The Data Protection Unit needs this information so that they can contact you about your registration.
As a contact person, you must be able to answer questions about data protection issues in relation to the processing activities you perform on behalf of the data controller.
You must provide sufficient information about the data controller for unique identification.
In addition to any collaboration agreement, a data processing agreement must be established in accordance with the requirements of the General Data Protection Regulation. The agreement is a legal requirement, and you have to enter into the agreement before you start processing personal data on behalf of the data controller. TTO will help you prepare a data processing agreement.
Indicate the agreement number from TTO. Alternatively, enclose a copy of the data processing agreement.
Indicate how AU (through you) will be processing personal data.
When you process personal data for the data controller, it is important that you keep track of the processing activities you carry out. For example, perhaps the service AU provides is merely to store data, or perhaps it is to enrich or analyse data.
Indicate a subject title. For example, the title of the research project in which you process personal data or a subject title that describes the service you provide.
What is important is that the subject title you choose uniquely identifies the processing activity.
There are different categories of personal data. Indicate the category of personal data and also specify (in headings) which types of personal data you intend to process.
Example 1: Ordinary personal data: Contact information, gender, age, etc.
Example 2: Sensitive/special categories of personal data: Health data, political orientation, trade union affiliation, etc.
Indicate the category(ies) of persons whose data you intend to process. It is important to consider who you are processing personal data about, because the category of data subjects may require that you take special measures to protect personal data or change your style of language when addressing your data subjects.
Examples of categories:
*Remember that personal data about deceased persons is protected for 10 years.
Start date for processing
Indicate when you expect to start processing personal data. Note that collection is also processing. For example, if you receive email addresses for use in sending out questionnaires. In this example, the start date for processing personal data would usually be when you receive the email addresses.
End date for processing
Indicate when you expect to stop processing personal data. If you base your processing on consent, you are obligated to stop processing personal data at the time you have specified to your participants (the data subjects). If your legal basis for processing personal data is 'scientific research purposes', you can change the end date for processing along the way if you need to continue processing personal data to meet your research purpose. However, you must remember to inform the Data Protection Unit about any changes, so that the record can be updated to reflect these.
Remember that you are obligated to store data for at least five years after your most recent publication in accordance with the rules on responsible conduct of research. This storage is part of the research purpose. Read more about storing data.
When your project ends, your processing of personal data must as a rule end too. This can be done in several ways:
As a data processor, you can agree with the data controller to use a sub-processor for parts of the service/processing of personal data that you are to carry out on behalf of the data controller.
State the name, address and CVR no. of the sub-processor, as well as contact information for a contact person at the sub-processor.
As a data processor within the EU, you are subject to the data protection rules, even if the persons whose personal data you are processing are not citizens of the EU/EEA.
Note that special rules apply to transferring personal data to recipients outside the EU/EEA. TTO can help you establish a legal basis for such transfers in connection with setting up the data processing agreement.
How you must protect personal data depends on the type of data in question, the numbers involved, and whose data you process.
Technical measures: For example, storage on a secure server, encryption, pseudonymisation, etc.
Organisational measures: For example, rights management, training, etc.
Note that there may be special requirements for processing security in the data processing agreement. In other words, there may be predetermined measures (technical as well as organisational) that you have to take.