Have you received a request from a data subject? Here, you will learn:
What the data subject’s rights are.
How the data subject’s rights are linked to the information duty.
How to process requests from a data subject.
When Aarhus University, represented by you as a researcher, processes personal data, the person to whom the data pertains (the data subject) has a number of rights.
The purpose of these rights is to strengthen the individual's legal position, among other things by creating openness and security in relation to the processing of personal data, and by providing an opportunity to object to certain forms of data processing.
As a researcher, you must always comply with the information duty, but the other rights do not always apply for research. If, as a researcher, you only process personal data for scientific purposes (i.e. for research), in a number of cases, you are entitled, but not obliged, to reject requests from data subjects concerning their rights. It is important that you inform the data subjects about their rights when you perform your information duty in connection with collecting personal data.
The purpose of the information duty is to create transparency for the data subject about how you process their personal data. When you perform your information duty, you must inform data subjects about their rights. Therefore, before you perform your information duty, you must decide which, if any, of the rights that are exempt when the purpose of the processing is research, you want to give to the data subjects. It may help to use AU's template for the information duty.
Note that once you have informed the data subjects about their rights, you cannot subsequently change your mind about which rights you want to give the data subjects. There must also be a level playing field for all data subjects in the same research project. This means, for example, that you are not allowed to comply with a request from one data subject and reject another.
Unless a data subject specifically requests an oral response, you must always communicate with data subjects in writing. If you communicate orally with a data subject, you must comply with the memo obligation pursuant to section 13 of the Danish Public Sector Act. This means that you are obliged to take notes of the conversation if the content of the conversation is not already recorded in other documents.
If the data subject has sent a request electronically, e.g. by email or via Digital Post, you must also respond to the data subject electronically, if this is possible, and if the data subject does not request otherwise.
You must also make sure that your messages to the data subject are concise, easily accessible and easily understandable. This means that you must use clear and simple language, especially if the information is specifically aimed at children.
However, note that your response must also comply with a number of formal requirements because AU is a government-funded, self-governing institution under public sector administration, and therefore AU is subject to a number of statutory requirements when we communicate with citizens and make decisions that affect them.
When you process a request from a data subject, note that you are making a decision under administrative law. This means that your decision has to meet a number of requirements in the Danish Public Administration Act and the Access to Public Administration Files Act. The templates to help process some of the requests take into account these requirements to some extent, but it is your responsibility to ensure that processing requests from data subjects complies with the legal requirements imposed on the university.
Educational Law has described the requirements of the Danish Public Administration Act for a decision. Read more here.
Read more about the requirements in the Access to Public Administration Files Act on record-keeping and how to organise record-keeping here.
You have a duty to respond to a request from a data subject for access, rectification, erasure etc. without undue delay and by no later than one month after you have received the request.
If you reject a request from the data subject, you must inform the person in question as soon as possible, and by no later than one month after you have received the request. If you reject a request, you must state the reasons for the rejection and advise the data subject that he or she may appeal to the Danish Data Protection Agency.
When you process and respond to a request from a data subject, you must make sure that you do not give unauthorised persons access to the data subject, and that you do not erase information or similar about other people than the data subject who submitted the request.
This is an overview of the rights of data subjects, basis for processing as well as legal bases and conditions for exemptions:
|Right||Basis for processing||Legal basis for exemption||Conditions for exemption||Comments|
|Consent||Scientific research purposes|
|Right of access (Article 15)||Section 22(5) DPA|
|Right to rectification (Article 16)||Section 22(5) DPA|
|Right to erasure (Article 17)||(Art. 17(3)(d) GDPR)||Erasure of personal data is likely to render impossible or seriously impair the achievement of your research objectives/project.||Does not apply if the processing is necessary for scientific research purposes, and erasure will probably make it impossible or seriously impair the achievement of this processing (research), see Art. 17(3)(d).|
|Right to restriction of processing (Article 18)||Section 22(5) DPA|
|Notification obligation (Article 19)||R||R||(GDPR Art. 19(1))|
|Right to data portability (Article 20)||(GDPR Art. 20(3))||Only relevant when the processing is based on consent or on a contract, see Art. 20(1). Does not apply when the processing is necessary for the performance of a task carried out in the public interest. See White Paper 1565, p. 350 (scientific purposes|
|Right to object (Article 21)||Section 22(5) DPA|
|Automated individual decision-making, including profiling (Article 22)||Not relevant||Not relevant||Research is not a decision in terms of Art. 22(1).|
RED: The rights marked in red are exempt when the processing of personal data is solely for research purposes. If the personal data is also processed for other purposes, e.g. public sector consultancy, as a general rule data subjects have the right of access, the right to rectification, the right to restriction of processing and the right to object.
