Skip to main content
To KTH's start page

GDPR FAQ

The following are answers to some of the more frequently asked questions.

Missing anything? Please contact the Data Protection Officer at KTH (dataskyddsombud@kth.se) with your questions and/or suggestions.

General Data Protection Regulation in your daily work

The General Data Protection Regulation gives rise to a variety of practical issues - such as what can and cannot be sent via e-mail and what is the correct processing of personal data? Based on the approach of the Royal Institute of Technology (KTH), here are some common scenarios to guide you
through.


The following is currently subject to discussion:

  • Newsletters, e-mail lists and group mails
  • Publishing on external and public websites
  • Consent management
  • Provision of information in connection with the retrieval of personal data directly from anndividual or other source.

Frequently asked questions (FAQ)

What is personal data?

Personal data is information which can be attributed, directly or indirectly, to a physical person such as his/her name, social security number, postal and e-mail addresses, video and audio data. Personal data also includes encrypted or encoded data that can be clearly linked to a certain
person.

What is sensitive personal data?

Sensitive personal data is data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union memberships as well as details of a natural person’s health, sexual life and sexual orientation. Genetic (DNA) and biometric data used to uniquely identify a natural person (such as face or fingerprint data) also belong to this category of sensitive personal data. Such data may never be retained unless under exceptional circumstances.

What is data processing?

Data processing refers to the way in which your personal data is handled, i.e. collected, stored
and dispersed. Under the General Data Protection Regulation, handling personal data is the same as
processing personal data.

What do I do if an individual asks for his/her personal data to be removed?

As an individual, you are legally entitled, subject to certain conditions, to ask for your personal data to be removed from the KTH database.

If you are asked to remove someone’s personal data from the KTH database, please forward the matter to the Data Protection Officer in charge (dataskydd@kth.se).

What do I do if an individual wants to know what personal data is held on him/her?

As an individual, you are legally entitled to know what personal data is held on you and if such data is correct. If someone asks you for an extract from the KTH database, please refer the matter to dataskydd@kth.se.

What is a legal basis?

According to the General Data Protection Regulation, legal basis is the legal and correct way in which to process personal data. In other word, you can never process personal data without a legal basis.

Please note that the removal of personal data is subject to certain conditions. For further information about what can be removed and/or stored, contact the registrar at your school.

When do I require a Personal Data Assistant Agreement?

Under the General Data Protection Regulation, the Data Controller and Data Processor are requiredto enter into a written agreement or a so-called Personal Data Processor Agreement. At KTH, we have our own Personal Data Processor Agreement template. Please contact the Data Protection Officer (dataskydd@kth.se) for further information and assistance.

Do I have to report all my lists and Excel sheets to ?


At KTH, in order to fulfil our data processing obligations, we must register all data processing activities. It is the responsibility of the Data Protection Officer, as appointed by the President of KTH, to maintain and keep updated all data processing lists.

Please report lists here .

Excel sheets do not have to be reported. However, it is important that you report any data processing carried out in connection with a planned or unique activity.