Notification form for AU's records, where AU is the data controller for a database or a biobank

Dataansvarlig - biobanker og databaser

Notification form - biobanks and databases

Expected case processing time for the record of processing activities in research


  • New registrations to the record of processing activities: Within 3 weeks of notification
  • Updates to existing registrations: Within 2 weeks of receiving changes
  • Guidance on notification to the record of processing activities: Within 1 week of receiving the request  
  • Assistance in applying to the Danish Data Protection Agency: Within 2 weeks of receiving the form
  • Registration of disclosure: Within 2 weeks of receiving the internal notification

 


EXPLANATIONS

AU ID, name, AU email address, faculty/unit and department/school/centre

The Data Protection Unit needs this information so that they can contact you about your registration.

As a contact person, you must be able to answer questions about data protection issues in relation to your research project. 

Is it a biobank or a database?

Indicate whether it is a biobank or a database, so that this is clear from AU's record.   

Name(s) of the biobank/database

Indicate name(s), so that the biobank/database can be identified.    

The purpose of the biobank/database

Specify the purpose of the biobank/database. Consider, as a minimum: 

  • What is the purpose of the biobank/database?
  • Within which scientific field should it be possible to use the biobank/database for future research?
  • Why is processing of personal data necessary to meet the purpose of the biobank/database?

The purpose must be specified so that it is clear to the data subjects (the persons whose personal data are being processed). However, that said, it may be difficult to determine the precise purpose because the future research activities may be of a different nature.  

Number of natural persons whose data you are processing

Enter the number of natural persons whose data you are processing in your project. If you do not know this number, you should indicate why it is not possible to specify an exact number.

Example: Around 2,000 persons are added to the biobank/database yearly.  

Start date and end date for processing personal data

Start date for processing

Indicate when you expect to start processing personal data. Note that collection is also processing. For example, if you receive email addresses for use in sending out questionnaires. In this example, the start date for processing personal data would usually be when you receive the email addresses.

End date for processing

Indicate when you expect to stop processing personal data. If you base your processing on consent, you are obligated to stop processing personal data at the time you have specified to your participants (the data subjects). If your legal basis for processing personal data is 'scientific research purposes', you can change the end date for processing along the way if you need to continue processing personal data to meet your research purpose. However, you must remember to inform the Data Protection Unit about any changes, so that the record can be updated to reflect these.

Remember that you are obligated to store data for at least five years after your most recent publication in accordance with the rules on responsible conduct of research. This storage is part of the research purpose. Read more about storing data. 

When your project ends, your processing of personal data must as a rule end too. This can be done in several ways:

  • You can irreversibly anonymise the data.
  • You can erase the data.
  • You can have the data transferred to the Danish National Archives.
  • You can legitimately disclose the data to another recipient under certain specific circumstances. Note that you are not allowed to keep a copy of the data afterwards, unless your copy alone contains irreversibly anonymised data.

  

Type of personal data

There are different categories of personal data. Indicate the category of personal data and also specify (in headings) which types of personal data you intend to process.

Example 1: Ordinary personal data: Contact information, gender, age, etc.

Example 2: Sensitive/special categories of personal data: Health data, political orientation, trade union affiliation, etc.   

Category of data subjects

Indicate the category(ies) of persons whose data you intend to process. It is important to consider who you are processing personal data about, because the category of data subjects may require that you take special measures to protect personal data or change your style of language when addressing your data subjects.

Examples of categories:

  • Patients
  • Relatives
  • Children and young people under 18
  • Children
  • Adults
  • Deceased*
  • Landowners, etc.

*Remember that personal data about deceased persons is protected for 10 years. 

Do you intend to use data processors?

Indicate whether you will be using a data processor for physical storage of biological samples, for example, or for storing a cohort on the data processor's server.

Also state the data processor’s name, address, CVR no. and contact information of a contact person.  

Do you intend to disclose data, including non-biological material and/or biological material, and possibly transfers to third countries (outside the EU/EEA)?

Disclosure may only take place if the recipient is an independent data controller or a joint controller.

In some situations, you will need prior approval from the Danish Data Protection Agency if you want to disclose biological material or personal data to a third country (outside the EU/EEA). The Data Protection Unit can help you apply for approval.   

Have collaboration agreements and/or data protection agreements been entered into?

You have to indicate whether the necessary agreements have been entered into with external actors because many of the agreements are required under data protection law.   

What initiatives have you taken to protect the personal data?

How you must protect personal data depends on the type of data in question, the numbers involved, and whose data you process.

Technical measures: For example, storage on a secure server, encryption, pseudonymisation, etc.

Organisational measures: For example, rights management, training, etc.    

What data sources are you using?

Specify whether you will collect the data from the data subjects or through other actors, such as registers, biobanks, etc. 

On what legal basis do you base your processing of personal data?

Processing personal data requires that you have a valid legal basis for processing the data.

Read about the two valid legal bases for processing. 

Remember that you cannot change your basis for processing along the way.