Use the brochure for research collaborations
Share the brochure Research collaboration with Umeå University with your collaboration partner so they understand the legal requirements for collaborations.
GDPR regulates how you may process personal data
Processing personal data is regulated in the EU’s General Data Protection Regulation (GDPR). The regulation applies for all EU/EEA Member States and for all personal data processing regardless of context. When research data include personal data that are not covered by confidentiality, you conduct the same assessment regardless of whether the recipient is a public authority or not. The difference in processing depends instead on whether the recipient is located in the EU/EEA or in a country outside this area, known as a third country.
It is usually unproblematic to share research data that contain personal data not classified as secret when your collaborator is located within the EU/EEA.
Read more about what you need to consider when collaborating with different partners
Sharing data with Swedish authorities
What to know before collaborating with other Swedish authorities.
Sharing data with companies and organisations in Sweden
What to know before collaborating with companies and organisations in Sweden.
Sharing data with collaborators in other countries
What to consider when collaborating with a partner abroad.
Research collaboration agreements
When to have an agreement, rights to research results and certificate templates.
Recipients in third countries or international organisations
The level of protection guaranteed by GDPR may not be diminished when sharing research data that include personal data with collaborators in third countries.
The European Commission has a list of countries that are considered to have a sufficiently high level of protection and with which you may share research data that include personal data in the same way as for EU/EEA countries. Before sharing, you must investigate whether there is a decision from the European Commission that the level of protection for personal data is sufficiently high in the country where your partner is located. This is known as an adequacy decision. If there is no such decision, you must take appropriate safeguards that ensure that the personal data are protected at the same level. The most common is for the University to sign a separate standard agreement developed by the EU Commission, which is called Standard Contractual Clauses and is abbreviated SCC.
Note that international organisations should also be treated in the same way as recipients in third countries when sharing research data that include personal data.
Read the European Commission’s list of countries with an adequate level of protection (commission.europa.eu)
Data controller and processor
You need to identify the data controller and processor for the data you intend to share. Collaborators may have their own controller responsibility for their processing or they may share controller responsibility. For research collaborations, it is rare that one party is a personal data processor for the other party.
If the parties have joint responsibility for personal data, this must be documented. There are no procedural requirements, but this can take the form of an agreement or by openly reporting the division of responsibilities, for example by the parties clearly describing their shared personal data management in the informational letter provided to research subjects.
Contact the Central Support Team for Research Data Management for assistance in assessing data responsibilities in your project and if joint data responsibility needs to be documented.
Do you have questions about research data?
The University has a cross-functional team that supports you with research data issues in areas such as archiving, legal affairs, IT support, open data, and information security. You can contact the research data support team using the following form:
Contact the research data support team if you have questions
