Register a project in the record

If you need to process personal data in connection with a research project, a database or a biobank, it must be registered in AU’s internal record before you start. Here you can find information about the record and register your project. 



What is a record?

Pursuant to the rules of the General Data Protection Regulation, Aarhus University (AU) is obligated to maintain a record of all personal data processing activities performed by the university in the role of data controller or data processor.

The purpose of maintaining such a record is to ensure that AU has an overview of all personal data processing activities carried out by AU when AU is either the data controller or the data processor.

The university is also obligated to submit its record to the Danish Data Protection Agency upon the Danish Data Protection Agency’s request, so that the Agency can oversee data controllers and/or data processors.

There are only two formal requirements for the record: it must be written and it must be electronic. These requirements ensure adherence to the principle of accountability: you need written documentation to demonstrate accountability.

Who is required to register processing activities in the record?

As a researcher employed at AU, you are responsible for ensuring that AU meets all data protection obligations in your research project. As an institution, AU is either a data controller or a data processor. However, it's your responsibility as a researcher to ensure an adequate level of data protection in your research project.

If you are responsible for processing personal data in a research project, you must ensure that the project has been registered in AU's record. Register your project using a notification form. 

What should be registered in the record?

The information to be registered in the record falls into two general categories.

  • Information that must be registered pursuant to the rules in the General Data Protection Regulation.
  • Information that the Data Protection Unit needs in order to help you manage your registration in the record.

Below is an outline of the information that the Data Protection Unit needs from you in order to register your research project and ensure compliance with the requirements in the General Data Protection Regulation.

What are my obligations towards the record?

As the contact person linked to a registration in the record, as a minimum you have the following obligations towards the record:

You must be able to answer/examine questions about data protection issues in relation to the processing of personal data.

You must contact the Data Protection Unit at fortegnelse@au.dk:

  • if the processing of personal data that you registered changes. For example, if the number of data subjects changes, or if you include new data sources or other external actors. Remember to state the relevant serial number.
  • if the processing of personal data continues for longer than the end date for processing that we have received from you. It is important that you inform us about what has happened to the data when you stop processing personal data.
  • if the contact person/contact information changes, for example if:
    • you go on leave, including maternity/paternity leave
    • your employment at AU ceases
    • you change job internally at AU

You must inform the Data Protection Unit separately about any disclosures of personal data by using this form.

Can I see the information I have registered in the record?

Contact the Data Protection Unit at fortegnelse@au.dk and ask for a copy of the information that has been registered with you as the contact person. Remember to indicate the serial number(s) you received in the confirmation letter.

What is AU's role?

AU's role in your research project depends on how processing of personal data is to take place.

Generally speaking, AU can have three roles:

Data controller

The natural or legal person, public authority, agency or other body which alone or jointly with other parties determines for which purpose and by which means data may be processed.    


Joint controller

If two or more data controllers jointly determine the means and purposes of personal data processing, they are defined as joint controllers.   


Data processor

A natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller (i.e. as instructed by the data controller and without an independent research purpose).


Expected case processing time for the record of processing activities in research


  • New registrations to the record of processing activities: Within 3 weeks of notification
  • Updates to existing registrations: Within 2 weeks of receiving changes
  • Guidance on notification to the record of processing activities: Within 1 week of receiving the request  
  • Assistance in applying to the Danish Data Protection Agency: Within 2 weeks of receiving the form
  • Registration of disclosure: Within 2 weeks of receiving the internal notification