Information Security

Dansk

 Information Security Data protection (GDPR) Data protection (GDPR): Personal data and research Sharing personal data

Sharing personal data

This page was updated in June 2025. Please note that we regularly update these pages.

Do you need to share personal data as part of your research project? Here you can learn more about: 

  • what it means to share personal data.
  • which rules you need to be aware of when you share personal data with others. 

The rules on sharing personal data differ significantly depending on whom you are sharing data with and on what basis. Here you can read more about the different types of sharing and what you need to be particularly aware of when sharing data. It is also important to follow all the other data protection rules – just as you usually do.

Remember to contact the Technology Transfer Office (TTO) in good time if your method of sharing personal data requires an agreement. Please see the detailed guideline for more advice on this (the guideline is currently only available in Danish).

There are five main types of data sharing that you need to be aware of:

  1. Receiving personal data: When you receive personal data from another data controller to use in your research.
  2. Further processing of personal data: When you process (i.e. use) personal data that has already been collected (by AU) for a new research purpose.
  3. Disclosing personal data: When you share personal data with other data controllers.
  4. Making personal data available: When you share personal data with a data processor. 
  5. Transferring data: When you transfer personal data as part of research collaborations to people outside the EU/EEA or to an international organisation.

1. Receiving personal data

Once you have ensured that you can legally receive and subsequently process personal data, there are two things you need to be aware of before you receive the data:

  • The data controller may have set conditions that determine how you are allowed to process the personal data.
  • As a recipient, you may be asked to sign a declaration to confirm that the processing of personal data is necessary for your research purposes.

You should also remember that:

  • you are only allowed to receive and subsequently process the personal data that is necessary for your research (the principle of data minimisation).
  • you are only allowed to process personal data for your specific research purpose unless you have the authority (a legal basis) to process the data for other purposes and there are no other terms/conditions that prevent this.
  • you may only give other people from AU access to the personal data if it is relevant and necessary for them (e.g. other members of your research group).
  • all employees who process personal data must be instructed in the processing of personal data, including requirements for secure processing.
  • you are only allowed to process personal data for as long as it is relevant for your research purpose.
  • you must consider whether you can comply with the duty of disclosure to the data subjects. Read about the duty of disclosure when collecting personal data indirectly.

Did you know that...

your obligations under data protections rules apply from the moment you come into contact with personal data? This is often earlier than you think.

For example, when you first receive an email address form somebody you’d like to send a questionnaire to, you are already processing personal data. Read more about this on the page about the legal basis for data processing and the information duty.

2. Further processing of personal data

Researchers often need to further process – or ‘re-use’ – personal data. In order for it to count as re-processing, the following must apply:

  1. The personal data must have already been collected by AU.
  2. The personal data must only be further processed internally at AU. If the data needs to be shared with people not employed at AU, this counts as another form of sharing, which you can read more about in other sections.
  3. The data must be used be used for a purpose that is different from yet compatible with the original purpose (as a general rule, this condition is met if the purpose is for research).
  4. There are no conditions linked to the personal data that prevent it being further processed. 

As a general rule, you may further process personal data that has already been collected for different research purposes, provided this takes place internally at AU. Please consider whether there are terms and conditions linked to the personal data you wish to further process that prevent this data being further processed. For example, it is possible that you only have ethical approval (from an ethics committee) to use the data for your original purpose, or it is possible that the data was collected on the basis of a valid consent to processing from the data subjects (research participants) and that this consent only covers the original research project.

3. Disclosing personal data

When you share personal data with another data controller, it is a disclosure. Before you disclose personal data, there are a number things you need to be aware of.

A. Know your legal basis for processing

When you disclose personal data, you must first ensure that you have a legal basis for the disclosure. The legal basis for disclosure will generally be the same as the legal basis on which you have based the processing of personal data in your research project.

For example:

You have collected special categories of personal data (sensitive personal data) using research purposes as your legal basis. This could be data on all the Danish people who have changed religion within the last 10 years. You need to share this personal data with another Danish university who will use it in a specific research project. Because this data was collected using research purposes as a legal basis, you are allowed to disclose the data for use in another research project – in other words, you have a legal basis to disclose the data.

In the example above, the legal basis for disclosure is based on Section 10 of the Danish Data Protection Act (research purposes as a legal basis). Therefore, if you wish to disclose data, you must also comply with the other rules of the statutory order regarding disclosure of personal data; in other words, you must obtain a declaration from the recipient before you share the personal data with them. Download a template for a disclosure declaration here.

In addition to the legal basis for processing, you must also be aware of whether the personal data is ‘general’ or ‘special’ categories. See here what applies to the different categories:

Ordinary personal data

Research purposes

Valid consent to data processing

Another legal basis

You may only disclose data to be used for other research purposes.

You must comply with the statutory order regarding disclosure of personal data.

The consent you have obtained determines whether you can disclose the data (which data and to whom).

Whether you can disclose data depends on your legal basis for processing the data.

Special categories of (sensitive) personal data and/or information on criminal convictions and offences

Research purposes

Valid consent to data processing

Another legal basis

You may only disclose data to be used for other research purposes.

You must comply with the statutory order regarding disclosure of personal data

You must obtain permission from the Danish Data Protection Agency if:

  1. You are sharing the data with somebody outside the EU/EEA or an international organisation.
  2. You are sharing biological material. 
  3. You are sharing data in order to publish in a recognised scientific journal or similar publication.

The consent you have obtained determines whether you can disclose the data (which data and to whom).

Whether you can disclose data depends on your legal basis for processing the data.

