General Data Protection Regulation (GDPR) – how it works

The General Data Protection Regulation (which entered into force on 25 May 2018) has significant consequences for the way we process personal data in our activities. We have to provide clear information about who is responsible for all processing of personal data, e.g. storage, communication and calculations, and how this is organised.


We are still allowed to process personal data, but there has to be a clearly specified purpose, the processing must be necessary for the purpose and there must be a lawful basis for the processing. All personal data must be protected using technical and other measures.


Personal data processing must be notified and recorded centrally. You will find links for this under point 5 below.

Data protection policy – here you can read about how Uppsala University processes personal data.


Further information about:

  1. Personal data and sensitive personal data

  2. Processing of personal data

  3. Lawful/legal basis

  4. Personal data processing in different activities. Information to follow shortly.

  5. Notification of personal data processing

  6. Technical safeguards

  7. Individuals’ rights

  8. Contact details

1a. Personal data

  • Any information relating to an identified or identifiable person, e.g.:

  • a name

  • an identification number

  • location data or an online indicator

  • one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

1b. Sensitive personal data

  • Racial or ethnic origin.

  • Political opinions.

  • Religious or philosophical beliefs.

  • Trade union membership.

  • Health.

  • Sex life or sexual orientation.

  • Genetic data.

  • Biometric data that uniquely identify a person.

2. Processing of personal data

‘Processing’ means anything done with personal data, e.g. collection, recording, storage, adaptation, dissemination.

3. Lawful basis

All processing of personal data must have a lawful basis (a legal ground). There are six lawful bases:

  1. Consent: must be informed, freely given and given by a positive action.

  2. Contract: to perform a contract or at the request of the data subject before entering into a contract.

  3. Legal obligation: if the processing of personal data is necessary to comply with other legal provisions.

  4. Protection of vital interests: if the processing is necessary to protect someone’s vital interests (e.g. in health care).

  5. Task carried out in the public interest or in the exercise of official authority: if the purpose of the processing is deemed to be of public interest (e.g. research, studies) or if the processing is necessary in the work of a public authority.

  6. Legitimate interests (balance of interests): if legitimate interests in processing outweigh the interest of protecting an individual’s rights. (This basis cannot be used by a public authority when performing its official tasks.)

4. Personal data processing in different activities

The introduction of the GDPR means that everyone who processes personal data must review their procedures and consider how they can best look after the rights of the people whose personal data they are processing. This does not mean that personal data processing is no longer allowed. Personal data may be processed as long as it is done in the right way.

You may process personal data if the processing meets all the following criteria:

  • The processing is necessary. (The task cannot be performed without personal data.)

  • The processing has a lawful basis.

  • The processing complies with the general principles.

  • The processing is protected by organisational and technical safeguards.

If you would you like to find out more about this, read the information in the roles listed below. Do have a look at the information in role descriptions other than your own. The more knowledge we can spread about the GDPR, the better we can protect individuals’ rights.

5. How to provide notification of personal data processing

There are two types of processing. Fill in the right form for registration centrally in the University’s main register (W3D3). The notifications will then be compiled into reports for statistical purposes and other follow-up.

  1. The University is the controller: provide notification of your personal data processing here.

  2. The University is processing personal data on behalf of another entity: provide notification that you are processor here.

  3. If you would prefer to register your processing of personal data in English: please use this link.

6. Information security

Personal data processing must be protected by technical and other measures, depending on the consequences that a loss of information, for example, would have.

Information classification is one method you can use to determine what level of protection is necessary and sufficient. More about information security.

7. Rights of data subjects

The GDPR provides data subjects with certain rights. In brief, data subjects must be given control over their own data by receiving information about if, when and how their personal data are processed. The GDPR strengthens these rights compared with the Swedish Personal Data Act. In certain cases, data subjects have the right to have their data rectified, erased or blocked. They can also receive their personal data or transfer them to another controller. If you want to exercise your rights, see the contact details below.

8. Contact us

If you need any help, you are welcome to contact the data protection officer, preferably using the questionnaire.

Contact the data protection officer at Uppsala University by email at