing; it only processes data on behalf of another party (i.e., the data controller). A data processor cannot control the processing of personal data or change the purpose of the processing. It always acts on behalf of the data controller. Stockholm University acts as a data processor only in exceptional cases. Typical data processors are suppliers of IT systems and suppliers of so-called cloud services that store and process personal data on behalf of the data controller. If you need a data processing agreement, there are standard contractual clauses for data processing agreements (approved by IMY). Please note that standard contractual clauses may not be changed. This template (link to Word template) can also be used if you need a data processing agreement, and that template can be adapted.

Stockholm University is obliged to keep a register of its personal data processing. The register should not contain the personal data of the data subjects as such, but should contain information about the various forms of personal data processing that occur at the University. According to the legislation, a register must contain:

  • Contact details for the data controller (i.e., contact details of the person who has been delegated responsibility for the personal data processing in question according to a decision-making and delegation procedure)
  • Contact details of the data protection officer
  • The purposes of the processing and the legal basis for it (why the processing takes place and its support in the legislation; read more “here” (link))
  • Description of categories of data subjects (e.g., “students”, “employees”)
  • Description of categories of personal data (e.g., “name and e-mail address”)
  • Categories of recipients to whom the personal data has been or will be disclosed (e.g., IT supplier), if this is possible to specify (e.g. “the Swedish University Computer Network, the Swedish Research Council”)
  • Transfer of data to third countries (which country and the legal basis for the transfer)
  • The period of storage and erasure of the data
  • Description of the technical and organisational security measures applied to the processing in question

Stockholm University’s register

The Legal department at the Chancellor’s office administers the record of processing activities within the central administration. For access to the central administration’s record, contact the data protection officer at dso@su.se.

Other departments must administer their own record regarding the processing of personal data that takes place within the administration of the department, within research projects and within student projects. Each department is responsible for having its own up-to-date record. The record is to be kept in Swedish and departments can use the Excel template Registerförteckning institution, provided by the legal department, for this purpose. The register must be stored at the department, available in electronic format and kept up to date. Upon request, it must be made available to the university’s data protection officer and the Swedish Authority for Privacy Protection. If you have questions regarding the university’s record of processing activities, contact the data protection officer at dso@su.se.

The data protection legislation sets out a number of requirements and main principles that the university needs to follow when processing personal data.

  • The principle of legality, fairness and transparency – The processing of personal data must comply with data protection legislation and be carried out in a transparent manner in relation to the data subject.
  • The principle of purpose limitation – Personal data may only be processed for specified, clearly stated and legitimate purposes.
  • The principle of data minimisation – Only the personal data that is necessary to achieve the purpose may be processed.
  • The principle of accuracy – Personal data must be accurate and up-to-date.
  • The principle of storage limitation – Personal data may not be stored longer than necessary.
  • The principle of integrity and confidentiality – Personal data must be handled securely and be adequately protected.
  • The principle of accountability – The University must, as a controller, be able to demonstrate compliance with the principles.

Legality

In order for personal data processing to be lawful, there must first and foremost be a legal basis for the processing.

Legal basis

Data protection legislation requires that there is support in one of the GDPR’s defined legal bases for the processing of personal data. The department responsible for the personal data processing must know and document the legal basis for their processing. At the University, five main legal bases are applied, of which the performance of a task carried out in the public interest (Art. 6(1)(e) of the GDPR) is the most common basis for the University’s processing of personal data.

Data of public interest – Art. 6(1)(e) of the GDPR

The GDPR stipulates that personal data processing is lawful if it is necessary for the performance of a task carried out in the public interest, which must be established either by Union law or by the law of a Member State. Therefore, the task of public interest must always be based on a law, ordinance or other mandate given to the University by the Swedish Parliament or the Government, such as appropriation directions.

Chapter 1, Section 2 of the Higher Education Act (1992:1434) states that the University's mission is to conduct education and research and that the University’s mandate shall include collaboration for mutual exchanges with the surrounding community, as well as ensuring that the knowledge and expertise found at the University bring benefit to society. Much of the activities at a higher education institution are based on this mandate, which thus forms the basis for handling the personal data that is necessary to be able to carry out the task.

Examples of public interest missions:

  • Research and collaboration
  • Necessary support activities, such as governance and management, finance, provision of premises, IT support, etc.
  • Contract education
  • Public events
  • Newsletters

Legal obligation – Art. 6(1)(c) of the GDPR

If there is a law, statute or collective agreement that states that the University must process certain data, you are allowed to process the personal data that is necessary to be able to fulfil this duty with the support of this legal basis (legal obligation).

Examples of legal obligations can be found in the Ordinance [1993:1153] on the Reporting of Studies, etc. at Universities and University Colleges (the Ladok Ordinance). It states, inter alia:

  • that the University must document certain information about each student (Chapter 2, Section 3),
  • the purposes for which data in the study register may be used (Chapter 2, Section 2), and
  • to whom the University may disclose data from the study register by virtue of the ordinance (Chapter 2, Section 6).

Exercise of public authority – Art. 6(1)(e) of the GDPR

You are allowed to process personal data when it is necessary as part of the exercise of public authority. For example, at the University, the exercise of public authority corresponds to the admission of students, examination, or the issuance of degree certificates.

Agreement – Art. 6(1)(b) of the GDPR

It is permitted to process personal data when it is necessary for the fulfilment of an agreement that the University has entered into or will enter into with an individual.

Consent – Art. 6(1)(a) of the GDPR

On certain occasions, an individual can give their consent for the University to process their personal data. Keep in mind that consent must be voluntary, informed and documented. You should not ask people who are dependent on the University for their consent. This means that, as a rule, you cannot use consent as a legal basis for employees and students. A common misconception is that consent is always required to process personal data, but in many cases it is not appropriate or even possible to rely on consent. Moreover, if the processing of personal data can be carried out with the support of some other legal basis, consent may not be used. Therefore, consider one of the other legal bases in the first place.

In case of a personal data breach

According to the GDPR, a personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. If a security breach involving personal data occurs, the personal data breach must be documented and, in cases where the data breach is likely to lead to a risk for the data subjects, it must be reported to the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) within 72 hours. The university may also need to inform the data subjects, for example, if there is a risk of identity theft or fraud.

The Data Protection Officer (dso@su.se) must be kept informed of the personal data incident and provides support as needed. In case of a personal data breach, the university must fill out the template regarding a personal data breach (in Swedish only) and send it to the Data Protection Officer. On the Swedish Privacy Agency’s website, you can read more about what a personal data incident is and when an incident must be reported to IMY: www.imy.se

Last updated: 2024-12-18

Source: Division for legal affairs