Key concepts


What is meant by the processing of personal data is everything you do with personal data. For example, collect, receive, annotate, record, photograph, film, record, store, read, modify, edit, organise, compile, copy, delete, print, publish, send, or otherwise transmit.

The General Data Protection Regulation applies to all processing of personal data that is digital. This also includes processing that is partly digital, for example when personal data is collected in a paper survey, which is then transferred to Word.

In addition, the General Data Protection Regulation applies to the completely paper-based processing of personal data, if the personal data is included or will be included in a manual register that is searchable.

Personal data

What is meant by personal data is all information that alone, or in combination with other data that you or someone else has access to, directly or indirectly, can be linked to a natural person who is alive.

Examples of common personal data are names, Swedish personal identification numbers, and telephone numbers. Photos and videos of people are personal data. Even a person's voice is usually personal data even if no names are mentioned on the recording.

Electronic identities such as IP number, email address, signature, username and pseudonym on the web and in social media are personal data.

Number combinations and designations of various kinds, such as card numbers, passport numbers, case numbers and registration numbers, can be personal data if they can be linked to a natural person, while designations that belong to things used by several may not be personal data.

Limited liability companies or other legal entities' organisation numbers are not personal data. On the other hand, organisation numbers are personal data in the case of sole traders, since the organisation number is then the same as the Swedish personal identification number.

Some titles and positions may be personal data, such as the Vice-Chancellor of the University of Borås. Life descriptions or descriptions of methods and selections in studies can also be personal data if participants can be directly or indirectly identified.

Personal data that has been encrypted, that is, made unreadable to anyone other than those who have access to a so-called code key, is still personal data.

Sensitive personal data

The GDPR distinguishes between "common" personal data and sensitive personal data. Sensitive personal data is prohibited from processing except in exceptional cases, and it must then be protected more than other personal data.

Sensitive personal data within the meaning of the GDPR is any data that reveals ethnic origin, political opinions, religious or philosophical beliefs and trade union membership. Genetic data, biometric data, such as facial recognition photos, as well as data on sexual life, sexual orientation and health are also considered sensitive personal data.

Health data is common and includes, for example, data on food allergies, sick leave, visits and examinations in healthcare, illness or other physical or mental illness, pregnancy, special needs and functional variations.

Read more about sensitive personal data

Personal data meriting extra protection

Personal data that is not sensitive may still merit extra protection. With the exception of personal identification numbers, there are no special rules for how personal data meriting extra protection may be processed. This means that such data may be processed on the same legal basis as “ordinary” personal data. However, they must be protected more than other personal data.

Unlike sensitive personal data, there is no definition in law of which data merits extra protection. Examples of personal data that the Swedish Authority for Privacy Protection considers to be extra worthy of protection are Swedish Authority for Privacy Protection, certain information about salary, protected personal data, confidential information, information about violations of the law, information about social conditions, information that is close to the private sphere and descriptions and values of personal qualities.

The data subjects

Another commonly used concept in the GDPR that is important to know is the data subjects. The data subjects are those whose personal data are processed. Depending on the context, it can be, for example, employees, students, users of a particular thing, research participants, children, etc.