
For secretaries

This page contains useful information for secretaries concerning what you need to be aware of in relation to the General Data Protection Regulation (GDPR).


Confidentiality instructions regarding HR administration tasks

AU's email policy for handling emails with personal data

Guidelines concerning material from liaison committees (SU) and occupational health and safety committees (AMU)

The following material from liaison committees, occupational health and safety committees, etc. may not contain information about trade union affiliation when the material is published on AU’s websites, unless the persons in question have given their express consent.

  • Lists of members
  • Agendas
  • Minutes
  • Other meeting documents

Under Article 9(1) of the General Data Protection Regulation, information concerning trade union affiliation is sensitive personal data. Since it is not necessary to state trade union affiliation in conjunction with lists of members, agendas, minutes and other meeting documents on AU’s websites, trade union affiliation may not be specified.

Affiliation concerns the trade union which the union representative represents (is a member of), and the trade union(s) nominating the person to e.g. the liaison committee.

This type of information must therefore be removed from all existing lists of members of liaison committees, occupational health and safety groups, agendas, minutes, etc. available on AU’s websites.

Examples of storage of personal data

Own personal data, employment contract, etc. 

As a general rule, you may do as you wish with your own personal data, and therefore it may be kept in e.g. a binder in your office. It is a good idea to mark the binder as ‘Private’.  


Project descriptions containing the names and positions of collaborative partners.

You may store personal data for as long as necessary for the purpose for which the data was collected. This means that you may store the project description for as long as you are working with it or on the subsequently approved project. After this, it must be deleted. If the project is not approved, and you wish to retain the project description for any later applications, you must make it anonymous so that it does not contain personal data. In the case of sensitive personal data, other rules apply to storage (storage for a maximum of 30 days).


Articles and reports which contain names, email addresses, job titles, tel. nos., etc. 

In the case of published articles and reports, these may be retained. If the articles and reports have not yet been published, this will depend on the purpose of storing them.  


Other employees’ travel expenses

Documents and receipts containing personal data may only be saved until the settlement has been approved. After this, the documents are stored electronically in the travel expense settlement system and must be deleted from the mailbox and from network drives, etc.   


Final contracts for research and consulting projects

You must send final contracts for research and consulting projects to tto@au.dk (Technology Transfer Office at AU Research Support and External Relations).


Accounting documents

As a general rule, accounting documents must be stored for five years. For specific projects, accounting documents may be required to be stored for longer. If the documents contain information additional to the details entered in REJSUD/Indfak, it is recommended that this information be attached. 

Once a document has been scanned and attached to e.g. a travel expense report, it may be discarded. If the scanning proves to be illegible, a solemn declaration will be valid documentation. 


Work-related lists - e.g. workwear, office location, lending of work equipment

Work-related lists may be saved to the shared drive (O drive) with a description of purpose. The lists must be kept up-to-date and must be deleted when they are no longer needed.  


Private lists - e.g. birthday lists and breakfast bread lists  

Initiatives among colleagues of this nature are voluntary and are deemed to be private. They are therefore not subject to the data protection rules.

It is recommended that the lists clearly state that participation is voluntary. The lists must be kept up-to-date and must be deleted when they are no longer needed. The lists may be saved to the shared drive (O drive) or on the personal drive (U drive). 

Information to web editors regarding protection of personal data

Information about the use of pictures and videos with persons
