Register research in which AU is data controller

Here, you can register your research project, where AU is data controller, to Aarhus University's record of research projects.

Guide

Here you can find a written guide on how to register your research via the notification form.

Instructions

Here you can find a copy of the instructions you receive after registration.

1. Introduction

To have your research registered in the AU record, we need information about you and your research purpose.

Please note that:

• It is your responsibility to ensure that the information is correct and in accordance with the actual circumstances of your research project

• In some cases, you will have to elaborate on the information you give us. This will be stated on the form.

• Your registration is only submitted once you have completed all parts of the registration form and clicked 'submit'. You will then receive a copy of the registration at the email address you provided on the form.

• Your project will not be registered until you have been assigned a serial number and received a confirmation letter from the register.

• The confirmation letter is only documentation that your project has been included in the AU record. It is not an approval of your research.

2. Contact Person

1. Name of contact person

2. AU ID of contact person (example: AUXXXXXX)

3. AU email address of contact person

4. Faculty/unit

5. Department/school/centre

6. Internal file no./reference (e.g. local project number, Statistics Denmark project number etc.)

3. Project information

7. Project title

8. Purpose of the project

9. Is it a main project or a sub-project (sub-study)?

Main project (go to question 10)

Sub-project (sub-study) (fill in question 9a)

(9a) State the title and serial number of the main project

10. Start date for processing personal data

11. End date for processing personal data

When evaluating how long you will need to process personal data, you must also include any possible storage period according to the rules in other legislation or, for example, the rules on the responsible conduct of research. Document your evaluation and store it with your other project material.

5. Information obligation

18. Are you providing an information obligation to the data subjects in your project?

Yes – Please move on to the next tab (tab 6 "Data sources and security")

No – Read the information below and go to the next question on this tab

As a general rule, the General Data Protection Regulation (GDPR) requires that individuals be informed when their personal data is being processed, including details about the processing. However, if the following conditions are met, it may be permissible to exempt the project from the obligation to inform the data subjects:

- Does the project use personal data that was not collected directly from the participants?
- Does the project process personal data about a large number of individuals?
- Would fulfilling the information obligation for each individual require a disproportionate effort?

When completing the fields in this tab, please note that the information will be published in an overview on au.dk titled "Overview of projects exempted from the information obligation at Aarhus University." It is therefore important that the information is understandable to the general public and not confidential.

To help potentially registered individuals understand whether the project may include them, it is important that question 13 (category of data subjects) is described precisely.

Here is an example of an overly broad description of data subjects and a more precise one:

- Imprecise description: Adults over 18 years of age
- Precise description: Adults aged 18–65 who were hospitalized in the Central Denmark Region with pneumonia during the period 2000–2025

19. Are you using the exemption from the information obligation cf. the General Data Protection Regulation art. 14, stk. 5, litra b?

Yes

No – Please eleborate in 19a below

19a. Elaborate why you are not using the exemption from the information obligation

Disclosure of Project Information

When using the exemption from the information obligation, you must ensure that compensatory measures are in place, for example by making information about the project’s processing of personal data publicly available.

Some of the information you provide for the record will therefore be published on au.dk on a page titled “Overview of projects exempted from the information obligation at Aarhus University.”

The information that will be published includes:
-Faculty [Question 4]
-Department [Question 5]
-Title of the research project [Question 7]
-A description of the purpose of the personal data processing [Question 8]
-Categories of data subjects included in the project [Question 13]
-Types of personal data processed in the research project [Questions 14–17]
-Contact information for the research project [Question 21]
-Source of the data [Question 22]
-Any recipients of personal data [Questions 25–27]
-Any transfers to third countries [Question 29]

20. Does the project have a seperate website, where data subjects can find information about the purpose of the project or something like that? lignende?

Yes – Please elaborate in 20a below

No

20a. Insert website website URL here

21. Contact information for the research project

6. Data sources and security

Data sources

State the data sources in your research project. State where you collected the personal data.

22. Which data sources are you using?

From the data subject (the person whose data is being processed)

From the data subject and other sources (elaborate in question 18a below)

From sources other than the data subject (elaborate in question 18a below)

22a. Elaborate

Security of processing

The measures you should take to protect personal data depend on the type of data in question, the numbers involved, and who you process data about. Example:
• Technical measures, such as storing the data on a secure server, encryption and pseudonymisation.
• Organisational measures, such as rights management and training.

23. What measures have you taken/are you planning to take to protect the personal data?

7. Sharing

State here whether you need to share personal data with others who are not employees at AU. Remember that you must have an agreement with the party with whom you will be sharing personal data. The Technology Transfer Office ([email protected]) can help you negotiate the agreement. Contact them well in advance of the start of the project.

If you are using a research machine, for example the research machine at Statistics Denmark, note that you are using a data processor for AU. The same applies for other suppliers, e.g. Rambøll when using SurveyXact.

24. I will be sharing personal data with:

One or more independent data controllers (elaborate in question 25)

One or more joint data controllers (elaborate on question 26)

One or more data processors (elaborate in question 27)

I will not be sharing personal data with anyone outside AU (go to tab 8 "Authorisation requirements")

25. State the independent data controller(s)

26. State the joint data controller(s)

27. State the data processor(s)

28. State the agreement number(s)

9. Basis for processing

Processing personal data requires that you have a valid legal basis for processing the data (legal authority).

32. On what legal basis are you processing personal data?

Scientific research purpose (section 10 of the Danish Data Protection Act with Article 6(1)(e) and Article 9(2)(j) of the General Data Protection Regulation, or Article 6(1)(e) of the General Data Protection Regulation.

Valid consent to data processing given by the data subject under data protection law (Article 6(1)(a) and/or Article 9(2)(a) with Article 6(1)(a) of the General Data Protection Regulation).

Other (elaborate in question 32a below)

32a. Elaborate

Other lawful purposes of the processing of personal data

In some cases, you may have several lawful purposes for the processing of personal data, such as research, education or dissemination. If so, answer question 33.

33. Do you have any other lawful purposes than the research purpose for the processing of personal data?

Yes, (answer questions 33a and 33b)

No (go to the next tab)

33a. What is/are your other purpose(s) in relation to the processing of personal data?

33b. What is/are your legal basis/bases in relation to the processing of personal data?

Don't fill this field!

Here, you can register your research project, where AU is data controller, to Aarhus University's record of research projects.

Guide

Instructions

Register a research project for which AU is data controller (pID: 1443382)

Please note that:

Data subjects

Types of personal data

Disclosure of Project Information

Data sources

Security of processing

Third country or international organisation

Biological material

Publishing personal data

Other lawful purposes of the processing of personal data

Do you need help?