The Data Protection Unit needs this information so that they can contact you about your registration.
As a contact person, you must be able to answer questions about data protection issues in relation to your research project.
Indicate whether it is a biobank or a database, so that this is clear from AU's record.
Specify the purpose of the biobank/database. Consider, as a minimum:
The purpose must be specified so that it is clear to the data subjects (the persons whose personal data are being processed). However, that said, it may be difficult to determine the precise purpose because the future research activities may be of a different nature.
Enter the number of natural persons whose data you are processing in your project. If you do not know this number, you should indicate why it is not possible to specify an exact number.
Example: Around 2,000 persons are added to the biobank/database yearly.
Start date for processing
Indicate when you expect to start processing personal data. Note that collection is also processing. For example, if you receive email addresses for use in sending out questionnaires. In this example, the start date for processing personal data would usually be when you receive the email addresses.
End date for processing
Indicate when you expect to stop processing personal data. If you base your processing on consent, you are obligated to stop processing personal data at the time you have specified to your participants (the data subjects). If your legal basis for processing personal data is 'scientific research purposes', you can change the end date for processing along the way if you need to continue processing personal data to meet your research purpose. However, you must remember to inform the Data Protection Unit about any changes, so that the record can be updated to reflect these.
Remember that you are obligated to store data for at least five years after your most recent publication in accordance with the rules on responsible conduct of research. This storage is part of the research purpose. Read more about storing data.
When your project ends, your processing of personal data must as a rule end too. This can be done in several ways:
There are different categories of personal data. Indicate the category of personal data and also specify (in headings) which types of personal data you intend to process.
Example 1: Ordinary personal data: Contact information, gender, age, etc.
Example 2: Sensitive/special categories of personal data: Health data, political orientation, trade union affiliation, etc.
Indicate the category(ies) of persons whose data you intend to process. It is important to consider who you are processing personal data about, because the category of data subjects may require that you take special measures to protect personal data or change your style of language when addressing your data subjects.
Examples of categories:
*Remember that personal data about deceased persons is protected for 10 years.
Indicate whether you will be using a data processor for physical storage of biological samples, for example, or for storing a cohort on the data processor's server.
Also state the data processor’s name, address, CVR no. and contact information of a contact person.
Disclosure may only take place if the recipient is an independent data controller or a joint controller.
In some situations, you will need prior approval from the Danish Data Protection Agency if you want to disclose biological material or personal data to a third country (outside the EU/EEA). The Data Protection Unit can help you apply for approval.
You have to indicate whether the necessary agreements have been entered into with external actors because many of the agreements are required under data protection law.
How you must protect personal data depends on the type of data in question, the numbers involved, and whose data you process.
Technical measures: For example, storage on a secure server, encryption, pseudonymisation, etc.
Organisational measures: For example, rights management, training, etc.
Specify whether you will collect the data from the data subjects or through other actors, such as registers, biobanks, etc.
Processing personal data requires that you have a valid legal basis for processing the data.
Remember that you cannot change your basis for processing along the way.