Personal data and the GDPR
The EU's General Data Protection Regulation (abbreviated GDPR) aims to protect individuals' personal data and their right to privacy. Complying with the GDPR is essential to ensure that personal data is handled (processed) in a fair, lawful, and transparent manner. The GDPR sets high standards for how Uppsala University and its employees handle personal data in its operations.
Personal data
Personal data is any kind of information that can be directly or indirectly linked to a living identifiable person, including names, social security numbers, pictures, e-mail addresses, IP addresses and code keys to encoded data that can provide information about individuals.
Sensitive personal data
Sensitive personal data is information that reveals ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data that uniquely identifies a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. Personal identity numbers are not sensitive personal data but are subject to special rules.
Processing of personal data
Processing of personal data means all handling that is done with personal data, regardless of whether it takes place electronically or not. This includes passive handling, such as storing the data, and handling that brings the processing to an end, such as deletion.
General requirements
To process personal data in accordance with the requirements of the law, you must ensure that:
- There is a clearly stated purpose,
- the processing is necessary for achieving the purpose, and
- there is a legal basis for the processing.
All personal data must be protected with technical and organizational measures.
If a processing operation takes place together with others, some form of personal data processing agreement is required, depending on the relationship between the parties involved.
The information listed above must be documented and all personal data processing at Uppsala University must be reported and registered centrally (see drop down menu below).
Notification of personal data processing
Uppsala University's procedure for notification of personal data processing includes all steps that must be taken and is intended to gather all documents (notification, information classification, personal data agreements, any correspondence, etc.) in one and the same file. The following steps need to be considered and managed:
- Make an information classification according to the guidelines found at this link (see Appendices 2 and 6). If you have questions about this, you can contact security@uu.se.
- Consider the need for personal data related agreements.
- If the processing is to be carried out on behalf of a third party (e.g. another higher education institution) and that entity determines the means and purposes (“why and how”) or if Uppsala University engages a third party to process personal data, a personal data processing agreement is required. This is common in commissioned research situations or when engaging service providers, e.g. IT services.
- If Uppsala University and one or more other entities jointly carry out processing and the actors jointly decide why and how the personal data processing is to be carried out, there must be an agreement on joint personal data responsibility. This is the usual practice in research collaborations.
- The above mentioned agreements should, in the first instance, be drawn up based on one of
- Sensitive personal data is subject to special provisions in the GDPR, and the starting point is that the processing of sensitive personal data is prohibited unless certain protective measures are in place. Ethical review and approval is required before processing of sensitive personal data for research purposes is initiated. If you need an ethics approval, you can contact. Here is a link to questions and answers about ethical approval (in Swedish).
- If the contemplated research concerns children or otherwise leads to a high risk to the participants' rights and freedoms, e.g. by collecting a large amount of personal data, you need to carry out a data protection impact assessment (a “DPIA”, see below).
You can reach out to the University’s Data Protection Officer at dataskyddsombud@uu.se for help with your DPIAs. Read more about planning the management of data in .
- At itsupport@uu.se, you can order a secure storage area for research data from one of the University's central services, including ALLVIS, which is described in more detail here.
- The last step in the procedure is the actual notification of the personal data processing described in the steps above (links can be found below). The notification is made on an electronic form where you simultaneously upload other documents that are relevant to the processing (information classification, personal data agreement, ethical decision, etc.).
Support in engaging a processor
In the following link there is a flow chart to support the process of engaging a processor. PDF, 29 kB.
Explanation of the flowchart
- In order for a processor to be allowed to process personal data on behalf of the University, the processing must be regulated by an agreement between the Controller and the Processor. This agreement is usually referred to as a Data Processing Agreement (DPA). It is the responsibility of the Controller to ensure that a DPA is put in place and that its content is such that the rights of the data subjects are protected. The Controller may not engage a Processor who cannot provide sufficient guarantees that the processing is correct and safe and that the processing is only carried out in accordance with the Controller's documented instructions (in the agreement and subsequently). In the absence of an agreement or binding legal act regulating the processing, it is not permitted to engage a Processor (see Article 28(1) and (3) GDPR).
- In some cases, especially when a Processor provides the same service to several Controllers, the Processor wants to have uniform DPAs and has therefore developed its own agreement text. Whose agreement is used is not decisive; it is the content that must not deviate from the requirement to ensure the rights of the data subjects. It is formally the Controller that is responsible for all processing that takes place through the DPA, and it is therefore necessary to carefully review the Processor's draft agreement. The content must not deviate in substance from the Controller's instructions, and it must not contain conditions that make it impossible for the Controller to safeguard the rights of the data subjects, for example by giving the Processor the right to process the personal data for its own purposes. If the Controller cannot guarantee the rights of the data subjects, the Processor may not be used (see Article 28(1) and (3) GDPR).
