When you collect personal data, you should, as a rule, inform the data subjects about the processing of their personal data. The requirement to inform the data subject is called the information duty.
The purpose of the information duty is to establish transparency for the data subject about how you process their personal data. Among other things, this consist of providing information about AU’s role (data controller or joint data controller), why you process the data subject’s personal data, the legal basis etc.
Most of the information you provide when complying with your information duty, you will need when conducting your risk assessment and registering to the record of processing activities.
The way in which you collect the personal data affects whether you are obliged to perform your Information, but also how you can comply with it. As a researcher, you can collect information about the data subjects (research participants, informants, subjects, etc.) either directly or indirectly.
It is important that you always comply with the information duty when collecting personal data directly from data subjects (e.g. through questionnaires, personal interviews, etc.).
When collecting personal data indirectly, e.g., in register-based research or from social media, in some cases you need not comply with your information duty. You can do this if it is impossible to comply with the information duty, or if you assess that it would require a disproportionate effort.
When assessing whether notifying the data subjects would involve a disproportionate effort, you should balance:
In your assessment, you could focus on:
If you come to the conclusion that meeting the information duty would involve a disproportionate effort, you must instead protect the rights of the data subjects in another way. You can do this by publishing information on how you will process the personal data, e.g. on the research project website or in a profile on social media.
AU has made a number of templates that you can use to comply with your information duty, regardless of your choice of basis for processing. You can decide for yourself how you will comply with your information duty, so the templates are only intended as inspiration, and you are not bound by them.
If the templates do not match your specific target group, or the way you otherwise communicate with the data subjects, you are welcome to comply with your information duty in other ways. For example, you can integrate the information duty in your other information material (see examples below). The most important thing is that it must be transparent for the data subject and that you comply with the requirements for content, language and form.
Below, you can read about what you need to consider when providing the information text (the duty of disclosure) to the data subject.
When complying with your information duty, you should be aware that there are specific requirements to the content of the information you have to provide to the data subject. You can use AU’s templates, which you will find above, to check what information you need to remember, or read below:
1) Who is responsible for the processing of personal data and how to get in touch with AU/you?
You must inform the data subject that it is AU (and possibly other data controllers), who are responsible for and process personal data. In addition, you should state who the responsible researcher is, and how to get in touch with AU, you and the Data protection officer.
2) Why do you process the personal data and what is the legal basis for your processing?
You must clearly state your purpose for processing the personal data. Therefore, you should consider whether you need to process the personal data for one or several purposes, e.g.,
You may have several bases for processing (legal bases) if you process personal data for several purposes. From the example above, it could be that you are going to process the personal data for a research purpose based on the research authority, while your processing of personal data for an educational purpose is based on valid consent to data processing from the data subject under data protection law, etc. You must inform the data subject about the legal bases. If you base a processing of personal data on a valid consent to processing, remember to give information about the possibility to withdraw the consent.
3) Which personal data will be processed?
You must provide information about the types of personal data you are processing. You must also state where you have collected the personal data if you have collected it from others than the data subject (see indirect collection).
4) Will you share personal data with others?
if it is necessary for you to share personal data with others, you must, as a minimum, be able to provide information about the category of recipient (e.g., other research institutions). If you already know who you will be sharing with, you must state this.
If you need to share personal data with a recipient outside the EU/EEA or an international organisation, there are special obligations that you should be aware of. Here, it may be a good idea to look at AU's template for information duty.
5) How long is it necessary to process the personal data?
You must state how long you will process the personal data, including storage, but you do not have to be able to say a precise date. Here, it may be a good idea to look at AU's template for duty of disclosure LINK?????. Or find more information about storing peronal data.
6) Which rights does the data subject have and how can the data subject file a complaint?
When you process personal data the data subjects have some rights. It is important for the data subjects to know which rights to be able to exercise them. Therefore, you must inform the data subjects about their rights.
You should also state how the data subjects can file a compliant to the Data Protection Agency, Datatilsynet if they do not agree with the way you process their personal data.
There may be other things than the requirements of the data protection rules that are relevant to inform the data subject about. Soon you can read more about how to reconcile the requirements of research ethics and the information duty.
There are also requirements for the way you provide the information. The information duty requires that you provide the information:
Provide the information in writing, or, if appropriate, electronically. If the data subject so requests, the data may be given orally, provided that the data subject's identity can be confirmed in some other way (e.g., presentation of an ID card).
Text example: Complex and long: The purpose of this notification is to explain and provide information about the manner in which Aarhus University processes personal data pursuant to Articles 13 or 14 of the General Data Protection Regulation. Moreover, this notification is also to inform you of the rights conferred by the Regulation, including the exemptions from such rights as determined in national legislation pertaining to the personal data of the data subject for research purposes. Short and clear language: Aarhus University has to inform you about how we process your personal data. You can also read about your rights when we process your personal data for research purposes here. |
Researchers come into contact with or receive information about data subjects (research participants, informants, subjects, etc.) in many different ways. For example:
The way in which, as a researcher, you want to communicate with the data subjects (and thus comply with your information duty) can vary depending on whether you receive the data from the person in question or from others, the type of contact you use, your research method and habits, etc.
There are examples here of how you can comply with the information duty and integrate it into your other information material. Naturally, you will have to choose the way that makes the most sense and is most transparent for the data subjects in the specific situation.
MANGLER DER NOGET TEKST HER - JF DEN DANSKE TEKST???