Checklist how to inform datasubjects while collecting personal data
Checklist and instructions
Örebro University is responsible when our students process personal data within the framework of their studies. As a student at the university, you must state how you intend to use the collected personal data in your work, for example, on your thesis. It applies as long as the data subject has not, for some reason, been provided with information previously; in that case, it should be investigated and documented if this exception is used.
For who
This checklist is for students planning to use personal data in their thesis or projects. The checklist aims to help you produce the information you must provide to the person(s) in question, referred to as “the data subject”, under the GDPR.
It is not sufficient to claim that “I will follow the legal rules regarding the processing of personal data” or similar; information needs to be provided in full when collecting personal data. The information needs to be concise, clear and in plain words, and adapted to the data subject. The data subject also has the right to receive the information orally, if preferred.
Checklist structure
Whether you obtain information directly from a data subject or if you obtain it in another way, the information you must provide to the data subject differs. Directly obtaining information may refer to, via an interview or survey, when registering an account, at a photo opportunity etc. Obtaining information in other ways may refer to collecting grades from databases, cross-referencing addresses against the national registry, collecting information from patient journals etc.
- Joint information, always to be provided – plus information according to below.
- Rules for providing information if personal data are collected from the data subject.
- Rules for providing information if personal data are obtained but not from the data subject.
Instructions explanation
Text written in italics is an explanation or example for that section. You may change the order of the information, its composition and so forth as desired, but ensure not to miss a section. It is also important to use correct and readable language.
Who to contact with questions
Questions regarding the checklist, what they cover and what has been excluded can be brought up with your supervisor or course coordinator or your department’s data protection coordinator.
Joint information
Basic information to be included:
- The data controller’s name and contact details and, when possible, a natural person who can represent the controller.
Örebro University is usually the data controller. However, always confirm that is the case. Sometimes, like in a joint venture, there may be multiple controllers, and our responsibility is collecting information as part of an assignment etc.
A natural person should be responsible, for instance, the student’s course coordinator. - The data protection officer’s name and contact details, email address and phone number.
Check Örebro University’s homepage for information on who is the data protection officer. - The reason for the intended processing of personal data and its legal ground.
When it comes to student projects, consent is the main “go-to” for processing. Describe the intended use briefly in a way that makes the processing of personal data understandable for the data subject. If you are unsure which rules apply, speak with your supervisor or course coordinator. They can contact the legal staff at the Office of Academic Policy or the data protection officer for advice. - Who will get access to or what functions will use the personal data.
Whether only you as a student or perhaps others, like your supervisor or course coordinator, have access or will use the personal data. - If the personal data might be transferred to a country outside of the EU/EES or to an international organisation, it must be clearly stated along with the basis for the transfer.
Note: Publishing on the web does not necessarily constitute a transfer to a third country. However, if published in social media or collecting or using data in a cloud-based service, this is often a transfer that needs to be stated. As it is complicated, it is advisable to seek support from your supervisor or course coordinator in these matters. They can contact the legal staff at the Office of Academic Policy or the data protection officer for advice concerning transfers to third countries.
Information to ensure fair and transparent processing
- The period for which the personal data will be kept, or if this is not possible to state, the factors controlling the length of storage.
For example, the length of the student project or if it is intended to be reused in another project or thesis. If uncertain, discuss it with your supervisor or course coordinator. They can contact the archivist at the Office of Academic Policy for advice. - The right of access to and, when so applies, to get personal data regarding the data subject corrected, erased or restricted in use or object to the processing. If applicable, you must provide information about the right to data portability (easy transferral of information)
Data portability could come into question if, for example, developing a service app. Data portability rights exist so that individuals may easily switch, for example, banks and insurance companies. - If the processing of personal data is based upon consent, you must provide information on the right to withdraw their consent at any given time and how to do this. You must provide information that withdrawing consent does not affect the lawfulness of processing made before the withdrawal.
Information gathered with consent before a withdrawal may continue to be processed. However, you may not collect new information. - The data subject must be informed that they have the right to complain about the processing of their personal data. They may register their complaint either to the data protection officer at Örebro University or directly to the Swedish Authority for Privacy Protection.
- If personal data is a legal or contractual requirement or necessary to enter into a contract, you must provide information about this. The same applies if it is required to provide the data and the possible consequences of not doing so.
For example, if you create an order form within the framework of a student project and specific information is required to finalise an agreement, it must be clearly stated.
Processing for other reasons
If the personal data is intended to be used for other purposes than when collected, the data subject must be informed along with other relevant information mentioned in the fair and transparent processing section.
In addition, information from either 1 or 2 below.
- Rules for providing information if personal data are collected from the data subject
The data subject is to be informed WHEN personal data is being collected, not afterwards. You must provide information before beginning a photoshoot, a test session or an interview. - Rules for providing information if personal data are obtained but not from the data subject
Possible exceptions from the obligation to inform
IF you use an exception, make sure to document it together with at least a short description of why information is not needed.
- If it is impossible to provide the data subject with the information stated by this checklist or “would involve disproportionate effort” regarding data processing for archiving purposes, research and statistical purposes.
The data controller decides what is deemed a “disproportionate effort”. However, practices will emerge once the supervisory authorities have begun their work. - If providing the basic information in the checklist would make it “impossible or seriously impair” achieving the purpose of using the processed data.
For example, a students’ thesis would be impossible to complete.
In the situations mentioned above, Örebro University shall take “appropriate measures” to protect the rights and freedoms of the data subject, including but not limited to making the information publicly available. It could involve publishing information about the planned processing in newspapers, on websites etc. Discuss this matter with your supervisor or course coordinator, who may contact your department’s data protection coordinator for more support.
If no exception exists, you must provide the data subject with the information in part one, stipulating what personal data will be collected and how it will be used.
Appropriate timeframe for information
The timeframe for providing information depends on the situation:
- Within a reasonable time after obtaining the personal data, but no later than one month. In determining what is “reasonable”, consideration may be given to exceptional circumstances regarding how the personal data is used.
- If the personal data collected is to be used to contact the data subject, the information shall be given, at the latest, at the first point of contact.
- If it is possible to foresee a disclosure of personal data to other recipients, the information about this needs to be given, at the latest, when the data are first disclosed.