GDPR and personal data

Research data containing personal information, or personal data, refers to any research material that contains data that, on their own or in combination with other data, can be linked to a living individual. All processing of personal data is regulated by the European Union's General Data Protection Regulation (GDPR). This page provides a brief introduction to the legislation and key concepts. Practical guidance and tools can be found in SND’s Handbook for data containing personal information.

The GDPR applies throughout the EU/EEA, regardless of the origin of the personal data. Its purpose is to safeguard individuals’ rights and freedoms, particularly in relation to privacy. The term processing covers a broad range of actions: from collection, registration, storage, and analysis to disclosure, dissemination, and erasure.

Personal data includes direct identifiers such as name, personal identity number, e-mail address, or a photograph of a person. It also includes indirect identifiers such as address, IP address, vehicle registration number, or any other information that could be linked to an individual, especially in combination with other data. The concept of personal data is very broad, and the more sensitive the data, the stronger the protections that must be in place.

Sensitive personal data are particularly sensitive in relation to the fundamental rights and freedoms of individuals and require specific protection, as their processing could cause significant risks to the individual. These include data about a person's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for the purpose of identifying a human being, health-related data, and data concerning a person’s sex life or sexual orientation.

Before sensitive personal data may be legally processed in a research project, the project must always have an approved ethical review from the Swedish Ethical Review Authority.

Legal basis

All processing of personal data must have a legal basis under the GDPR to be lawful. Article 6 of the regulation outlines six legal bases. In research, the most common legal basis is public interest, but consent may also be used.

However, caution is needed when relying on consent as a legal basis in research. The GDPR requires that, for consent to be valid as a legal basis, it must be freely given, specific, informed, and unambiguous. There must be no imbalance of power or dependence between the person giving consent and the party requesting it. For example, it may be difficult to obtain valid consent if a doctor is recruiting their own patient into a research project.

It is also important not to confuse consent as a legal basis under GDPR with informed consent to participate in research. In the example above, the patient must provide informed consent to participate in the research project, but the legal basis for processing the personal data under GDPR would be public interest.

Fundamental principles

All processing of personal data must comply with the fundamental principles set out in Article 5 of the GDPR. Adhering to these principles is a crucial part of ensuring lawful and responsible data processing.

The following principles apply:

  • Lawfulness, fairness and transparency: Lawfulness requires a valid legal basis for the processing. Fairness means that processing must be proportionate – you must not collect more data than necessary or use them in ways unrelated to your purpose. Transparency requires that individuals are clearly informed about how their data will be used.
  • Purpose limitation: Data must be collected for specified, explicit and legitimate purposes, and not further processed in a way that is incompatible with those purposes.
  • Data minimization: Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  • Accuracy: Data must be accurate and kept up to date. Inaccurate data must be corrected or erased, and the systems used for processing and storage must support this.
  • Storage limitation: Data must not be kept in a form which makes it possible to identify the data subjects for longer than necessary. Exceptions apply for archiving purposes in the public interest, scientific or historical research, or for statistical purposes.
  • Integrity and confidentiality: Data must be processed in a secure manner to protect against unauthorized or unlawful processing, as well as against accidental loss, destruction, or damage.
  • Accountability: The data controller is responsible for, and must be able to demonstrate compliance with, all the above principles. This can include developing a data protection policy, implementing privacy-by-design measures, informing data subjects, and conducting Data Protection Impact Assessments (DPIAs) for high-risk processing activities.

When it comes to sensitive personal data, the general rule is that all processing is prohibited. In order to process sensitive personal data lawfully, in addition to a legal basis under Article 6, the processing must also fall under one of the exceptions listed in Article 9 of the GDPR.

You can read more about these core principles on the website of the Swedish Authority for Privacy Protection (IMY).

The information requirement

A key aspect of the GDPR is that research participants, or data subjects, must be informed about how their personal data will be processed. This is known as the information requirement. The information must be clear, easy to understand, and easily accessible.

At a minimum, the following must be provided:

  • the legal basis for processing
  • the purpose of the processing
  • the identity of the data controller.

It is also important to include:

  • a contact person
  • contact details of the data protection officer, if applicable
  • information on how data subjects can request the deletion of their personal data.

In some cases, exemptions from the information requirement may apply – for example, if providing the information would involve a disproportionate effort. This may be the case in registry-based research.

Key terms

Data Protection Officer (DPO)

Monitors compliance with the GDPR within the organization, for example by carrying out audits and providing information and advice within the organization.

Data controller

A natural or legal person, public authority, institution or other body which, alone or jointly with others, determines the purposes and means of processing personal data. The data controller is responsible for how research data containing personal data are processed.

In publicly funded research in Sweden, the research principal – for example, the university – is typically the data controller.

Joint controllers

Where two or more controllers jointly determine the purposes and means of processing, they are joint controllers under Article 26 of the GDPR.

Data processor

Processes research data containing personal data on behalf of the data controller. A data processor may be a natural or legal person, public authority, institution or other body. The relationship between a data controller and a data processor must always be regulated by a Data Processing Agreement.

A data processor could be, for example, another party involved in collecting or analyzing data, such as a research infrastructure provider or a company. A data processor is always external to the data controller’s organization and operates under a mandate to process personal data on behalf of the controller.

Data Processing Agreement (DPA)

An agreement between a data controller and a data processor. It ensures that both parties comply with the GDPR, are aware of their obligations and responsibilities towards one another and towards the data subjects, and that they document and can demonstrate compliance (accountability).