Data controller or data processor

The content on these pages was updated in July 2022. Note that we regularly update these pages. 

Do you process personal data as a part of your research?  Here you can learn more about: 

  • What data protection role AU has in the project. 

  • What data protection role collaborators and suppliers have. 

  • Whether a data protection agreement is needed. 

It’s important to be familiar with the different data protection roles, because they determine what AU’s duties and obligations are. However, it’s not always easy to figure out which of these roles AU is responsible for in a particular research project. Read on to learn more about the three roles involved in processing personal data under Danish data protection legislation. We’ve included some questions you can answer to help you clarify what role(s) AU is responsible for in your project.  

When you are employed by AU and process personal data in connection with your research, you should be aware that this means that AU is the data controller or data processor. However, you are responsible for ensuring that your project complies with the data protection rules. 

How to analyse the data protection roles in your project

The roles depend on who decides the purposes and means of processing personal data.

  • Purposes: Here you should consider the purposes for which the personal data is being processed. In other words, you should ask yourself why it’s necessary to process the personal data. Read more about the description of the purpose below.  
  • Means: Here you should consider how the personal data is processed. For example, you should consider:
    • what kind of personal data is being processed, and about whom.
    • what forms of data processing (collection, analysis, deletion, etc.) are being performed.
    • what systems are being used to process the data, etc.

There are three different roles

In every case, the actual practices in your research project are what determine which of these roles AU has. In other words, what you and other parties involved in the project actually do:

Role 1: Data controller

A data controller is a natural or legal person, public authority, agency or any other body which alone or jointly with other parties determines for which purpose and by which means data may be processed.

In other words, the person or entity which determines the purposes for which and the means by which personal data is to be processed is the data controller. 

Role 2: Joint controller

Where two or more data controllers jointly determine the means and purposes of personal data processing, they are defined as joint controllers. 

Note that a joint data processing arrangement must be concluded between the joint controllers.  

Role 3: Data processor

A natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller (i.e. as instructed by the data controller and without an independent research purpose). In other words, the person or entity that processes data on behalf of someone else is the data processor. This is despite the fact that the data is processed for the other party’s purposes and under their instruction.

Be aware that the data processor and the data controller must enter into a formal data processing agreement. When you work with a data processor, you are responsible for monitoring how the data processor processes personal data to ensure compliance with your/AU’s instructions, as described in the data processing agreement. How you monitor the data processor’s compliance depends on your risk assessment.
Read more about monitoring to ensure data processor compliance in the guide from the Danish Data Protection Authority (in Danish).

What does 'actual practices' mean?

‘Actual practices’ refers to all of the things AU and other parties do in a research project. The actual practices you engage in are what determines how data protection legislation applies to the individual project. 

  • An example of actual practices: AU commissions a supplier (such as a consultancy) to perform analyses of gender and salary levels, the results of which will be used in a research project. The supplier processes precisely the personal data (for example age, sex, address and information about pay) AU asks the supplier to process. The supplier only processes the personal data in order to produce an analysis for AU, and is not authorised to use the data for any other purpose. 
  • The data protection roles in the example: In this example, based on what the parties (AU and the supplier) actually do, AU is the data controller, because AU determines the purposes and means of processing data. The supplier is the data processor, because the supplier only processes personal data for purposes determined by AU and as instructed by AU.

Questions to help you clarify the roles

The following questions can help you clarify which and how many of the three data protection roles are involved in your project:

  • Are there other parties involved?
    • In the example above, the answer is: Yes, the supplier.
  • What is the purpose of processing the data?
    • In the example above, the answer is: For Aarhus University’s research purposes.
  • Does the agreement between you and the other party/parties involve direct or indirect instructions on how the personal data are to be processed? 
    • In the example above, the answer is: Yes.
  • Have you provided the other party with instructions on how to process the personal data? 
    • In the example above, the answer is: Yes.
  • Is it necessary for you to approve all of or the most important steps in the data processing?
  • Is it necessary for you to monitor the performance of the data processing by the other party?
  • Do you have the right to determine the conditions for processing the personal data, for example when they are to be deleted?