Requirements for processing personal data for research purposes

Anything you do with personal data involves processing that data, such as all forms of collection, storage, analysis, disclosure and erasure. When your research involves processing personal data, there are several basic requirements and laws that you must comply with, in particular the General Data Protection Regulation (GDPR).

Basic requirements for processing personal data

When you need to process personal data for research purposes, certain basic requirements must be met for the processing to be lawful:

Legal basis for processing personal data in research

The legal basis for personal data processing in research at Umeå University is “public interest”, as the University’s task of conducting research is established in the Higher Education Act.

As a general rule, consent under the GDPR cannot be used as a legal basis for personal data processing in research. In cases where the Ethical Review Act requires consent, this must be obtained in accordance with that legal framework.

The processing must be necessary

Personal data processing is permitted if it is necessary for carrying out a task in the public interest, i.e. research. This means that:

  • The personal data collected are needed to achieve the purpose of the research.
  • As a researcher, you need to assess how reasonable the available options are. Your assessment should take into account the time, effort and cost involved, and whether the processing contributes to higher quality and reliability in the research results.
  • If the purpose of the research can be achieved equally well, easily and inexpensively without personal data (for example via anonymised data), the processing cannot be considered necessary, and you may not process the personal data for this purpose.

In addition to the necessity and legal basis for processing personal data, the basic principles of personal data processing apply.

Read more about personal data on Aktum (UMU ID required)

You must notify your personal data processing

All research projects that process personal data must be notified to the Umeå University personal data processing register.

You can find the personal data processing registration link on Aktum (UMU ID required)

You must notify data subjects that you are processing their personal data

The people whose personal data we process are known as data subjects. The GDPR gives data subjects rights that must be respected, such as being notified of their rights and about the processing of their personal data. The notification must also include information about Umeå University’s obligation to store research data for a certain period after the research has been completed. In projects subject to ethical review, you must notify data subjects in accordance with the requirements of both the Ethical Review Act and the GDPR.

Exemptions from the notification obligation

There are some exemptions to the notification obligation in the GDPR, but they should be used restrictively. One exemption is if it would be impossible or a disproportionate effort to notify data subjects.

Examples of situations that may be covered by the exemption

Examples of when it may be considered impossible or a disproportionate effort to notify data subjects:

  • A major hospital requires all patients attending day procedures, longer hospitalisations and doctors’ appointments to fill in a patient information form giving details of two next of kin. Given the very large number of patients who pass through the hospital every day, it would be a disproportionate effort for the hospital to notify all the people who have been identified as next of kin on the forms filled in by patients.
  • History researchers trying to trace family lineages via surnames indirectly obtain a large dataset of 20,000 records. The dataset was collected 50 years ago, has not been updated since then and contains no contact details. Given the size of the dataset and, in particular, the age of the data, it would entail a disproportionate effort for researchers to try to trace each of the data subjects in order to notify them.

Data subjects’ right to request restriction of processing

Data subjects have the right to request the restriction of personal data processing or the erasure of personal data. Archiving requirements mean that in many cases personal data processed for research purposes cannot be erased, despite such requests.

Read more on the data subjects’ rights page on Aktum (UMU-ID required).

Template for information about personal data processing in research

Use the template below to inform data subjects about how their personal data are processed in your research project. Always download the latest version of the template as it may have been updated.

Find Umeå University’s template for informing research participants of personal data processing (in Swedish only)

How to use the template

All information contained in the template needs to be included. The information should be comprehensible, meaning that it should be understandable by the average member of the intended target group. You may therefore need to adapt the language to suit the research participants you have in your research project. If changes are made, please contact the University’s legal officers to avoid removing essential information.

This information should be provided regardless of whether the research project has been ethically reviewed or not.

  • The template as a whole is used for personal data processing in research that does not require ethical review.
  • In ethically reviewed projects, pages 1–2 of the template are attached to the Swedish Ethical Review Authority’s template for research participant information.

You may need to carry out an impact assessment

If you are going to process personal data in your research project in a way that poses a high risk to the privacy of the data subjects, an impact assessment should be carried out before processing begins.

An impact assessment is a process to:

  • find out about the risks of processing personal data;
  • draw up procedures and measures to address these risks; and
  • demonstrate that you fulfil the requirements in the GDPR.

Impact assessments must always be carried out in consultation with the data protection officer (DPO). Contact the DPOs via pulo@umu.se.

Examples of when an impact assessment is needed

You need to conduct an impact assessment if:

  • sensitive personal data are processed on a large scale in your research project;
  • datapoints in registers involving many data subjects are linked or merged in a way that the data subjects could not have expected; or
  • the research project processes personal data on a large scale about people who, for whatever reason, are in a disadvantaged or dependent position and are therefore vulnerable, such as children, employees, asylum seekers, older people and patients.

Agreements sometimes needed

Data processing agreements (DPAs) are needed when someone processes personal data on behalf of the University, such as a supplier. In research collaborations, the parties most often act independently, so the collaboration rarely creates a situation in which one party acts as a personal data processor for another. A DPA is not required in such cases. In most cases, this means that the parties are either separate personal data controllers or joint personal data controllers. If the parties are joint personal data controllers in the research project, this must be documented, for example in an agreement.

Read more about personal data processors on the Personal data management page on Aktum (UMU ID required)

Safeguards

Under the GDPR, all personal data processing must be subject to appropriate safeguards. The safeguards must be determined on the basis of the level of protection needed for the personal data being processed. Use your department or project’s information classification and risk and vulnerability analysis to determine the safeguards you can use to protect research data in your project.

Find out more about information classification, risk and vulnerability analysis, and managing research data with a high protection value:

Plan your data management

Security awareness

Report personal data breaches immediately

A personal data breach may pose risks to the individuals concerned and may need to be notified to the Swedish Authority for Privacy Protection (IMY) within 72 hours of its detection. It is therefore vital that you report personal data breaches as soon as they are detected.

Read more about how to report a personal data breach

Do you have a question?

If you have questions about personal data processing, please contact the legal officers at pulo@umu.se (data protection).

For questions on research data management, please contact the university-wide research data support team.

Contact the research data support team

Latest update: 2025-06-03
