General Data Protection Regulation (GDPR) – how it works
The General Data Protection Regulation (which entered into force on 25 May 2018) has significant consequences for the way we process personal data in our activities. We have to provide clear information about who is responsible for all processing of personal data, e.g. storage, communication and calculations, and how this is organised.
We are still allowed to process personal data, but there has to be a clearly specified purpose, the processing must be necessary for the purpose and there must be a lawful basis for the processing. All personal data must be protected using technical and other measures.
Personal data processing must be notified and recorded centrally. You will find links for this under point 5 below.
Data protection policy – here you can read about how Uppsala University processes personal data.
Further information about:
-
Personal data processing in different activities. Information to follow shortly.
-
Any information relating to an identified or identifiable person, e.g.:
-
a name
-
an identification number
-
location data or an online indicator
-
one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
-
Racial or ethnic origin.
-
Political opinions.
-
Religious or philosophical beliefs.
-
Trade union membership.
-
Health.
-
Sex life or sexual orientation.
-
Genetic data.
-
Biometric data that uniquely identify a person.
2. Processing of personal data
‘Processing’ means anything done with personal data, e.g. collection, recording, storage, adaptation, dissemination.
All processing of personal data must have a lawful basis (a legal ground). There are six lawful bases:
-
Consent: must be informed, freely given and given by a positive action.
-
Contract: to perform a contract or at the request of the data subject before entering into a contract.
-
Legal obligation: if the processing of personal data is necessary to comply with other legal provisions.
-
Protection of vital interests: if the processing is necessary to protect someone’s vital interests (e.g. in health care).
-
Task carried out in the public interest or in the exercise of official authority: if the purpose of the processing is deemed to be of public interest (e.g. research, studies) or if the processing is necessary in the work of a public authority.
-
Legitimate interests (balance of interests): if legitimate interests in processing outweigh the interest of protecting an individual’s rights. (This basis cannot be used by a public authority when performing its official tasks.)
4. Personal data processing in different activities
The introduction of the GDPR means that everyone who processes personal data must review their procedures and consider how they can best look after the rights of the people whose personal data they are processing. This does not mean that personal data processing is no longer allowed. Personal data may be processed as long as it is done in the right way.
You may process personal data if the processing meets all the following criteria:
-
The processing is necessary. (The task cannot be performed without personal data.)
-
The processing has a lawful basis.
-
The processing complies with the general principles.
-
The processing is protected by organisational and technical safeguards.
If you would you like to find out more about this, read the information in the roles listed below. Do have a look at the information in role descriptions other than your own. The more knowledge we can spread about the GDPR, the better we can protect individuals’ rights.
-
Financial administrator (staff in financial administration)
-
Course administrator – information to follow shortly.
-
Student – information to follow shortly.
-
Systems manager – information to follow shortly.
-
Communications officer – information to follow shortly.
5. How to provide notification of personal data processing
There are two types of processing. Fill in the right form for registration centrally in the University’s main register (W3D3). The notifications will then be compiled into reports for statistical purposes and other follow-up.
-
The University is the controller: provide notification of your personal data processing here.
-
The University is processing personal data on behalf of another entity: provide notification that you are processor here.
-
If you would prefer to register your processing of personal data in English: please use this link.
Personal data processing must be protected by technical and other measures, depending on the consequences that a loss of information, for example, would have.
Information classification is one method you can use to determine what level of protection is necessary and sufficient. More about information security.
The GDPR provides data subjects with certain rights. In brief, data subjects must be given control over their own data by receiving information about if, when and how their personal data are processed. The GDPR strengthens these rights compared with the Swedish Personal Data Act. In certain cases, data subjects have the right to have their data rectified, erased or blocked. They can also receive their personal data or transfer them to another controller. If you want to exercise your rights, see the contact details below.
8. United Kingdoms’ exit of the European Union (EU)
United Kingdoms’ exit of the European Union (EU), the so called Brexit is a current issue in many of Uppsala universitet’s scope of practices, and particularly in regards to processing of personal data. Currently there is ongoing work to map out the legal consequences of different versions of Brexit along with preparation for the different possible scenarios.
For processing of personal data the exit could result in two different scenarios:
Brexit with a withdrawal agreement: In this scenario, we would have to await the forthcoming legislature to understand how personal data could be transferred to the United Kingdom. A possible inclusion in a withdrawal agreement is that the European Union proclaims that the UK has an adequacy decision. This means that the EU deems the UK to have adequate safeguards in place so that the data processing agreements between a data controller and a data processor are treated the same way, and can have the same form, as a data processing agreement between two European Union member states are. In practice this would entail that the model agreement on processing of personal data provided by the Legal Affair Division would continue to be used in processing where personal data is transferred to the UK.
Brexit without a withdrawal agreement: In this scenario, UK will be a so called third country. This severely limits the possibility to transfer personal data to the UK. Data processing agreements with third countries needs to contain the by the EU decided upon standard contractual clauses (SCC’s) that have been put in place to protect the rights of the data subjects.
This means that previously agreed upon data processing agreements will need to be renegotiated.
As soon as more information is available, this page will be updated accordingly.
If you have questions in general about processing of personal data and Brexit you can pose these to the Data Protection Officer: dataskyddsombud@uu.se
If you have questions about an existing or planned data processing agreement with a party in the UK you can pose these to the Legal Affairs Division: juravd@uadm.uu.se
If you need any help, you are welcome to contact the data protection officer, preferably using the questionnaire.
Contact the data protection officer at Uppsala University by email at dataskyddsombud@uu.se