Search

Other search services

Courses and programmes Syllabus Welcome letters Staff Job vacancies

Checklist – basic principles and responsibilities in the processing of personal data

The checklist refers to the processing of personal data about employees at Mid Sweden University.

Determine the purpose

  • Is the purpose specific, clear and documented?
  • Is the processing necessary to achieve the purpose?

Document the purpose in writing.

 Establish a legal basis

  • Which legal basis under Article 6 GDPR supports the processing?
  • If sensitive personal data is processed – what support under Article 9 is available?
  • Has the legal basis been established before the start of the processing?

 Document the legal basis of the list referred to in Article 30.

 Ensure accurate and clear information

  • Have the data subjects been informed about the processing?
  • Is the information easily accessible and understandable?
  • Is it clear the purpose, legal basis, storage period and rights?

Is there a procedure for handling requests for register extracts or corrections?

 Data minimisation and accuracy

  • Is only the data that is necessary processed?
  • Is there a risk that "good to have" data is collected?
  • Is the data up to date and up to date?
  • Are there procedures for correction and updating?
     

Security and risk management

  • Have the risks to the rights and freedoms of data subjects been identified and assessed?
  • Are permissions properly restricted?
  • Are technical protection measures sufficient?
  • Are there organisational protective measures (procedures, instructions, training)?
  • Is a data processing agreement in place if an external party processes data?
  • Is personal data transferred to countries outside the EU/EEA?
  • If yes – is there valid transfer support under Chapter V GDPR?

Storage and thinning

  • Is there a fixed storage period?
  • Is the storage period documented?
  • Are there practical thinning routines?
  • Has consideration been given to the Archives Act and rules on public documents?

Documentation (Accountability)

  • Is the treatment included in the University's list according to Article 30?
  • Are the purposes, categories, beneficiaries and security measures documented?
  • Have important assessments and considerations been documented?
  • Can the business demonstrate compliance with GDPR principles?

Assess Impact Assessment (DPIA) Needs

  • Does the treatment involve systematic monitoring?
  • Is sensitive data processed to a greater extent?
  • Are new technologies used?
  • Can the processing involve a high risk to the rights of the data subject?

Has the DPIA been carried out and documented before the treatment started?

The page was updated 3/19/2026

Content owner:

Digitalization and Services (DOS)