Application for processing of personal data (GDPR)

formID_#112

  • The new regulation

    As of the 25th of May 2018, all processing of personal data must be done according to the General Data Protection Regulation (GDPR). It is binding and applicable. This means that the current Swedish law for processing personal data, Personuppgiftslagen, also known as PUL, will no longer be in effect.

    For more information, see the page on processing of personal data at Uppsala University.

    The purpose of the GDPR is to standardize European legislation on processing personal data. This will expand the rights of the data subjects and aims to give European citizens control of their personal data as they will get easier access to their data and the rights to correct, remove and erase it from processing.

     

    Personal data

    Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

     

    Processing

    Processing means any operation or set of operations which is performed on personal data or on sets of personal data (whether or not by automated means) such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

     

    Processing of personal data

    To ensure Uppsala University’s compliance with the GDPR, all processing of personal data needs to be registered. This also applies to processing that commenced before the 25th of May 2018. In the next tab you will find an e-form that is to be used. To be able to fill in the form properly, we recommend that you first read through the information on the University’s webpage on processing of personal data. There you will find definitions, explanations and various food for thought on processing personal data. The information on lawful basis is especially important to read before you start your processing.

    The processing of personal data that you perform must meet the requirements of the regulation, which include general principles. For the person processing the data, they can be translated as:

    • Identify which lawful basis you have for your processing before it starts.

    • Define the purpose before the processing starts. The personal data may not be used for other purposes at a later date.

    • Do not use the personal data for other incompatible purposes.

    • Only collect the data that is necessary.

    • Do not collect more data than what is necessary in relation to the purpose.

    • Make sure the data is correct and updated.

    • Protect your gathered data.

    • Erase the data when no longer needed.

    • Inform the data subjects in an open, transparent and honest way about the processing.

    When the processing is concluded, your processing of personal data should be deregistered. This applies, for example, if the purpose has been fulfilled or if, for some reason, the processing is no longer needed.

    Rights of the data subjects

    All data subjects who in any way have their personal data processed have the right to know what personal data the University is processing. This information needs to be available at any time during the course of the processing if the data subject demands it. Data subjects also have the following rights (please note that this list is not complete):

    • The right to be informed that their data is being processed.

    • To know the purpose and lawful basis of the processing of data.

    • To know how long the processing will continue.

    • The right to complain to the Swedish supervising authority, Datainspektionen.

    • To get incorrect data corrected.

    • To erasure.

    • To object to the processing.

    • The right to data portability.

    For more information about the rights of the data subjects, see here.

    Data controller and data processor

    Uppsala University is the data controller for the personal data processed at the University and can be held responsible for having processes that are not compliant with the regulation. To be compliant with the regulation and to be able to give the data subjects their rights, Uppsala University needs to know what personal data is being processed and where it is being processed. Therefore, please take great care when filling out the form and try to be as accurate as possible. If you need help, you can hover the mouse pointer over the small question marks that are located after some of the expressions and questions. Doing this will provide you with a short explanation or an example of what is asked for.

    In some cases Uppsala University may not be the controller but the processor. This is the case when the University processes personal data on behalf of another party, the controller. This relationship is regulated through a data processing agreement. If this is the case, the processing should still be registered, but using a different e-form.

    Personal data breach

    A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. If a personal data breach occurs, it is of the utmost urgency that it is reported to the Data Protection Officer. The University has a responsibility to report data breaches to the supervising authority within 72 hours.

    More information

    For more information on personal data processing and the General Data Protection Regulation, it is recommended that you visit the webpage for processing of personal data at Uppsala University. There you will find information about the obligations of the controller and the rights of the data subjects.

     

    Adequacy of the protection of personal data in non-EU countries, click here

     

  • Below you can register personal data processing executed within your work at Uppsala University. On the form below you will find two tabs:

    • one with information on the data protection regulation, GDPR, and

    • one where you submit information to register your personal data processing.

  • 1. Contact Details

  • Please state whom the Data Protection Officer can contact about the processing of data, i.e. the principal investigator (PI).
  • 2. Name of the filing system (record)

  • Please state the name of the filing system, so that the name used is consistent for both the Data Protection Officer and the contact person (PI).
  • 3. Purpose of the processing of personal data

  • Please state the purpose of processing the personal data, e.g. administrative and economic issues, applications, surveys etc.
  • 4. Categories of data subjects

  • Categories of data subjects concerned by the processing
  • 5. Categories of personal data which will be processed

  • Specify which categories of personal data will be processed
    An identification number is, for example, a social security number or a co-ordination number. Location data is data that tells where a data subject has been or is located. A position can be determined in different ways, for example by GPS systems in cellphones and computers. An online identifier is, for example, an IP address or an email address.
  • 6. Special categories of personal data ("sensitive data")

  • Special categories of data are more commonly known as 'sensitive data'. This includes data concerning health, ethnic origin, political opinions, religious beliefs, philosophical beliefs, sexual orientation, a person's sex life, race, genetics, biometrics (where used for ID purposes) and trade union memberships.
  • If yes - please specify the category/ies of personal data that will be processed
  • 7. The filing system's disclosure to others

  • If yes - please specify which recipients the content will be disclosed to
  • 8. Transfer of personal data to a third country

  • Countries that are a part of the EU: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the UK. Countries that are members of the EEA: All members of the EU and Iceland, Liechtenstein and Norway.
  • 9. Time limit for termination of processing the personal data

  • It is important that the controller specifies the duration of the processing of personal data. If you cannot give an exact date, please give an estimate or explain how the criteria for the duration are set.
  • 10. Lawful basis for processing

  • Specify the legal basis that makes the processing lawful
    Specify which lawful basis the personal data processing is based upon. Processing is lawful if the data subject has consented, if the processing is necessary for a contract, or when you have to take specific steps to enter a contract. It is also lawful if it is necessary to comply with the law (a legal obligation), if the processing is necessary to protect vital interests (to protect someone’s life), if the processing is necessary to perform a task of public interest, or if it is for official functions and has a clear basis in law. It can also be lawful to process personal data for legitimate interests, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
  • 11. Security measures

  • What security measures, technical or organisational, have been implemented to make sure the processing is done in a way that protects the data subjects' data, i.e. pseudonymization, anonymization, encryption?