Instructions for the template ‘Information to data subjects’

Last changed: 02 December 2024

On this page, you will find instructions for how to fill in the template used for informing data subjects.

Who is this instruction for?

This instruction is for staff and students at SLU. It is intended to help you compile the information you need to provide when you process personal data.

It is not sufficient to only include a statement such as “SLU complies with the
legislation in force concerning personal data”. You must provide more detailed
information when you collect the data.

The recipient is the person(s) whose personal data you will be using; in these
instructions, this is the data subject. Make sure that the information you provide is clear and concise, and suited to the person who will be reading it.

The data subjects also have the right to request this information orally if they prefer.

How do you collect personal data?

If you collect  personal data directly from the data subjects, read instruction A. This is the case if you are doing an interview or a survey, when someone registers an account or has their photo taken as part of your study.

If you collect personal data in another way than directly from the data subject, read instruction B. This is the case if you export grades from databases, check addresses against the population register or extract patient data from medical records.

How to read this document

The different sections follow the order in which they appear in the legal act.

You can rearrange the sections, or combine sections, but take care not to forget any of the sections that need to be included.

Under some of the headings you will see this text:
The following text must ALWAYS be included:”

This is to make sure you do not forget to include important information, e.g. that the personal data will be processed according to the regulations on official documents. If you want to rephrase this that is ok, but make sure you include this information.

Questions?

If you have any questions about these instructions, please contact dataskydd@slu.se.

Instruction A

Information to provide if you collect personal data directly from the data subject

SLU is obligated to inform the data subject of how we will use the personal data we collect. The recipient of this information is the person(s) whose personal data you will be using; the “data subject”.

This obligation only applies if the data subject does not already know this, e.g. because they have received this information at an earlier stage (this must be documented for the exception to apply).

You must inform the data subject before the personal data is collected. You cannot collect the data first and then inform the data subject. This means that you must inform the data subject before interviewing or photographing them.

Basic information

1. Data controller

You must provide information on the following:

  • name of the data controller;
  • contact details for the data controller;
  • the physical person who represents the data controller.

In most cases, the data controller will be SLU, but you should check this to make sure. If it is a collaborative project with several data controllers involved, someone else may be the controller responsible, and SLU collects the data as part of an assignment.

If a physical person is representing the data controller, this should be someone responsible for e.g. a system or a research project.

2. Data protection officer

You must provide the name, email and phone number of the data protection officer. Information on the SLU data protection officer can be found on the SLU web.

3. Purpose of the processing and legal basis

You must also inform the data subject of the purpose of the processing and what the legal basis is.

At SLU, this could e.g. be a task of public interest such as research, or the exercise of public authority. Give a brief description of how the data will be used, in a way that makes it clear to the data subject how it will be processed. If you are uncertain of what the legal basis is, contact the data protection officer.

The following text must ALWAYS be included:

SLU is a public authority and is obligated to comply with the regulations for official documents, the archives of public authorities and public statistics. Consequently, SLU will also process your personal data as required for SLU to comply with the applicable regulations.

4. Who will have access to the personal data

You must provide information on who will be able to access the data or the
functions that will be using it.

This could e.g. be researchers within a project, everyone at the Division of Human Resources and the Division of Financial Administration, participants in any collaborative projects with other public authorities or private actors.

The following text must ALWAYS be included:

In accordance with the regulations on public documents, SLU may disclose your personal data to anyone who requests a public document that includes your data. This is provided that the data is not subject to non-disclosure.

5. Transferring personal data to a non-EU/EEA country

If the personal data will be transferred to a non-EU/EEA country, or an
international organisation, you must inform the data subject of this. You must also contact dataskydd@slu.se to ensure that there is a legal
basis for transferring the data.

NB. Publishing something on the web does not necessarily constitute a transfer to a non-EU/EEA country. However, posting data on social media often involves the kind of transfer you must inform the data subject of.
Contact dataskydd@slu.se for advice on transferring data to
non-EU/EEA countries and international organisations.

Information to ensure fair and transparent processing

1. Storage time

You must inform the data subject of how long their data will be stored by the
controller, or, if that is not possible, what criteria will be used to determine how long it will be stored.

This could be the length of the research project, archival legislation, other
legislation or a collective bargaining agreement. Check the document management plan.

If you are unsure, contact the Archives, Information Governance and Records Unit for advice.

The following text must ALWAYS be included:

Your personal data will also be stored for as long as required by the Public
Access to Information Act and the regulations on the archives of public
authorities.

