GDPR and research-based public sector consultancy

Depending on the assignment, public sector consultancy may include personal data. See what you need to be aware of with regard to research-based public sector consultancy and GDPR.  

What is research-based public sector consultancy?

“Research-based public sector consultancy is an umbrella term for a variety of services universities perform for the Danish state and others. The services range from research within a certain field to specific emergency-response and consultancy tasks. 

Research-based public sector consultancy could be: 

  • Research within a certain field. This may be research into labour market conditions or research into the water quality in Danish rivers. 
  • Emergency response within a specific field. This may be facilities and activities in response to epidemics of animal diseases or oxygen depletion in Danish waters. 
  • Consultancy within a specific area. This may be environmental and business-economic consequences of a bill on agricultural fertiliser or the consequences for transport of a bill for a new motorway." 

Source: Ministry of Higher Education and Science 

Do you process personal data?

When you are involved in public sector consultancy, you should be aware that, depending on the assignment, it may include personal data. It is not always straightforward to assess whether this is the case. Therefore, ask yourself the following questions to find out whether you will be processing personal data when you perform a public sector consultancy task:  

  1. Does the task involve natural persons? 
  2. Are you dealing with information that, in itself or in combination with other information, could lead to a natural person? 
  3. Have you fully thought through the context of information? For example, depending on the circumstances, a GPS coordinate could lead to information about a natural person if the co-ordinates are on the person’s farm field. By finding the field, it is possible to find the physical person, e.g. via online address services, the land registration system, etc.  
  4. What is your legal basis for processing personal data in research-based public sector consultancy? 

Determination of the basis for processing

When you process personal data in connection with research-based public sector consultancy, you must have a legal basis for such processing. Basically, the University Act allows AU to conduct public sector consultancy. This authority is exercised through a number of specific agreements with ministries and their agencies. Therefore, when AU provides research-based public sector consultancy, it is part of AU's work as a university and thus exercising its authority.

When determining your basis for processing, you should consider the following:  

When you have determined AU’s role, you can decide whether AU has an independent basis for processing. If AU is the data controller, you will have to ensure, on behalf of AU, that AU has independent legal authority for the processing. However, if AU is the data processor, the processing will be based on the authority's (the ministry’s or agency’s) basis for processing. 

If AU is the data controller, you must know the types of personal data in order to assess what possible bases for processing there are. Finally, you must know whether you are solely processing personal data for the public sector consultancy task, or whether you are also processing personal data for other purposes, e.g. research. If you have multiple purposes, you must ensure a basis for processing for each of your purposes.  

Examples of a basis for processing of personal data in connection with research-based public sector consultancy: 

Note that this depends on the specific circumstances for the processing. 

  • Ordinary personal data: Article 6(1)(e) or (c) of the General Data Protection Regulation. 
  • Special categories (sensitive) of personal data: Article 9(2)(f), cf. Article 6(1)(c) of the General Data Protection Regulation. 
  • Data about criminal offences: Section 8(1) of the Danish Data Protection Act.  
  • Civil reg. no.: Section 11(1) of the Data Protection Act.