Why should I report my personal data processing?
According to GDPR, the University is to keep a register of such processing of personal data that takes place wholly or partially automated.
Who is to report personal data processing and does all personal data processing have to be reported?
The University has listed the personal data processing normally foreseeable in its operations at an overall level in the register for personal data processing. Special notification is required in the following situations:
- Each research project in which personal data are processed is to be reported by the responsible researcher.
- Personal data processing in IT systems is to be reported by the system owner.
Registries also are to be held when Umeå University is the personal data processor. Those responsible at Umeå University for the contractual relationship in which processing occurs are to report such processing.
The term IT systems also covers IT services and external cloud services. Only processing of personal data that is fully or partially automated has to be reported.
Examples of fully or partially automated processing are:
- Processing of personal data by computers and IT systems and transfer of personal data to digital format, such as when processing personal data in a searchable register or database or transferring personal data from manual surveys to a database.
- Digital audio and video recordings.
- Personal data are processed and stored digitally, for example in a Word document, Excel document or PDF format.
You do not need to give notice of the end of the personal data processing, but you are to report when it is expected to end. If there is any change in the information you have provided regarding your personal data processing, you can submit updated information. Send and email to pulo@umu.se to receive a special form for this.
As an employee, if you only process personal data within an IT system in a predictable manner with regard to the University's operations, you do not need to report the processing of personal data, but the system owner is responsible for reporting the IT system.
You also do not need to report personal data processing in education and administration if the processing takes place in a predictable manner.
Student assignments do not need to be reported separately; such a report has already been made for all student assignments jointly.
If you are unsure whether to report your processing of personal data, you should contact the Legal Affairs Office via pulo@umu.se to determine whether your processing is to be reported.
How are personal data processing operations reported?
Before reporting your processing of personal data you should read the information on this page as well as checklista inför start av forskningsprojekt (in Swedish) and personal data processing in research if you are going to process personal data in a research project.
You report your personal data processing through this form (the form is in Swedish but your answers can be in English). Since the form cannot be saved while it is completed you are advised to read through the entire form before starting to complete it so that you have all necessary information ready.
The form works best if you use the Chrome browser. Your report is registered in the university's central registry system W3D3.
If you have any questions regarding your report or any other questions regarding personal data management you are welcome to contact pulo@umu.se.
When should my personal data processing be reported?
Before you start a research project, provide an IT system, or start performing tasks as a data processor that require fully or partially automated processing of personal data, you are to notify the data protection officer of such processing.
If, for any reason, you have not reported ongoing personal data processing, you need to submit your notification as soon as possible. If you are unsure whether your ongoing personal data processing has been reported, you can contact the data protection officers at pulo@umu.se.
What happens after my report?
Your report is entered in a register of personal data processing at Umeå University.