Information Security

Dansk

 Information Security Data protection (GDPR) For administrative staff and managers For web editors

For web editors

This website contains useful information for web editors about what you need to be aware of in relation to the General Data Protection Regulation and the information you put on AU’s websites. 

When, as a webmaster, you publish personal data about others on a website, you are considered as the data controller. This means that you are responsible for assessing whether the information should be publicly available on a website. 

It may help to familiarise yourself with how data is classified at AU, so that you know what data you need to be especially careful with. Information about the different types of data

You are generally allowed to display contact information for AU employees (also researchers), for example, but you must ALWAYS have consent to publish contact information about students. Read more about consent

However, whether you can publish personal data on a website will always depend on a specific assessment of the data and the purpose for displaying the data. For example, a valid purpose is to give easy access to contact employees by displaying their name, email and telephone number. 

Note, however, that an employee may subsequently ask you to delete their personal data. If you upload data about an employee manually, for example without using PURE, you must always keep track of exactly where you have uploaded the personal data.

Therefore, always ask yourself:

  • Is there a valid purpose for displaying the data?
  • Is consent required, and do I have it?

Both the assessment of a valid purpose and/or valid consent will always be based on a individual assessment that you must make as the data controller.

Use of images

Find more information about how to use images

Lists of participants

The website may not contain lists of conference participants, workshop participants etc, if you have not obtained the individual participant’s consent to publish personal data such as name. You need to look through all the websites you are responsible for - both old/archieved and new sites, and remove lists of participants if you do not have consent from the participants.   

If the list of participants is going to be published on the website to serve a specific purpose, when you create the event registration form, you must remember to ask for the participants’ consent to let their names appear on the list. Remember to write specifically how long the list will be available on the website.

Files

It is important to know what kind of files you are uploading/have uploaded on your website. Start by assessing the type of data in the file. Read more about classification of data. The file may contain data that should not be made public because this would be in contravention of the law or go against AU’s interests.

  • If the file contains general personal data such as names, titles and contact information of employees, e.g. in minutes of meetings, you may upload the file without consent.
  • If the file contains general personal data about external persons, i.e. persons who are not employed at AU, consent is required from each individual person. Note that students are to be regarded as external persons. PhD students and researchers are to be regarded as AU employees. 
  • If the file contains confidential information or sensitive personal data, the file must not be uploaded to the website.  

Common to all files containing personal data is that they must be deleted from the website when publication of the file is no longer required in relation to the specific purpose.  Therefore, you should consider how long minutes of meetings, for example, should be available. In this connection, you should also be aware that older files may contain information about former employees, and that such files require consent.  

When deleting files, remember to delete the link to the file as well as the uploaded file. A guide is available here (only in Danish). Please note that several sites may contain links to the same file. 

 

Forms

Collecting personal data of employees and external persons (incl. students)

If you collect personal data using a Powermail form on the website, you must do the following:

  1. Ensure that the website is set up so that the data which is exchanged is encrypted (https). Your local web support can help you to set this up: Find your local web support (only in Danish).
  2. Remember to delete any personal data that may be left in TYPO3, when you no longer have a purpose for storing the data/after 30 days at the latest.

Additionally, if you are collecting personal data of external persons (incl. students)

If you are collecting personal data of external persons (incl. students) via powermail forms, you must also collect a consent. 

  1. Inform users of how the personal data is processed. You can use this standard text:
    “By using this form, you accept that Aarhus University stores and processes the personal data you provide to us to [describe the purpose of the collection of personal data]. Your personal data is stored (describe for how long the personal data is stored and whether it is erased/filed after processing). Read more in our privacy policy.”
  2. Use a mandatory field that users have to tick off if they give their consent, based on the text above. In this way, we make sure that we have obtained active consent.

Lists of employees, students etc.

When you create a list of persons, the list must serve a specific purpose, for example to provide easy access to employees’ contact information.

If the list is an extract from PURE, it does not require additional consent to have the list on the website.

However, consent must be obtained before you can publish other types of lists with personal data, e.g. list of students and others who are not employed at AU, on the website.

YouTube videos

YouTube channel owners control the rights to the content displayed on the site. We encourage you to reach out to them directly if you find a video that you'd like to display and/or reference. When displaying a YouTube video in a broadcast or webcast, please provide both an in-screen and verbal attribution by showing the username or real name of the applicable content owner.

Contacting a YouTube channel owner

Clicking on a YouTube username will take you to the main page of the user's channel. From there, you can use YouTube's on-site messaging system to contact the channel owner, as long as you are logged in to your own Google account. Simply click on the 'About' tab, then select 'Send Message' and fill out the electronic form.

Du you have any questions?

If you have a questions regarding protection of personal data in connection with your role as web editor at AU, please contact your local TYPO3 support. Find contact information (ONLY IN DANISH). 
Revised 21.07.2023
-
Webredaktionen, Universitetsledelsens Stab