Notification form - data processor

Here you can find the internal notification form. Please fill out the form to register a research project where AU is data processor for an external data controller.  


AU som databehandler

AU as data processor

Expected case processing time for the record of processing activities in research


  • New registrations to the record of processing activities: Within 3 weeks of notification
  • Updates to existing registrations: Within 2 weeks of receiving changes
  • Guidance on notification to the record of processing activities: Within 1 week of receiving the request  
  • Assistance in applying to the Danish Data Protection Agency: Within 2 weeks of receiving the form
  • Registration of disclosure: Within 2 weeks of receiving the internal notification

 

This site is updated in May 2021. Please note, we will update these sites regularly.   

EXPLANATIONS

AU ID, name, AU email address, faculty/unit and department/school/centre

The Data Protection Unit needs this information so that they can contact you about your registration.

As a contact person, you must be able to answer questions about data protection issues in relation to the processing activities you perform on behalf of the data controller.   

Information about the data controller

You must provide sufficient information about the data controller for unique identification.   

The data processing agreement

In addition to any collaboration agreement, a data processing agreement must be established in accordance with the requirements of the General Data Protection Regulation. The agreement is a legal requirement, and you have to enter into the agreement before you start processing personal data on behalf of the data controller. TTO will help you prepare a data processing agreement.

Indicate the agreement number from TTO. Alternatively, enclose a copy of the data processing agreement. 

What processing should AU carry out for the data controller?

Indicate how AU (through you) will be processing personal data.

When you process personal data for the data controller, it is important that you keep track of the processing activities you carry out. For example, perhaps the service AU provides is merely to store data, or perhaps it is to enrich or analyse data.  

Indicate a subject title

Indicate a subject title. For example, the title of the research project in which you process personal data or a subject title that describes the service you provide.

What is important is that the subject title you choose uniquely identifies the processing activity.   

Type of personal data

There are different categories of personal data. Indicate the category of personal data and also specify (in headings) which types of personal data you intend to process.

Example 1: Ordinary personal data: Contact information, gender, age, etc.

Example 2: Sensitive/special categories of personal data: Health data, political orientation, trade union affiliation, etc.

Category of data subjects

Indicate the category(ies) of persons whose data you intend to process. It is important to consider who you are processing personal data about, because the category of data subjects may require that you take special measures to protect personal data or change your style of language when addressing your data subjects.

Examples of categories:

  • Patients
  • Relatives
  • Children and young people under 18
  • Children
  • Adults
  • Deceased*
  • Landowners, etc.

*Remember that personal data about deceased persons is protected for 10 years.  

Start date and end date for processing personal data

Start date for processing

Indicate when you expect to start processing personal data. Note that collection is also processing. For example, if you receive email addresses for use in sending out questionnaires. In this example, the start date for processing personal data would usually be when you receive the email addresses.

End date for processing

Indicate when you expect to stop processing personal data. If you base your processing on consent, you are obligated to stop processing personal data at the time you have specified to your participants (the data subjects). If your legal basis for processing personal data is 'scientific research purposes', you can change the end date for processing along the way if you need to continue processing personal data to meet your research purpose. However, you must remember to inform the Data Protection Unit about any changes, so that the record can be updated to reflect these.

Remember that you are obligated to store data for at least five years after your most recent publication in accordance with the rules on responsible conduct of research. This storage is part of the research purpose. Read more about storing data.

When your project ends, your processing of personal data must as a rule end too. This can be done in several ways:

  • You can irreversibly anonymise the data.
  • You can erase the data.
  • You can have the data transferred to the Danish National Archives.
  • You can legitimately disclose the data to another recipient under certain specific circumstances. Note that you are not allowed to keep a copy of the data afterwards, unless your copy alone contains irreversibly anonymised data.

Sub-processors

As a data processor, you can agree with the data controller to use a sub-processor for parts of the service/processing of personal data that you are to carry out on behalf of the data controller.

State the name, address and CVR no. of the sub-processor, as well as contact information for a contact person at the sub-processor.    

Transfers to third countries (outside the EU/EEA)

As a data processor within the EU, you are subject to the data protection rules, even if the persons whose personal data you are processing are not citizens of the EU/EEA.

Note that special rules apply to transferring personal data to recipients outside the EU/EEA. TTO can help you establish a legal basis for such transfers in connection with setting up the data processing agreement.  

What initiatives have you taken to protect the personal data?

How you must protect personal data depends on the type of data in question, the numbers involved, and whose data you process.

Technical measures: For example, storage on a secure server, encryption, pseudonymisation, etc.

Organisational measures: For example, rights management, training, etc.

Note that there may be special requirements for processing security in the data processing agreement. In other words, there may be predetermined measures (technical as well as organisational) that you have to take.