It’s important to be familiar with the different data protection roles, because they determine what AU’s duties and obligations are. However, it’s not always easy to figure out which of these roles AU is responsible for in a particular research project. Read on to learn more about the three roles involved in processing personal data under Danish data protection legislation. We’ve included some questions you can answer to help you clarify what role(s) AU is responsible for in your project.
When you are employed by AU and process personal data in connection with your research, you should be aware that this means that AU is the data controller or data processor. However, you are responsible for ensuring that your project complies with the data protection rules.
The roles depend on who decides the purposes and means of processing personal data.
In every case, the actual practices in your research project are what determine which of these roles AU has. In other words, what you and other parties involved in the project actually do:
A data controller is a natural or legal person, public authority, agency or any other body which alone or jointly with other parties determines for which purpose and by which means data may be processed.
In other words, the person or entity which determines the purposes for which and the means by which personal data is to be processed is the data controller.
Where two or more data controllers jointly determine the means and purposes of personal data processing, they are defined as joint controllers.
Note that a joint data processing arrangement must be concluded between the joint controllers.
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller (i.e. as instructed by the data controller and without an independent research purpose). In other words, the person or entity that processes data on behalf of someone else is the data processor. This is despite the fact that the data is processed for the other party’s purposes and under their instruction.
Be aware that the data processor and the data controller must enter into a formal data processing agreement. When you work with a data processor, you are responsible for monitoring how the data processor processes personal data to ensure compliance with your/AU’s instructions, as described in the data processing agreement. How you monitor the data processor’s compliance depend on your risk assessment.
Read more about monitoring to ensure data processor compliance in the guide from the Data Danish Authority (in Danish).
‘Actual practices’ refers to all of the things AU and other parties do in a research project. The actual practices you engage in are what determines how data protection legislation applies to the individual project.
The following questions can help you clarify which and how many of the three data protection roles are involved in your project: