Basic principles and responsibilities for the processing of personal data
This page describes the basic principles and requirements according to the General Data Protection Regulation (GDPR) when processing personal data about employees at Mid Sweden University, including former employees and job applicants, as well as the university's responsibility for documentation and risk assessments.
In order for personal data processing to be lawful, there must first and foremost be a legal basis for the processing.
Legal basis for processing employees' personal data
In order for the processing of personal data to be lawful, it must be supported by one of the legal bases specified in the General Data Protection Regulation.
At Mid Sweden University, the following legal bases are primarily relevant when processing personal data about employees, former employees and job applicants:
Task carried out in the public interest or in the exercise of official authority (Article 6(1)(e))
Since Mid Sweden University is a government agency, a large part of the personnel administration is based on the fact that the processing is necessary to perform a task of public interest or as part of the exercise of public authority. This may concern, for example, employment administration, registration, processing of cases and fulfilment of requirements under higher education legislation.
Legal obligation (Article 6(1)(c))
Processing may be necessary to comply with obligations under law, such as work environment legislation, tax rules, accounting requirements or rules on public documents.
Agreements (Article 6(1)(b))
Certain processing is necessary for the performance of an employment contract or to take steps prior to entering into an agreement, for example in connection with recruitment or payment of salary.
Consent (Article 6(1)(a))
Consent must be used restrictively in employment relationships because there is a position of dependency between employer and employee. This may be relevant in exceptional cases, for example when publishing photographs or other voluntary participation that is not necessary for the employment.
In addition, the processing of sensitive personal data, such as data on health, requires special support under Article 9 of the General Data Protection Regulation.
The legal basis must always be determined before the processing begins and documented in the University's list of personal data processing.
All personal data processing must also comply with the basic principles set out in the General Data Protection Regulation; these principles can be seen as the core of the Regulation. The principles apply to all personal data processing, and it is important that everyone working at MIUN understands and applies them. Furthermore, other principles and provisions in the General Data Protection Regulation and in supplementary legislation must also be complied with.
Lawfulness, fairness and transparency
The personal data must be processed in a lawful, fair and transparent manner in relation to the data subject.
Purpose limitation
The personal data shall be collected for specific purposes and not subsequently processed in a manner that is incompatible with those purposes. That is, you must state why the processing is necessary for the purpose supported by the legal basis. Stating "administration", "research" or "financial system" is not detailed enough, as the data subject cannot make the assessment of what the processing entails.
The basic idea is that the data subject should be able to predict what will happen to their information when you process it. The data may then only be processed for purposes compatible with the purpose for which it was collected.
Archiving, processing for statistical purposes and scientific research purposes are not considered incompatible with the original purpose. For this reason, data from population registers and health care can be used in research, for example.
Data minimisation
The personal data must not be excessive in relation to the purposes for which they are processed. This means that you may only collect data that you know you will use and that is required to fulfil the purpose; once the purpose has been fulfilled, the data must be deleted.
Accuracy
The personal data must be accurate and, if necessary, up-to-date. You are expected to take reasonable steps to ensure that personal data that is inaccurate is erased or corrected without delay.
Storage limitation
Personal data may not be stored in a form that enables identification of the data subject for a longer period than is necessary for the specified purposes. There is an exception here that states that personal data may be stored for longer periods if it is necessary for archiving purposes, statistics or scientific research purposes.
Integrity and confidentiality
The personal data must be processed in a manner that ensures appropriate security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. This can be achieved through both technical measures (e.g. the use of firewalls, encryption, pseudonymisation, backups, anti-virus protection, secure authorisation, etc.) and organisational measures (e.g. internal procedures, instructions, guidelines, separate management, etc.).
Accountability
The controller is responsible for compliance with these principles and must be able to demonstrate that they are complied with and how this is done.
Documentation and list of personal data processing operations
The controller must be able to demonstrate compliance with the basic principles for the processing of personal data. This means, among other things, a requirement to document personal data processing.
Mid Sweden University therefore keeps a list of its personal data processing operations in accordance with Article 30 of the General Data Protection Regulation. The list provides an overview of how personal data is processed within the organisation and contains, among other things, information on the purpose, the categories of personal data, recipients, storage periods and the security measures applied.
The list is an important tool to ensure structure, transparency and compliance in the handling of personal data.
Data protection impact assessment
Where the processing of personal data is likely to entail a high risk to the rights and freedoms of natural persons, a data protection impact assessment must be carried out before the processing begins, in accordance with Article 35 of the GDPR.
An impact assessment means that the planned processing is analysed from a data protection perspective, that risks are identified and assessed, and that appropriate technical and organisational measures are established to reduce or manage the risks. Impact assessments are a key tool to ensure that personal data is processed lawfully and securely, in particular in the case of new or modified processing operations.
More information and templates for needs assessment and impact assessments