- A first step in determining the level of security that is necessary is to take stock of the categories of personal data covered by the processing. In some cases, it is a clear, well-defined set, where there may also be technical measures that rule out the processing of other data. In other cases, the service is less well defined and there may also be reason to suspect that data for which the service is not intended may be processed.
- If it is the case that additional personal data in addition to those that the processing is intended to process will be covered by the processing, it is important that it is clarified what these are. Knowing what will be dealt with is a necessary condition for determining the technical and organisational security measures required (see Articles 24 and 25 GDPR). If it is not possible to determine at all which categories will be dealt with, it is in practice very difficult to determine the necessary measures.
- A data protection impact assessment (DPIA, read more below) before the processing of personal data begins is necessary if sensitive personal data is to be processed, but may also be a requirement if, due to its nature, scope, context and purpose, the processing is likely to result in a high risk to the rights and freedoms of natural persons (Article 35). Consult with the Data Protection Officer to conduct a DPIA.
- A DPIA will identify a series of risks and measures to eliminate or at least reduce them. If, after the controller's own impact assessment, a likelihood of high risk remains, you can request prior consultation with the Swedish Authority for Privacy Protection (IMY), which can identify and evaluate measures to increase security. If the measures are not sufficient to ensure the security of data subjects required by Article 24 GDPR, the processing cannot be carried out.
- If the Processor carries out its processing within the EU/EEA, it is covered by the GDPR and it is not an export of personal data to a third country unless the Processor has a sub-processor outside the EU/EEA. See more about transfers to third countries.
Basic concepts and principles of the GDPR
The GDPR aims to protect individuals' personal data and their right to privacy. Complying with the GDPR is essential to ensure that personal data is processed in a fair, lawful, and transparent manner. The regulation sets high standards for how Uppsala University and its employees handle personal data in its operations.
Below is a description of the basic concepts and key principles of the GDPR.
Basic concepts
Below follows a description of key terms and concepts that appear in the GDPR.
What is Personal Data?
Personal data is all information relating to a natural person who can be directly or indirectly identified. It does not matter if the person is directly identifiable by the information or if additional information is required for identification.
Examples of personal data include an individual’s name, address, e-mail address, personal identity number, ID card number, telephone number, IP address, photos or a sample code of samples from living persons (note that information about the deceased can in some cases be linked to living persons).
Examples of information that does not count as personal data are corporate identity numbers (except in the case of sole proprietorships, in which case it is considered personal data) and e-mail addresses of legal entities.
What is Sensitive Personal Data?
It is forbidden to process sensitive personal data (or special categories of personal data) unless one or more exceptions are fulfilled. In order for processing of sensitive personal data to be permitted, it must also live up to the fundamental principles and be supported by an additional specific legal basis.
The following categories of personal data are sensitive:
- Racial or ethnic origin (regarding the use of the term "race" in the GDPR, it explicitly does not mean that the EU or Uppsala University accepts theories that seek to establish the existence of different human races)
- Political views
- Religious or philosophical beliefs
- Membership in a trade union
- Health
- Sex life or sexual orientation
- Genetic data
- Biometric data that uniquely identifies a person
What does Processing mean?
Processing is a broad concept and includes everything that can be done with personal data. For example, you can collect, register, store, disclose or delete the data.
Who are the Data Subjects?
Data subject refers to a living person to whom certain personal data relates, i.e. is about.
What is a Controller?
The data controller is the organisation (e.g. public authority, limited liability company, foundation or association) that decides for what purposes certain personal data is to be processed and by what means this is to be done (this is usually described as the controller decides “how and why” certain processing should take place). In other words, it is not the individual manager at a workplace or an employee who is the controller. A natural person can also be the controller, for example in the case of sole proprietorships. Uppsala University is the controller for personal data processing carried out within the framework of the University's activities.
What is a Processor?
A processor is a person or legal entity that processes personal data on behalf of a controller. A processor is always organizationally located outside the controller's organisation. A data processor can be a natural or legal person, public authority, institution or other body. A processor may not determine the purposes of a processing operation, but may often have views on how the processing is carried out.
Basic principles
The GDPR is based on six basic principles that every controller must follow to ensure correct processing of personal data. The rules set high demands on the processing of personal data, and potential sanctions in the event of violations can be severe. If Uppsala University does not comply with the basic principles of the legislation in its processing of personal data, it will lead to high administrative fines and serious reputational damage for the University. Below you will find information about these basic principles, which must be followed in all personal data processing.
