When you are going to process personal information, you must make sure that 1) you have the legal basis to process the information and 2) you use the most appropriate legal basis. The General Data Protection Regulation contains several different legal bases for the processing of personal information. The most relevant for SDU in this context are:
- On the basis of a contract with the data subject
- The legal obligations of the data controller
- A task in the public interest or the exercise of official authority (research activities, student administration, HR management, pictures at a graduation, pictures at a professional event/conference, etc.)
- Consent
As a general rule, the processing of sensitive personal information is prohibited, but there are a number of exceptions. If you need to process sensitive information, you are encouraged to contact SDU RIO so that they can guide you on the correct legal basis in the specific case.
If, for example, you process personal information about students as part of an examination, you are welcome to do so as it is part of SDU’s exercise as an official authority. If you are in doubt about the legal basis for the processing of personal information, you can always contact SDU RIO.
In general, it applies to the processing of information as part of your employment that you have an obligation of secrecy and may not access systems (and/or information) if you do not have a clear need for it as part of your work.