Legal aspects
On this page you find information about how the General Data Protection Regulation (GDPR) and Swedish legislation apply to research that deals with personal data. You will also learn more about methods for managing and protecting personal data in research.
Frequently asked questions
When do research data contain personal data?
Research data contain personal data when they include information that can directly or indirectly be linked to a living individual. Direct personal information in research might include names or personal identity numbers. Indirect personal data – information that in itself cannot identify a person, but that could identify someone when combined with other sources – might include date of birth, place of residence, or occupation. This additional information can be found in records held by another authority, registry holder, company, or private individual. A code key also counts as additional information.
Note that how difficult it is to access additional information or external data sources does not affect whether the data are considered personal data.
When do research data no longer contain personal data?
When all links to living individuals have been removed.
This may be difficult to achieve retrospectively, once the personal data have been collected. It is often hard to determine whether data are no longer personal, as there may still be supplementary information elsewhere that could reveal identities – such as public records or content online. Laws and regulations may also require that documents that could be used to identify individuals are preserved.
What is the difference between anonymized and pseudonymized data?
Anonymized data are data from which all personal identifiers have been removed so that no individual can be identified. These data are no longer considered personal data.
Pseudonymized data, on the other hand, are those where direct identifiers in the material have been replaced by a pseudonym or code. These can only be linked to individuals by someone who has access to additional information, for instance, a code key. Because that link exists, pseudonymized data are still considered personal data.
Pseudonymization reduces the risk of identification, but data are only considered anonymized once all links to individuals have been irreversibly removed – for example, if the code key is permanently destroyed. Aggregation may also enable anonymization, if categories are broad enough (e.g., grouping exact ages into wide age ranges) to prevent identification using additional data sources.
What counts as pseudonymized research data can vary between quantitative and qualitative research. In quantitative studies, pseudonymization typically means replacing names or personal identity numbers with codes and a code key, stored separately from the data. In qualitative studies, such as interviews, it might involve replacing names with pseudonyms or using more general descriptions for specific job titles or workplaces to reduce identifiability.
Note that laws and regulations differ between countries, so it is important to consider the legal and institutional context when managing research data. Contact your institution’s research data support services or Data Protection Officer for advice on how to handle personal data in research.
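The quantitative workflow described above, as an added illustration that is not part of the original page: direct identifiers are swapped for random codes with the code key held separately, re-identification is possible only with that key, and the data become anonymized only when the key is destroyed and the exact age is aggregated into a wide band. The records, field names and helper functions are constructed for this example.

```python
import secrets
from typing import Dict, List, Tuple

# Constructed sample records (fictional people): direct identifiers (name and
# personal identity number), indirect identifiers (exact age, occupation) and
# the research variable of interest (score).
RECORDS: List[Dict] = [
    {"name": "Anna Ek", "pnr": "19800101-1234", "age": 44, "occupation": "nurse", "score": 7},
    {"name": "Bo Lind", "pnr": "19750505-5678", "age": 49, "occupation": "teacher", "score": 5},
    {"name": "Cem Yil", "pnr": "19990909-9012", "age": 25, "occupation": "student", "score": 9},
]
DIRECT_IDENTIFIERS = ("name", "pnr")


def pseudonymize(records: List[Dict], direct_fields=DIRECT_IDENTIFIERS) -> Tuple[List[Dict], Dict]:
    """Replace direct identifiers with a random code. Returns the working data
    set and the code key; the key must be stored separately from the data."""
    data, code_key = [], {}
    for rec in records:
        code = "P" + secrets.token_hex(4)  # unpredictable, not derived from the identity
        code_key[code] = {f: rec[f] for f in direct_fields}
        data.append({"code": code, **{k: v for k, v in rec.items() if k not in direct_fields}})
    return data, code_key


def reidentify(row: Dict, code_key: Dict) -> Dict:
    """Re-link a pseudonymized row to its identity. Only possible with the key,
    which is why pseudonymized data are still personal data."""
    identity = code_key[row["code"]]  # KeyError without the key
    return {**identity, **{k: v for k, v in row.items() if k != "code"}}


def age_band(age: int, width: int = 10) -> str:
    """Aggregate an exact age into a wide range, e.g. 44 -> '40-49'."""
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def anonymize(data: List[Dict], code_key: Dict) -> List[Dict]:
    """Irreversibly remove every link to individuals: destroy the code key,
    drop the code from the data and coarsen the indirect identifier 'age'."""
    code_key.clear()  # the key is destroyed; there is no way back to identities
    anonymized = []
    for row in data:
        kept = {k: v for k, v in row.items() if k not in ("code", "age")}
        anonymized.append({**kept, "age_band": age_band(row["age"])})
    return anonymized
```

Whether a ten-year band is broad enough depends on which other data sources exist, which is the judgement the answer above describes; the code only shows the mechanics.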
Can I delete the original data to enable anonymization?
The General Data Protection Regulation (GDPR) includes a principle of storage limitation, meaning that personal data should not be kept longer than necessary for the original purpose. Once that purpose has been fulfilled, personal data should in theory be deleted. In practice, this is often overridden by archival requirements, which require that data from publicly funded research should be preserved. If you work at a Swedish university or another public organization, the Swedish Archives Act applies to your material. You may be allowed to delete data if there has been a formal decision that allows disposal (gallringsbeslut), often after a retention period of at least 10 years. Some research data must be preserved unchanged for the future. What can be deleted or preserved is governed by the Swedish National Archives’ regulations and your institution’s local policies. Contact your organization’s archivists for advice.
In summary: If you have collected personal data for research, it is rarely possible to fully anonymize them in the short term, as the original data and any code keys usually need to be retained unless a formal disposal decision has been made and the retention period has passed.
What laws govern the processing of personal data for Swedish researchers?
Several laws apply to personal data processing in research, including:
- The General Data Protection Regulation (GDPR), which governs all processing of personal data within the EU/EEA. Processing of personal data in research includes collecting, recording, storing, analyzing, sharing, disclosing, and deleting data.
- The Data Protection Act (SFS 2018:218), which has an unofficial translation, and the Data Protection Ordinance (SFS 2018:219), which complement the GDPR and adapt it to Swedish law.
- The Freedom of the Press Act (SFS 1949:105), which applies as most universities are public authorities, and their data are typically official documents (allmänna handlingar).
- The Public Access to Information and Secrecy Act (SFS 2009:400), which determines whether research data are classified as secret. This legislation also applies to some higher education and research institutions that are not public authorities.
- The Ethical Review Act (SFS 2003:460), which applies to research involving sensitive personal data and some types of human research.
- The Act on Responsibility for Good Research Practice and the Examination of Research Misconduct (SFS 2019:504), which addresses integrity and ethical conduct in research.
- The Archives Act (SFS 1990:782), which requires public authorities to preserve official documents, even if they contain personal data.
Read more about research data and GDPR.
A note on the translation: Where there is an official English translation of a law, the title links to the translation and the SFS number to the original Swedish legislation; where there is no English translation, the title and SFS number link to the original Swedish legislation.
Are research data considered official documents?
Yes, if your research is conducted at a Swedish public authority or another organization subject to the principle of public access to information, research data are typically official documents (allmänna handlingar). Data become official documents if they are held at a public authority, or if they are received, sent, or finalized by the authority. Examples include survey responses, interview recordings, output from laboratory instruments, or register extracts.
What you may or may not do with such research data is governed by laws such as the Public Access to Information and Secrecy Act, the Data Protection Act, the Archives Act, and rules from the Swedish National Archives. You can normally find guidance on how to apply these regulations to your work in your organization’s internal policy documents, for example, in its document management plan.
As a general rule, raw data collected by, produced by, or received in a Swedish research project must be retained and preserved as they are official documents. There are additional legal requirements for preserving research data for, for example, audits or investigations into research misconduct. See the question about deleting original data above.
Research data that are official documents may only be deleted after the retention period has expired and with a formal disposal decision. Contact your research data support or your organization's archivists to find out what applies to your material.
Read more about research data as official documents.
Can I promise research subjects/participants that their data will not be shared?
Not unconditionally. As research data from public authorities are generally considered official documents, they can be requested under the principle of public access to official documents. Even if research participants have been informed otherwise, each request for access to the research data undergoes a secrecy assessment. If the data are not protected by a secrecy provision, they must be disclosed. The principle of public access to official documents is mandatory and non-negotiable, so you cannot promise that personal data will never be shared.
This does not mean the data will be openly shared; official documents are not automatically public and openly accessible. Data with personal information are often subject to a secrecy provision under the Public Access to Information and Secrecy Act, so any request for disclosure will be assessed. However, it is neither the researcher nor the research participant who decides if data are confidential – that decision is based on a legal assessment.
Do I need consent from research participants?
Different types of consent apply to different situations in research. They serve different purposes, so it is important to know what type of consent must be obtained from participants and what it means if their consent is withdrawn.
- Ethical research consent: Most research involving human participants requires voluntary, informed consent in line with research ethics guidelines and good research practice.
- Informed consent under law: For example, research covered by section 4 of the Ethical Review Act, clinical trials, or the use of biological samples under the Biobanks Act.
- GDPR consent: Although consent can be a legal basis for processing personal data under GDPR, research usually relies on public interest as the legal basis – not consent. Therefore, you rarely need GDPR consent to process personal data in research, but you usually do need ethical consent from participants.
Read more about lawfulness and legal basis for processing personal data in research.
What information do I need to provide to the research participants?
In many cases, the data controller must inform participants about which personal data will be processed and how. This is a fundamental right under the GDPR. The information must include who the data controller is, the legal basis, and the purpose of the processing.
There are exceptions to the right to be informed – for example, if it is impossible or would require disproportionate effort to inform research participants. This may be the case in register-based research where the researcher has no access to identifiable data and cannot contact the research subjects.
Who can I share my research data with?
It depends on what you want to share and why. Do you plan to share research data with a collaborator outside of your organization or will you deposit data in a repository? The legal considerations depend on your purpose for sharing the data and, generally speaking, public authorities should assess each request for disclosure of the data individually, in line with the Public Access to Information and Secrecy Act.
Research data that contain personal information may not be published openly, unless specific legal exceptions apply. Contact your local research data support team, legal adviser, or Data Protection Officer for advice.
Read more about sharing research data containing personal information.
A journal wants access to data supporting my publication – what should I do?
Sharing data that contain personal information with a journal requires the same type of legal assessment as any other request for disclosure of official documents. The request must be reviewed in accordance with the Public Access to Information and Secrecy Act. Your organization's registrar, archivist, research data support team, legal advisers, or Data Protection Officer can help with the process.
Read more about sharing research data containing personal information.
Can I share data with a third country outside the EU?
Yes, but a few extra steps are required. First, the same legal assessment must be conducted as for any other data sharing. If the data can be shared, the transfer itself must be secure – for example, not by regular e-mail. Examples of transfers of personal data to a third country include:
- E-mailing documents with personal data to recipients outside the EU/EEA;
- Using a data processor based outside the EU/EEA;
- Giving non-EU/EEA users access, for example reading rights, to personal data stored in the EU/EEA;
- Storing personal data in a cloud service based outside the EU/EEA.
Chapter V of GDPR governs international data transfers. Always consult a legal adviser or Data Protection Officer to clarify what is permitted.
Does the GDPR apply to data collected outside the EU?
Yes, the GDPR applies if the data controller or processor is based in the EU/EEA, or if the research is intended for individuals within the EU/EEA – even if the data were collected outside the EU/EEA.
If the personal data in my research are already published, do they still count as personal data?
Yes. When you process personal data for research purposes, the processing is assessed based on the individual research context. This means that your research counts as new processing under the GDPR. You must have a valid legal basis and specify the purpose of the processing, regardless of whether the data were previously published.
My research data contain personal information, but only about the creators of other works. Can I publish them openly?
Yes, because naming the creators of a work is a legal obligation under the Swedish Copyright Act (SFS 1960:729). This provides a legal basis (legal obligation) and purpose for the data processing involved in publishing the information.