The six basic principles are (they are described in more detail below):
- The principle of lawfulness, fairness and transparency
- The principle of purpose limitation
- The principle of data minimisation
- The principle of accuracy
- The principle of storage limitation, and
- The principle of integrity and confidentiality.
In addition, any processing of personal data must be supported by a lawful basis (see below); personal data may only be collected for legitimate purposes that are not too generally framed, and the amount of data must be limited to what is necessary for these purposes. This means that data may not be processed at a later stage in a way that is incompatible with these purposes, nor may it be stored longer than necessary for a specific purpose.
As a starting point, the following requirements must be met in order to comply with the law:
- The processing is necessary (cannot be carried out without the personal data)
- The processing is carried out under a legal basis
- The processing takes into account the general principles (see below in more detail)
- The processing is protected by organisational and technical protective measures.
Anyone who processes personal data must be able to demonstrate that the above is followed and how. The above must be observed in all processing, and there must be procedures in place to ensure compliance.
Lawfulness, fairness and transparency
Personal data must be processed in a lawful, correct and transparent manner in relation to the data subject.
The requirement that the processing of personal data must be lawful means, among other things, that there must be a legal basis for the processing.
The requirement for correct processing requires that the data subjects are made aware of the processing and the details pertaining to it, i.e. that they are informed in accordance with the GDPR.
The requirement for transparency means, among other things, that it must be clear to a data subject how their personal data is collected and otherwise processed. The data subjects must therefore be provided with information about the processing, for example after requesting a register extract, and must receive the information in an easily accessible manner, formulated in clear and unambiguous language.
Purpose limitation
According to the GDPR, all personal data shall only be collected for specific, explicitly stated and legitimate purposes and may not be subsequently processed in a manner that is incompatible with these purposes. The predetermined purposes set the framework for the processing. The purposes must be clear and legitimate and have been determined at the time the personal data was collected. There is no possibility of postponing the determination of purposes to a later date and a purpose cannot be added afterwards.
The determined purposes must be documented in writing, and the data subjects must be informed of the purposes both when the data is collected and otherwise when requested. If the personal data collected is later to be processed for other purposes that are incompatible with the original purposes, the data subjects must also be informed of this. Personal data collected may, under certain conditions, be processed for archival purposes in the public interest, scientific or historical research purposes or statistical purposes without being considered incompatible with the original purposes if appropriate safeguards are in place for the rights of the data subjects.
Relevant purposes may also be specified in legislation in certain cases, and the controller must then comply with those rules. However, regardless of whether the purposes are laid down in a statute or not, it is always the controller who is responsible for, and must be able to demonstrate, that the fundamental principles are followed. It is the controller who is responsible for ensuring that the processing is carried out solely for the specified purposes. In the event of a dispute, it is the data controller who has the burden of proof because it is the controller who primarily determines the purposes.
Data minimisation
The principle of data minimisation means that personal data must be adequate, relevant and not too extensive in relation to the purposes for which it is processed. In other words, it is not allowed to collect personal data for undetermined future needs or "good to have" tasks. Collected personal data may also not be processed if, for example, they are so old that they are no longer relevant for the original purposes.
The fact that the personal data should not be too extensive in relation to the purposes for which they are processed means that they should be limited to what is necessary for those purposes. This requires, in particular, ensuring that the period during which personal data are retained is limited to a strict minimum. Do not collect more or less personal data than is actually necessary in relation to the purpose of the processing, and do not collect irrelevant data.
It must be possible to explain why different data are needed to fulfil the purposes of the processing. In practice, this may also mean for example that if the controller uses free text fields they should issue written instructions on what information is relevant to provide in the text field. To ensure that personal data is not stored for longer than necessary, Uppsala University shall use deadlines for deletion for regular checks.
Accuracy
Personal data must be accurate and kept up to date. Any person who processes personal data must take all reasonable steps to ensure that inaccurate personal data is erased or corrected without delay. If the purpose requires it, the personal data must also be up to date. This means that the controller needs to be active in order to ensure the quality of the personal data, and not wait to act until the data subject exercises his or her right to rectification of e.g. incorrect personal data. The circumstances of each individual case, such as the purposes of the processing, how much personal data is processed and what consequences incorrect information may have for the data subject, are factors to be considered. Whether it is necessary for the data to be updated should be determined with regard to the purposes of the processing.
Storage limitation
Personal data may not be stored in a form that enables identification of data subjects for longer than necessary for the intended purposes. When the personal data is no longer needed for those purposes, it must be deleted or de-identified (100 % anonymized). To ensure that personal data is not retained for longer than necessary, the processor should put in place time limits and procedures for deletion or de-identification.
Collected personal data may, under certain conditions, be stored for a longer period of time for archival purposes in the public interest, scientific or historical research purposes or statistical purposes if there are appropriate safeguards for the rights of the data subjects.
