Data processing rules and security of processing

Here you can find information about data processing rules and security of processing in connection with statistical and scientific studies.

Data processing rules

Personal data that is subject to Section 10 of the Danish Data Protection Act concerning statistical and scientific studies may not be included in administrative or specific case processing.

Nor may the data be used as the basis for specific legal or actual measures towards the data subjects concerned, or other persons. Only the results of the scientific or statistical processing of personal data may be used in administrative contexts, and only subject to the provision that the results are used in such a way that it is not possible for individual data subjects to be identified.

As far as possible, the data collected must be processed in a form which makes it impossible to identify the data subjects, for example in an encrypted form or under serial numbers rather than CPR (civil registration) numbers. 

The dissemination of the results of the studies must take place in such a way that it is not possible for third parties to identify individual data subjects.

At the end of a study, the personal data (including biological material) must be erased, made anonymous or destroyed, so that it is not subsequently possible to identify individual data subjects included in the study, unless the data must be retained in accordance with other legislation. Alternatively, data may be transferred for storage in an archive, in accordance with the rules in archive legislation. 

Security of processing

The requirements concerning security of processing are e.g. stated in Article 32 of the General Data Protection Regulation, i.e. that appropriate technical and organisational measures must be implemented to ensure a level of security appropriate to these risks, including, depending on what is relevant:

  • Pseudonymisation and encryption of personal data.
  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

On assessing the appropriate level of security, account must be taken in particular of the risks which data processing presents, in particular concerning the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

It must be ensured that any natural person acting under the authority of the data controller or the data processor, and who has access to personal data, only processes this data in accordance with the instructions of the data controller.


Employees who handle personal data must receive instruction and training on what they may do with data/material, and how to protect the data/material.  

Access and authorisations

Access to the personal data must be restricted to individuals who have a justified need to access the data. This must be as few individuals as possible. They should be employees who are not also engaged in ordinary administrative case processing activities involving data subjects whose data is processed for statistical or scientific purposes. Authorisations must specify the extent to which the user may request, input or erase personal data.

At least every six months it must be checked that the authorised persons still fulfil the conditions for access to the data.

Technical access control must be established in the IT systems so that authorised persons have to identify themselves to the system in order to gain access to process data in accordance with the authorisation.

Any rejected attempts to access the IT systems must be registered. If a specific number of consecutive failed access attempts is registered, any further attempts must be blocked.

All use of sensitive personal data must be subject to automated registration (logging). See how to order a network drive with logging. 

Data processors

The use of external data processors to handle personal data must be governed by written data processing agreements. The content of the agreements must comply with Articles 28 and 29 of the General Data Protection Regulation. Among other things, it must be stipulated that the data processors act solely on the instructions of the data controller. This applies, for example, when an external party is used for the statistical processing of the data or for the analysis of biological material. If the external party also uses data processors to perform the work, these are also regarded as data processors for the data controller (subprocessors), and agreements, etc. are required.

The data controller must actively ensure that all data processors and any subprocessors comply with the requirements for security of processing.

External communication links

If personal data is processed on IT equipment outside Aarhus University’s premises (or on equipment which is not part of Aarhus University’s ordinary system), the required security measures must be taken, and special guidelines must be laid down in this respect.

External communication links may only be established if special measures are taken to ensure that unauthorised persons cannot access personal data via these links.

Protection from unauthorised access

At locations where personal data is processed, measures must be taken to protect data from access by unauthorised persons. If the personal data is stored on removable and mobile data equipment, e.g. on USB keys, it must be ensured that unauthorised persons cannot access the data on any portable data equipment that might be lost/stolen. Alternatively, portable data equipment must be stored securely under lock and key, so that unauthorised persons are physically prevented from accessing the media or removing it from the physical location. The same precautions must be taken with regard to data backup copies.

In connection with the repair and servicing of data equipment containing personal data, and when data media is sold or discarded, appropriate measures must be taken to prevent personal data from coming to the knowledge of unauthorised persons. 

Material must be stored and handled in such a way that unauthorised persons cannot gain access to the personal data contained in such material.


Material must be erased or destroyed when it is no longer to be used for the purposes for which it was collected and processed, and by no later than the deadline determined by Aarhus University. When the material is destroyed, it must be ensured that it cannot be misused or disclosed to unauthorised persons. 

Biological material

Biological material must be stored securely under lock and key, so that no unauthorised persons – including cleaning staff and other staff not involved in the scientific/statistical processing of the material – have access to it. 

Biological material must be stored in such a way as to prevent the loss, impairment or accidental or unlawful destruction of the material. Measures may include the installation of necessary temperature alarms on freezers containing biological material.


As far as possible, biological material must be processed in a way which makes it impossible to identify the data subjects, for example under serial numbers rather than the names or CPR (civil registration) numbers of the data subjects.