If the request concerns access to HR-related information, as a general rule, the request is handled by HR without the involvement of the Rector’s Office. HR must then acknowledge the request by email without delay and inform the requester when they can expect to receive a reply regarding the request for information. Requests from a data subject for access under the GDPR must, in accordance with Article 12 (3) be replied to without undue delay and no later than one month after receipt of request. If the request is complicated, the deadline for a response may be extended by two months.
If a request concerns multiple administrative areas, HR must contact the Rector’s Office, Att. the secretariat and the legal team, who will handle the response.
If it is unclear what type of information is being requested, the requester must be asked to clarify the request.
There are no formal requirements for the data subject’s freedom of information request. The request may be oral or written, and there is no requirement to expressly state that the request is a request for access.
The right of access entails:
If you receive a request for access, the data subject has the right to receive this information.
HR personal data is registered in the following systems, among others:
You may want to contact your local system superuser to ensure all relevant information is sent to the data subject.
Remember to check with your manager to make sure that there is no additional information outside the central systems that has not yet been registered yet. If there is additional HR information outside these systems, this must be submitted to HR and included in the access request response.
You can give the data subject access to their information by providing them with copies of original documents, files, etc. Alternatively, you can copy the information about the data subject into a new document. The most important thing is that you provide the data subject with an accurate copy of the data itself.
The Rector’s Office sends the requested information. However, if the request concerns HR information alone, HR sends the information via e-Boks.
Only information about the data subject may be disclosed. If the copies, etc. contain information about other persons, you must block it out or otherwise remove it. This applies regardless of whether you provide access by handing over copies of original documents, etc. or whether you copy the information into a new document.
When responding to the data subject's request for access, you must provide the data subject with additional information about how AU processes their data. To do so, include the website link to Information for employees about Aarhus University's use of personal data in the employment relationship.
In special cases, you may deny a request for access if the information about the data subject can be exempted according to the rules in sections 19-29 and 35 of the Danish Freedom of Information Act.
If the request for access to HR data is received from a non-employed employee, the following information must be provided instead of Information for employees about Aarhus University's use of personal data in the employment relationship in the reply:
See also the Danish Data Protection Agency's guidelines on data subjects' rights (content mainly in Danish).