Complying with GDPR
Introduction
The General Data Protection Regulation, or GDPR, is a legislation in the EU that governs the collection and processing of personal data. The main reasons for the introduction of GDPR was to harmonise privacy and data protection laws across the EU member states and to strengthen the rights of individuals within the EU.
Who is the data controller?
According to GDPR, anyone who processes personal data is either a data controller or a data processor. A data controller is any person or entity that determines the purposes and means of the processing. If there are two or more data controllers that jointly decide why and how to process personal data, they are collectively referred to as “joint controllers”. A data processor, on the other hand, is any person or entity that processes personal data on behalf of a data controller.
For data submitted to FEGA Sweden is the data controller typically the institution where the principal investigator is employed. Uppsala university, which is the host institution of FEGA Sweden, is then a data processor who acts on behalf of the principal investigator’s institution.
Before you submit any data to FEGA Sweden, you need to first make clear who the data controller is. This step is critical in order to determine which formal agreements are needed.
Do you have a data processing agreement with us?
To fulfill the requirements of GDPR, you need to make sure that there is a data processing agreement between each data controller and Uppsala University. For convenience, we have already established general data processing agreements with some Swedish universities (see Table 1). If the data controller of your data has not signed a general data processing agreement with us, a new agreement will have to be established. The data protection officer (DPO) at your institution may be able help you with that. If Uppsala University is the only data controller, there is no need of a data processing agreement.
| Data controller | Agreement |
|---|---|
| Karolinska Institutet | ICM 2019/186 |
| KTH Royal Institute of Technology | ICM 2019/189 |
| Linköping University | ICM 2019/192 |
| Lund University | ICM 2019/195 |
| Stockholm University | ICM 2019/204 |
| Swedish University of Agricultural Sciences | ICM 2019/201 |
| Umeå University | ICM 2019/207 |
| University of Gothenburg | ICM 2019/183 |
Data processing on behalf of FEGA Sweden
FEGA Sweden relies on services from the Swedish Science Research Council that involve processing of personal data. This data processing is governed by two separate data processing agreements, ICM 2023/76 [Sunet Distribuerad Lagring] and ICM 2023/76 [Sunet Molnportal], which should be compliant with the general processing agreements listed in Table 1.
Learn more about GDPR
- Research material with personal data – by the Swedish National Data Service (SND)
- The Swedish Authority for Privacy Protection (IMY)
- The General Data Protection Regulation (GDPR)