Personal data management

On these pages you will find information about the processing of personal data and what you need to consider when handling personal data.

The General Data Protection Regulation (GDPR) is the common legislation within the European Union (EU) that regulates how personal data may be processed. The overall purpose of GDPR is to ensure and strengthen the individual's right to privacy, which places demands on anyone who processes personal data.

What is your responsibility as an employee? 

As an individual employee, you need to handle personal data correctly and know the rules that apply to your specific duties. Among other things, you need to know:

  • the basics and principles of personal data processing;
  • what a personal data breach is and how to report it;
  • what information needs to be provided to the data subjects; and
  • the requirement to notify certain processing operations to the University register for personal data processing.

For those who work only in a system that uses personal data, it is important to know what applies, but you do not need to know the same level of detail as the system operator or the system owner.


What is a personal data breach?

Reporting a personal data breach

A personal data breach is a security incident involving personal data. For example, personal data may have

  • been destroyed or altered;
  • been lost; or
  • fallen into the wrong hands.

It does not matter whether the incident has happened unintentionally or on purpose; it is a personal data breach regardless.

A personal data breach can involve a hacker attack in which personal data from a system is stolen, for example. It could also involve something as simple as someone losing a mobile phone, internal staff who are not authorised to see personal data being given access to such data, or an email containing personal data being sent to the wrong person.

A personal data breach may pose risks to the person whose personal data are involved and may need to be reported to the Swedish Authority for Privacy Protection within 72 hours of its discovery. This underscores the importance of reporting a personal data breach as soon as it is detected.

Want to know more about GDPR?

In our FAQ, you can read basic information about GDPR.

These pages also contain detailed information:

For researchers, there is a checklist to use before starting a research project that guides you in handling personal data, among other things.

The Legal Affairs Office regularly holds training sessions focusing on GDPR. If you have any special concerns, you are always welcome to contact us.

Contact information

Data Protection Officer

Marit Juselius

Tobias Nyström

Email to

Report personal data breaches to

Checklist for research projects

Internal Education and network

Legal Affairs Office