The rules on sharing personal data differ significantly depending on whom you are sharing data with and on what basis. Here you can read more about the different types of sharing and what you need to be particularly aware of when sharing data. It is also important to follow all the other data protection rules – just as you usually do.
Remember to contact the Technology Transfer Office (TTO) in good time if your method of sharing personal data requires an agreement. Please see the detailed guideline for more advice on this (the guideline is currently only available in Danish).
There are five main types of data sharing that you need to be aware of:
Once you have ensured that you can legally receive and subsequently process personal data, there are two things you need to be aware of before you receive the data:
You should also remember that:
your obligations under data protections rules apply from the moment you come into contact with personal data? This is often earlier than you think.
For example, when you first receive an email address form somebody you’d like to send a questionnaire to, you are already processing personal data. Read more about this on the page about the legal basis for data processing and the information duty.
Researchers often need to further process – or ‘re-use’ – personal data. In order for it to count as re-processing, the following must apply:
As a general rule, you may further process personal data that has already been collected for different research purposes, provided this takes place internally at AU. Please consider whether there are terms and conditions linked to the personal data you wish to further process that prevent this data being further processed. For example, it is possible that you only have ethical approval (from an ethics committee) to use the data for your original purpose, or it is possible that the data was collected on the basis of a valid consent to processing from the data subjects (research participants) and that this consent only covers the original research project.
Before you disclose personal data, you must ensure you have a legal basis to do so. As a general rule, your legal basis for disclosing personal data will be the same as your legal basis for processing personal data on which your research project is based.
For example:
You have collected special categories of personal data (sensitive personal data) using research purposes as your legal basis. This could be data on all the Danish people who have changed religion within the last 10 years. You need to share this personal data with another Danish university who will use it in a specific research project. Because this data was collected using research purposes as a legal basis, you are allowed to disclose the data for use in another research project – in other words, you have a legal basis to disclose the data.
In the example above, the legal basis for disclosure is based on Section 10 of the Danish Data Protection Act (research purposes as a legal basis). Therefore, if you wish to disclose data, you must also comply with the other rules of the statutory order regarding disclosure of personal data; in other words, you must obtain a declaration from the recipient before you share the personal data with them. Download a template for a disclosure declaration here.
Research purposes | Valid consent to data processing | Another legal basis |
You may only disclose data to be used for other research purposes. You must comply with the statutory order regarding disclosure of personal data. | The consent you have obtained determines whether you can disclose the data (which data and to whom). | Whether you can disclose data depends on your legal basis for processing the data. |
Research purposes | Valid consent to data processing | Another legal basis |
You may only disclose data to be used for other research purposes. You must comply with the statutory order regarding disclosure of personal data You must obtain permission from the Danish Data Protection Agency if:
| The consent you have obtained determines whether you can disclose the data (which data and to whom). | Whether you can disclose data depends on your legal basis for processing the data. |
If you share personal data and do not require permission from the Danish Data Protection Agency to do so, you must register this disclosure in the AU record, unless you already did so when you registered your research project. You must submit a copy of the declaration from the recipient / agreement if you are using research purposes as your legal basis. Download a template for a disclosure declaration here.
You can register that you have disclosed personal data using this form.
If you need to share personal data:
Then you need to complete this form from the Danish Data Protection Agency (in Danish) and send it to fortegnelse@au.dk. The Research Data Office will then respond to your enquiry and help you apply for permission.
If you make personal data available you share personal data with a data processor (i.e. an external party) who carries out the processing of personal data in accordance with your instructions and for your purpose.
Before you make personal data available to a data processor, you should – as a minimum – ensure the following:
Three quick facts about transferring personal data to third countries:
Please note! If you need to transfer personal data to a third country, you must always contact the TTO, who will help you establish a legal basis for transferral.
The TTO will help you assess which legal basis for data transferral is most appropriate for your situation. It is important that you contact the TTO in good time before you need to share personal information with a data importer outside the EU/EEA or an international organisation. Please be aware that, in order to transfer data, your research project needs to comply with local policies and procedures. If you have any questions about this, you can contact your local data protection coordinator.
When you transfer data, you need a legal basis to do so. This ensures that the data subjects essentially retain the same rights they have under data protection laws once their data is transferred to countries or organisations outside the EU/EEA, which are not subject to General Data Protection Regulation. There are different ways you can ensure you have a legal basis to transfer data. At AU, your legal basis may be one of the following:
These legal bases must be assessed in the order in which they are listed above. Each legal basis for transferral has its own conditions, so it is not the case that AU can use all these bases in all situations.