GDPR and ethical review glossary
This glossary defines key terms used in the GDPR and in the Swedish ethical review legislation.
anonymisation
In Swedish: anonymisering
Rendering personal data anonymous in such a manner that the data subject is not or no longer identifiable. When a person cannot be re-identified the data is no longer considered personal data and the GDPR does not apply for further use.
compliance
In Swedish: regelefterlevnad
Compliance with GDPR means that an organization that falls within the scope of the GDPR meets the requirements for properly handling personal data as defined in the law.
data controller
In Swedish: personuppgiftsansvarig
The organization (for example a limited company, foundation, association or authority) that determines for what purposes the personal data is processed and how it is processed.
data erasure / retention
In Swedish: gallring av data
The data retention rules in the GDPR require that personal data which is collected or processed is kept only for as long as it is needed to achieve the purpose for which it was collected, although there are exceptions, for example for scientific or historical research.
data subject
In Swedish: registrerad
Any individual person who can be identified, directly or indirectly, via an identifier such as a name, an ID number, location data, or via factors specific to the person’s physical, physiological, genetic, mental, economic, cultural or social identity.
data processing agreement
In Swedish: personuppgiftsbiträdesavtal (PuBA)
A data processing agreement (DPA) is a legally binding contract that states the rights and obligations of each party concerning the protection of personal data. Article 28 (3) states: Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. […]
data protection officer
In Swedish: personuppgiftsombud / dataskyddsombud
An organization that processes personal data is in certain cases required to designate a data protection officer (DPO). The role of the DPO is to check that the GDPR is complied with within the organization by means of, for example, conducting checks and providing information.
direct and indirect personal data
In Swedish: direkta och indirekta personuppgifter
Personally identifiable information (PII) refers to data that can be used to identify, locate, or contact individuals or establishments, or reveal the characteristics or other details about them. PII might consist of direct identifiers, such as the name, social security number or other information that is unique to an individual, or indirect identifiers. Indirect identifiers include uncommon race, ethnicity, extreme age, unusual occupation and other details. Combined with other information, such as state or county of residence, or information available through other sources such as professional directories, direct or indirect identifiers can disclose a respondent’s identity.
extract from the register
In Swedish: registerutdrag
The right of an individual to request an extract from a register from a municipality, authority or company. This register extract shows what information the organization has saved about the individual.
GDPR General Data Protection Regulation
In Swedish: Dataskyddsförordningen
Regulation within the EU regarding processing of personal data. According to the GDPR, there has to be a clearly specified purpose for the processing, the processing must be necessary for the purpose and there must be a lawful basis for the processing. All personal data must be protected using technical and other measures.
genetic data
In Swedish: genetiska uppgifter
Article 4 (13): ‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.
Recital 34: “Genetic data should be defined as personal data relating to the inherited or acquired genetic characteristics of a natural person which result from the analysis of a biological sample from the natural person in question, in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis, or from the analysis of another element enabling equivalent information to be obtained.”
information security
In Swedish: informationssäkerhet
Personal data processing must be protected by technical and other measures, depending on the consequences that a loss of information, for example, would have. Information classification is one method that can be used to determine what level of protection is necessary and sufficient.
lawful ground, legal basis
In Swedish: rättslig grund
Each instance of personal data processing must rest on one of the 6 lawful grounds defined in the GDPR (listed below).
consent (In Swedish: samtycke)
The data subject has consented to the personal data processing. Such consent is valid only if the data subject has been given adequate information about the research before consenting to it (“informed consent”). Their consent must always be documented. Article 4 (11).
contract (In Swedish: avtal med den registrerade)
The data subject has a contract or is to enter into a contract with the data controller.
legal obligation (In Swedish: rättslig förpliktelse)
There are laws and rules that oblige the data controller to process certain personal data in its activities.
protection of vital interests (In Swedish: skydda grundläggande intressen)
The data controller must process personal data in order to protect a data subject who cannot give their consent, for example if they are unconscious.
public interest (In Swedish: myndighetsutövning och uppgifter av allmänt intresse)
The data controller must process personal data in order to carry out its duties as an authority or to carry out a task in the public interest. Article 6.
legitimate interests (In Swedish: intresseavvägning; ibland “berättigat intresse”)
The data controller may process personal data without the data subject’s consent if the data controller’s interests outweigh those of the data subject and if the processing is necessary for the purpose in question. Note that Swedish authorities are not allowed to use legitimate interests as a legal basis for processing of personal data in order to carry out their tasks. The reason for this exception is that Swedish authorities are only allowed to process personal data in accordance with Swedish law.
personal data
In Swedish: personuppgift
Any information relating to an identified or identifiable person (a person who can be identified, directly or indirectly), e.g.: a name, an identification number, location data, an online indicator or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
personal data breach
In Swedish: personuppgiftsincident
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
processing of personal data
In Swedish: personuppgiftsbehandling
Anything done with personal data, e.g. collection, recording, storage, adaptation, dissemination.
data processor
In Swedish: personuppgiftsbiträde
An entity that processes personal data on behalf of a data controller.
pseudonymisation
In Swedish: pseudonymisering av personuppgifter
The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
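As an added illustration (not part of the original glossary), the following Python shows the distinction the definition draws: a keyed hash turns a national ID into a stable pseudonym, the linkage table is the "additional information" that must be kept separately under its own technical and organisational measures, and dropping that link is the step towards anonymisation. The names, IDs and key are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (fictitious people and ID numbers).
RECORDS = [
    {"name": "Anna Andersson", "personnummer": "19850101-1234", "diagnosis": "asthma"},
    {"name": "Bo Berg", "personnummer": "19720315-5678", "diagnosis": "diabetes"},
]
DIRECT_IDENTIFIERS = ("name", "personnummer")


def pseudonym(key: bytes, personnummer: str) -> str:
    """HMAC-SHA256 of the ID number under a secret key. The key is needed because
    the space of valid ID numbers is small: an unkeyed hash could be rebuilt by
    hashing every candidate, which would make the 'pseudonym' reversible."""
    return hmac.new(key, personnummer.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Split the records into a research dataset (pseudonym + research variables)
    and a linkage table (pseudonym -> direct identifiers). The linkage table and
    the key are the additional information that must be stored separately."""
    dataset, linkage = [], {}
    for rec in records:
        p = pseudonym(key, rec["personnummer"])
        dataset.append({"pseudonym": p,
                        **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
        linkage[p] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
    return dataset, linkage


def reidentify(row, linkage):
    """Re-linking is possible only for the party holding the linkage table."""
    return linkage.get(row["pseudonym"])


def drop_link(dataset):
    """Remove the pseudonym so no re-linking is possible. Whether the result is
    truly anonymous still depends on the remaining indirect identifiers."""
    return [{k: v for k, v in row.items() if k != "pseudonym"} for row in dataset]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # would live in a separate, access-controlled store
    data, link = pseudonymise(RECORDS, key)
    print(data)                      # no names or ID numbers
    print(reidentify(data[0], link))  # controller with the table can re-link
```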
public authority
In Swedish: myndighet
Any authority that has a legal mandate to govern or administer a part or aspect of public life, such as the executive branches of a state, province, municipality, etc.
research subject information
In Swedish: forskningspersonsinformation
The information that is given to a research participant before he or she consents to participate in the research project.
rights of data subjects
In Swedish: registrerades rättigheter
The GDPR provides data subjects with certain rights. In brief, data subjects must be given control over their own data by receiving information about if, when and how their personal data are processed. The GDPR strengthens these rights compared with the Swedish Personal Data Act. In certain cases, data subjects have the right to have their data rectified, erased or blocked. They can also receive their personal data or transfer them to another controller.
security of processing
In Swedish: säkerhet i samband med behandlingen
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
sensitive personal data
In Swedish: känslig personuppgift
Racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation, genetic data, biometric data that uniquely identify a person.
transfer of personal data to a third country
In Swedish: överföring av personuppgifter till tredje land
Personal data is made available to someone outside the EU/EEA.
Ethical review glossary
ethical approval
In Swedish: etikgodkännande
If special category data, or sensitive personal data, is going to be processed in a research project in Sweden, an ethical approval from the Swedish Ethical Review Authority is required.
renewal of ethical permit
In Swedish: ansökan om ändring av etiktillstånd
Renewal of an ethical permit has to be done if, e.g., data will be used for another purpose than stated in the original application.
Swedish ethical review act
In Swedish: Etikprövningslagen; egentligen Lag (2003:460) om etikprövning av forskning som avser människor
The Swedish act concerning the Ethical Review of Research Involving Humans (2003:460).