Data protection and information security
Legal basis for processing
Choose the right legal basis for processing data.
When you are about to process personal data, you need to ensure:
- You have a legal basis to process the data.
- You use the most appropriate legal basis.
In the GDPR, there are several different legal bases for processing personal data.
- On the basis of a contract with the data subject.
- Legal obligations of the data controller.
- A task in the public interest or the exercise of official authority (research activities, programme administration, staff administration, images for a graduation, images for an academic event/conference, etc.)
- Consent.
Processing sensitive personal data is generally prohibited, but there are a number of exceptions. If you need to process sensitive data, you are encouraged to contact SDU RIO so that they can guide you on the correct legal basis for processing in the specific case.
For example, if you process personal data about students as part of organising an exam, you are allowed to do so as it is part of SDU's exercise of public authority.
In general, when processing data as part of your employment, you have a duty of confidentiality and may not access systems (and/or information) unless you have a clear need to do so as part of your work.
Not sure?
You must contact SDU RIO if you are in doubt about the legal basis for the processing of personal data.
Do you have any questions?
The GDPR and Information Security Coordinators are your local contact and advisor for day-to-day data protection and information security at SDU.