YELLOW: The rights marked in yellow are not exempt when the processing of personal data is for research purposes. However, the rights are often not exercised if certain conditions are met. Read more about this under the relevant rights below.
GREEN: As a researcher, you always have an information duty to the data subject before you commence the processing of the personal data. This also applies even if you only process the data for research purposes.
If you receive a request from a data subject on one of the above rights, and if you process the data for anything other than research, please contact your local GDPR coordinator before you respond to the request.
As a general rule, data subjects have the right to obtain from the data controller confirmation as to whether or not personal data are being processed and, where this is the case, access to the personal data and additional information, see Article 15 of the General Data Protection Regulation.
However, if you only process the personal data in question for research, the right of access does not apply, and you are not obligated to respond to a request.
If you process personal data for anything other than research, you are obligated to comply with the request. In this case, the data subject has the right to obtain confirmation of whether you are processing data about him or her and to obtain a copy of the data. You may only provide a copy of the personal data relating to the person who submitted the request. This means that you may have to anonymise other people if their data appears in the information you have about the person who submitted the request.
The data subject must also be informed about:
With respect to children, the right of access will depend on a specific assessment of the maturity of the child (see the Danish Data Protection Agency's guidelines on the rights of data subjects (July 2018), p. 26).
Normally, young people can independently ask for access from the age of around 15. If you comply with requests for access from data subjects under the age of 18, the holder of parental authority is still entitled to request access on behalf of the child. This means that both the child and the holder of the parental authority often have the right to access the information processed about the child. However, there may be cases where only the child has the right to access – e.g. when the data are so private and personal that it seems unreasonable that the holder of parental authority (who may not already be familiar with the data) can have access to the data by exercising the right to access. It is up to you as a researcher to make a specific assessment. Contact your local data protection coordinator if you are in doubt.
The Danish Data Protection Agency's guidelines on the rights of data subjects (July 2018, p. 27) state that, in principle, the data subject must have access and/or legal right of access to documents in accordance with the most favourable rules for the data subject in the specific situation. In this respect, it is irrelevant which rules the data subject refers to in the request for access or legal access to documents.
Note that Aarhus University is subject to the Access to Public Administration Files Act. This means that you must assess whether the data subject will be in the best legal position in accordance with the data protection rules or under the Access to Public Administration Files Act.
If you have any questions regarding the processing of cases concerning legal access to documents, please contact the legal team at the Rector's Office.
Personal data must be correct and, if necessary, up-to-date. The data subject therefore has the right, without undue delay, to rectification of inaccurate personal data concerning him or her and, in certain cases, to have incomplete personal data completed, including by means of providing a supplementary statement. A data subject is only entitled to rectification of incorrect information about himself/herself.
If you only process the personal data in question for research, you are not obligated to comply with a request for rectification from a data subject, see section 22(5) of the Danish Data Protection Act.
Even if you do not have a duty to comply with a request for rectification from a data subject, there may be situations in which you yourself have an interest in correcting inaccurate data.
Normally, there will be 3 situations in which rectification may be relevant - see the table below.
1) You agree that the information is not correct
If you agree that the data is not correct, e.g. because the data is factually wrong (name, age, etc.), in general the data subject is entitled to have the personal data rectified. In some cases, this will also be in your own interest as a researcher.
2) You disagree that the information is not correct
If you do not agree with the data subject that the data are incorrect, you are not obligated to rectify them. For example, you and the data subject may disagree about the correctness of some notes about what has been said in an interview, or what has happened during an observation.
