Register processing of personal data

Last changed: 19 June 2024

As data controller, SLU must be able to demonstrate that we process personal data in a manner that complies with the General Data Protection Regulation (GDPR). This means we need to keep records of all our processing operations, describing how the processing is carried out.

Responsibilities and types of processing

Four different types of processing can be registered. For each type, someone is designated as responsible for registering the processing. This does not mean that the person responsible is the person who has to register. However, those responsible must ensure that all staff at the department/division/unit  know that registration is a requirement. The person responsible is also responsible for ensuring that the annual audit is carried out.

System

The maintenance manager of a system is responsible for registering it. ‘System’ means an IT system that stores or otherwise processes personal data. A system may have several purposes and all purposes must be stated when registering.

Other processing

Processing that does not take place solely in an IT system must be registered as the type 'Other processing'. Examples of other processing include processing that takes place by storing personal data in restricted folders. Heads of department, heads of unit or administrative managers at the departments are responsible for ensuring that this type of processing is registered.

Research projects

Heads of department are responsible for ensuring that research projects are registered. If a research project, at any stage, processes the personal data of research subjects, it must be registered even if the final result does not contain personal data. For example, work that includes contact details of research subjects for conducting interviews must be registered. On the other hand, projects that only contain contact details of research partners/organisations should not be registered.

Independent projects

Supervisors of independent projects (degree projects) are responsible for ensuring that these projects are registered if, at any stage, they involve processing personal data. This applies even if the final result does not contain personal data. For example, processing that involves contact details for conducting interviews must be registered.

Register new processing or view registered processing 

Fields on the registration form marked with * are mandatory. The registration form is only available in Swedish - ask a colleague for help if necessary.

Register new processing of personal data

View registered processing of personal data

 

Processing you do not need to register

Some of the processing you do is likely part of more comprehensive processing which has already been registered. This is above all the case for processing that concerns

  • human resources
  • financial administration
  • newsletters
  • student administration, grades etc.
  • supporting documents for conferences and events
  • skills supply
  • scholarships
  • contact details for staff
  • contact details for professional networks.

If you are not sure whether you need to register a processing activity, you should always register it to be on the safe side. You can find more information on the frequently asked questions page.

Sensitive personal data

Sensitive personal data is data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.