To be allowed to process personal data, a legal basis is required. Which basis to use at SLU depends on the operation where personal data is processed. We use the following bases:
Task of public interest
The broadest basis is that processing personal data is necessary in order to fulfil a task of public interest. Public interest must be determined according to Swedish law, which means that the task must be defined in a legal act or in a public authority decision supported by a legal act.
As a public authority, most of what SLU does serves a public interest, but processing must be necessary in order to fulfil that interest. You cannot routinely use public interest as a legal basis for processing personal data – the task must be connected to SLU operations and assignments, and it must be regulated in Swedish law.
Therefore, you have to state which matter of public interest will be fulfilled by processing personal data, and which act or decision requires SLU to perform this task.
Exercise of public authority
Processing is also allowed if it is necessary in order to exercise public authority. This basis applies, for example, to the examination of students, approving special learning support and handling matters relating to official documents. That is, to actions you normally associate with public authorities. However, it can also be used for other tasks assigned to SLU as a public authority, such as environmental monitoring and assessment.
Note that it is sufficient if the processing is "part of" the exercise of public authority. The processing does not have to be necessary to make a decision, as processing data to provide decision support can be part of the exercise of public authority.
Another basis often used by public authorities is a legal obligation. This basis means that you are allowed to process personal data if it is necessary to fulfil a duty stated in Swedish legislation.
Examples of such duties in Swedish law include the Ordinance Concerning the Reporting of Higher Education Studies (the Ladok ordinance), which states that SLU must keep a register of students, and the Swedish Accounting Act. Please note that collective agreements can also constitute such a legal obligation.
This assessment includes a part that may be difficult to carry out alone. If you want to use a legal obligation as support when processing personal data, the data subject must be able to foresee the obligation. This means that the data subject must have access to the provision and foresee that it will mean that their personal data will be processed.
So-called register statutes such as the Ladok ordinance are clear enough, as is the act concerning student finance which regulates the operations of the Swedish Board of Student Finance (CSN).
The Higher Education Ordinance is one example of regulations that steer SLU operations but which are not specific enough to be used for this basis.
If you have trouble with this assessment, contact the data protection officer.
Processing personal data is also allowed if it is required to fulfil or enter into an agreement.
Please note that this is only possible when processing personal data between SLU and the data subject. It is not possible to use an agreement as a basis for processing data if the data subjects in question are not connected to the agreement. For example, it is not possible to use an agreement between SLU and Google as a basis for processing a student's personal data, if they are not connected to the agreement.
In certain exceptional cases, we can also use a basis called legitimate interest.
This basis means that we are allowed to process personal data if we have a justified interest, unless the data subject's interest in their personal data not being processed is greater.
As mentioned, this is an exception which requires that processing is not connected to our assignment as a public authority, for example in regard to fundraising. When we use this exception, we must thoroughly assess why our interest is greater than the data subject's.
If you want to use this legal basis, contact the Privacy and Data Protection Function.
Finally, processing personal data is allowed if the data subject gives their consent. It is vital that their consent is given completely freely, i.e. that there will be no negative consequences should they decline.
For example, you can use consent for participation in a non-compulsory conference, but not for participation in a compulsory course. This means that we can only use consent in relation to our students and employees in exceptional cases.
If you cannot use a service without consenting to the processing of your personal data, consent is normally not considered voluntary. In these cases, it is best to use another basis, for example the one regarding agreements above.
Obtained consent must be written and documented. The data subject can revoke their consent at any time. It is rare to use consent for public authority data in relation to students or between employers and employees.