Legal basis and information duty

Legal basis for processing personal data

As a researcher at AU, you need a valid legal processing basis if you want to process personal data. In practice, this means that you need a legal basis pursuant to the General Data Protection Regulation and possibly the Danish Data Protection Act or other, special legislation.  

On what legal basis you can base your processing of personal data depends on the type of processing. If you want to process personal data for research purposes, you may base your processing on one of the following legal bases:  

As a general rule, you can choose freely between these two processing bases. However, you should be aware that you cannot change the basis for processing along the way; that would be poor data processing practice. It is therefore important that you think thoroughly about how you want to process personal data before you start processing personal data.  

How to determine the legal basis for processing personal data in your research

SCIENTIFIC RESEARCH PURPOSES

CONSENT


SCOPE

Personal data may be processed if the processing takes place exclusively for scientific or statistical purposes, and if the processing is necessary for the research.     

Please note that scientific research purposes cannot be used as a legal basis for the processing of personal data in an educational context.

Personal data may be processed for the specific purposes to which the data subjects have given their consent. 


CONDITIONS

Processing has to:  

  1. take place within a recognised scientific field or for statistical purposes 
  2. be necessary for the research 

Consent has to:  

  • be given freely 
  • be specific 
  • be informed 
  • be an unambiguous indication of the data subject’s wishes 
  • be withdrawable 
  • be communicated in clear and easy-to-understand language in an easily accessible form 

Find more information about consent.


DOCUMENTATION REQUIREMENTS

You may be required to meet and document the information duty.  

A template is available to help you meet your information duty in research projects that use 'scientific research purpose' as the legal basis for processing personal data.  

Remember to save a copy of the document.  

Consent must be documented. Therefore, you should obtain written consent. You can use the AU consent form.  

You also have to document that the data subjects have received the information required for the consent to be valid as well as the information required to meet the information duty. You can use the AU form to meet the information duty.     


PARTICIPANTS' (DATA SUBJECTS') RIGHTS

If your legal basis for processing personal data is 'scientific research purposes', many of your data subjects' rights can be derogated from. They can be derogated from because there are special exemptions for research and because there are special rules that protect the data subjects.   

As a general rule, data subjects can exercise all of their rights under the General Data Protection Regulation. If data subjects want to exercise their rights, you have to make an individual assessment based on the specific circumstances. 

Data subjects are also entitled to withdraw their consent. This means that you must stop processing their personal data.   


DISCLOSURE OF DATA WITHIN THE EU/EEA (NOTE: DOES NOT INCLUDE MAKING AVAILABLE TO DATA PROCESSOR)

You can disclose personal data for use in other research without the approval of the Danish Data Protection Agency within the EU/EEA by making a disclosure declaration. You can use the AU form for this.

You may only disclose personal data if you have the data subjects' consent to do so.


DISCLOSURE OF DATA OUTSIDE THE EU/EEA (NOTE: DOES NOT INCLUDE MAKING AVAILABLE TO DATA PROCESSOR)

You may only disclose personal data to a recipient outside the EU/EEA if you have received the Danish Data Protection Agency's approval to do so.  

See here for more information.     

You may only disclose personal data to a recipient outside the EU/EEA if you have the data subjects' consent to do so. Note that there are special requirements for the information to be provided to the data subjects about the transfer.    


DISCLOSURE OF BIOLOGICAL MATERIAL (NOTE: DOES NOT INCLUDE MAKING AVAILABLE TO DATA PROCESSOR)

You may only disclose personal data in the form of biological material for other research if you have received the Danish Data Protection Agency's approval to do so.  

See here for more information.     

You may only disclose personal data in the form of biological material for other research if you have received the Danish Data Protection Agency's approval to do so. 


PUBLICING PERSONAL DATA

You may only disclose special categories (sensitive) of personal data with a view to publishing if you have received the Danish Data Protection Agency's approval to do so. Disclosure of general personal data with a view to publishing can take place if necessary, and the personal data is pseudonymised. See here for more information.   

You may only disclose personal data with a view to publishing if you have the data subjects' consent to do so.    


HOW TO REFER TO YOUR LEGAL BASIS

  • Processing of ordinary personal data: Article 6(1)(e) of the General Data Protection Regulation. 
  • Processing of sensitive personal data: Section 10 of the Danish Data Protection Act, cf. Article 6(1)(e) of the General Data Protection Regulation.
  • Processing of ordinary personal data: Article 6(1)(a) of the General Data Protection Regulation. 
  • Processing of sensitive personal data: Article 9(2)(a) and Article 6(1)(a) of the General Data Protection Regulation. 

Information duty

When collecting personal data, you must generally notify the relevant people (data subjects) that you are processing their personal data. The purpose of the information duty is to create transparency about how you process their personal data.  

You must always meet the information duty when collecting personal data directly from data subjects. 


Indirect collection of personal data   

 

When collecting personal data indirectly, e.g. in register-based research or from social media, in some cases you need not meet the information duty, i.e. if meeting the information duty proves impossible or would involve a disproportionate effort.  

When assessing whether notifying the data subjects would involve a disproportionate effort, you should balance: 

  • The data subject's interest in being made aware of information about the processing, and 
  • The difficulties in fulfilling the information duty.  

In your assessment, you could focus on:  

  • The number of people 
  • The age of the personal data  
  • The compensatory measures, e.g. that you will publish on the research project website how you will process the personal data, and 
  • The significance of the different interests (the interests of the data subject compared with research as an important public interest) given the data being processed
  • How intrusive your processing of personal data is for the individual data subject. 

If you come to the conclusion that meeting the information duty would involve a disproportionate effort, you must instead protect the rights of the data subjects in another way. You can do this by publishing information on how you will process the personal data, e.g. on the research project website or in a profile on social media.