Legal basis for processing and legal basis for transfer of personal data

In some cases, a disclosure also involves a transfer. This is the case if the person/entity who is to receive the personal data is domiciled in a third country (outside the EU/EEA) or if the recipient is an international organisation. Read more about the transfer basis in section 5 and remember to contact TTO.

B. Remember to risk assess your recipient

When you are going to share personal data, it is important that you have considered this in your risk assessment. You must both risk assess the act of disclosing the information to ensure that the disclosure takes place in a good and secure manner, and you must risk assess the recipient. You can find a template for risk assessment of your research project here.

C. Do you need permission?

Before you disclose personal data, it must be reported to AU's record of processing activities. It varies whether it 'just' needs to be registered internally at AU, or whether it also requires permission from the Danish Data Protection Agency.

If you are going to disclose personal data that does not require a permit from the Danish Data Protection Agency, you must report the disclosure to the record, unless you have already reported it when you registered your research project. You must submit a copy of the disclosure declaration/agreement if your legal basis for processing is ‘scientific research purposes’. 

You can see in the table under pt. A, whether you need a permit based on your chosen legal basis for processing. Permission is necessary if you are to disclose personal data:

  • to a recipient (data controller) outside the EU/EEA
  • in the form of biological material
  • for publication in a recognised scientific journal or similar.

If you need a permit, you must fill out the Danish Data Protection Agency's form and send it to fortegnelse@au.dk. The Research Data Office will then respond to your enquiry and help you apply for the permit. 

It is important that you do not disclose personal data until you have received permission from the Danish Data Protection Agency. You should be aware that permissions from the Danish Data Protection Agency are associated with a number of conditions that you must comply with. If you have any questions about the terms, you can contact your GDPR coordinator.

Did you know that...

  • it is a good idea to consider whether you will need to disclose personal data when you first establish your legal basis for processing data – so that you are not limited by your choice of legal basis later on? Read more on the page about the legal basis for data processing and the information duty.

4. Making personal data available

If you make personal data available you share personal data with a data processor (i.e. an external party) who carries out the processing of personal data in accordance with your instructions and for your purpose.

Before you make personal data available to a data processor, you should – as a minimum – ensure the following:

  1. that you have completed a risk assessment of the data processor and the data processing that they will conduct.
    You can find a risk assessment form here, which you can use to risk-assess the data processor and the data processing.
     
  2. that you have entered into a data processing agreement in accordance with Article 28(3) of the General Data Protection Regulation. The Technology Transfer Office (TTO) can help you set up a data processing agreement with the data processor. As a general rule, a data processing agreement should be made with each individual data processor. However, AU has a number of agreements in place with different suppliers who provide services across the university. Provided you use one of these suppliers within the terms of AU’s agreement with them, a data processing agreement will already be in place to cover their services. You are welcome to contact the system owner if you have questions about the data processing agreement.
     
  3. that you regularly monitor (audit) the data processor in accordance with the data processing agreement and your risk assessment. How and how often you audit/inspect the data processor depends on your risk assessment and the level of auditing/inspection set out in the data processing agreement. In 2021, the Danish Data Protection Agency published guidelines of monitoring data processors (in Danish), which is a useful tool when establishing the form and method of auditing. 
     
  4. that you know whether the data processor will process the personal data inside or outside the EU/EEA.
     
  5. that the data processor is listed in the AU record. You can register the data processor by using this form. Remember to submit a copy of the data processing agreement or the agreement number.

5. Transferring personal data

Three quick facts about transferring personal data to third countries:

  1. A third country is a country that is not part of the EU/EEA
  2. Transferring personal data is the same as disclosing, making available or sharing personal data with a joint data controller/importer outside the EU/EEA or with an international organisation
  3. You must have a legal basis to transfer data in accordance with General Data Protection Regulation. The legal basis to transfer data is in addition to the legal basis to process data.

Please note! If you need to transfer personal data to a third country, you must always contact the TTO, who will help you establish a legal basis for transferral.

The TTO will help you assess which legal basis for data transferral is most appropriate for your situation. It is important that you contact the TTO in good time before you need to share personal information with a data importer outside the EU/EEA or an international organisation. Please be aware that, in order to transfer data, your research project needs to comply with local policies and procedures. If you have any questions about this, you can contact your local data protection coordinator.

Read the following information before you contact the TTO

When you transfer data, you need a legal basis to do so. This ensures that the data subjects essentially retain the same rights they have under data protection laws once their data is transferred to countries or organisations outside the EU/EEA, which are not subject to General Data Protection Regulation. There are different ways you can ensure you have a legal basis to transfer data. At AU, your legal basis may be one of the following:

  1. The recipient is covered by an adequacy decision
  2. You have entered into an agreement using a standard contractual clause (SCC)
  3. One of the following exceptions applies:
    • The transfer is a one-off transfer based on consent that complies with data protection laws
    • The transfer is a one-off transfer which is necessary for reasons of public interest
    • The transfer is a one-off transfer from a public registry

These legal bases must be assessed in the order in which they are listed above. Each legal basis for transferral has its own conditions, so it is not the case that AU can use all these bases in all situations.

Did you know that...

the rules on sharing personal data also apply to “read only access”, where the recipient can only see the personal data on a screen, for example using a VPN?

Video: Having a clear legal basis for transferring personal data ensures that we can collaborate with third countries In this video, Carsten Bøcker Pedersen, professor of economics at CIRRAU, talks about the processing of personal data and explains how AU’s university-wide solution for establishing a legal basis makes it possible to share personal data with third countries. Among other things, this enables AU to collaborate with universities in the USA.

Do you need help?

Contact your local data protection champion if you have questions.
Revised 27.10.2025
-
Webredaktionen, Universitetsledelsens Stab