Instructions for information to the data subject
When collecting personal data, certain information must be provided to the data subject. The data subject is the individual who gets his/her personal data processed i.e. the person(s) whose personal data you will use.
The information to the data subject shall be provided if the personal data is collected directly from the data subject (according to article 13 in GDPR), for example, by questionnaire or interview. The data subject also needs to be informed about the processing if personal data is collected from a source other than the data subject (according to article 14 in GDPR), such as the tax authority or SCB. Keep in mind that the information given to the data subject must be written concisely, using a clear and plain language.
If personal data is collected directly from the data subject.
If personal data are collected from the data subject, KI shall, when collecting the personal data, provide information on at least the following:
1. The controller of the processing
The identity and contact details of the the controller. When KI has determined the purpose and means for the processing of the personal data, KI is the controller. In some situations, however, there may be joint controllers for the data processing.
Text example: "Karolinska Institutet (KI) is the controller for the processing of your personal data. Your contact person for this processing is: (name of the person who is responsible for the department / research project that collects the personal data, name, e-mail address and telephone number).”
2. Contact information to KI's Data Protection Officer
Contact information should include name, e-mail address and telephone number.
Text example: "Contact information to KI's Data Protection Officer Mats Gustavsson firstname.lastname@example.org 08-524 864 73"
3. The purpose of the processing of personal data.
This description of the purpose should be concise in order for the data subject to easily understand how, and why his or her personal data will be processed.
4. The legal basis for personal data processing.
For KI, an example may be that the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Research is an example of processing that goes under the legal basis public interest.
The following text must always be included: "KI is a public authority and is thereby obliged to comply with, among other things, the rules on public documents, public authority archives and public statistics. KI will therefore also process personal data in the manner required to comply with other applicable legislation."
5. Recipients or categories of recipients who will receive the information.
This includes information if KI intends to transfer personal data to a third country i.e. a country outside of EU/EEA and what risks the transfer could lead to.
Transfer of personal data within KI does not need be a part of the information given to the data subject.
The following text must always be included: "Since KI is a public authority your personal data and other information about you can become subject of a request from the public in accordance with the Public Access and Secrecy Act, before an extradition KI will perform a secrecy examination."
6. The period during which personal data will be stored at KI.
If this is not possible, specify the criteria used to determine this period. This will be found in the document management plan.
This text must be a part of the information regarding the current storage time for personal data processing: "Your personal data is handled in accordance with regulations regarding public authority archives."
7. Access, correction, deletion
That the data subject has the right to access and, as far as possible, rectification of or deletion of personal data or to restrict the processing relating to the data subject or objection to the processing. When applicable the data subject also needs to be informed about their rights to data portability (that the collected personal data may be transferred to another controller). Many of the rights of the data subject are governed by other legislation. For example, the Archive Act prevents existing archived documents from being corrected. Likewise, there is a low possibility of requesting rectification in a research project.
8. Right to withdraw consent
If the processing is based on a consent, the data subject shall be informed that there is a right to withdraw the consent at any time and how this can be done.
9. The right to lodge complaints regarding the processing of personal data.
Either to KI's Data Protection Officer or directly to the Swedish Authority for Privacy Protection (IMY), preferable both.
Example of text: "If you have any comments or complaints on how KI's process your personal data, please contact us at email@example.com.
If you are not satisfied with KI's answers you can contact the Swedish Authority for Privacy Protection (IMY) with complaints regarding KI's processing of your personal data, firstname.lastname@example.org or 08-657 61 00."
10. Requirements by law or contract
If your personal data has to be given to KI for KI to comply with a law or agreements in a contract, or is necessary to close an agreement, you must inform the data subject about it. The same applies if the data subject is required to provide the personal data and if not giving them to KI leads to consequences.
This situation mostly occurs within the university administration.
11. Automated decision making
If the processing will include automated decision making or profiling, you must provide information about this. You must also provide at least some information about the logic behind, what it means that automated decisions are being made in and what predictable consequences such processing has.
12. Further treatment
If KI intends to process the personal data further for another purpose than it was first collected for, KI shall, prior to further processing, inform the data subject about these purposes and any other information that can be relevant to comply with the requirements above.
Examples of text that may be used related to research: "Collected personal data may be used in future research projects at KI that has been approved by the Ethical Review Board. If this is the case, you will be contacted before further processing begins.
This requirement shall not apply where and insofar as the data subject already has this information. This could be the case if the data subject by itself can control the processing and his or her personal data that is being processed by the controller.
If personal data has not been obtained from the data subject
If personal data has not been obtained from the data subject, KI shall provide him/her with information about the processing. The information shall be provided
- within a reasonable period of time after the personal data has been received, but within one month.
- If the personal data is going to be used for communication with the data subject the information should be given at the same time as the first interaction with the data subject, or
- If a transfer of the personal data is being predicted, at latest when the personal data is being transfered for the first time.
When the data is obtained, KI shall, provide information on at least the following in addition to the information that must be provided if the personal data are collected from the registered person directly (the information above, 1-12):
1. What source the data came from and, if applicable, whether they originate in publicly available sources, such as SCB or the tax authority.
2. What personal data or categories of personal data that has been collected
This requirement shall not apply where and insofar as:
- The provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
- Obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject’s legitimate interests; or
- Where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy