
Legal Services

How to handle personal data in a research project

Handling personal data in your research project comes with certain legal responsibilities. Legal Services at SDU RIO is here to support you with all GDPR-related matters.

This page offers guidance on how to handle personal data throughout every phase of your research project – from planning and collection to storage and completion. This will help ensure that your project complies with data protection regulations throughout the entire process.

Register your project

All research projects involving personal data must be registered with SDU RIO. This is a legal requirement that ensures your project is included in SDU's register of processing activities.

Register your project as early as possible, before data collection begins, so we can provide you with the assistance you need.

Register your project - ENGLISH

Go to English registration form

Register your project - DANISH

Go to Danish registration form
  • Video guide

    Get started with GDPR

    Registering your project with SDU RIO is the first step toward GDPR compliance. In this video, you will get three tips on how you can avoid GDPR becoming an obstacle for you.

Choose your legal basis for data processing

Before you begin data collection, you must select an appropriate legal basis for processing personal data. This will shape how you collect, use, and manage data throughout your project. There are two main options:

  • Section 10 of the Danish Data Protection Act: This applies if your project serves the public interest and does not rely on consent. When it comes to research, this may often be the more appropriate choice. This is also the case with research projects collecting REC consent - see FAQ.
  • Article 6(1)(a) of the GDPR: This is used when you collect personal data based on consent from the participants.

When you register your project with SDU RIO, we will advise you on what legal basis is right for your research.

 

Plan your data collection

You must decide how and from where you will collect your data. Will you:

  • Collect it yourself (e.g., through interviews, surveys, or experiments), or
  • Obtain it from a register or a third party (e.g., Statistics Denmark or a hospital database)?

This decision impacts your responsibilities and the documentation you need to prepare.

Inform participants and collect consent

You must inform participants about:

  • Who is collecting the data
  • What data is collected and why
  • The legal basis on which the data is collected
  • How the data will be used and stored
  • Their rights (e.g. access, deletion)

This must be done before or at the time of collection in clear and simple language for the targeted audience. 


Consent must be:

  • Voluntary – no pressure or negative consequences
  • Specific – for a clearly defined purpose
  • Informed – participants must understand what they agree to
  • Unambiguous – e.g. active opt-in, not silence

Consent can be withdrawn at any time. Note that consent should only be used when it is the most suitable legal basis.

If you need help preparing or reviewing an information form or consent form, please contact Legal Services at SDU RIO.

Report any changes to SDU RIO

Once your project is ongoing, you must notify SDU RIO if anything changes in your project. This includes:

  • Adding new collaborators or institutions
  • Changing the type of data you collect
  • Extending the project timeline
  • Using new systems or data processors
  • Changes in purpose
  • Change of contact person or people involved
  • Major changes in the number of registered persons
  • Change of data processor

Changes must be approved before they are implemented. If you are unsure whether a change is significant, it is always best to contact the GDPR team.

Report changes

Go to form

Store your data

You must only process and store personal data in systems approved by SDU, such as:

  • SharePoint
  • Nextcloud
  • UCloud

These systems are secure and meet the university’s data protection standards.

See full list of approved systems

Go to list

Limit and review access to data

Only people who need access to personal data should have it. Employees handling personal data must receive proper instruction and training in data protection and management, and their access rights should be reviewed at least every six months to ensure compliance.

Share your data

Before you share data, you must consider the following questions:

  1. Are you receiving data or giving data?
  2. Is the transfer internal or external?

This is essential for the type of transfer form you will need to fill out.

Transfer of data externally

You can transfer personal data to a third party outside SDU, such as a regional authority, another research institution, or a private company. To transfer data, a data transfer declaration must be completed. This will be sent to you by your case officer when the case begins.

This only applies to transfers within the EU. If you transfer data outside the EU, you must notify the Danish Data Protection Agency. Learn more here.

Transfer of data internally / reuse of data

If you wish to transfer data to another SDU project or an SDU colleague, this must be approved by SDU RIO. It is also necessary to document the origin of the data. Before contacting SDU RIO, please have your consent form or information letter ready.

The receiving project must be approved or in the process of being approved in SDU RIO's records.

Receiving data from external or internal parties

If you are receiving data from external parties, an agreement must be signed by SDU RIO. You have most likely received this agreement from the external party. If not, we can help draft one for you.

If you want to receive data from internal parties such as an SDU colleague, please contact SDU RIO.


Delete or anonymise the data

When your project ends, you must decide what to do with the personal data you have collected. You are not allowed to retain personal data longer than necessary. You must either:

  • Delete the data securely, or
  • Anonymise it if you intend to use it for future research.
    Note that pseudonymisation is not sufficient.

This step is crucial for protecting participants’ privacy and ensuring legal compliance.

Once you have anonymised or deleted your data, please notify SDU RIO of the change so the project record can be updated.

Pseudonymisation vs. anonymisation

Anonymisation is commonly confused with pseudonymisation. Here is the difference:

Pseudonymisation replaces personal identifiers (like names or ID numbers) with codes or pseudonyms. The data can still be linked back to individuals if you have access to the key. This is still considered personal data under the GDPR.

Anonymisation removes all identifiable information, so it is no longer possible to trace the data back to any individual – not even with a key. Once data is truly anonymised, it is no longer subject to data protection laws.

If we do not hear from you after the project ends, we will assume that the data has been deleted. This means you will no longer be able to reuse the data, make changes to the project, or extend the project period.

If you wish to reuse your data or extend your project, please contact us before the project ends. If we receive your request afterward, we will unfortunately not be able to assist.

Note that some data are subject to mandatory record-keeping obligations. If you have any questions about record-keeping, please contact ESDH.

Last Updated 19.09.2025