Navigated to

Sharing data that include personal data

Personal data processing is regulated in the EU’s General Data Protection Regulation (GDPR). The location of the recipient affects how you may share research data containing personal data with your collaborators.


Use the brochure for research collaborations

Share the brochure Research collaboration with Umeå University with your collaboration partner so they understand the legal requirements for collaborations.

GDPR regulates how you may process personal data

Processing personal data is regulated in the EU’s General Data Protection Regulation (GDPR). The regulation applies for all EU/EEA Member States and for all personal data processing regardless of context. When research data include personal data that are not covered by confidentiality, you conduct the same assessment regardless of whether the recipient is a public authority or not. The difference in processing depends instead on whether the recipient is located in the EU/EEA or in a country outside this area, known as a third country.

It is usually unproblematic to share research data that contain personal data not classified as secret when your collaborator is located within the EU/EEA.

Read more about what you need to consider when collaborating with different partners

Illustration, five persons in a circle holding hands

Sharing data with Swedish authorities

What to know before collaborating with other Swedish authorities.

Illustration flow chart

Sharing data with companies and organisations in Sweden

What to know before collaborating with companies and organisations in Sweden.

Illustration, a person thinking about places abroad

Sharing data with collaborators in other countries

What to consider when collaborating with a partner abroad.

A person's hand writing on a paper.

Research collaboration agreements

When to have an agreement, rights to research results and certificate templates.

Recipients in third countries or international organisations

The level of protection guaranteed by GDPR may not be diminished when sharing research data that include personal data with collaborators in third countries.

The European Commission has a list of countries that are considered to have a sufficiently high level of protection and with which you may share research data that include personal data in the same way as for EU/EEA countries. Before sharing, you must investigate whether there is a decision from the European Commission that the level of protection for personal data is sufficiently high in the country where your partner is located. This is known as an adequacy decision. If there is no such decision, you must take appropriate safeguards that ensure that the personal data are protected at the same level. The most common is for the University to sign a separate standard agreement developed by the EU Commission, which is called Standard Contractual Clauses and is abbreviated SCC.

Note that international organisations should also be treated in the same way as recipients in third countries when sharing research data that include personal data. 

Read the European Commission’s list of countries with an adequate level of protection (commission.europa.eu)

Data controller and processor

You need to identify the data controller and processor for the data you intend to share. Collaborators may have their own controller responsibility for their processing or they may share controller responsibility. For research collaborations, it is rare that one party is a personal data processor for the other party.

If the parties have joint responsibility for personal data, this must be documented. There are no procedural requirements, but this can take the form of an agreement or by openly reporting the division of responsibilities, for example by the parties clearly describing their shared personal data management in the informational letter provided to research subjects.

Contact the Central Support Team for Research Data Management for assistance in assessing data responsibilities in your project and if joint data responsibility needs to be documented.

Do you have questions about research data?

The University has a cross-functional team that supports you with research data issues in areas such as archiving, legal affairs, IT support, open data, and information security. You can contact the research data support team using the following form:

Contact the research data support team if you have questions

Latest update: 2025-05-26

Read more about research data and collaborations

Illustration, two hands.

Sharing research data in collaborations

Your collaborators and the data you process impact how you may share data.

Illustration: hand holding an ID card in front of a screen.

Process personal data in research

When processing personal data, you need to meet the GDPR requirements.

Four bits of a circle illustrating the process of managing research data: planning, organising, making accessible and preserving.

Manage research data

Planning, organising, making accessible and preserving research data.