Handling email with personal data

When you handle mails containing personal data as an employee of Aarhus University, it is important that you comply with the university’s personal data processing policy for email. Find the policy here. 


You are allowed to send and save so-called neutral mails in your inbox.

Neutral mails are defined as mails which include no personal information other than the names of employees referred to in connection with their professional role in a case or project. General or concrete anonymised guides, meeting minutes, course material, general projects, etc.

If necessary, you can email sensitive and/or confidential personal data internally at AU.

As a general rule, you should try to avoid sending sensitive and/or confidential personal data in emails.

You are allowed to send emails containing unencrypted sensitive and/or confidential personal data to other persons at AU. Internal email addresses are basically ones ending in au.dk.

You are NOT allowed to send unencrypted sensitive and/or confidential personal data to persons outside AU. That is persons who do not have an email adresss ending in au.dk.

You should at the same time deal with emails with this kind of content immediately – either by filing them or by deleting them when they have been read.

You should avoid copying sensitive and/or confidential personal data from systems such as STADS, PeopleXS and WorkZone in order to email it.

Emails containing sensitive personal data must be deleted from your mailbox no later than 30 days after receiving/sending the email.

Emails with sensitive personal data must be deleted no later than 30 days after receiving the email. This is necessary because AU’s email and calendar system is not intended for the storage of sensitive personal data. 

Emails with general personal data must be deleted when there is no longer a legitimate purpose storing the email.

If you send an email containing sensitive and/or confidential personal data, you need to delete the email from the folder ‘Send items’. If you receive an email with sensitive and/or confidential personal data, you need to delete the email from your inbox. As of 1 November 2018, a so-called Outlook policy will be implemented in all AU mailboxes which will automatically empty the ‘Deleted Items’ folder every 30 days.

Remember to use a secure form of communication if you need to send sensitive and/or confidential personal data to recipients outside AU.

If you need to send sensitive and/or confidential personal data to external recipients, i.e. recipients outside AU, you must use a secure form of communication, e.g.:

  • virk.dk (only in Danish)
  • AU's secure email solution (only in Danish)
  • e-boks

Regarding receiving sensitive and/or confidential personal data

When you require a student, employee or private individual to send you sensitive and/or confidential personal data for use in the university’s case processing, your request should be worded neutrally in terms of how the data is to be submitted. The sender of the data will hold the sending risk in terms of how the data is submitted.

If you nevertheless receive sensitive and/or confidential personal data via ordinary email, it is important that you do not just reply to the email and include the full original text in your email. Before replying, you must ensure that sensitive and/or confidential data has been removed from the email.

Concerning unsolicited applications by email in particular

Find guidelines for handling applications and supporting documents.

Email signature for emails containing personal data

If you send an email containing personal data, you must insert the following text as standard in your email signature.  

“Please note that this email contains personal data. You must ensure that this data cannot be accessed by anyone else without good reason, and that it is deleted immediately when it is no longer required in relation to the purpose for which it was sent.”