Guide for HR staff on handling requests for access to information

These guidelines supplement AU’s general guidelines regarding the rights of data subjects.

To clarify which HR staff are responsible for handling requests for access to information, contact the HR partner manager at the faculty in question.

If the request concerns access to HR-related information, as a general rule, the request is handled by HR without the involvement of the Rector’s Office. HR must then acknowledge the request by email without delay and inform the requester when they can expect to receive a reply regarding the request for information. Requests from a data subject for access under the GDPR must, in accordance with Article 12 (3) be replied to without undue delay and no later than one month after receipt of request. If the request is complicated, the deadline for a response may be extended by two months.

If a request concerns multiple administrative areas, HR must contact the Rector’s Office, Att. the secretariat and the legal team, who will handle the response.

If it is unclear what type of information is being requested, the requester must be asked to clarify the request.

What does the data subject's right of access mean?

There are no formal requirements for the data subject’s freedom of information request. The request may be oral or written, and there is no requirement to expressly state that the request is a request for access.

The right of access entails:

that the data subject has the right to see the personal data that AU processes about him or her
that the data subject has the right to receive various information about the data processing performed by AU

What information must you provide to the data subject?

If you receive a request for access, the data subject has the right to receive this information.

HR personal data is registered in the following systems, among others:

MitHR
WorkZone
SLS
Outlook
Secure drives

You may want to contact your local system superuser to ensure all relevant information is sent to the data subject.

Remember to check with your manager to make sure that there is no additional information outside the central systems that has not yet been registered yet. If there is additional HR information outside these systems, this must be submitted to HR and included in the access request response.

You can give the data subject access to their information by providing them with copies of original documents, files, etc. Alternatively, you can copy the information about the data subject into a new document. The most important thing is that you provide the data subject with an accurate copy of the data itself.

The Rector’s Office sends the requested information. However, if the request concerns HR information alone, HR sends the information via e-Boks.

Only information about the data subject may be disclosed. If the copies, etc. contain information about other persons, you must block it out or otherwise remove it. This applies regardless of whether you provide access by handing over copies of original documents, etc. or whether you copy the information into a new document.

Additional information about how AU processes the data

When responding to the data subject's request for access, you must provide the data subject with additional information about how AU processes their data. To do so, include the website link to Information for employees about Aarhus University's use of personal data in the employment relationship.

Exceptions to the right of access

In special cases, you may deny a request for access if the information about the data subject can be exempted according to the rules in sections 19-29 and 35 of the Danish Freedom of Information Act.

Non-employees

If the request for access to HR data is received from a non-employed employee, the following information must be provided instead of Information for employees about Aarhus University's use of personal data in the employment relationship in the reply:

Information about the purposes of the processing.
Information about the categories of personal data concerned. This means that you must inform the data subject whether the data collected by HR is general personal data or special categories of personal data (sensitive personal data).
Information about the recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular if the recipients are located in third countries or are international organisations. The information given to the data subject should as far as possible include the specific recipients, and it will therefore not be sufficient to inform that personal data will be disclosed to, for example, "public authorities" if you are able to provide more specific information.
Information about how long HR will retain the personal data or, if this is not possible, the criteria used by HR to determine this period.
Information to the data subject to the effect that he or she has the right to request rectification, erasure or restriction of processing, that the data subject has the right to object to the processing in specific situations, and that the data subject has the right to lodge a complaint about the processing with a supervisory authority (the Danish Data Protection Agency or the National Board of Justice).
Information about the source of the personal data. However, this only applies if the personal data in question has been collected from another source than the data subject.
If you transfer personal data to unsecure third countries or international organisations and appropriate data protection safeguards are in place, you must inform the data subject of these safeguards.

See also the Danish Data Protection Agency's guidelines on data subjects' rights (content mainly in Danish).