2. Rights of the data subject

You must inform the data subject of their right to access their personal data and, when possible, have it rectified or deleted, limit the processing of it or object to the processing. You must also inform the data subject of the right to data portability, meaning that it should be easy to transfer their data to a different system.

Many aspects are governed by other legislation. For example, requesting
rectification of data in a research project is difficult, and if documents have been archived it is not possible at all, legally or practically. Data portability is rarely applicable in SLU operations, but are primarily intended to make it easier for consumers to change their bank or insurance company.

Withdrawing consent

If the use of personal data is based on consent, you must inform the data subject of their right to withdraw this consent and how to do this. You must also let them know that withdrawing consent does not affect the use of personal data that has already been collected – any processing of that data is still legal.

This means you can continue to use information collected based on consent, up till when the consent is withdrawn. You must not, however, collect new data.

Filing a complaint

You must inform the data subject of their right to file a complaint regarding the use of their data. Such a complaint can be submitted either to the SLU data protection officer or directly to the supervisory authority, the Swedish Authority for Privacy Protection. You can use the text below.

Comments

If you have any comments on the processing of personal data at SLU, contact
dataskydd@slu.se, 018-67 20 90.

If you are not happy with the answer provided by SLU, you can take your
complaint to the Swedish Authority for Privacy Protection,
imy@imy.se or 08-657 61 00.

Read more about the Swedish Authority for Privacy Protection.

Legal obligation to provide personal data

If personal data must be submitted because a legal act or an agreement requires it, you must inform the data subject of this. This also applies if someone is obliged to submit the data and not doing so will have consequences.

This will usually only apply to the university administration.

Automated decision-making

If any automated decision-making takes place based on the personal data
submitted, you must inform the data subject of this. One example of automated decision-making is the weighting of merits for admission to a degree programme.

You must also explain, at least briefly, what the logic behind the decision is, what automated decision-making involves and its foreseeable consequences.
This will usually only apply to the university administration.

3. Other purposed

If SLU intends to use the personal data for another purpose than that for which it was originally collected, you must inform the data subject of this. This must be done before the data is used for the new purpose. You must also provide any other information that is relevant according to the section on securing fair and transparent processing.

Instruction B

Information n to provide if you collect personal data from a source other than the data subject

SLU is obligated to provide information on how we will use the personal data we collect. This also applies when we collect data from another organisation, or when we use data we already have access to elsewhere, for example in Ladok or NyA. It is the person(s) whose personal data you will be using, the “data subject”, that should be informed.

This obligation only applies if the data subject does not already know this, e.g. because they have received this information at an earlier stage (this must be documented for the exception to apply).

There are some exemptions from the duty to inform – see below.

Exemptions from the duty to inform

If any of these exemptions are used, make sure to document it together with a brief justification.

1. For example, if it is not possible to give the information listed in this
instruction, or if it would involve a disproportionate effort. This may be the case primarily when personal data is used for archiving, research and statistics.

What constitutes a disproportionate effort is decided by the data controller, but once the supervisory authority starts carrying out its reviews, a best practice will be established.

2. If providing the basic information is likely to make it impossible or significantly more difficult to fulfil the purpose of the processing, this would likely be defined as disproportionate effort.

Another example is if it would make it impossible to carry out a research project.

In such cases, SLU must instead take “appropriate measures” to protect the rights, freedoms and legitimate interests of the data subject. You are welcome to discuss this with the data controller.

3. Yet another example is if, according to law, we must register or disclose data and this processing has appropriate measures in place for protecting the legitimate interests of the data subject.

A typical example of this is Ladok – registering data there is a legal requirement.

4. Or, it could be that personal data needs to remain confidential due to a legal obligation of secrecy, for example in the case of issues related to national security.

When must the data subject receive this information?

If no exemption is applicable, SLU is obligated to provide the information
contained in this instruction. This is to be done at different points in time,
depending on the situation:

  • Within a reasonable time after receiving the personal data, but at the latest within one month. When assessing what is reasonable, any special circumstances relating to the processing may be taken into account.

  • If the personal data will be used to contact the data subject, the information must be given no later than when the data subject is first contacted.

  • If it is likely that the data will be disclosed to another recipient, the information must be given no later than when the data is disclosed for the first time.

Basic information

1. Data controller

You must provide information on the following:

  • name of the data controller
  • contact details for the data controller
  • the physical person who represents the data controller.

In most cases, the data controller will be SLU, but you should check this to make sure. If it is a collaborative project with several data controllers involved, someone else may be the controller responsible, and SLU collects the data as part of an assignment.

