Research data and GDPR
What is the GDPR?
The General Data Protection Regulation (GDPR) is an EU regulation that governs all processing of personal data within the EU/EEA. Its purpose is to protect individuals’ fundamental rights and freedoms – particularly their right to privacy – and to ensure a consistent level of data protection across all EU/EEA countries. The regulation came into force in 2018.
Although the GDPR applies uniformly across the EU/EEA, it allows individual countries to introduce additional rules through national legislation. As a result, data protection rules and practices for processing personal data can vary between European countries, which is important to consider in international research collaborations.
One example is the processing of sensitive personal data for research purposes. GDPR requires that “appropriate safeguards” are in place under national law for processing such data but does not specify what those safeguards should be. In Sweden, a key safeguard is the requirement for approval from the Swedish Ethical Review Authority (Etikprövningsmyndigheten) before processing sensitive personal data for research. This is mandated by Swedish law, but other countries may require different safeguards.
When does the GDPR apply?
GDPR applies whenever personal data are processed within the EU/EEA, regardless of where the data originate.
In research, data processing is considered to occur within the organization carrying out the processing. It does not matter where the data were collected – for example, they may have been collected in another country. Similarly, your physical location while you work with the data does not affect whether GDPR applies; the relevant factor is that the processing is carried out by an organization established in the EU/EEA.
What laws govern the processing of personal data for Swedish researchers?
Several laws apply to personal data processing in research, including:
- The General Data Protection Regulation (GDPR), which governs all processing of personal data within the EU/EEA. Processing of personal data in research includes collecting, recording, storing, analyzing, sharing, disclosing, and deleting data.
- The Data Protection Act (SFS 2018:218), which has an unofficial translation, and the Data Protection Ordinance (SFS 2018:219), which complement the GDPR and adapt it to Swedish law.
- The Freedom of the Press Act (SFS 1949:105), which applies as most universities are public authorities, and their data are typically official documents (allmänna handlingar).
- The Public Access to Information and Secrecy Act (SFS 2009:400), which determines whether research data are classified as secret and cannot be disclosed. This legislation also applies to some higher education and research institutions that are not public authorities (see the appendix to the legislation in Swedish).
- The Ethical Review Act (SFS 2003:460), which applies to research involving sensitive personal data and some types of human research.
- The Act on Responsibility for Good Research Practice and the Examination of Research Misconduct (SFS 2019:504), which addresses the responsibility of researchers and research principals to practise integrity and ethical conduct in research.
- The Archives Act (SFS 1990:782), which requires public authorities to preserve official documents, even if they contain personal data.
A note on the translation: Where there is an official English translation of a law, the title links to the translation and the SFS number to the original Swedish legislation; where there is no English translation, the title and SFS number link to the original Swedish legislation.