The basic principles
The GDPR is based on six basic principles that every controller must follow to ensure correct processing of personal data. The rules set high demands on the processing of personal data, and the sanctions for violating them can be severe. If Uppsala University does not comply with the basic principles of the legislation in its processing of personal data, it will lead to high administrative fines and serious reputational damage for the University. Below you will find information about these basic principles, which must be followed in all personal data processing.
The six basic principles are (they are described in more detail below):
- The principle of lawfulness, fairness and transparency
- The principle of purpose limitation
- The principle of data minimisation
- The principle of accuracy
- The principle of storage limitation, and
- The principle of integrity and confidentiality.
In addition, any processing of personal data must rest on a lawful basis (see below); personal data may only be collected for legitimate purposes that are not too generally framed, and the amount of data must be limited to what is necessary for these purposes. This means that the data may not later be processed in a way that is incompatible with these purposes, nor may it be stored longer than necessary for a specific purpose.
As a starting point, the following requirements must be met in order to comply with the law:
- The processing is necessary (cannot be carried out without the personal data)
- The processing is carried out under a legal basis
- The processing takes into account the general principles (see below in more detail)
- The processing is protected by organisational and technical protective measures.
Anyone who processes personal data must be able to demonstrate that the above is followed, and how. The above must be observed in all processing, and there must be procedures in place to ensure compliance.
Lawfulness, fairness and transparency
Personal data must be processed in a lawful, correct and transparent manner in relation to the data subject.
The requirement that the processing of personal data must be lawful means, among other things, that there must be a legal basis for the processing.
The requirement for correct processing means that the data subjects are made aware of the processing and the details pertaining to it, i.e. that they are informed in accordance with the GDPR.
The requirement for transparency means, among other things, that it must be clear to a data subject how their personal data is collected and otherwise processed. The data subjects must therefore be provided with information about the processing, for example when they request a register extract, and must receive that information in an easily accessible form, formulated in clear and unambiguous language.
Purpose limitation
According to the GDPR, personal data shall only be collected for specific, explicitly stated and legitimate purposes and may not subsequently be processed in a manner that is incompatible with these purposes. The predetermined purposes set the framework for the processing. The purposes must be clear and legitimate and must have been determined at the time the personal data was collected. The determination of purposes cannot be postponed to a later date, and a purpose cannot be added afterwards.
The determined purposes must be documented in writing, and the data subjects must be informed of the purposes both when the data is collected and otherwise when requested. If the personal data collected is later to be processed for other purposes that are incompatible with the original purposes, the data subjects must also be informed of this. Personal data collected may, under certain conditions, be processed for archival purposes in the public interest, scientific or historical research purposes or statistical purposes without being considered incompatible with the original purposes if appropriate safeguards are in place for the rights of the data subjects.
Relevant purposes may also be specified in legislation in certain cases, and the controller must then comply with those rules. However, regardless of whether the purposes are laid down in a statute or not, it is always the controller who is responsible for ensuring, and must be able to demonstrate, that the fundamental principles are followed. It is the controller who is responsible for ensuring that the processing is carried out solely for the specified purposes. In the event of a dispute, it is the controller who has the burden of proof, because it is the controller who primarily determines the purposes.
Data minimisation
The principle of data minimisation means that personal data must be adequate, relevant and not too extensive in relation to the purposes for which it is processed. In other words, it is not allowed to collect personal data for undetermined future needs or as "good to have" data. Collected personal data may also not be processed if, for example, it is so old that it is no longer relevant for the original purposes.
The fact that the personal data should not be too extensive in relation to the purposes for which it is processed means that it should be limited to what is necessary for those purposes. This requires, in particular, ensuring that the period during which personal data is retained is limited to a strict minimum. Collect neither more nor less personal data than is actually necessary in relation to the purpose of the processing, and no irrelevant data.
It must be possible to explain why each item of data is needed to fulfil the purposes of the processing. In practice, this may also mean, for example, that if the controller uses free-text fields, they should issue written instructions on what information is relevant to provide in the field. To ensure that personal data is not stored for longer than necessary, Uppsala University shall set deletion deadlines and carry out regular checks against them.
Accuracy
Personal data must be accurate and kept up to date. Anyone who processes personal data must take all reasonable steps to ensure that inaccurate personal data is erased or corrected without delay. If the purpose requires it, the personal data must also be kept current. This means that the controller needs to be active in ensuring the quality of the personal data and must not wait to act until the data subject exercises his or her right to rectification of, for example, incorrect personal data. The circumstances of each individual case, such as the purposes of the processing, how much personal data is processed and what consequences incorrect information may have for the data subject, are factors to be considered. Whether it is necessary for the data to be updated should be determined with regard to the purposes of the processing.
Storage limitation
Personal data may not be stored in a form that enables identification of data subjects for longer than necessary for the intended purposes. When the personal data is no longer needed for those purposes, it must be deleted or de-identified (100 % anonymised). To ensure that personal data is not retained for longer than necessary, the processor should put in place time limits and procedures for deletion or de-identification.
Collected personal data may, under certain conditions, be stored for a longer period of time for archival purposes in the public interest, scientific or historical research purposes or statistical purposes if there are appropriate safeguards for the rights of the data subjects.
The GDPR also requires the controller to inform the data subjects about, among other things, the period for which the personal data will be stored or, if this is not possible, the criteria used to determine that period. This applies regardless of whether the personal data was obtained from the data subject or from someone else. The same information must also be provided if the data subject requests a register extract.
Integrity and confidentiality
Personal data must be protected, inter alia, against unauthorized or unlawful processing and against accidental loss, destruction or damage. Anyone who processes personal data must therefore utilize appropriate technical and organizational measures to protect it. Personal data must be processed in a manner that ensures appropriate security and confidentiality of the personal data and in a manner that prevents unauthorized access to and use of personal data and the equipment used for the processing.
In this context, integrity is a security principle, which means that personal data should not be altered or destroyed by mistake, whether by an unauthorised person or by the process used.
Confidentiality as a security principle means that the information should not be made available or disclosed to unauthorised persons, whether by a person or through the process. Both concepts are part of general information security.
Accountability
The controller or processor who processes personal data is responsible for compliance with the rules and principles of personal data processing and must be able to demonstrate how they are followed. There are several ways to demonstrate this, for example by providing clear information to the data subjects, documenting the processing that is going on in the organisation and the considerations that have been made, and having documented internal guidelines for data protection (a data protection policy). The Data Protection Officer (DPO) reviews the organisation's compliance with the regulation and the internal guidelines, which is also a way to meet the accountability requirement.