In particular concerning research

Here you can find information about what you have to be aware of if your research involves personal data - both regular and sensitive personal data. 

Before start-up of the research project

1. Do you process personal data?

If you are going to process personal data in connection with a research project, database/biobank you must register it internally at AU before you begin processing personal data. You must complete and submit a notification form.

Every research project, database/biobank must have a contact person who is responsible for the personal data internally. This means that this person is responsible for compliance with the GDPR and Danish Data Protection Act (databeskyttelsesloven), any related rules and regulations, for every data processing action.    

The Data Protection Unit receives the internal notification, registers the project, database/biobank and confirms the registration by issuing a statement including the requirements for processing of personal data and the security of processing. The Data Protection Unit keeps an overview up to date of the projects and databases/registers, i.e. any processing of personal data at AU. As a researcher you are obliged to inform the Data Protection Unit, if changes are made.

Are you in doubt? 

If you are in doubt whether or not you process personal data, send an email to   

If you are working on a research project for which a notification ought to have been submitted, send an email to  

Please be aware of the following

  • If the personal data relates to a person who died more than ten years ago, the data is not subject to the rules. 
  • If you need to move your project fra a private notification to AU's notification, send an email to  
  • If you have changes to an existing notification, send an email to   

2. What is the purpose of the personal data processing?

If you process personal data, be aware of the purpose of the collection/processing of the data.

  • Consider the necessity of the amount and type of personal data. What personal data is necessary, considering the purpose?
  • Take the authority aspect into account. Do you need to obtain consent, or do you have another form of authority?
  • Prepare text for information to informants/respondents/data subjects. You must disclose the purpose of the processing, the legal basis for the processing, contact details and recipients of the personal data.  

Are you in doubt?

If you are in any doubt, please contact the Technology Transfer Office at

3. Will you share personal data with others?

If you are to exchange collected personal data with colleagues, companies or organisations outside AU during the course of your project, you must have clarified whether this concerns disclosure, or whether you are required to draw up a data processing agreement. 

Are you in any doubt?

If you are in any doubt, please contact the TTO team at     

During the research project

4. Notify the informants

Notify the informants of the collection of personal data when collecting the data. 

Obtain consent, if necessary, either as authorisation (in accordance with the General Data Protection Regulation) or in accordance with other requirements. 

Are you in doubt? 

If you are in doubt, you can contact TTO at  

5. Make sure you store personal data secure

Find information about the storage solutions for personal data.

Make sure that only the persons for whom, according to the purpose of the data collection (the research project), access is necessary have access to the data. 

Personal data should be made anonymous or pseudonymised in the course of the project if you no longer require the identity of the informants. If personal data is made completely anonymous, it will no longer be subject to the rules.    

Are you in doubt? 

Are you in doubt about which storage solution to choose, you can contact your local IT support. 

6. Disclosure of the data responsibility

The disclosure of data must be in accordance with the purpose, and as a general rule, the informants must be notified of the disclosure when the data is collected.

Find more information about disclosure of personal data. 

Are you in doubt? 

if you are in doubt, you can contact TTO at  

7. Enquiries from data subjects

Find information about the rights of data subjects.

Are you in doubt? 

You can contact AU's Data Protection Officer, if you have questions regarding the rights of data subjects. 

8. If a security breach happens

Please notice that all security breaches must be reported to AU. 

Der er tale om et brud på persondatasikkerheden, når bruddet fører til en hændelig eller ulovlig tilintetgørelse, tab, ændring, ubeføjet videregivelse af eller adgang til personoplysninger, der sendes, lagres eller på anden måde behandles, hvad enten behandlingen foregår fysisk eller elektronisk.  

How to report a security breach. 

Are you in doubt? 

If you are in doubt about whether or not it is a security breach, you can contact AU's Data Protection Officer. 

After the research project

9. Storing of personal data in 'final form'

Do not store personal data for longer than necessary with regard to the purpose for which the data was collected. Research data must be stored for at least five years after the latest publication of results based on the data, and this period must therefore be deemed to be necessary for the purpose. 

Store read about the storage solutions.

Data must be transferred to the Danish National Archives if there is an archiving purpose.

10. If you wish to transfer the data responsibility to others

If you wish to transfer the data responsibility to another organisation (e.g. another university), you must apply for this, and as a general rule the informants must be informed of this when the data is collected. 
Read more about the disclosure of personal data. 

Are you in doubt? 

If you are in doubt, send an email to  

Expected case processing time for the record of processing activities in research

  • New registrations to the record of processing activities: Within 3 weeks of notification
  • Updates to existing registrations: Within 2 weeks of receiving changes
  • Guidance on notification to the record of processing activities: Within 1 week of receiving the request  
  • Assistance in applying to the Danish Data Protection Agency: Within 2 weeks of receiving the form
  • Registration of disclosure: Within 2 weeks of receiving the internal notification