Register a processing of personal data
As a result of GDPR KI needs to keep a record over the processing activities regarding personal data that is being done at KI. Therefore, all processing activities needs to be registered through a form. The registration of processing activities will be done in different ways depending on your area of work, see the sections below for more detailed information.
It can be difficult to distinguish one processing activity from another. An advice is to follow the structure and names in systems or business processes as closely as possible. You can also collect processing activities that is similar to each other, has the same purpose, concerns similar categories of personal data, is being done in the same IT-systems into one processing activity and report it as one.
Research: All research group leaders at KI must report the processing activities that is being carried out by their research group.
Education and Administration: If you work with education or administration at KI, you will only need to register processing activities that is being done outside of KI central systems. Although, this only applies if the activity is planned to last for more than three months. The responsibility to make sure that processing activities are registered lies with unit heads and managers.
Should every individual spreadsheet that contains personal data be registered?
The registration should be done for different types processing activities concerning personal data. For spreadsheets and other types of documents that are available in many similar versions can in most cases be regarded as one processing activity and can therefore be combined and reported as one single processing activity. To combine different documents and report it as one processing activity requires that the personal data and purposes are similar in the different documents.
The research group leader is responsible for the research and therefore also for determining the level at which the registration should be made. The registration itself may be delegated to someone else within the research group. Everyone with a KI-ID may register processing activities.
If you work with education or administration at KI, you will only need to register processing activities that is being done outside of KI central systems. Although, this only applies if the activity is planned to last for more than three months. The responsibility to make sure that processing activities are registered lies with unit heads and managers.
What personal data processing activities should the directors of education, doctoral education and the head of administration report?
These roles are responsible for registering personal data processing activities that are being performed outside of the KI central systems. In some situations, registration may be unnecessary, for example if the processing activity is very limited, does not process any sensitive/special categories of personal data, and will only pertain for a very short period.
How do I report processing of personal data?
The registration of processing of personal data will be done through an electronic form. As soon as the form is completed, this will be communicated. You can be preventative and start to describe what types of processing activities that is being carried out within your area of work even though the form is not yet completed.
It can be difficult to distinguish one processing activity from another. An advice is to follow the structure and names in systems or business processes as closely as possible. You can also collect processing activities that is similar to each other, has the same purpose, concerns similar categories of personal data, is being done in the same IT-systems into one processing activity and report it as one.
Documents
Data protection officer
If you have questions not covered in the instructions, contact the legal unit at KI