FAQ on the GDPR

If you don't find the answer to your question here, please post it to dataskyddsombud@ki.se

What is personal data?

Any kind of information that can be linked directly or indirectly to a living natural person is regarded as personal data. Even images (photos) and sound recordings of individuals can be personal data, even though no names are mentioned. Encrypted data and various types of electronic identities, such as IP addresses and user accounts, count as personal data if they can be linked to natural persons.
Encrypted and pseudonymized personal data count as personal data as long as the code key is stored, regardless of whether the key exists at KI or at another party, and even if you do not have the legal right to access it.

You can read more about concepts regarding data protection here.


If we only process coded personal data, does the GDPR still apply?

Yes. As long as a so-called code key is saved somewhere that can be used to identify an individual, pseudonymized (coded) data is personal data and the requirements of the GDPR must be adhered to.
However, if the code key is destroyed or deleted so that the personal data can never again be linked to a specific person, the information is considered anonymous. In these cases, the data does not constitute personal data, and the requirements of the GDPR do not apply to the processing.

What is processing of personal data?

Processing refers to everything that is done with personal data. Examples of processing of personal data are collection, registration, storage, alteration, dissemination and deletion.

Who is a controller?

The controller is the natural or legal person, public authority, institution or other body that alone or together with others determines the purposes and means of the processing. For personal data processed within KI, where KI has determined the purposes and means of the processing, the authority KI is the controller (ultimately the Board of KI). An employee at KI can never be the controller for the processing of personal data performed at KI.

Who is responsible for KI's compliance with the GDPR?

The controller is responsible for ensuring that the GDPR is followed within the organization. This means that all KI employees have a responsibility to comply with the requirements and regulations of the GDPR. KI is the responsible body, but each of us shares that responsibility.

What do I need to do to process personal data in accordance with the GDPR?

When personal data is processed, the requirements of the GDPR must be followed. Processing of personal data is lawful only if it has a legal basis. Once a legal basis for the processing has been established and documented, the processing can begin, and the other requirements of the GDPR must be met, such as the principles relating to processing of personal data and the requirement to inform the data subjects about the processing.

What are the principles relating to processing of personal data?

The principles relating to processing of personal data are:

Lawfulness, Fairness and Transparency - Personal data should be processed lawfully, fairly and in a transparent manner in relation to the data subject.

Purpose limitation - Personal data shall be collected for specified, explicit and legitimate purposes only.

Data minimization - Personal data should be adequate, relevant and limited to what is necessary in relation to the purpose.

Accuracy - Personal data should be accurate and, where necessary, kept up to date.

Storage limitation - Personal data may not be saved for longer than is necessary for the purpose of the processing.

Integrity and Confidentiality - Technical and organizational protection measures should be in place to ensure the security of the processing.

Accountability - The controller (KI) is responsible for, and must be able to demonstrate, compliance with these principles.

Can we publish images from our event in KI's channels?

The legal basis for this processing may be that we perform a task of public interest by publishing the images. As a public authority we are tasked with providing information about our activities according to Section 6 of the Authority Regulation.
The persons in the images (data subjects) have rights under the GDPR. You must inform the data subjects before the event that their personal data, i.e. the photos, may be used to provide information about the event (on the website) and that they can object to this. You must include information on whom they should contact. You do not have to collect the names of everyone in the images to comply with the GDPR. But if someone identifies himself or herself and wants to exercise his or her rights, then the GDPR applies.

What is meant by a data processing agreement? What should such an agreement include?

A person or organization outside of KI that processes personal data for which KI is the controller is considered a processor for KI. When KI intends to use such services, a written data processing agreement must be established between the parties. At KI there are templates (in Swedish and English) for these data processing agreements.
Many service suppliers and other parties are sending out new proposals for such agreements that they want to use in order to comply with the GDPR as a processor for KI. Check with the legal department at KI before signing any agreements. In some cases, adapting the supplier's contract may suffice; in other cases, the KI template for data processing agreements should be used.
Contact the legal department to access the template.

How can I store and share personal data?

If you have a legal basis for the processing of personal data, you may store personal data on storage and sharing services that are owned and hosted by KI and that are not synced to cloud services (it will probably not be possible to store personal data, and especially not sensitive personal data, on all types of computers, storage and sharing services). As before, you cannot store personal data (or other KI-owned information) on external or consumer storage services. The exception is when there is a legal basis for storage outside of KI, as in the example above where images can be shared on, for example, social media.

Is it okay to share personal data within KI?

A principle relating to the processing of personal data is that only those persons who need the personal data to perform their duties should have access to it. This applies regardless of whether the data is sensitive or harmless. You must ensure that the right people have access to the right things. This means that transmission of personal data within KI should be done with care. So-called sensitive personal data may not be sent in plain text via email.

How do I inform subscribers of my newsletter?

You don't have to ask for consent from KI employees or affiliates who receive the newsletter. However, they should have the opportunity to opt out of the newsletter. Subscribers who are not KI employees or affiliates need to give clear and informed consent that they still want to receive the newsletter.
For future subscribers, refer to KI's information about the processing of personal data within KI; the information will be updated here: About the site

If personal data has been collected by another party, and information has been given to the data subject regarding that processing and that party's Data Protection Officer (DPO), does KI need to inform the data subject about the processing and refer to KI's DPO if we process the same information as controller?

Yes. Since KI is the controller for the processing of personal data in all research carried out at KI, we must provide information about the processing that is done at KI. This includes information about the DPO at KI.

Do new research projects that use data from an earlier project, already approved by the ethical review board, need to apply for a new approval?

In most cases, yes, since the purpose of the personal data processing often varies between different research projects. The basic rule is that an approval from the ethical review board always needs to be obtained. Likewise, multiple approvals may be needed within one project if it involves different purposes.

What needs to be done in order to transfer personal data outside of the EU/EEA?

To process personal data within a research study, the regional ethical review board must approve the transfer. If possible, the data subject should be informed that the personal data will be sent abroad before giving consent to the processing. The personal data should be pseudonymized (coded). If another party processes personal data on behalf of KI, a data processing agreement must be established between the parties. Note that other agreements may need to be established as well.
Transfer of personal data to third countries or international organizations

Will there be a list of available storage platforms showing which types of data can be stored on each?

Yes. KI's information security department will perform system classifications that place the classified systems at different security levels. Based on the sensitivity of the information, the information may only be handled in systems that meet the requirements the information entails. This will hopefully be presented as a list of storage platforms and the types of information that each system can handle.

Who is entitled to sign a data processing agreement (DPA)?

The right to sign DPAs follows the order of delegation within your department or equivalent.

Do existing data processing agreements (DPAs) need to be updated according to the new requirements of the GDPR?

No. Existing DPAs that were established before the GDPR came into force, in accordance with the previous data protection rules, do not need to be updated. However, if you need to establish a new DPA or update an existing one, the new GDPR-adjusted template for DPAs should be used.

Do we need to update our consents in ongoing research studies?

No. In many cases it is difficult, if not impossible, to contact the data subjects for an updated consent. Updating consents for an ongoing research project can also negatively impact the research. If consent has been obtained in accordance with the previous data protection rules (the Personal Data Act, PuL), new consent does not need to be obtained from the data subject. However, if you need to collect new consent for a new study, the forms must be adjusted and aligned with the requirements of the GDPR.

MG
Content reviewer:
Märta Philp
06-11-2023