The GDPR also requires the controller to provide information to the data subjects about, among other things, the period during which the personal data will be stored or, if this is not possible, the criteria used to determine this period. This applies regardless of whether the personal data comes from the data subject or not, i.e. whether it has been obtained from someone else. The same information must also be provided if the data subject requests a register extract.
Integrity and confidentiality
Personal data must be protected, inter alia, against unauthorized or unlawful processing and against accidental loss, destruction or damage. Anyone who processes personal data must therefore utilize appropriate technical and organizational measures to protect it. Personal data must be processed in a manner that ensures appropriate security and confidentiality of the personal data and in a manner that prevents unauthorized access to and use of personal data and the equipment used for the processing.
In this context, integrity is a security principle, which means that personal data should not be altered or destroyed by mistake, either by an unauthorized person or by the process used.
Confidentiality as a security principle means that the information should not be made available or disclosed to unauthorized persons or through the process. Both concepts are part of general information security.
Accountability
The controller or processor who processes personal data is responsible for compliance with the rules and principles of personal data processing and must be able to demonstrate how they are followed. There are several ways to demonstrate this, for example by having clear information to the data subjects, documenting the processing that is going on in the organization and which considerations have been made, and having documented internal guidelines for data protection, a data protection policy. The Data Protection Officer (DPO) reviews the organization’s compliance with the regulation and internal guidelines, which is also a way to meet the accountability requirement.
Legal basis for processing personal data
In order to process personal data in a lawful manner, it is required that there is a clear and precise purpose for the processing, that the processing is necessary to achieve the purpose, and that there is a so-called legal basis.
In practice, the fact that the processing must be necessary means that you should not be able to achieve your purpose in any other way. If the purpose can be achieved by handling anonymized data the processing of personal data is not considered necessary. Significant efficiency gains may be considered as a factor in the necessity assessment.
The GDPR (Article 6) provides an exhaustive list of legal bases on which to base personal data processing. It is very important to decide and document the legal basis on which you base your processing before initiating processing. Anyone who intends to carry out personal data processing at Uppsala University must state the legal basis for the processing. The legal basis must be stated in the e-form on which the processing of personal data must be
Legal basis in brief
The legal bases on which processing can be based on are:
- Processing necessary for the performance of a task carried out in the public interest or the exercise of official authority (the normal one in research/education and during examination);
- Performance of a contract (e.g. employment contract);
- Consent (usually not allowed by authorities and associated with difficulties);
- Compliance with a legal obligation to which the controller is subject;
- Protection of the fundamental interests of the data subject;
- Weighing of interests test (cannot be used by authorities).
In the context of personal data processing carried out at Uppsala University, it is primarily the legal grounds of task in the public interest and the exercise of public authority that will be used.
The following is a description of the main legal bases that you will find in Article 6 GDPR. It is important that you carefully consider which basis is suitable for your particular processing activity.
It is important to know that the basis of consent from the individual is often not applicable or appropriate at Uppsala University. There are usually other grounds that are better suited than consent.
Legal bases in detail
Performance of a task in the public interest (Article 6(1)(e))
The processing of personal data is permitted if it is necessary for the performance of a task carried out in the public interest. In order for processing to be performed in the public interest, it must be based in a legal act. This means that the task follows from a statute or from a decision issued pursuant to a law or statute. Examples of tasks that are in the public interest are the activities of research and education (see Chapter 1, Section 2 of the Higher Education Act (1992:1434)), archiving and the production of statistics for government agencies. It can also be tasks carried out by government agencies with the aim of fulfilling an explicit assignment by the Riksdag or the Government (“regleringsbrev”, etc.).
In the context of research activities, this is usually the legal basis for the processing of personal data.
Exercise of official authority (Article 6(1)(e))
Processing of personal data is also permitted if it is necessary as part of the controller's exercise of official authority. The exercise of public authority means that an agency has a task with decision-making power over individual citizens. This includes, for example, cases where a decision is made that an individual should receive a certain benefit or right, or decisions that benefit the individual or decisions that are burdensome (e.g. graduation at a university). All exercise of public authority must be based on law, ordinance or other statute.
Performance of a contract (Article 6(1)(b))
Processing may be based on the fact that the processing is necessary for the performance of a contract to which the data subject is a party or to carry out measures requested by the data subject prior to entering into such an agreement. An example of this is the UU’s processing of personal data relating to the University's employees, recruitment and personnel administration systems for invoicing and salary calculation.
Consent of the data subject (Article 6(1)(a))
Personal data may only be processed under this legal basis if consent has been acquired from the person to whom the personal data relates. The GDPR sets special requirements for consent, including that it must be voluntary. This means that an individual cannot consent to a personal data processing where he or she is in a position of dependence on the person who intends to process the personal data. Since Uppsala University is a public authority, it is normally not permitted to use consent as a legal basis for personal data processing, as individuals are a weaker party than a public authority.
