GDPR: Check whether you need approval from the Danish Data Protection Agency to share your research data!
In some cases, you may need separate approval from the Danish Data Protection Agency to share sensitive personal data or data about criminal offences in connection with your research. Read more about when you need to apply for approval.
If your research collaboration involves you sharing sensitive personal data or data about criminal offences, please be aware that, in some cases, you may need to obtain separate approval from the Danish Data Protection Agency to share this type of information.
You require separate approval from the Danish Data Protection Agency in the following cases:
- You are sharing the data with an independent data controller outside the EU/EEA
- You are publishing the data in a recognised scientific journal
- You are sharing human biological material (such as tissue or blood).
Data Protection Officer Søren Broberg Nielsen from AU’s Data Protection Unit encourages all researchers to be particularly aware of the need to get approval from the Danish Data Protection Agency.
“In our experience, many researchers are surprised that they need to apply for approval from the Danish Data Protection Agency before they publish an article in a scientific journal, for example, even though they have pseudo-anonymised all the sensitive personal data. But it’s actually the Danish Data Protection Agency that decides whether the data subject is sufficiently protected before the personal data is published”, says Søren Broberg Nielsen.
He also underlines that it is only necessary to get approval from the Danish Data Protection Agency in cases where the legal basis for processing sensitive personal data and/or data about criminal offences is scientific research purposes – in other words, in cases where the researchers have not had to obtain consent to use the data.
The Data Protection Unit helps researchers to apply
AU has a Data Protection Unit that helps researchers apply for approval from the Danish Data Protection Agency. One of the researchers who has received help is Cecilia Ramlau-Hansen. She is a professor at the Department of Public Health and conducts research on the effects of endocrine-disrupting chemicals on the fetus. Whilst collaborating on a research project with a colleague at Yale University, she needed approval from the Danish Data Protection Agency to share sensitive personal data with a data controller outside the EU/EEA.
“As a researcher, it can be a bit difficult to keep track of the rules regarding which permissions you need and when. So, if you are conducting a research project that involves sensitive personal data, my advice is to contact the AU Technology Transfer Office and Data Protection Unit. I always get good advice from them, and, if you need a collaboration agreement, they take care of the necessary legal documents,” says Cecilia Ramlau-Hansen.
How to apply
Complete this form (in Danish only), which contains all the information the Danish Data Protection Agency needs to process your application. Send the form to AU’s Data Protection Unit at email@example.com, who will help make sure that all the information is correct.
Read more about sharing personal data on AU’s GDPR webpage
Once the Danish Data Protection Agency has given its approval, the Data Protection Unit at AU will ensure that this approval is registered in AU’s record of research projects that process personal data. But it is worth paying close attention to the exact terms of the approval.
“When it grants approval, the Danish Data Protection Agency also imposes certain terms for the sharing of personal data, and these terms can vary depending on the specific project. It is the responsibility of the individual researcher to comply with these terms,” says Søren Broberg Nielsen.
Facts: Do you speak GDPR?
Personal data: Any data that can be attributed to a natural person.
Data Protection Unit: The AU unit run by the data protection officer.
Data controller: The person who decides why and how the personal data should be processed. In a research context, the data controller is typically Aarhus University.
Disclosure (a type of data sharing): When personal data is shared with another, independent data controller for the latter’s purpose.
Scientific research purposes as a legal basis (Forskningshjemmel): Using scientific research purposes as a legal basis for processing personal data – this avoids the need to obtain separate consent from research participants.
Danish Data Protection Agency: The central independent authority in Denmark which monitors compliance with data protection legislation.
Sensitive personal data: Data about a person’s race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetics or biometrics (if processed solely to identify a human being), health, sex life or sexual orientation.