In such cases, you can instead add a supplementary statement to the disputed information stating that the data subject does not agree with the accuracy of the information, and making it clear what the data subject considers is correct.
3) The data is a subjective or academic assessment
There may be situations in which a data subject does not agree with your academic or subjective assessments. In these cases, the data subject does not have the right to rectify content, e.g. your subjective assessments of the relevant content. Instead, you can add/note the data subject's point of view to your information.
Note your duty of notification if you comply with a request for rectification.
In certain cases, the General Data Protection Regulation gives the data subject the right to have data concerning him or her erased without undue delay.
Under article 17(3)(d) of the General Data Protection Regulation, the data subject does not have the right to erasure if the processing of personal data is necessary for scientific research purposes, and if the erasure of data is likely to render impossible or seriously impair the achievement of the objectives of the processing.
*Note that storage in accordance with responsible conduct of research is considered part of the research purpose, and therefore the data subject does not necessarily have the right to erasure, even though you have completed your research project.
Note your duty of notification if you comply with a request for erasure:
If you only process the personal data in question for research, you are not obligated to comply with a request for restriction of processing, see section 22(5) of the Danish Data Protection Act.
If you process personal data for anything other than research (e.g. public sector consultancy), the data subject has the right to have his or her personal data restricted if one of the following circumstances applies:
Restriction of the processing of personal data entails that you mark stored personal data with the aim of limiting their processing in the future, see Article 4(3) of the General Data Protection Regulation. If you comply with a request for restriction, you must therefore mark the personal data in such a way that it will not be subject to any processing other than storage in the future. For example, you can move the data to another processing system, so that they are not incorporated into your research project in the future.
You may then only perform other processing than storage if the data subject has consented to it, or if the other processing is done with a view to the establishment, exercise or defence of legal claims.
Furthermore, you may use the restricted data if this is necessary to comply with other statutory obligations, e.g. the rules in the Access to Public Administration Files Act on access to documents.
If you grant legal right of access to information that is subject to restricted processing, you must inform the third party who receives the information that the information is subject to restricted processing. You must also inform the person concerned of the reason for the restricted processing.
Note your duty of notification if you comply with a request for restriction of processing.
If you comply with a request for rectification, erasure or restriction of processing of personal data, you must also notify any recipients, e.g. data processors or collaboration partners, unless this proves impossible or is disproportionately difficult.
If, in connection with a request for rectification, erasure or restriction of processing of personal data, the data subject so requests, you have a duty to inform the data subject about to whom you have disclosed the data, e.g. a research institution with which you are collaborating.
A phrase has been inserted in the relevant templates in which you just have to write the names of the recipients.
The right to data portability refers to the data subject's right to receive the personal data concerning him or her. The right entails, firstly, that the data subject has the right to receive his/her personal data in a structured, commonly used and machine-readable format. In this situation, the right to data portability supplements the right to access, while a special feature of data portability is that it makes it easy for data subjects themselves to administer and further use personal data.
Secondly, the right to data portability entails that the data subject has the right to have the personal data transmitted directly from AU to another data controller, e.g. another research institution, if this is technically possible.
If you only process the personal data in question for research, you are not obligated to comply with a request for data portability from a data subject, see Article 20(3) of the General Data Protection Regulation. You also have no obligation to comply with a request for data portability if you base your processing on the research authority, see section 10 of the Danish Data Protection Act.
The right to data portability only applies if you base your processing on consent or on a contract with the data subject, and if the processing is made automatically (electronically).
The right to object entails that the data subject at any time has the right to object to otherwise lawful processing of his/her personal data on the grounds of his or her particular situation.
If you only process the personal data in question for research, you are not obligated to comply with an objection to processing, see section 22(5) of the Danish Data Protection Act.
The right to object applies only if your basis for processing is a task in the public interest, see Article 6(1)(e) of the General Data Protection Regulation.
Research into algorithms, etc., which can support automated decision-making, does not mean that you/AU make decisions that have legal effect or significantly affect the data subject in some similar manner. This right therefore does not apply when you only process personal data for research purposes.