The Data Protection Unit needs this information so that they can contact you about your registration.
As a contact person, you must be able to answer questions about data protection issues in relation to your research project.
Indicate the title of the project in such a way that the research project can be clearly identified.
Provide information about the purpose of processing personal data in your research project. Consider, as a minimum:
Your description does not have to be identical to descriptions you have submitted in connection with applications for funding, etc. Your focus here is your research purpose for processing personal data.
Your description should be sufficiently detailed to make it clear and transparent to participants (the data subjects) what the processing of personal data will contribute to the research. However, that said, in research it can be difficult to determine the precise purpose because a research project often develops and changes along the way.
The following factors can help determine whether your project is a main project or a sub-study:
Enter the number of natural persons whose data you are processing in your project. If you do not know this number, you should indicate why it is not possible to specify an exact number or which factors are included in your "count" (see the example).
Example: The entire Danish population aged 15-65 years in the period 1980-2000.
Indicate when you expect to start processing personal data.
Note that collection is also processing. For example, if you receive email addresses for use in sending out questionnaires. In this example, the start date for processing personal data would usually be when you receive the email addresses.
Indicate when you expect to stop processing personal data.
If you base your processing on consent, you are obligated to stop processing personal data at the time you have specified to your participants (the data subjects).
If you base your processing on ‘scientific research purposes’, you can change the end date for processing along the way. However, you must remember to inform the Data Protection Unit about any changes, so that the record can be updated to reflect these.
Remember that you are obligated to store data for at least five years after your most recent publication in accordance with the rules on responsible conduct of research. This storage is part of the research purpose. Read more about storing data.
When your project ends, your processing of personal data must as a rule end too. This can be done in several ways:
There are different categories of personal data. Indicate the category of personal data and also specify (in headings) which types of personal data you intend to process.
Example 1: Ordinary personal data: Contact information, gender, age, etc.
Example 2: Sensitive/special categories of personal data: Health data, political orientation, trade union affiliation, etc.
Indicate the category/categories of persons whose data you intend to process. It is important to consider who you are processing personal data about, because the category of data subjects may require that you take special measures to protect personal data or change your style of language when addressing your data subjects.
Examples of categories:
*Remember that personal data about deceased persons is protected for 10 years.
Sharing of personal data requires an external actor from outside AU.
There are three types of data sharing:
Remember that this also applies to "read-only access" where the recipient only has access to view the personal data, for example via a VPN solution.
AU's record must contain information about with whom you share data, and what type of sharing is involved (disclosure, making available or transfer).
In the case of a transfer, specify the recipient of the personal data and the basis for the transfer. The Data Protection Unit will also use this information to help you assess whether the transfer requires prior approval from the Danish Data Protection Agency.
Data sharing is subject to special rules and requires written agreements, written documentation or written declarations. You therefore have to contact TTO if you are collaborating with external actors.
Indicate whether you are to disclose personal data in the form of biological material or in connection with the publication of personal data in a recognised scientific journal, so that the Data Protection Unit can help you assess whether these activities require prior approval from the Danish Data Protection Agency.
You have to indicate whether the necessary agreements have been entered into with external actors because many of the agreements are required under data protection law.
If a data processing agreement has been made, please indicate the agreement number from TTO or state where the agreement can be requested. If you do not know the agreement number, please indicate this.
How you must protect personal data depends on the type of data in question, the numbers involved, and whose data you process.
Technical measures: For example, storage on a secure server, encryption, pseudonymisation, etc.
Organisational measures: For example, rights management, training, etc.
Specify the source of the personal data, i.e. whether you will collect the data from the data subjects or through other actors, such as registers, biobanks, etc.
If you are processing biological material, you have to indicate whether a research biobank or a research database will be created, or whether processing will be of short duration and therefore not require this.
You should also indicate what will happen to the biological material once the research project has been completed.
Remember that a research biobank is based on a specific research project, and that the biobank may not be used for other projects.
If the personal data is to be passed on to a biobank or a database for use for future, unspecified research, you must ensure that the biobank/database in question is registered separately in AU's record if AU is the data controller.
Processing personal data requires that you have a valid legal basis for processing the data.
Remember that you cannot change your basis for processing along the way.