Complying with GDPR

Introduction

The General Data Protection Regulation, or GDPR, is a legislation in the EU that governs the collection and processing of personal data. The main reasons for the introduction of GDPR was to harmonise privacy and data protection laws across the EU member states and to strengthen the rights of individuals within the EU.

Who is the data controller?

According to GDPR, anyone who processes personal data is either a data controller or a data processor. A data controller is any person or entity that determines the purposes and means of the processing. If there are two or more data controllers that jointly decide why and how to process personal data, they are collectively referred to as “joint controllers”. A data processor, on the other hand, is any person or entity that processes personal data on behalf of a data controller.

For data submitted to FEGA Sweden is the data controller typically the institution where the principal investigator is employed. Uppsala university, which is the host institution of FEGA Sweden, is then a data processor who acts on behalf of the principal investigator’s institution.

Before you submit any data to FEGA Sweden, you need to first make clear who the data controller is. This step is critical in order to determine which formal agreements are needed.

Do you have a data processing agreement with us?

To fulfill the requirements of GDPR, you need to make sure that there is a data processing agreement between each data controller and Uppsala University. For convenience, we have already established general data processing agreements with some Swedish universities (see Table 1). If the data controller of your data has not signed a general data processing agreement with us, a new agreement will have to be established. The data protection officer (DPO) at your institution may be able help you with that. If Uppsala University is the only data controller, there is no need of a data processing agreement.

Table 1: General data processing agreements with Uppsala University
Data controller Agreement
Chalmers University of Technology ICM 2019/180
Karolinska Institutet ICM 2019/186
KTH Royal Institute of Technology ICM 2019/189
Linköping University ICM 2019/192
Lund University ICM 2019/195
Stockholm University ICM 2019/204
Swedish University of Agricultural Sciences ICM 2019/201
Umeå University ICM 2019/207
University of Gothenburg ICM 2019/183

Data processing on behalf of FEGA Sweden

FEGA Sweden relies on services from the Swedish Science Research Council that involve processing of personal data. This data processing is governed by two separate data processing agreements, ICM 2023/76 [Sunet Distribuerad Lagring] and ICM 2023/76 [Sunet Molnportal], which should be compliant with the general processing agreements listed in Table 1.

Learn more about GDPR