Notification form - data controller

Here you can register your research project where AU is data controller to AU's notification form. 

This site is updated in May 2021. Please note, we will update these sites regularly.   

AU as data controller

AU as data controller

Expected case processing time for the record of processing activities in research

  • New registrations to the record of processing activities: Within 3 weeks of notification
  • Updates to existing registrations: Within 2 weeks of receiving changes
  • Guidance on notification to the record of processing activities: Within 1 week of receiving the request  
  • Assistance in applying to the Danish Data Protection Agency: Within 2 weeks of receiving the form
  • Registration of disclosure: Within 2 weeks of receiving the internal notification



AU ID, name, AU email address, faculty/unit and department/school/centre

The Data Protection Unit needs this information so that they can contact you about your registration.
As a contact person, you must be able to answer questions about data protection issues in relation to your research project.    

Project title

Indicate the title of the project in such a way that the research project can be clearly identified.     

Purpose of the project

Provide information about the purpose of processing personal data in your research project. Consider, as a minimum:

  • What is the research purpose?
  • Why is it necessary to process personal data to meet the purpose(s) of your research?
  • Will the personal data be used for other research within the same scientific field?

Your description does not have to be identical to descriptions you have submitted in connection with applications for funding, etc. Your focus here is your research purpose for processing personal data.

Your description should be sufficiently detailed to make it clear and transparent to participants (the data subjects) what the processing of personal data will contribute to the research. However, that said, in research it can be difficult to determine the precise purpose because a research project often develops and changes along the way.

Purpose of the project Is the project a main project or a sub-study?

The following factors can help determine whether your project is a main project or a sub-study:

  • Your project is a main project if you intend to process personal data for a single purpose, and if you do not intend to involve new actors (such as another data processor).
  • Your project is a sub-study if you have a main project from which smaller projects have sprung with their own, independent sub-purposes, or if other actors are involved than those in the main project. If you are registering a sub-study, you should provide the serial number of the main project, so that the projects can be linked together in the record.          

Number of natural persons whose data you are processing

Enter the number of natural persons whose data you are processing in your project. If you do not know this number, you should indicate why it is not possible to specify an exact number or which factors are included in your "count" (see the example).

Example: The entire Danish population aged 15-65 years in the period 1980-2000.    

Start date for processing personal data

Indicate when you expect to start processing personal data.

Note that collection is also processing. For example, if you receive email addresses for use in sending out questionnaires. In this example, the start date for processing personal data would usually be when you receive the email addresses.

End date for processing personal data

Indicate when you expect to stop processing personal data.

If you base your processing on consent, you are obligated to stop processing personal data at the time you have specified to your participants (the data subjects).

If you base your processing on ‘scientific research purposes’, you can change the end date for processing along the way. However, you must remember to inform the Data Protection Unit about any changes, so that the record can be updated to reflect these. 

Remember that you are obligated to store data for at least five years after your most recent publication in accordance with the rules on responsible conduct of research. This storage is part of the research purpose. Read more about storing data. 

When your project ends, your processing of personal data must as a rule end too. This can be done in several ways:


  • You can irreversibly anonymise the data.
  • You can erase the data.
  • You can have the data transferred to the Danish National Archives.
  • You can legitimately disclose the data to another recipient under certain specific circumstances. Note that you are not allowed to keep a copy of the data afterwards, unless your copy alone contains irreversibly anonymised data.



Type of personal data

There are different categories of personal data. Indicate the category of personal data and also specify (in headings) which types of personal data you intend to process.

Example 1: Ordinary personal data: Contact information, gender, age, etc.

Example 2: Sensitive/special categories of personal data: Health data, political orientation, trade union affiliation, etc.     

Category of data subjects

Indicate the category/categories of persons whose data you intend to process. It is important to consider who you are processing personal data about, because the category of data subjects may require that you take special measures to protect personal data or change your style of language when addressing your data subjects.

Examples of categories:

  • Patients
  • Relatives
  • Children and young people under 18
  • Children
  • Adults
  • Deceased*
  • Landowners, etc.

*Remember that personal data about deceased persons is protected for 10 years. 

Sharing of personal data, including transfers to third countries (outside the EU/EEA)

Sharing of personal data requires an external actor from outside AU.

There are three types of data sharing:

  • Disclosure: is when you share personal data with other data controllers (both independent and joint controllers).
  • Making available: is when you share personal data with a data processor.
  • Transfer: is when you share personal data with actors outside the EU/EEA. A transfer can be an instance of disclosure and/or of making available.

Remember that this also applies to "read-only access" where the recipient only has access to view the personal data, for example via a VPN solution.

AU's record must contain information about with whom you share data, and what type of sharing is involved (disclosure, making available or transfer).

In the case of a transfer, specify the recipient of the personal data and the basis for the transfer. The Data Protection Unit will also use this information to help you assess whether the transfer requires prior approval from the Danish Data Protection Agency.

Data sharing is subject to special rules and requires written agreements, written documentation or written declarations. You therefore have to contact TTO if you are collaborating with external actors. 

Disclosing biological material or publishing personal data in a recognised scientific journal

Indicate whether you are to disclose personal data in the form of biological material or in connection with the publication of personal data in a recognised scientific journal, so that the Data Protection Unit can help you assess whether these activities require prior approval from the Danish Data Protection Agency.  

Have collaboration agreements and/or data protection agreements been entered into?

You have to indicate whether the necessary agreements have been entered into with external actors because many of the agreements are required under data protection law.   

If a data processing agreement has been made, please indicate the agreement number from TTO or state where the agreement can be requested. If you do not know the agreement number, please indicate this.

What initiatives have you taken to protect the personal data?

How you must protect personal data depends on the type of data in question, the numbers involved, and whose data you process.

Technical measures: For example, storage on a secure server, encryption, pseudonymisation, etc.

Organisational measures: For example, rights management, training, etc.    

What data sources are you using?

Specify the source of the personal data, i.e. whether you will collect the data from the data subjects or through other actors, such as registers, biobanks, etc.    

Will a research biobank/research database be created in connection with your research project?

If you are processing biological material, you have to indicate whether a research biobank or a research database will be created, or whether processing will be of short duration and therefore not require this.

You should also indicate what will happen to the biological material once the research project has been completed.

Remember that a research biobank is based on a specific research project, and that the biobank may not be used for other projects.

If the personal data is to be passed on to a biobank or a database for use for future, unspecified research, you must ensure that the biobank/database in question is registered separately in AU's record if AU is the data controller. 

On what legal basis do you base your processing of personal data?

Processing personal data requires that you have a valid legal basis for processing the data.

Read about the two valid legal bases for processing.

Remember that you cannot change your basis for processing along the way.