Sharing personal data

Disclaimer: This text has not been revised in 2021. New information will be available soon.

This page provides information about what you need to be aware of when you want to share personal data with external actors from outside Aarhus University.


Sharing of personal data requires an external actor from outside AU. There are three types of data sharing:

  • Disclosure: is when you share personal data with other data controllers (both independent and joint controllers).
  • Making available: is when you share personal data with a data processor.    
  • Transfer: is when you share personal data with actors outside the EU/EEA. A transfer can be an instance of disclosure and/or of making available.    

Remember that this also applies to "read-only access" where the recipient only has access to view the personal data, for example via a VPN solution.


How to disclose personal data within the EU/EEA

Step 1:

Obtain a written declaration with grounds from the recipient, which as a minimum includes the following:

  • That the personal data is specifically necessary for the recipient’s study.
  • That the personal data will be used solely for statistical or scientific purposes.
  • That, at the end of the study, the personal data will be deleted, made anonymous or destroyed.
  • That the personal data will not subsequently be disclosed to any third party.
  • That the results will be disseminated in such a way that it is not possible to identify individual persons.

Download Word template - declaration.


Trin 2:

Complete the form regarding disclosure of personal data  

NB! The form should NOT be used 

  • When disclosure is for processing outside the territorial scope of the General Data Protection Regulation (e.g. in the USA).
  • When the disclosure concerns biological material.
  • When the disclosure takes place with a view to publication in a recognised scientific journal or similar publication.

Instead, you must obtain permission from the Danish Data Protection Agency (Section 10(3) of the Danish Data Protection Act). You can do this by:

  1. completing this form (ONLY IN DANISH)
  2. and then sending it to fortegnelse@au.dk (Data Protection Unit, AU), which is responsible for contact with the Danish Data Protection Agency. 

Step 3:

Any other permits

Requirements may be made under special legislation concerning e.g. notification and obtaining permission from other government agencies and institutions, such as the Danish National Committee on Health Research Ethics. 

Please contact the TTO team at tto@au.dk if you are in any doubt. 

How to make personal data available to a data processor

INFORMATION WILL BE AVAILABLE SOON

Disclosure to third countries (outside the EU/EEA)

When you enter into agreements, you must know where the personal data will be stored, and where the recipient is registered. If the personal data is stored on a server in a third country, or if a company in a third country has access to personal data located in Denmark, you are obliged to ask whether the company has secured the right to transfer personal data to the country in question. 

Please contact the TTO team at tto@au.dk if you are to disclose personal data to third countries.


Any other permits

Requirements may be made under special legislation concerning e.g. notification and obtaining permission from other government agencies and institutions, such as the Danish National Committee on Health Research Ethics. 

Please contact the TTO team at tto@au.dk if you are in any doubt.