Antingen stödjer din webbläsare inte javascript, eller är javascript inaktiverat. Denna webbplats fungerar bäst om du aktiverar javascript.

The General Data Protection Regulation (GDPR) is the law that applies to the processing of personal data and was introduced by all member states of the EU on 25 May 2018. The regulation stipulates that all processing of personal data carried out must comply with the fundamental principles set out in the General Data Protection Regulation.

The university's responsibilty and the student's responsibility

The university is responsible for students' processing of personal data within the framework of their studies, so-called personal data controller. This means that you as a student have an obligation to ensure that your own personal data processing takes place in accordance with the university's decided rules when working with, for example, essays, assignments and degree projects.

Students' processing of personal data

Processing of personal data within the framework of education may only take place in accordance with the university's rules and guidelines and on the teacher's instructions or after the teacher's/supervisor's approval. Processing of personal data is a broad concept and includes all actions that are carried out with the personal data electronically. Examples of processing are collection, registration, organisation, structuring, storage, processing, alteration, retrieval, reading, use, disclosure, dissemination or otherwise provided, adjustment or combination, restriction, deletion or destruction of personal data.

Sensitive personal data (i.e. both sensitive and personal data that warrants extra protection) may never be processed in first- and second-cycle education.

Personal data

Personal data means any information relating to an identified or identifiable natural person. The decisive factor is that the information, individually or in combination with other data, is capable of identifying a living person. Examples of personal data are personal identity numbers, names, contact details such as email addresses, electronic identities of various kinds such as usernames on social media, as well as image and/or audio recordings. This and other personal data that appears in interview responses, questionnaire responses, images and other collected empirical data are covered by these rules.

Please note that even if you do not know or even have the opportunity to find out who the person is, it may be processing of personal data. It is sufficient that someone can link the data to a natural person for it to be considered as personal data. In order to determine whether a natural person is identifiable, you must consider the possibility of additional information, as well as any means that may reasonably be used to directly or indirectly identify the natural person.

Sensitive personal data

The General Data Protection Regulation lists special categories of personal data that are considered particularly sensitive and therefore have a stronger protection, so-called sensitive personal data. As a general rule, sensitive personal data may not be processed by students during their studies.

Exceptions to this are if your degree project is part of a larger research project, which has an ethical approval from the Swedish Ethical Review Authority. You may also process sensitive and personal data that warrants extra protection during internships (i.e VFU), provided that the placement allows it and that the processing is not part of an essay, presentation or the like.

Sensitive personal data is personal data that reveals:

  • Ethnic origin
  • Political views
  • Religious or philosophical beliefs
  • Trade union membership
  • Health
  • Sex life or sexual orientation
  • Genetic data
  • Biometric data to uniquely identify a natural person

In addition to the information listed above, there are other types of personal data that are particularly worthy of protection according to Swedish Authority for Privacy Protection. These can be, for example:

  • Salary information
  • Data on violations of the law
  • Evaluative data, such as data from performance appraisals, data on the results of personality tests or personality profiles
  • Information relating to someone's private sphere
  • Data on social conditions

Checklist for the processing of personal data