The new regulation
As of the 25th of May 2018, all processing of personal data must be done according to the General Data Protection Regulation, the GDPR. It is binding and applicable. This means that the current Swedish law for processing personal data, Personuppgiftslagen, also known as PUL, will no longer be in effect.
For more information, see the page on processing of personal data at Uppsala University.
The purpose of the GDPR is to standardize European legislation on processing personal data. It will expand the rights of the data subjects and aims to give European citizens control of their personal data, as they will get easier access to their data and the rights to correct, remove and erase it from processing.
Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data (whether or not by automated means) such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Processing of personal data
To ensure Uppsala University’s compliance with the GDPR, all processing of personal data needs to be registered. This also applies to processing that commenced before the 25th of May 2018. In the next tab you will find the e-form to be used. To be able to fill in the form properly, we recommend that you first read through the information on the University’s webpage on processing of personal data. There you will find definitions, explanations and various food for thought on processing personal data. The information on lawful basis is especially important to read before you start your processing.
The processing of personal data that you perform must meet the requirements of the regulation, which include general principles. For the person processing the data, they can be translated as:
Identify which lawful basis you have for your processing before it starts.
Define the purpose before the processing starts. The personal data may not be used for other purposes at a later date.
Do not use the personal data for other incompatible purposes.
Only collect the data that is necessary.
Do not collect more data than what is necessary in relation to the purpose.
Make sure the data is correct and updated.
Protect your gathered data.
Erase the data when no longer needed.
Inform the data subjects in an open, transparent and honest way about the processing.
When the processing is concluded, your processing of personal data should be unregistered. This applies, for example, if the purpose has been fulfilled or if, for some reason, the processing is no longer needed.
Rights of the data subjects
All data subjects who in any way have their personal data processed have the right to know what personal data the University is processing. This information needs to be available at any time during the course of the processing if the data subject demands it. The data subject also has the following rights (please note that this list is not complete):
The right to be informed that their data is being processed.
To know the purpose and lawful basis of the processing of data.
To know how long the processing will last.
The right to complain to the Swedish supervising authority, Datainspektionen.
To get incorrect data corrected.
To object to the processing.
The right to data portability.
For more information about the rights of the data subjects, see here.
Data controller and data processor
Uppsala University is the data controller for the personal data processed at the University and can be held responsible for having processes that are not compliant with the regulation. To be compliant with the regulation and to be able to give the data subjects their rights, Uppsala University needs to know what personal data is being processed and where it is being processed. Therefore, please take great care when filling out the form and try to be as accurate as possible. If you need help, you can hover the mouse pointer over the small question marks located after some of the expressions and questions. Doing this will provide you with a short explanation or an example of what is asked for.
In some cases Uppsala University may be the processor rather than the controller. This is the case when the University processes personal data on behalf of another party, the controller. This relationship is regulated through a data processing agreement. In this case the processing should still be registered, but using a different e-form.
Personal data breach
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. If a personal data breach occurs, it is of the most urgent importance that it is reported to the Data Protection Officer. The University has a responsibility to report data breaches to the supervising authority within 72 hours.
For more information on personal data processing and the General Data Protection Regulation, it is recommended that you visit the webpage for processing of personal data at Uppsala University. There you will find information about the obligations of the controller and the rights of the data subjects.
Adequacy of the protection of personal data in non-EU countries, click here