You are here: Information Security Data protection (GDPR) In particular concerning research

In particular concerning research

Here you can find information about what you have to be aware of if your research involves personal data - both regular and sensitive personal data. 


Before start-up of the research project

1. Do you process personal data?

If you are going to process personal data in connection with a research project you must register the project internally at AU before the project starts. You must complete and submit a notification form concerning your research project when it includes personal data.

Every research project must have a contact person who is responsible for the personal data internally. This means that this person is responsible for compliance with the Danish Act on Processing of Personal Data (Persondataloven), any related rules and regulations, for every data processing action.  

 

The legal staff at Rector’s Office receives the internal notification, registers the project and confirms that the project is registered by issuing a statement including the requirements for processing of personal data and the security of processing. In addition to registering projects, the legal staff keeps an overview up to date of the projects and databases/registers, i.e. any processing of personal data at AU.

Are you in doubt? 

If you are in doubt whether or not you process personal data, send an email to legal@au.dk

If you are working on a research project for which a notification ought to have been submitted, send an email to legal@au.dk. 

Please be aware of the following

  • If the personal data relates to a person who died more than ten years ago, the data is not subject to the rules. 
  • If you need to move your project fra a private notification to AU's notification, send an email to legal@au.dk. 
  • If you have changes to an existing notification, send an email to legal@au.dk. 

2. What is the purpose of the personal data processing?

If you process personal data, be aware of the purpose of the collection/processing of the data.

  • Consider the necessity of the amount and type of personal data. What personal data is necessary, considering the purpose?
  • Take the authority aspect into account. Do you need to obtain consent, or do you have another form of authority?
  • Prepare text for information to informants/respondents/data subjects. You must disclose the purpose of the processing, the legal basis for the processing, contact details and recipients of the personal data.  

Are you in doubt?

If you are in any doubt, please contact the Technology Transfer Office at tto@au.dk.

 



3. Will you share personal data with others?

 

If you are to exchange collected personal data with colleagues, companies or organisations outside AU during the course of your project, you must have clarified whether this concerns disclosure, or whether you are required to draw up a data processing agreement. 

Are you in any doubt?

If you are in any doubt, please contact the TTO team at tto@au.dk.     

During the research project

4. Notify the informants

Notify the informants of the collection of personal data when collecting the data. 

Obtain consent, if necessary, either as authorisation (in accordance with the General Data Protection Regulation) or in accordance with other requirements. 

Are you in doubt? 

If you are in doubt, you can contact TTO at tto@au.dk.  

5. Make sure you store personal data secure

Find information about the storage solutions for personal data.

 

Make sure that only the persons for whom, according to the purpose of the data collection (the research project), access is necessary have access to the data. 

Personal data should be made anonymous or pseudonymised in the course of the project if you no longer require the identity of the informants. If personal data is made completely anonymous, it will no longer be subject to the rules.    

Are you in doubt? 

Are you in doubt about which storage solution to choose, you can contact your local IT support. 

6. Disclosure of the data responsibility

 

The disclosure of data must be in accordance with the purpose, and as a general rule, the informants must be notified of the disclosure when the data is collected.

Find more information about disclosure of personal data. 

Are you in doubt? 

if you are in doubt, you can contact TTO at tto@au.dk.  

7. Enquiries from data subjects

Find information about the rights of data subjects.

Are you in doubt? 

You can contact AU's Data Protection Officer, if you have questions regarding the rights of data subjects. 

8. If a security breach happens

Please notice that all security breaches must be reported to AU. 

Der er tale om et brud på persondatasikkerheden, når bruddet fører til en hændelig eller ulovlig tilintetgørelse, tab, ændring, ubeføjet videregivelse af eller adgang til personoplysninger, der sendes, lagres eller på anden måde behandles, hvad enten behandlingen foregår fysisk eller elektronisk.  

 

How to report a security breach. 

Are you in doubt? 

If you are in doubt about whether or not it is a security breach, you can contact AU's Data Protection Officer. 

After the research project

9. Storing of personal data in 'final form'

Do not store personal data for longer than necessary with regard to the purpose for which the data was collected. Research data must be stored for at least five years after the latest publication of results based on the data, and this period must therefore be deemed to be necessary for the purpose. 

Store read about the storage solutions.

 

Data must be transferred to the Danish National Archives if there is an archiving purpose.

10. If you wish to transfer the data responsibility to others

 

If you wish to transfer the data responsibility to another organisation (e.g. another university), you must apply for this, and as a general rule the informants must be informed of this when the data is collected. 
Read more about the disclosure of personal data. 

Are you in doubt? 

If you are in doubt, send an email to legal@au.dk. 


1442617 / i40