Remove registration of processing of personal data from the record

This page was updated in January 2023. Please note that we regularly update these pages.

Do you no longer need to process personal data? Here you can learn more about:

  • how you can cease processing personal data.
  • how to remove your project/research purpose from the record.

When you have completed your research project, you must find out whether it is still necessary to store personal data in accordance with the rules regarding responsible conduct of research or according to the rules in the special legislation. 

If you still need to process personal data

If you need to continue storing (and thus process) personal data for your research purpose in accordance with the rules on responsible conduct of research or pursuant to rules in the special legislation, you will still be processing personal data. Therefore, you must continue to comply with appropriate security measures, and your project must still be registered in the AU record.

If it is no longer necessary to process personal data

If you do not need to continue storing personal data in accordance with the rules on responsible conduct of research or pursuant to rules in the special legislation, you will need to decide on what to do with data. As a general rule, you have 5 options:

Please be aware that it is not always optional. For instance you can be required to archive personal data according to the Danish Archives Act or the termination can be determined by contractual obligations or by legal obligations.


How to remove your project from the record

When you have finalized the processing of personal you must then remove your research project/research purpose from the record. To do this, send an email to fortegnelse@au.dk with the following information:

  • The serial number which you received in the confirmation letter from the Data Protection Unit.
  • Information about which of the 5 options you have chosen.

How to anonymise personal data

In order for personal data to be considered anonymous, it must not be possible to identify individual persons on the basis of the data alone or in combination with other information. 

In other words, you have to factor in that other people may have access to information which, together with the anonymous data, makes it possible to return to the original person identification in full or in part. Anonymisation must be irrevocable. 

Personal data that has been adequately anonymised is not covered by the GDPR, and thus does not impose any legal requirements for the system where it has been saved. There is no longer a need for a documented time limit for when and how data is to be deleted. It would be a good idea to anonymise data if, for example, open access is required for research data.

These four points must, as a minimum, be met in order for Aarhus University to consider the data as anonymised: 

  • Remove all external/unique identifiers - including numbers as well. 
  • Dates and times must either:
  • Be removed
  • Replaced by calculated time periods, e.g. 'admission 16/6 2019 - readmission 27/8 2019' can be changed to 'readmission: 73 days’
  • ‘Blurred’ by moving dates and times in parallel by a random number of days (e.g. +/-10 days) at individual level, e.g. 'admission 16/6 2019 ' can be changed to 'admission 11/6 2019' and 'readmission 27/8 2019' can be changed to 'readmission 22/8 2019'
  • Remove all text fields - replace with categories, for example. 
  • Reduce to the absolute fewest possible data fields/variables. 

Note that adequate anonymisation will usually be impossible in connection with qualitative data.  

There are different interpretations of when personal data is anonymous, and there is no absolute distinction, but rather a case-by-case assessment of risk and reasonableness.