Most important parts of the GDPR

A piece of personal data is any piece of information that can be linked to a living natural person.
The GDPR applies to personal data held on media for automated processing (storage media that can be read by a computer) and to personal data in physical documents to the extent that such documents are included in a register.

1. Documentation

Before the collection of personal data begins, the personal data controller (SU) must establish the purpose for which the personal data is to be collected (why you need the information), what processing of the personal data will take place, how long the personal data controller will keep the information (storage time), and on what basis the personal data controller collects and processes the information (legal grounds).

The position taken with regard to the above shall be documented and entered into the University register. If you intend to process personal data then you are required, in collaboration with the University administration, to prepare this documentation.

2. Information

In conjunction with the collection, the personal data controller shall provide the subject (the person whose personal data is being collected) with information aimed at explaining his or her rights. Only in certain exceptional cases may this information be provided after collection of the data.

3. Security

From the moment the personal data controller takes possession of personal data belonging to the subject, the data shall be handled in a secure way. Depending on how sensitive the data is and the amount of data processed, SU is required to take correspondingly comprehensive security measures. This assessment is based on how great the damage to the subject would be if the information were obtained by an unauthorised person.

Data protection ombudsperson’s contact details

Benita Falenius
E-mail: dso@su.se

Dataskyddsombudet
Stockholms universitet
106 91 Stockholm

Important questions which the controller should be able to answer

  • What personal data is being handled and for what purpose?
  • Whose personal data is being processed?
  • What legal grounds were applied for the different processing functions?
  • How is it ensured that the fundamental principles for personal data processing are adhered to?
  • Is the personal data being managed by someone outside SU on behalf of the department/section?
  • What information is the subject provided with and how?
  • How are the rights of the subject dealt with?
  • How are requests for release managed?