The data subject's consent to processing of personal data should not be confused with consent given by individuals to participate in research in connection with the ethical review of a research project. While consent is necessary in connection with ethical review of research, consent is not normally used as a legal basis for processing personal data by public authorities, including the University.
You must later be able to prove that consent has been given by the person whose personal data you are processing. Consent must also be given through a statement or an unambiguous affirmative action (an active act). This requires for example ticking a box, choosing setting options or some other behavior that clearly shows consent. A form that is filled in by the person who is going to consent can be a good idea.
The consent must be given after the data subject has received information about the planned processing of personal data. Among other things, you must inform the data subject that they have the right to withdraw their consent at any time, the purpose of the processing and how long it is expected to last.
A person who processes personal data on the basis of consent must be able to demonstrate that valid consent has been given by the data subject.
Each new processing requires a new consent from the data subject. If the consents do not meet the requirements of the regulation, you must obtain new ones in order for the processing to be lawful.
In summary, consent is not the legal basis UU uses for processing of personal data in research.
However, it is conceivable that UU can use consent in the processing of personal data to distribute e.g. a newsletter.
Compliance with a legal obligation (Article 6(1)(c))
Personal data may be processed if it is necessary for compliance with a legal obligation that the controller is obliged to comply with. In such cases, the basis for the processing must follow from either EU- or Swedish law. An example of a legal obligation is the accounting obligation set out in the Accounting Act (1999:1078).
General comments
The list of legal bases in Article 6 is exhaustive, and it is therefore necessary to find support in one of them in order for a processing to be lawful. It may happen that several grounds apply to one and the same processing. If none of the legal grounds listed in the provision are applicable to the processing, it is not lawful and may therefore not be carried out.
All processing of personal data must also comply with the fundamental principles of Article 5 of the GDPR. The principles mean, among other things, that personal data may only be collected for legitimate, specific purposes and not for general purposes. The amount of data must be limited to what is necessary for the purpose. The data may not subsequently be processed in a manner that is incompatible with these purposes, nor be kept for longer than necessary. The GDPR also states that the person who processes personal data must be responsible for, and be able to demonstrate, compliance with its provisions (accountability). Anyone who processes personal data must therefore have procedures in place to ensure that they are followed. This means that the procedures developed for Uppsala University must be followed in every processing of personal data.
Rights of data subjects
The person whose personal data is being processed (the data subject) has a number of rights set out in the GDPR. Below is a brief overview of these rights.
Right of access to personal data
The data subject has the right to know whether the data controller is processing personal data about him/her. The data subject also has the right to access the personal data and further information related thereto. In order to find out whether Uppsala University processes someone’s personal data, and on what legal basis, they can request an extract from the UU’s processing register by using or by sending an email to dataskyddsombud@uu.se.
Right to rectification
The data subject has the right to have incorrect personal data corrected without undue delay. Considering the purpose of the processing, the data subjects also have the right to complete incomplete personal data.
Right to restriction
Under certain circumstances, the data subject has the right to demand that the processing be restricted, which may include if a data subject believes that personal data is incorrect and wants it corrected. They can then request that the processing be restricted for the duration of the investigation into the accuracy of the personal data.
Right to erasure
The data subject has the right to have their personal data deleted without undue delay in certain situations:
- If the personal data is no longer necessary for the purpose for which the personal data was collected.
- If consent to the processing is withdrawn.
- If the personal data has been processed unlawfully.
- If the personal data must be erased in order to comply with a legal obligation.
However, there are several exceptions to the right to erasure and to the data controller's obligation to inform others, for example if the processing is necessary to fulfil other important rights, such as the right to freedom of expression and information, to comply with a legal obligation, or to perform a task in the public interest or as part of the exercise of public authority.
Right to lodge a complaint with the Swedish Authority for Privacy Protection
The Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) is the Swedish supervisory authority responsible for following up compliance with the EU's GDPR. If a data subject believes that their personal data is being processed in a way that violates the GDPR, they can complain to IMY. IMY takes all complaints into account and then decides whether they should initiate an inspection or other control measures. See IMY's website for more information.
Right of revocation of consent
When consent has been given to certain data processing, the data subject has the right to withdraw this consent at any time. The data subject does this by notifying the entity performing the processing that they want to withdraw their consent. At the University this is primarily relevant in connection with individuals' informed consent to participate in research studies, in connection with the ethical review of the study, and not as a legal basis for processing in general.
