Frequently asked questions on data protection

Last changed: 11 January 2024

Answers to some frequently asked questions on data protection.

What is personal data?

Personal data is any kind of information that can be linked to an individual, directly or indirectly. This can include photographs and sound recordings that are processed, even if no names are mentioned. Encrypted data and different electronic identities such as IP number and user accounts count as personal data if it can be linked to an individual.

Information about companies is not personal data. The only exception is for sole proprietor companies, where the company registration number and the owner's personal identity number are the same. For such companies, information about the company also counts as personal data.

What is processing of personal data?

Processing is defined as anything you can do with personal data. Examples of processing are collection, registration, storing, handling and dissemination.

When do I have to comply with the rules on processing?

As soon as you process personal data on behalf of SLU, in an automated or partly automated way.

What about SLU students?

The data protection regulation applies to processing carried out by SLU students, if the purpose of the processing has been decided by SLU. This is above all the case when it comes to surveys.

How do I report processing of personal data?

Fill in the form to report processing of personal data.

I keep lists of contact details for those who subscribe to our newsletter, is that allowed? Do I need their consent?

You can keep contact details for your subscribers. According to Section 6 of the Government Agencies and Institutes Ordinance and Chapter 1 Section 2 of the Higher Education Act, higher education institutions are obligated to provide information about their activities. Newsletters is one way of doing this.

As we are obliged by law to inform about our activities, the newsletters are a way of fulfilling a task of public interest and we do not need the consent of the data subjects. However, it must always be possible so cancel a subscription to a newsletter in an easy way. If someone does not want information from SLU, they should not be getting it.

When someone has signed up for a newsletter, we must inform them about how we process their personal data for that purpose. The easiest way of doing this is place a clearly visible link to in your newsletter.

If we advertise products or services in the newsletter, the Marketing Practices Act applies, which means the subscriber must consent in advance to the marketing.

I keep lists of contact details for my work contacts, both in-house and external ones. Is that ok?

Yes, you can keep contact details. As long as contacts with these people are necessary for your work tasks, you can process their personal data.

Do I need to report all my lists and Excel sheets?

No, that is not necessary. The important thing is not the actual document or file, but what you do with the data they contain. In many cases, what you do is part of processing done by your department/division as a whole. Reporting processing is above all important when you plan new activities, or process personal data in a unique way.

Can we demand that students have their cameras on during components that are not compulsory?

No, we cannot as it does not constitute necessary processing.

Can we demand that students have their cameras on during compulsory components?

Yes, but only if it is necessary to assess participation.

Is this affected by whether the component is recorded or not and if it is, if students can be seen/heard (normally not the case when we record)?

Recording is a separate question from camera on or off. The main principle is that there should be no recording of students. If it is only possible to record all participants and not only the host of a meeting, recording is in principle not allowed.


Do I need consent from everyone I'm in contact with?

No. As a public authority, SLU will rarely use consent to process personal data. This is because when we process personal data, it is often because we have a legal obligation to do so. If this is the case, consent should not be used as the legal basis for processing. Read more about legal bases in the data protection manual.