Application for processing of personal data (GDPR)

  • The new regulation

    As of the 25th of May 2018, all processing of personal data must be done according to the General Data Protection Regulation (GDPR). It is binding and applicable. This means that the current Swedish law for processing personal data, Personuppgiftslagen (also known as PUL), will no longer be in effect.

    For more information, see the page on processing of personal data at Uppsala University.

    The purpose of the GDPR is to standardize European legislation on processing personal data. It expands the rights of the data subjects and aims to give European citizens control of their personal data, as they will get easier access to their data and the rights to correct it, remove it and erase it from processing.

     

    Personal data

    Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

     

    Processing

    Processing means any operation or set of operations which is performed on personal data or on sets of personal data (whether or not by automated means) such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

     

    Processing of personal data

    To ensure Uppsala University’s compliance with the GDPR, all processing of personal data needs to be registered. This also applies to processing that commenced before the 25th of May 2018. In the next tab you will find an e-form that is to be used. To be able to fill in the form properly, we recommend that you first read through the information on the University’s webpage on processing of personal data. There you will find definitions, explanations and various food for thought on processing personal data. The information on lawful basis is especially important to read before you start your processing.

    The processing of personal data that you perform must comply with the requirements of the regulation, which include general principles. For the person processing the data, these can be translated as:

    • Identify which lawful basis you have for your processing before it starts.

    • Define the purpose before the processing starts. The personal data may not be used for other purposes at a later date.

    • Do not use the personal data for other incompatible purposes.

    • Only collect the data that is necessary.

    • Do not collect more data than what is necessary in relation to the purpose.

    • Make sure the data is correct and updated.

    • Protect your gathered data.

    • Erase the data when no longer needed.

    • Inform the data subjects in an open, transparent and honest way about the processing.

    When the processing is concluded, your processing of personal data should be unregistered. This applies, for example, if the purpose has been fulfilled or if, for some reason, the processing is no longer needed.

    Rights of the data subjects

    All data subjects who in any way have their personal data processed have the right to know what personal data the University is processing. This information needs to be available at any time during the course of the processing if a data subject demands it. The data subjects also have the following rights (please note that this list is not complete):

    • The right to be informed that their data is being processed.

    • To know the purpose and lawful basis of the processing of data.

    • To know how long the processing will last.

    • The right to complain to the Swedish supervising authority, Datainspektionen.

    • To get incorrect data corrected.

    • To erasure.

    • To object to the processing.

    • The right to data portability.

    For more information about the rights of the data subjects, see here.

    Data controller and data processor

    Uppsala University is the data controller for the personal data processed at the University and can be held responsible for having processes that are not compliant with the regulation. To be compliant with the regulation and to be able to give the data subjects their rights, Uppsala University needs to know what personal data is being processed and where it is being processed. Therefore, please take great care when filling out the form and try to be as accurate as possible. If you need help, you can hover the mouse pointer over the small question marks that are located after some of the expressions and questions. Doing this will provide you with a short explanation or an example of what is asked for.

    In some cases Uppsala University is not the controller but the processor. This is the case when the University processes personal data on behalf of another party, the controller. This relation is regulated through a data processing agreement. In that case the processing should still be registered, but using a different e-form.

    Personal data breach

    A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. If a personal data breach occurs, it is of the utmost importance that it is reported to the Data Protection Officer. The University has a responsibility to report data breaches to the supervising authority within 72 hours.

    More information

    For more information on personal data processing and the General Data Protection Regulation, it is recommended that you visit the webpage for processing of personal data at Uppsala University. There you will find information about the obligations of the controller and the rights of the data subjects.

     

    Adequacy of the protection of personal data in non-EU countries, click here

     

  • Below you can register personal data processing executed within your work at Uppsala University. On the form below you will find two tabs:

    • one with information on the data protection regulation, GDPR, and

    • one where you submit information to register your personal data processing.

  • 1. Contact Details

  • 2. Name of the filing system (record)

  • 3. Purpose of the processing of personal data

  • 4. Categories of data subjects

  • For example participants in a survey
  • 5. Categories of personal data which will be processed

  • 6. Special categories of personal data ("sensitive data")

  • 7. The filing system's disclosure to others

  • I.e. in physical or electronic formats.
  • 8. Transfer of personal data to a third country

  • A list of countries with an adequacy decision is found in the information tab.
  • 9. Time limit for termination of processing the personal data

  • The mandatory date of expiry is meant to encourage a recurrent evaluation of the need for processing personal data.
  • 10. Lawful basis for processing

  • Scientific work at Uppsala University is regarded as "Common interest".
  • 11. Security measures

  • Information classification is performed by Uppsala University / Security Division