Processing of personal data in the case of theses

The European General Data Protection Regulation, together with a number of Swedish laws, places strict demands on work with personal data to be carried out correctly. Here you will find important information for those who intend to use personal data for their independent project.

Things to consider when processing personal data

This page provides a brief overview of the steps that are necessary to handle personal data correctly.

In addition to the rules that apply to personal data, depending on what you intend to process, there may be additional rules to take into account. You should therefore have an overall discussion with your supervisor about what information should be handled and plan accordingly.

Eight steps to consider

Consider the eight steps below to ensure that your processing of personal data is as correct as possible.

The first question is whether it is really necessary to process personal data? The investigation to be carried out may be able to be carried out without processing personal data, in which case this is preferable. If you do not process personal data, the requirements of the General Data Protection Regulation do not apply, which makes the work easier.

Any information that can identify a person

It is important to remember that personal data includes all information that can be directly or indirectly linked to a living person.

This means that it is not only name, social security number, DNA or portrait photo that is personal data, but also a combination of more anonymous data that makes it possible to identify an individual.

Before the practical work begins, it is important to clarify what data is to be collected and why. For those of you who are going to do an independent project, this is not a difficult task, but the purpose of the processing is simply to be able to carry out the examination that is necessary to substantiate your work. But it's important that you think through and formulate the purpose so that you're clear about what information is necessary to achieve it.

If possible, avoid processing sensitive personal data, such as:

  • Ethnic origin
  • Political views
  • religious or philosophical beliefs
  • Trade union membership
  • Genetic and biometric data
  • health, sex life or sexual orientation

GIH has formal responsibility for the processing of personal data that is carried out throughout the organisation, and this also applies to independent projects. Therefore, GIH must be aware of what treatments are taking place. This is done by informing your supervisor about your treatment.

The information you must provide is:

  • Brief description of the purpose of the processing.
  • Description of what personal data is processed.
  • how to inform people and obtain consent.
  • where you will store personal data and consents during the work.

Collected information must be treated securely. It is therefore advisable to store collected personal data in your home directory. Your home directory is the folder on your computer that is named with your name and which is located on a server at GIH. The home directory has sufficient security even for sensitive personal data.

Do not use external storage services

External storage services that are not provided through GIH may not be used for personal data. This applies to Dropbox, Google docs, OneDrive and iCloud. GIH does not have a data processing agreement with these services and therefore secure storage cannot be guaranteed.

Personal data may not be kept for longer than necessary and must be deleted when it is no longer needed. Therefore, the main rule is that you should delete your personal data after your work has been completed, registered in DiVA and you have had your grade registered. At the same time, there may be parts of the information that should be preserved.

During the course of the work, there may be reason to reconsider the original plan, but it is important that there is a basic plan, not least to be able to answer questions from those who have been registered (the people whose data is collected).

Personal data may only be processed if there is a legal basis for the processing. The General Data Protection Regulation (GDPR) specifies a number of grounds that are considered permissible, but in practice only consent can be considered for independent work.

If it is not possible to use consent, you should raise this with your supervisor and the Data Protection Officer to see if there is another solution.

Clarify what consent means

Using consent as a basis means that the data subject gives his or her active consent to the processing. This means that you are talking about:

  • what data you collect.
  • what they will be used for and by whom.
  • the duration of the data.
  • that it is possible to see the collected information.
  • that it is possible to turn to GIH's data protection officer or the supervisory authority with a complaint.

After the data subject has received the information, they can give their consent to the processing and the processing of the data is then permitted. If the data subject has consented to the processing, sensitive data may also be processed. Please note that sensitive data places great demands on the security of the handling.

Retention of consent

You keep the consent yourself during the work, and it is important that you store it so that no unauthorized person can access it or lose it. The data subject has the right to withdraw their consent at any time.

Written consent is preferred

There are no formal requirements in the regulations on how consent should be given and how signatures should be designed. However, you must be able to prove that consent has been given and that it has been clearly informed what the person has given consent to. That is why written consent is a good idea.

For example, in a digital consent management, a checkbox can be created in the web survey or a consent management can be done via email responses.

Consent template

GIH has produced a text for consent management that you can use in both paper form and digitally.

If the previous steps have been performed correctly, this is formally a simple step that does not require any further action. At the same time, in practice, this is the main work.

After the processing has been completed, the thesis has been registered in DIVA and you have had your grade registered, you must delete the personal data material including the consent forms. Only in exceptional cases should the material be archived at GIH, according to what you concluded in Step 5.

Deletion or any archiving must take place no later than one week after the grade has been registered in LADOK.


If you have questions about your personal data processing when writing your thesis, you can contact your supervisor. You can also contact GIH's data protection group by e-mail

On this page

Last modified:18 Dec 2023