Personal data in student projects

When you process personal data as part of your studies, the University of Gothenburg is the data controller. This means that it is the university that is responsible for ensuring that the regulations of the General Data Protection Regulation (GDPR) are followed.

What is personal data?

Personal data is data that directly or indirectly identifies a living natural person. Examples of direct personal data are names, social security numbers or pictures of people. Examples of indirect personal data are job title, workplace, place of residence or information about a person's interests (such as sports, music or other), where the information in itself or in combination with additional information can be linked to a specific person.

When can I process personal data?

You have the right to process personal data if it is necessary for your education. An important purpose of GDPR is to strengthen the individual's privacy and give the individual increased control over their own personal data. Therefore, you must always inform those whose personal data you process.

In certain situations, it may be necessary to process special categories of personal data. More information about what you then must consider is found at the page Special categories of personal data.  

With the help of the checklist on this page, you can ensure that you follow all the requirements of GDPR when processing personal data.

Examples of processing

Examples of when you process personal data are when you:

  • Write an essay or exam project that contains information about living persons.
  • Do work that involves sending out and collecting responses from surveys.
  • Do work in which you film, record audio files or take pictures of persons.
  • Retrieve information about people from websites, databases or other types of registers in order to then use this information in projects carried out within your education.

Checklist for when you process personal data

The checklist below should be used every time you process personal data within your studies. If you have any questions, please contact your supervisor.

More information about GDPR is found on the website for the Swedish Authority for Privacy Protection, IMY.

On our external website, you find information on how the university processes the personal data of registered individuals

Source references and quotes

When writing academic papers, you often need to make references to previous works in the field. This is partly due to other legislation which states that the author must be named in connection with the reference to the work.

You can therefore assume that you may process personal data in the form of quotes and references when you write your paper without having to further consider GDPR. If you only process personal data in the form of quotes and references, you therefore do not need to go through the checklist below.

Security requirements

Personal data must be processed in a sufficiently secure manner so that it cannot be stolen, deleted or changed by mistake. Therefore, make sure to handle the information as securely as possible and do not share the personal data with unauthorized persons (for example, other students, friends or family).

This applies to all processing of personal data that you carry out within your studies. Even if you do not process special categories of personal data, you should apply the security measures described under the page Special categories of personal data.

More about GDPR

Below you find a summary of the main regulations of GDPR and how these affect you when carrying out tasks within your studies. More detailed information is found on the website of the Swedish Authority for Privacy Protection. You can also talk to your supervisor if you have any questions.


If you or your supervisor have any questions, please contact the University's Data Protection Group at