General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) begins to apply on 25 May 2018 and replaces the Swedish Personal Data Act (PuL).
The overall objective is to ensure and strengthen the individual’s right to a private life through the protection of personal data. This means that when KTH processes an individual’s personal data in any way, that individual has the right to know how and why the data was processed and can, upon request, have the data transferred to a different external party (companies, authorities, etc.).
GDPR entails a tightening of the rules in PuL, but also sets some new requirements.
How is KTH preparing for GDPR?
KTH is in the midst of conducting various activities to adapt to GDPR. The list of activities can be found here. The list is constantly updated.
The President’s decisions regarding data protection officers (in Swedish):
If you have questions, please contact KTH’s
Requirements that KTH must meet
KTH must ensure that the individual’s rights are upheld in every phase of the processing of personal data, regardless of how that processing is carried out. We do so by:
- Being able to present, in a clear and easy-to-understand manner, how KTH processes personal data.
- The personal data always being processed on lawful grounds.
- Being able to justify why KTH gathers, processes and stores personal data and where we have obtained the information. There must be a clear purpose of the processing.
- Ensuring that the personal data is relevant and not too extensive in relation to the purpose of the collection, processing and storage.
- Keeping the personal data accurate and updated.
- Not storing personal data for longer than necessary with regard to the purpose. What is removed and what is saved is stated in the document management plan (Sw. Dokumenthanteringsplan).
- Implementing technical and organisational measures to ensure adequate protection so that the personal data is not at risk of ending up in the wrong hands or being manipulated.
- Working actively with data protection, including making sure that the systems, cloud services or other places we use to gather, process or save personal data are designed so that GDPR is upheld. This may be, for example, functions that make it impossible for more personal data than necessary to be collected.
KTH must be able to show that this is complied with, e.g. through regular self-checks, instructions and documentation.
There must always be lawful grounds for all processing of personal data. The most common lawful grounds KTH follows are:
- that the processing is necessary to perform a task of public interest or for the exercise of official authority, e.g. examining students.
- that the processing is necessary to fulfil an agreement or a legal obligation, e.g. international students and the investigation of work-related injuries.
- consent from the person registered (data subject), e.g. in recruitment and registration for conferences.
What rights does the individual have?
The individual has several rights that KTH must respect:
- Right to information – the individual must receive information when the personal data is processed and in certain special situations, such as unauthorised access (so-called personal data breaches).
- Right to correction – the individual must be given the opportunity to correct, complete and adjust his or her own personal data.
- Right to deletion (“right to be forgotten”) – in some cases, the individual has the right to have his or her data deleted.
- Right to limited processing – in some cases, the individual has the right to request that processing be limited. This can be done by tagging the personal data so that it is thereafter processed only for certain limited purposes.
- Data portability – under certain circumstances, the individual has the right to take out and transfer the personal data to a different location (e.g. a different organization).
- In some cases, the right to make objections to further processing.
- The right not to be subject to a decision with legal effect made through automated decision-making (including profiling), unless an exception exists in another law or consent has been granted.
- Complaints and damages – the individual has the right to file complaints with KTH and the Swedish Data Protection Authority.
If you would like to know more
General information is available from the Swedish Data Protection Authority (Sw. Datainspektionen).
An infographic about GDPR is available.
Afrom the Swedish Association of Local Authorities and Regions on GDPR.