The right to revoke consent does not apply to processing carried out on a legal basis other than consent, such as the common grounds of the exercise of public authority or public interest.
Transfer of personal data to third countries
The right to privacy, communications (telephone, e-mail, internet use, etc.) and personal data is protected by the Charter of Fundamental Rights of the European Union.
A transfer of personal data to a third country is when personal data is sent to or made available to an entity in a country outside the EU/EEA area (a third country).
The entity that transfers personal data is called the exporter and the entity that receives it the importer.
Examples of transfers of personal data to third countries include:
- sending documents containing personal data by e-mail to a recipient in a country outside the EU/EEA.
- engaging a processor in a country outside the EU/EEA.
- giving an entity outside the EU/EEA remote access, such as read permission, to personal data stored within the EU/EEA.
- storing personal data in a cloud service that is based outside the EU/EEA.
The transfer of personal data to third countries may, according to Article 44 GDPR, only take place if the conditions set out in Chapter V of the GDPR are met.
The European Data Protection Board (EDPB) has set out the level of protection of personal data for EU citizens in four so-called necessary safeguards:
- Data should be processed on the basis of clear, precise and accessible rules.
- Necessity and proportionality must be ensured for legitimate objectives.
- An independent oversight mechanism should be in place.
- Individuals must have access to effective legal remedies to protect their rights.
These guarantees must be respected and may only be limited by measures that do not go beyond what is necessary and proportionate in a democratic society.
Adequacy decision
The European Commission may decide that specific countries have a so-called "adequate level of protection" for personal data. Article 45 of the GDPR states that the transfer of personal data to countries that have been assessed as having an adequate level of protection is permitted and must be handled under the GDPR as if it were within the EU/EEA.
At present, twelve countries are fully or partially affected by an adequacy decision:
- Andorra
- Argentina
- Canada (partially)
- Faroe Islands
- Guernsey
- Israel
- Isle of Man
- Japan
- Jersey
- New Zealand
- Switzerland
- United Kingdom
- South Korea
- Uruguay
- United States (but only for companies and organizations certified under the Trans Atlantic Data Privacy Framework (TADPF or DPF)).
The adequate level of protection in the countries concerned is monitored on an ongoing basis, and countries that are subject to decisions or are under investigation may vary over time.
Which companies and organizations are certified in TADPF can be found here. Please note that only private actors can be certified.
Transfer mechanisms under Article 46
Article 46 GDPR sets out a number of mechanisms that allow the transfer of personal data to third countries that are not covered by adequacy decisions. The mechanisms may be used on condition that the legal rights of the data subjects, and effective legal remedies in the third country to which the personal data are transferred, are secured. This requires a very complex assessment of the legal order in the host country. The exporter responsible for the data must also have taken appropriate safeguards to protect the processing.
The European Commission's Standard Contractual Clauses (SCCs) are the mechanism usually used for transfers of personal data to third countries. Read more about the SCCs below. In some cases, agreements between public actors can be an instrument.
EU Standard Contractual Clauses
The European Commission's Standard Contractual Clauses (SCCs) consist of the implementing decision, which sets out the reasons for the introduction of the new standard contractual clauses, and an appendix containing the actual terms of the contract to be signed by the affected parties.
The SCCs contain conditions concerning, among other things, the purpose, scope of the contract, specification of the transfer, basic principles of processing, principles regarding sub-processors, data subjects’ rights, liability, supervision and documentation. In other words, it is a very comprehensive set of contractual requirements.
The parties (the controller and the processor) must comply with the requirements in the SCCs in order to be able to apply them; otherwise this will not be possible.
Logical structure of the SCC
The SCCs are established with four static modules adapted for different scenarios:
- Module 1 for transfer from controller to controller
- Module 2 for transfer from controller to processor
- Module 3 for transfer from processor to processor
- Module 4 for transfer from processor to controller.
The starting point is that the parties identify their roles as either controller, processor or sub-processor. They must then assess who is the data exporter and who is the data importer. This is especially important because it decides which modules are to be selected for the agreement. To get help with merging the modules and discussing the relationship between the parties, please contact the Legal Department: juravd@uu.se.
Once the parties agree on the SCC modules applicable to the transfer in question and they make the assessment that they can be fulfilled, an agreement based on these can be signed.
One particular challenge is that the parties must be able to guarantee the integrity of the personal data in relation to the legal requirements of national authorities for access to data held by the data importer.
National laws and procedures of the data importer
In clause 14 of the SCCs, the parties must guarantee, inter alia, that they:
- "… has no reason to suspect that the laws and procedures of the receiving third country applicable to the processing of personal data by the data importer, including any requirements to disclose personal data or measures to grant access to public authorities, prevent the data importer from complying with its obligations under those clauses."
