General Data Protection Regulation (GDPR)

A short overview of the EU regulation

What is the regulation about?

The General Data Protection Regulation (GDPR) is a new piece of EU legislation on the processing of personal data. It is a regulation, which means that it has direct legal effect as law in member countries, rather than being based on a directive as the current personal data law is. The new legislation is designed as a regulation to ensure far greater harmonization of legislation in the field across the EU. Thus, it will be easier to work with personal data between EU member countries.

What is personal information?

The regulation governs the processing of personal data, so it is relevant for you as a researcher to determine whether the data you are working with is personal data or not. The regulation defines personal data as "any kind of information about an identified or identifiable natural person". This means that virtually all data that in any way concerns a person will be defined as personal data and therefore covered by the regulation's rules. For example, name, address, email, telephone number, image, health information, IP address and biometric data are all personal data and therefore subject to the regulation.

When is it alright to process personal information?

If you as a researcher want to process personal data, you must have a legitimate purpose for the processing, and the processing must be legal. Article 6 of the GDPR lists a number of factors that can determine whether the processing of personal data is legal. Please note that collection and storage of personal data are both defined as processing.

Points of attention in relation to the processing of personal data

As a researcher who wishes to use personal data in a research project, there are two main things to be aware of:
1) Should an impact assessment be made (Data Protection Impact Assessment, DPIA)?
2) Should a data processing agreement be made?

The impact assessment is new in the regulation compared with "Persondataloven". It is an analysis that assesses whether the extent of the processing is reasonable in relation to its purpose, and that assesses the risk of violating the rights of the data subjects. An impact assessment must be made if the data processing uses new technology, if there is a high risk for the data subjects, or if there is a significant impact on the data subjects.

A data processing agreement is an agreement that must always be made with suppliers when data is stored externally with them, or when the supplier has some access to the data, for example to carry out data processing for a researcher. It is an agreement between the data controller and a data processor that describes the extent and manner in which the data processor must process data. The agreement must also specify the security measures of the data processor.

Do you need help with GDPR?

If you need help or advice in connection with a research project that includes the processing of personal data, it is recommended that you contact your local data protection consultant (DPO) if the educational institution has employed one. Otherwise, you should contact the department's Legal Department for assistance and advice.

DPO at your university

Here you can find your data protection consultant (DPO). 

Table 1. Overview of DPOs at the different Danish universities.

 KU: Lisa Ibenfeldt Schultz (Email: databeskyttelsesraadgiver@adm.ku.dk)
 AAU: Teia Melvej Stennevad (Email: dpo@aau.dk)
 SDU: Simon Kamber (Email: dpo@sdu.dk)
 AU: Michal Lund Kristensen (Email: mlklund@au.dk)
 DTU: Ane Sandager (Email: dpo@dtu.dk)
 ITU: Rasmus Balle (Email: dpo@itu.dk)
 RUC: Morten Eeg Ejrnæs Nielsen (Email: dpo@ruc.dk)
 CBS: Jesper Smedegaard Madsen (Email: dpo@cbs.dk)