GDPR and ethical review glossary

This is a glossary where you find definitions of key terms in GDPR and the Swedish ethical review legislation.

GDPR glossary


anonymization

In Swedish: anonymisering

Rendering personal data anonymous in such a manner that the data subject is not or no longer identifiable. When a person cannot be re-identified the data is no longer considered personal data and the GDPR does not apply for further use.


compliance

In Swedish: regelefterlevnad

Compliance with GDPR means that an organization that falls within the scope of the GDPR meets the requirements for properly handling personal data as defined in the law.


data controller

In Swedish: personuppgiftsansvarig

The organization (for example a limited company, foundation, association or authority) that determines for what purposes the personal data is processed and how it is processed.

data erasure / retention

In Swedish: gallring av data

Data retention rules in the GDPR require that any personal data collected or processed be kept only for as long as the data are required to achieve the purpose for which the information was collected, although there are exceptions, for example scientific or historical research.

data subject

In Swedish: registrerad

Any person that can be identified using an identifier, either directly or indirectly. Identifiers can comprise a name, an ID number, location data, or factors specific to the person’s physical, physiological, genetic, mental, economic, cultural, or social identity.

data processing agreement

In Swedish: personuppgiftsbiträdesavtal (PuBA)

A data processing agreement (DPA) is a legally binding contract that states the rights and obligations of each party concerning the protection of personal data. Article 28 (3) states: Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. […]

data protection officer

In Swedish: personuppgiftsombud / dataskyddsombud

An organization that processes personal data is in certain cases required to designate a data protection officer (DPO). The role of the DPO is to check that the GDPR is complied with within the organization by means of, for example, conducting checks and providing information.

direct and indirect personal data

In Swedish: direkta och indirekta personuppgifter

Personally identifiable information (PII) refers to data that can be used to identify, locate, or contact individuals or establishments, or reveal the characteristics or other details about them. PII might consist of direct identifiers, such as the name, social security number or other information that is unique to an individual, or indirect identifiers. Indirect identifiers include uncommon race, ethnicity, extreme age, unusual occupation and other details. Combined with other information, such as state or county of residence, or information available through other sources such as professional directories, direct or indirect identifiers can disclose a respondent’s identity.

extract from the register

In Swedish: registerutdrag

The right of an individual to request an extract from a register from a municipality, authority or company. This register extract shows what information the organization has saved about the individual.

GDPR (General Data Protection Regulation)

In Swedish: Dataskyddsförordningen

Regulation within the EU regarding processing of personal data. According to the GDPR, there has to be a clearly specified purpose for the processing, the processing must be necessary for the purpose and there must be a lawful basis for the processing. All personal data must be protected using technical and other measures.

genetic data

In Swedish: genetiska uppgifter

Article 4 (13): ‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.

Recital 34: “Genetic data should be defined as personal data relating to the inherited or acquired genetic characteristics of a natural person which result from the analysis of a biological sample from the natural person in question, in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis, or from the analysis of another element enabling equivalent information to be obtained.”

information security

In Swedish: informationssäkerhet

Personal data processing must be protected by technical and other measures, depending on the consequences that a loss of information, for example, would have. Information classification is one method that can be used to determine what level of protection is necessary and sufficient.

lawful basis

In Swedish: rättslig grund

Each instance of personal data processing needs to be based on only one of the six lawful grounds defined in the GDPR (see below).

  1. consent (In Swedish: samtycke)
    The data subject has consented to the personal data processing. Such consent is valid only if the data subject has been given adequate information about the research before consenting to it (“informed consent”). Their consent must always be documented. Article 4 (11).

  2. contract (In Swedish: avtal med den registrerade)
    The data subject has a contract or is to enter into a contract with the data controller.

  3. legal obligation (In Swedish: rättslig förpliktelse)
    There are laws and rules that oblige the data controller to process certain personal data in its activities.

  4. protection of vital interests (In Swedish: skydda grundläggande intressen)
    The data controller must process personal data in order to protect a data subject who cannot give their consent, for example if they are unconscious.

  5. public interest (In Swedish: myndighetsutövning och uppgifter av allmänt intresse)
    The data controller must process personal data in order to carry out its duties as an authority or to carry out a task in the public interest. Article 6.

  6. legitimate interests (In Swedish: intresseavvägning; sometimes “berättigat intresse”)
    The data controller may process personal data without the data subject’s consent if the data controller’s interests outweigh those of the data subject and if the processing is necessary for the purpose in question. Note that Swedish authorities are not allowed to use legitimate interests as a legal basis for processing of personal data in order to carry out their tasks. The reason for this exception is that Swedish authorities are only allowed to process personal data in accordance with Swedish law.

personal data

In Swedish: personuppgift

Any information relating to an identified or identifiable person (a person who can be identified, directly or indirectly), e.g. a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

personal data breach

In Swedish: personuppgiftsincident

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

processing of personal data

In Swedish: personuppgiftsbehandling

Anything done with personal data, e.g. collection, recording, storage, adaptation, dissemination.


data processor

In Swedish: personuppgiftsbiträde

An entity that processes personal data on behalf of a data controller.


pseudonymization

In Swedish: pseudonymisering av personuppgifter

The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

public authority

In Swedish: myndighet

Any authority which has a legal mandate to govern or administer a part or aspect of public life, such as all branches of the executive power of a state, province, municipality etc.

research subject information

In Swedish: forskningspersonsinformation

The information that is given to a research participant before he or she consents to participate in the research project.

rights of data subjects

In Swedish: registrerades rättigheter

The GDPR provides data subjects with certain rights. In brief, data subjects must be given control over their own data by receiving information about if, when and how their personal data are processed. The GDPR strengthens these rights compared with the Swedish Personal Data Act. In certain cases, data subjects have the right to have their data rectified, erased or blocked. They can also receive their personal data or transfer them to another controller.

security of processing

In Swedish: säkerhet i samband med behandlingen

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

sensitive personal data

In Swedish: känslig personuppgift

Racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation, genetic data, biometric data that uniquely identify a person.

transfer of personal data to a third country

In Swedish: överföring av personuppgifter till tredje land

Personal data is made available to someone outside the EU/EEA.

Ethical review glossary

ethical approval

In Swedish: etikgodkännande

If special category data, or sensitive personal data, is going to be processed in a research project in Sweden, an ethical approval from the Swedish Ethical Review Authority is required.

renewal of ethical permit

In Swedish: ansökan om ändring av etiktillstånd

Renewal of an ethical permit has to be done if, e.g., data will be used for a purpose other than that stated in the original application.

Swedish ethical review act

In Swedish: Etikprövningslagen; formally Lag (2003:460) om etikprövning av forskning som avser människor

The Swedish act concerning the Ethical Review of Research Involving Humans (2003:460).