The content on this page was updated in October 2022. Note that we regularly update these pages.
When processing personal data for your research, you must keep track of:
Data protection (GDPR) only applies to personal data.
Personal data is information about a natural person, i.e. a human being. Personal data is information that in itself or in combination with other information could lead (be attributed) to a natural person.
When you are conducting research, it will often be necessary to process personal data in order to complete the research. Data protection regulation distinguishes between different types of personal data. The rules that apply to the processing of personal data depend on the type(s) of personal data being processed. Some personal data requires a higher level of protection because the processing of such personal data can constitute a special risk to the data subjects.
Therefore, you will need to clarify which type(s) of personal data you are processing. There are 4 types:
General personal data is all information that is not 1) information about criminal convictions and offences, and 2) special categories of personal data (sensitive personal data).
Criminal convictions and offences should be understood broadly. This means that the data listed below is included:
Special categories of personal data, commonly referred to as sensitive personal data, is information that requires special protection under data protection regulations, as the information is more likely to represent a risk to the rights and freedoms of the data subject. Below is an exhaustive list of sensitive personal data. You will also find examples of information that falls under different areas, as well as examples of the consequences that data subjects may be exposed to if their personal data falls into the wrong hands.
Information that says something about one of the following areas is considered a special category of personal data (sensitive personal data):
Confidential information is not defined in the General Data Protection Regulation (GDPR). Nevertheless, the concept of confidential information is used in a Danish context to refer to data that requires greater protection without necessarily being a special category of personal data (sensitive personal data).
Take particular note of the difference between anonymised data and pseudonymised personal data. Processing pseudonymised personal data constitutes processing of personal data. However, anonymised data is not covered by the general data protection regulation.
Read more about the different concepts:
Data subject is the term used in Danish data protection law to describe natural persons whose data is being processed. Data subjects have many aliases within research, e.g. informant, research subject, research participant, patient, etc.
The purpose of determining the category of data subjects is to ensure that AU, as data controller, is aware of any special conditions that apply.
If the data subject is a child, a patient, an elderly person, etc., they may be considered members of a particularly vulnerable group of people. This will place demands on how you communicate when carrying out your duty of disclosure, on any special aspects you need to take into account in your risk assessment, on whether you can obtain valid consent pursuant to data protection law, etc.
The category of data subject can be specified in many ways, e.g.
When processing personal data, you must consider the number of people you are processing data on.
The purpose of assessing the number of data subjects is partly to ensure that you have an overview of your processing, and partly that number of data subjects may be important in relation to assessing the risks associated with processing and the obligations under data protection law.
By default, you should therefore specify the exact number of persons whose data you are processing. Sometimes it is not possible to give an exact number. Instead, consider how to describe the number of data subjects, e.g. 'All Danes aged 15-25 years in the period 1989-2003'.