If a physical person is representing the data controller, this should be
someone responsible for e.g. a system or a research project.

2. Data protection officer

You must provide the name, email and phone number of the data protection officer. Information on the SLU data protection officer can be found on the SLU web.

3. Purpose of the processing and legal basis

You must also inform the data subject of the purpose of the processing and what the legal basis is.

At SLU, this could e.g. be a task of public interest such as research, or the exercise of public authority.

Give a brief description of how the data will be used, in a way that makes it clear to the data subject how it will be processed. If you are uncertain of what the legal basis is, contact dataskydd@slu.se.

The following text must ALWAYS be included:

SLU is a public authority and is obligated to comply with the regulations for official documents, the archives of public authorities and public statistics. Consequently, SLU will also process your personal data as required for SLU to comply with the applicable regulations.

4. What personal data will be collected

State the data that will be collected, such as personal identity number, name or email address.

5. Who will have access to the personal data

You must provide information on who will be able to access the data or the
functions that will be using it.

This could e.g. be researchers within a project, everyone at the Division of Human Resources and the Division of Financial Administration, participants in any collaborative projects with other public authorities or private actors.

The following text must ALWAYS be included:

In accordance with the regulations on public documents, SLU may disclose your personal data to anyone who requests a public document that includes your data. This is provided that the data is not subject to non-disclosure.

6. Transferring personal data to a non-EU/EEA country

If the personal data will be transferred to a non-EU/EEA country, or an
international organisation, you must inform the data subject of this. You must also contact dataskydd@slu.se to ensure that there is a legal basis for transferring the data.

NB. Publishing something on the web does not necessarily constitute a transfer to a non-EU/EEA country. However, posting data on social media often involves the kind of transfer you must inform the data subject of.

Contact dataskydd@slu.se for advice on transferring data to non-EU/EEA countries and international organisations.

Information to ensure fair and transparent processing

1. Storage

You must inform the data subject of how long their data will be stored by the controller, or, if that is not possible, what criteria will be used to determine how long it will be stored.

This could be the length of the research project, archival legislation, other
legislation or a collective bargaining agreement. Check the document management plan.

If you are unsure, contact the Archives, Information Governance and Records Unit for advice.

The following text must ALWAYS be included:

Your personal data will also be stored for as long as required by the Public
Access to Information Act and the regulations on the archives of public
authorities.

2. Rights of the data subject

You must inform the data subject of their right to access their personal data and, when possible, have it rectified or deleted, limit the processing of it or object to the processing. You must also inform the data subject of the right to data portability, meaning that it should be easy to transfer their data to a different system.

Many aspects are governed by other legislation. For example, requesting
rectification of data in a research project is difficult, and if documents have been archived it is not possible at all, legally or practically. Data portability is rarely applicable in SLU operations, but are primarily intended to make it easier for consumers to change bank or insurance company.

Withdrawing consent

If the use of personal data is based on consent, you must inform the data subject of their right to withdraw this consent and how to do this. You must also let them know that withdrawing consent does not affect the use of personal data that has already been collected – any processing of that data is still legal.

This means you can continue to use information collected based on consent, up till when the consent is withdrawn. You must not, however, collect new data.

Filing a complaint

You must inform the data subject of their right to file a complaint regarding the use of their data. Such a complaint can be submitted either to the SLU data protection officer or directly to the supervisory authority, the Swedish Authority for Privacy Protection. You can use the text below.

Comments

If you have any comments on the processing of personal data at SLU, contact dataskydd@slu.se, 018-67 20 90.

If you are not happy with the answer provided by SLU, you can take your
complaint to the Swedish Authority for Privacy Protection, imy@imy.se or 08-657 61 00.

Read more about the Swedish Authority for Privacy Protection at
https://www.imy.se/other-lang/in-english/.

Source

You must inform the data subject from where the personal data has been collected and whether it comes from a publicly available source.

Examples of publicly available sources are official statistics, data from the Swedish Tax Agency/population register etc.

Automated decision-making

If any automated decision-making takes place based on the personal data
submitted, you must inform the data subject of this. One example of automated decision-making is the weighting of merits for admission to a degree programme. You must also explain, at least briefly, what the logic behind the decision is, what automated decision-making involves and its foreseeable consequences.

This will usually only apply to the university administration.

3. Other purposes

If SLU intends to use the personal data for another purpose than that for which it was originally collected, you must inform the data subject of this. This must be done before the data is used for the new purpose. You must also provide any other information that is relevant according to the section on securing fair and transparent processing.