Giving such a guarantee presupposes that the parties understand the risk that the legal system of the recipient country allows national authorities to access the personal data. The parties have an obligation to investigate any suspicion that national laws could threaten the data privacy of the data subjects concerned. Any national laws, in order to be acceptable, must be consistent with the spirit of the EU Charter's protection of human rights and freedoms. In this context the clause refers to Article 23 GDPR, which allows certain exceptions for national security, defence, public security, etc. The parties must assess whether restrictions on the said rights would then be a necessary and proportionate measure in a democratic society.
The parties must have a very high level of knowledge of all the circumstances of the transfer and must document their assessments in order to make them available to a supervisory authority upon request.
The work that the SCCs require of the parties, and the risk associated with third-country transfers, should be weighed against the benefits that cooperation with the third-country party may bring to the data exporter.
Derogations in Article 49
The GDPR contains a number of legal exceptions that in certain limited situations allow for third-country transfers of personal data. Article 49 GDPR regulates when transfers of personal data may be made in specific individual situations, such as with the explicit consent of the data subjects (remember that consent should not normally be used by public authorities), when the transfer is made in the data subject's own interest, to comply with contractual conditions, or for an important public interest. Article 49 assumes that the transfer is necessary, which is a strict requirement, and that it is not made repeatedly. Exceptions from general rules must always be applied strictly and with caution.
Data Protection Impact Assessment (DPIA)
The GDPR’s purpose is to protect individuals' fundamental rights and freedoms when processing personal data takes place.
A Data Protection Impact Assessment (DPIA) is a method for identifying, assessing and documenting whether a proposed processing of personal data may lead to a high risk that the rights of the data subjects may be violated.
Article 35(1) of the GDPR states that the controller must carry out a DPIA if a type of processing is likely to result in a high risk to the rights and freedoms of natural persons. It must be performed before any processing begins.
The DPIA is a tool for compliance with the GDPR in general. If the risks to the data subjects that emerge from the DPIA cannot be remedied by the controller, a notification of a so-called prior consultation must be submitted to the Swedish Authority for Privacy Protection in accordance with Article 36 GDPR.
In some cases, the DPIA is a requirement and failure to carry it out may result in the controller being subject to a fine.
Carrying out a DPIA
A DPIA must be documented, and at the UU the finalized DPIA shall be added to the central processing register (see above) concerning the related processing activity. The register is kept by the Data Protection Officer.
The DPIA shall answer whether:
- there is a significant risk that human rights and freedoms may be violated (see below).
- the processing involves profiling of data subjects, the results of which are then used to automatically categorize or evaluate individuals.
- extensive sensitive personal data and/or criminal record data are included in the processing.
- the processing involves extensive collection of personal data.
The persons carrying out the DPIA must determine whether the processing can be carried out under safe, legal and reasonable circumstances by assessing whether:
- the way in which the processing is carried out entails risks to the quality, authenticity or integrity of the data.
- the chosen method continuously monitors that the processing is going as planned.
- identified risks of the processing can be properly counteracted.
- those who actually process the personal data are familiar with the procedures for reporting personal data breaches.
If the data subjects are exposed to risks that cannot be remedied, a request for prior consultation must be submitted to the Swedish Authority for Privacy Protection.
When you submit the DPIA through the automatic procedure in the link below, the Data Protection Officer will automatically be notified and will contact you if it is necessary to request prior consultation with the Swedish Authority for Privacy Protection.
In summary “human rights and freedoms” are the right to life, liberty and security of person; prohibition of slavery and servitude; prohibition of torture and cruel, inhuman or degrading treatment; equality before the law; the right to impartial judicial review; prohibition of arbitrary detention; the right to protection of privacy and correspondence; the right to personal freedom of movement; the right to property; the right to freedom of religion, opinion and expression, as well as the right to freedom of association and assembly.
Handling of personal data breaches
The GDPR obliges controllers to report personal data breaches to their national supervisory authority responsible for following up compliance with the EU's GDPR (in Sweden the Swedish Authority for Privacy Protection, IMY).
The controller is also obliged to inform affected data subjects of a personal data breach. Processors also have an obligation to report personal data breaches, but to the controller, who in turn must report the breach to the relevant authority. The responsibilities of processors are specified in the compulsory data processing agreement (DPA).
UU can act either as a controller or as a processor depending on the situation, and is therefore responsible for reporting either to the controller or to IMY, depending on the individual case.
Personal data breach
A personal data breach is defined in the GDPR as a security incident that leads to accidental or unlawful destruction, loss or alteration of, or unauthorized disclosure of or unauthorized access to, personal data that has been transferred, stored or otherwise processed. If you become aware of a suspected incident of this kind, it is important that you contact the IT department at it-incident@uu.se as soon as possible. The IT Division will in turn decide whether the incident should be reported to the Data Protection Officer. The DPO will then determine, based on the information, whether a report should be sent to IMY.
