For system owners

If you are the system owner of a system which processes personal data, your system must comply with the rules in the General Data Protection Regulation (GDPR) and the Danish Data Protection Act. In addition to knowledge about the legislation, you must also be familiar with AU’s policies and guidelines in this area. Find more information here.

Data processing agreements

If you are the system owner of a system that contains personal data which is exchanged with external data processors, a written agreement between AU and the external data processor is required. This may be in connection with operational, hosting or cloud solutions or other purchased consultancy services. Read more about data processing agreements.

Record of personal data processing activities

AU must have an overview of all personal data processing activities. This information must be gathered in a record of processing activities.

If you are responsible for a new system as system owner, and therefore responsible for a new personal data processing activity, before you start the processing activity you must contact AU’s Data Protection Unit and inform them about the processing activity by writing an email to the following email address:

Impact assessment

As a system owner, if you can answer ‘yes’ to at least one of the questions below, you must prepare an impact assessment.

  • Is it likely that there is a high risk to natural persons’ rights and freedoms in connection with processing of personal data?
  • Have ‘new technologies’ been taken into use? And are new technologies such as robots, biometric and genetic methods used in a new way in relation to the processing of personal data?
  • Is a systematic and comprehensive assessment of personal matters relating to natural persons taking place which is based on automatic processing including profiling?
  • Is sensitive personal data processed to a large extent and who does it include? E.g. children, older people, students, people suffering from mental illness etc, in large quantities, a large number of people, long duration including permanent, over a large geographical area.
  • Have there been any changes in the processing activities which thereby increase the risk?
  • Is it a joint application/IT system or processing platform with more data controllers who have planned a shared form of processing across AU?
  • Are the descriptions for and allocation of rights for persons who process personal data in the system undefined?

By preparing an impact assessment, you can decide, on an informed basis, whether or not to start the processing of personal data despite the risks identified in the impact assessment.    

If you have questions concerning the impact assessment, please contact the data protection officer by email using the following email address:

Advance approval from the Danish Data Protection Agency

In some situations, AU is obliged to obtain advance approval from the Danish Data Protection Agency of future processing of personal data. If you have questions, please contact the data protection officer at this email address:

Obligations in relation to the users

As system owner, you are responsible for ensuring that the system users receive the necessary instructions on how to use the system and information about the rules and obligations connected to the use of the system. You can find additional information under 'Clean-up/updating'.

Rights of the data subjects

As system owner, it is relevant to uncover in advance which rights the system in question must be able to comply with. Read more about the rights of data subjects.


As system owner, you are also responsible for ensuring that the system is updated in relation to the personal data which is being processed. This obligation will typically be transferred to the users of the system, and it is therefore important that the users are informed on an regular basis about their tasks and obligations as well as changes in general.

Security breach

As system owner, you are the primary person and involved if a security breach occurs on your system. Maybe you discover the error yourself, or you are informed by a system user, or you are contacted by a person outside your organisation or by a supplier. When that happens, you must report the security breach by using this form or by contacting the local IT support team.