As a researcher at AU, you need a valid legal basis for processing if you want to process personal data. In practice, this means that you need authority (a legal basis) pursuant to the General Data Protection Regulation and possibly the Danish Data Protection Act or other special legislation.
The type of processing determines on what legal basis you can base your processing of personal data. If you want to process personal data for research purposes, you may base your processing on one of the following legal bases:
NB! There may be other lawful bases for processing for some processing activities.
As a general rule, you can choose freely between these processing bases. However, note that you cannot change the basis for processing along the way; that would be poor data processing practice. It is therefore important that you think thoroughly about how you want to process personal data before you start.
Note that there may be special requirements in specific legislation within different subject areas. If you have any questions, please contact your local data protection coordinator.
Personal data may be processed if the processing takes place exclusively for scientific or statistical purposes, and if the processing is necessary for the research.
Please note that scientific research purposes cannot be used as a legal basis for the processing of personal data in an educational context.
Valid consent to data processing has to:
Find more information about valid consent to data processing.
Valid consent to data processing must be documented. Therefore, you should obtain written consent. You can use the AU consent form.
You also have to document that the data subjects have received the information required for the consent to be valid as well as the information required to meet the information duty. You can use the AU form to meet the information duty.
As a general rule, data subjects can exercise all of their rights under the General Data Protection Regulation. If data subjects want to exercise their rights, you have to make an individual assessment based on the specific circumstances.
Data subjects are also entitled to withdraw their valid consent to data processing. This means that you must stop processing their personal data.
Within the EU/EEA, you can disclose personal data for use in other research without the approval of the Danish Data Protection Agency by making a disclosure declaration. You can use the AU form for this.
You may only disclose special categories of (sensitive) personal data with a view to publishing if you have received the Danish Data Protection Agency's approval to do so. Disclosure of general personal data with a view to publishing can take place if it is necessary and the personal data is pseudonymised. See here for more information.
When collecting personal data, you must generally notify the relevant people (data subjects) that you are processing their personal data. The purpose of the information duty is to secure transparency for the data subject about how you will process their personal data.
When complying with your information duty, you must clearly state your purpose for processing the personal data. Therefore, you should consider whether you need to process the personal data for one or several purposes, e.g.
You may have several bases for processing (legal authority) if you process personal data for several purposes. From the example above, it could be that you are going to process the personal data for a research purpose based on the research authority, while your processing of personal data for an educational purpose is based on valid consent to data processing from the data subject under data protection law, etc.
As a researcher, you can collect information about data subjects (research participants, informants, subjects, etc.) either directly or indirectly. The way in which you collect personal data will determine whether you are obligated to comply with your information duty, and also how you can choose to comply with it (read more in the section "Help to comply with your information duty" below).
It is important that you always comply with the information duty when collecting personal data directly from data subjects (e.g. through questionnaires, personal interviews, etc.).
When collecting personal data indirectly, e.g. in register-based research or from social media, in some cases you need not comply with your information duty. This applies if it is impossible to comply with the information duty, or if you assess that it would require a disproportionate effort.
When assessing whether notifying the data subjects would involve a disproportionate effort, you should balance:
In your assessment, you could focus on:
If you come to the conclusion that meeting the information duty would involve a disproportionate effort, you must instead protect the rights of the data subjects in another way. You can do this by publishing information on how you will process the personal data, e.g. on the research project website or in a profile on social media.
AU has made a number of templates that you can use to comply with your information duty, regardless of your choice of basis for processing. You can decide for yourself how you will comply with your information duty, so the templates are only intended as inspiration, and you are not bound by them.
If the templates do not match your specific target group, or the way you otherwise communicate with the data subjects, you are welcome to comply with your information duty in other ways. For example, you can integrate the information duty in your other information material (see examples below). The most important thing is that it must be transparent for the data subject and that you comply with the requirements for content, language and form.
Note that there are specific requirements for the information you need to give the data subject to comply with your information duty. You may want to use AU’s templates to check what information you need to remember.
There are also requirements for the way you provide the information. The information duty requires that you provide the information:
Provide the information in writing, or, if appropriate, electronically. If the data subject so requests, the information may be given orally, provided that the data subject's identity can be confirmed in some other way (e.g. presentation of an ID card).
Text example:
Complex and long: The purpose of this notification is to explain and provide information about the manner in which Aarhus University processes personal data pursuant to Articles 13 or 14 of the General Data Protection Regulation. Moreover, this notification is also to inform you of the rights conferred by the Regulation, including the exemptions from such rights as determined in national legislation pertaining to the personal data of the data subject for research purposes.
Short and clear language: Aarhus University has to inform you about how we process your personal data. You can also read about your rights when we process your personal data for research purposes here.
Researchers come into contact with or receive information about data subjects (research participants, informants, subjects, etc.) in many different ways. For example:
The way in which, as a researcher, you want to communicate with the data subjects (and thus comply with your information duty) can vary depending on whether you receive the data from the person in question or from others, the type of contact you use, your research method and habits, etc.
There are examples here of how you can comply with the information duty and integrate it into your other information material. Naturally, you will have to choose the way that makes the most sense and is most transparent for the data subjects in the specific situation.