GDPR and research-based public sector consultancy

When you are involved in public sector consultancy, you should be aware that, depending on the assignment, it may include personal data. It is not always straightforward to assess whether this is the case. Therefore, ask yourself the following questions to find out whether you will be processing personal data when you perform a public sector consultancy task:  

1. Does the task involve natural persons? 
2. Are you dealing with information that, in itself or in combination with other information, could lead to a natural person? 
3. Have you fully thought through the context of information? For example, depending on the circumstances, a GPS coordinate could lead to information about a natural person if the co-ordinates are on the person’s farm field. By finding the field, it is possible to find the physical person, e.g. via online address services, the land registration system, etc.  
4. What is your legal basis for processing personal data in research-based public sector consultancy? 

When you process personal data in connection with research-based public sector consultancy, you must have a legal basis for such processing. Basically, the University Act allows AU to conduct public sector consultancy. This authority is exercised through a number of specific agreements with ministries and their agencies. Therefore, when AU provides research-based public sector consultancy, it is part of AU's work as a university and thus exercising its authority.

When determining your basis for processing, you should consider the following:  

• What is AU’s role in terms of data protection law? 
• What types of personal data will I be processing? 
• Am I only processing personal data for the purpose of the public-sector consultancy, or do I have other purposes, e.g. 'research' or 'teaching', beyond the public-sector consultancy task?  

When you have determined AU’s role, you can decide whether AU has an independent basis for processing. If AU is the data controller, you will have to ensure, on behalf of AU, that AU has independent legal authority for the processing. However, if AU is the data processor, the processing will be based on the authority's (the ministry’s or agency’s) basis for processing. 

If AU is the data controller, you must know the types of personal data in order to assess what possible bases for processing there are. Finally, you must know whether you are solely processing personal data for the public sector consultancy task, or whether you are also processing personal data for other purposes, e.g. research. If you have multiple purposes, you must ensure a basis for processing for each of your purposes.  

Examples of a basis for processing of personal data in connection with research-based public sector consultancy: 

Note that this depends on the specific circumstances for the processing. 

• Ordinary personal data: Article 6(1)(e) or (c) of the General Data Protection Regulation. 
• Special categories (sensitive) of personal data: Article 9(2)(f), cf. Article 6(1)(c) of the General Data Protection Regulation. 
• Data about criminal offences: Section 8(1) of the Danish Data Protection Act.  
• Civil reg. no.: Section 11(1) of the Data Protection Act.