Skip to content

Processing of personal data – for researchers

When initiating a new research project, you need to know how personal data may be processed in research. On this webpage, we’ve collected basic information on requirements and issues when processing personal data in research. Remember that the data controller is always responsible for how and why personal data is processed.

For research, the data controller could be a university, a regional executive board, a municipal committee or another organisation like a company. The data controller is responsible for informing and instructing you on processing personal data in research.

More information about data controllers is found below.

Personal data is any data relating to an identified or identifiable natural person. The crucial factor is whether the data alone or in combination with other data, can be linked to a living person. Here are some examples of personal data:

  • name
  • address
  • personal identity number

The following can also be personal data:

  • photographs
  • audio and video recordings
  • GPS coordinates
  • biometric data, such as information with physical or behavioural characteristics, fingerprints and movement patterns.

Even if a specific data point cannot be linked directly to a person, it might be combined with other data that would make it possible to link the aggregated data to a person. For example, data is personal data if there is a code key that allows someone to be identified.

Personal data

It can be difficult to determine whether a research project will involve the processing of personal data. This is why it is important that the data controller carefully considers questions regarding personal data before beginning a research project.

If personal data is made anonymous in such a way as no one can be directly or indirectly identified, it is referred to as “anonymised”. The General Data Protection Regulation (GDPR), which regulates the processing of personal data, does not regulate anonymised data.

It can be very difficult to anonymise data in a way that that no longer makes them personal data.

Sensitive personal data is data revealing:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • membership in trade unions
  • data concerning health
  • data concerning a person’s sex life or sexual orientation
  • genetic data
  • biometric data for the purpose of uniquely identifying a person.

The general rule is that it is prohibited to process sensitive personal data, but GDPR does allow exceptions. One such exception is if processing is necessary for research purposes. This does require, however, that certain conditions are met.

As with all processing of personal data, as a researcher you should contact the data controller if you plan to process sensitive personal data.

Sensitive personal data

Personal data relating to criminal convictions and offences are not sensitive personal data as defined by GDPR, but there is strong protection for this type of information. Personal data relating to criminal convictions and offences is data about someone having

  • committed a crime
  • been convicted or been found not guilty in a criminal court
  • been the subject of coercive measures in a criminal investigation, such as detention, travel ban or seizure
  • suspected for a specific crime.

In general, only public authorities may process personal data relating to criminal convictions and offences but there are some exceptions. As with all processing of personal data, as a researcher, you should contact the data controller if you plan to process personal data relating to criminal convictions and offences.

Personal data processing is everything done when personal data is processed, such as when personal data is:

  • collected
  • saved
  • shared/released
  • sorted
  • published
  • stored
  • deleted

Collecting personal data can include questionnaires or interview surveys or collecting data from databases.

The General Data Protection Regulation (GDPR) is intended to protect fundamental rights and freedoms, particularly the individual’s right to protection of their personal data. GDPR went into effect throughout the European Union in May 2018 with the aim of creating a consistent and equal level of protection for personal data without impairing the free flow of information within the EU and the EEC.

Fundamentally, GDPR derives from basic human rights. The right to privacy is also protected in several other regulations. The individual’s right to respect for their privacy and family life is regulated in the European Convention for the Protection of Human Rights and Fundamental Freedoms and other regulations.

The EU has also adopted a statute on the fundamental rights that regulate such things as the right of protection for personal data. The Swedish constitution also protects personal privacy.

The purposes and scope of GDPR


Data controller

The data controller is normally the one who determines for what purpose the personal data may be processed and the means of the processing. For example, the data controller can be a company, a foundation, an association or a state, regional or municipal authority.

For research at higher education institutions, the university or university college is most often the data controller and not the manager or the vice-chancellor at the workplace or an employed researcher.

An individual researcher is only in a few cases the data controller, such as if the person conducts research within the framework of an individual company.
All personal data processing must comply with GDPR.

As an individual researcher, you may only process personal data in accordance with the instructions you have received from the data controller. You should always contact the data controller before processing personal data.

Data controllers and data processors

Data protection officer

In some cases, the data controller must appoint a data protection officer. This applies to all public bodies, such as public higher education institutions.

The role of the data protection officer is to provide information on GDPR, provide advice on GDPR and monitor that everyone in the organisation complies with GDPR. For this reason, turn to the data protection officer when questions arise about personal data processing in your research.

Data protection officers

What rules apply and who does what?

General rules on personal data processing are found in GDPR. These are supplemented by regulations in the Data Protection Act and several register regulations that regulate how personal data may be processed in specific types of organisations.

IMY is the supervisory authority as stipulated in GDPR and the Data Protection Act. We are tasked with reviewing and implementing applications of the data protection rules. As such, we are empowered to review how personal data is processed in research.

One example of when we have done so is IMY’s decision on data security and processing of personal data in connection with research.

Decision on data security in connection with research (In Swedish)

Approval is required from the Swedish Ethical Review Authority when sensitive personal data and personal data relating to criminal convictions and offences is processed within research.

Swedish Ethical Review Authority

There are also other regulations to consider within certain types of research, such as the rules on clinical medical trials.

Permission, approval and control from the Swedish Medical Products Agency


About the information on this page

If the information in English is different from the Swedish version of this page, the Swedish version applies.

Latest update: 31 August 2023
Page labels Data protection