Routines
In order to determine whether a personal data breach has taken place and, if necessary, to promptly inform IMY and the data subjects, a report is required describing the breach and which appropriate technical and organizational measures have been taken in response to it.
It is of great importance to have security solutions in place to avoid incidents. This can be achieved by ensuring that IT systems contain functions that raise alerts on incidents quickly and provide a good overview of any information that must be reported to IMY. UU needs to be able to file a report within the required timelines. In addition, agreements concerning personal data must regulate how personal data breaches are to be reported to Uppsala University by its processors and collaborators. Currently the IT department is responsible for compiling and reporting the required information to the Data Protection Officer, so that he or she can assess whether the personal data breach entails a high risk to the rights and freedoms of the data subjects.
Notification of personal data breaches
The requirement that a report must be made to IMY aims to quickly and appropriately remedy and reduce the risk of the data subjects suffering physical, material or immaterial harm. Such harm may include, for example, loss of control over one's own personal data, restriction of the rights of data subjects, discrimination, identity theft, fraud, damage to reputation or financial loss.
Upon discovery of a personal data breach, Uppsala University shall, without undue delay and always within 72 hours, submit a report to IMY. If it is not possible to provide all the information within 72 hours, it can be divided up and provided at different times as it becomes available. It is important to provide IMY with as much information as possible as quickly as possible. The notification is always made by the Data Protection Officer.
If the University assesses that it cannot submit a notification at all within 72 hours, it must inform IMY about this and state the reasons for the delay.
In cases where the University is a processor, the controller must be notified without undue delay after the University becomes aware of the personal data breach. The personal data processing agreement that regulates the processing the processor performs on behalf of the controller specifies in more detail what obligations the processor has in the event of a personal data breach.
According to the GDPR, a notification must contain information about:
- The type of incident in question.
- The categories of persons who may be affected.
- How many people the incident affects.
- What consequences the incident may have.
- What measures have been taken to counteract any negative consequences for the data subjects.
If you contact it-incident@uu.se with a feared personal data breach, these are the questions you should be able to answer, or investigate.
Information to those who may be affected
If the breach is likely to result in a high risk to the rights and freedoms of the data subjects, they must be informed of the personal data breach without undue delay. The purpose of informing the data subjects is to enable them to take precautionary measures. Whether the data subjects need to be informed is decided by the Data Protection Officer.
Whether the incident is likely to pose a risk to the data subjects and the seriousness of the risk should be assessed on the basis of the nature, scope, context and purpose of the processing. The evaluation of whether the personal data processing entails a high risk must be carried out objectively. According to the GDPR, high risk refers to a particular risk of detrimental impact on the rights and freedoms of the data subjects. This assessment is made by the Data Protection Officer after the notification has been made to this email address: it-incident@uu.se.
When Uppsala University considers that there is an obligation to inform the data subjects the information must contain:
- a clear and unambiguous description of the nature of the personal data breach;
- the name and contact details of the Data Protection Officer or other contact points where further information can be obtained;
- the assessed likely consequences of the personal data breach;
- a description of the measures taken or proposed by the controller to address the personal data breach, including, where appropriate, measures to mitigate its potential adverse effects.
However, Uppsala University does not need to inform the data subjects if any of the following circumstances apply:
- if the university has implemented appropriate technical and organizational safeguards and these measures have been applied to the personal data affected by the personal data breach, in particular measures that are intended to make the data unreadable to all persons who are not authorized to access the personal data, such as encryption;
- if the university has taken additional measures to ensure that the high risk to the rights and freedoms of data subjects is unlikely to arise anymore;
- if it would involve a disproportionate effort. In this case, the University must instead inform the public or take a similar measure through which the data subjects are informed in an equally effective manner.
Documentation requirements
All personal data breaches must be documented, in particular the circumstances surrounding the personal data breach, its effects and the corrective measures taken. The documentation is crucial for the University to be able to demonstrate to IMY that the authority has taken the necessary measures to live up to the obligations that follow from the GDPR.
The documentation can also be used as a basis for improving security in the organisation, so that the necessary measures are taken to prevent new and similar incidents.
Notification of personal data breaches
If you suspect or discover a personal data breach, it is important that you notify it-incident@uu.se as soon as possible so that the IT Division can investigate and, if necessary, report this to the Data Protection Officer and potentially IMY.
Please headline your email with PERSONAL DATA BREACH and be clear with your contact details so that the Data Protection Officer can get in touch with you.
Contact
- Contact the Legal Affairs Division
- juravd@uu.se