When Aarhus University uses your personal data for research, as the data controller we are responsible for protecting your rights to confidentiality and privacy.
This page has information about how Aarhus University processes your personal data, about your rights, our legal basis, your protection and how long we store the information.
Perhaps you have already been informed about the processing of your personal data in a specific research project. If so, the information regarding the specific project takes precedence. Consider the information on this page as a supplement.
Personal data is any type of information that can be attributed to a specific person, even if the person can only be identified if the data is combined with other information.
For example, personal data can be civil registration numbers, registration numbers, a picture, a fingerprint, a voice, patient records or biological material. Personal data can be sensitive and non-sensitive. Read more about the definitions on the Danish Data Protection Authority's website. (In Danish only)
In research, studies and analyses based on personal data are crucial for developing solutions and research breakthroughs that can contribute to a sustainable society. Examples include disease prevention, treatments, climate, welfare, well-being, economy and much more.
Information comes from different sources when Aarhus University processes personal data for research. We can receive personal data in two ways:
You will find that Aarhus University often obtains information directly from you and combine this with information we receive from others.
In research, we generally process personal data on one or more of the bases for processing below. As the data controller, AU must decide which basis for processing to apply in the individual project.
We process your personal data on the basis of:
Either
Article 6(1)(e) of the General Data Protection Regulation, because the processing is necessary for the performance of a task carried out in the public interest. In this situation, we do not ask for your consent to the processing of your personal data.
or
Article 6(1)(a) of the General Data Protection Regulation, if you give your legal consent to the processing of your personal data.
We process your personal data on the basis of:
Either
Article 9(2)(j) of the General Data Protection Regulation, in conjunction with section 10(1) of the Data Protection Act and Article 6(1)(e), as it is necessary to process the information for scientific research purposes. In this situation, we do not ask for your consent to the processing of your personal data.
or
Article 9(2)(a) of the General Data Protection Regulation and Article 6(1)(a), if you give your legal consent to the processing of your personal data.
We only process CPR numbers when it is necessary for unique identification, cf. section 11(1) of the Data Protection Act.
Sometimes, special rules may apply in addition to the general data protection rules. For example, in some research projects we will be obligated to comply with the regulations of the Health Act or other legal regulations in order to process personal data legally.
If we process your personal data on the basis of legal consent under data protection legislation, we will only process the data you have given us permission to process, and you can revoke your consent at any time. However, this will not affect the processing that took place before you revoked your consent.
Sharing knowledge is essential for research, and researchers collaborate across disciplines, universities and national borders. We make sure that we only share your personal data on a legal basis. If business partners are located outside the EU/EEA, we make sure to establish a transfer basis that guarantees your rights (in relation to the protection of your personal data), essentially corresponding to your rights within the EU/EEA.
We process your personal data as long as is necessary to achieve one or more research purposes. We are obligated to store research data, including personal data, for at least five years after the latest research publication in order to document the integrity of the research.
Protection of your personal data is important and, among other things, it involves secure systems, restriction of access and requirements for the individual researcher. As the data controller, Aarhus University is obligated to comply with all the rules in the General Data Protection Regulation (GDPR), the Data Protection Act and other special rules on the processing of personal data.
All processing of personal data is also in accordance with our information security policy and our research instructions. Examples include:
Personal information to which researchers gain access via public registers is generally pseudonymised (i.e. it does not contain name, civil registration number or other information that can be linked directly to you). If researchers themselves collect personal data, they are obligated to pseudonymise the data themselves to the extent that this does not obstruct the research.
When your personal data is used for research purposes, you generally have the following rights:
If you want to complain about the processing of your personal data, you can do so via the Danish Data Protection Authority's website, where there are also instructions on how to complain.