Genvejsmenu:
S - Indhold
1 - Forside
2 - Nyheder
3 - Oversigt
4 - Søg

Private research and statistics projects

The regulations of the Act on Processing of Personal Data apply to the processing of personal data if the processing is conducted for scientific or statistical purposes.

Personal data is understood as data about a person that directly or indirectly can be identified.

Processing is understood as all forms of handling of data, i.e. collection, registration, storage, application, etc.


Which projects must be notified to the Danish Data Protection Agency?
If data about individuals’ purely private matters (sensitive information) is processed in a research or statistics project, the project must be notified to the Danish Data Protection Agency and must obtain  the agency’s authorisation. The Danish Data Protection Agency imposes a number of conditions in addition to the general provisions of the law that must be observed when conducting the project.

According to sections 7 and 8 of the Act on Processing of Personal Data’s, sensitive information is:


• Racial or ethnic background,
• political, religious or philosophical conviction,
• trade union membership information,
• information about health, sexual or criminal matters,
• information about significant social problems, and
• other similar information related to one’s private life.


The term health-related matters covers information about:


• A person’s past, current and future physical or mental condition, and
• medicine use and abuse of narcotics, alcohol and similar stimulants.


Also covered by the term “sensitive personal data” is biological material that can be used to identify an individual (blood and tissue samples, etc.).

Projects that solely involve non-sensitive data about participants do not have to be notified to the Danish Data Protection Agency. The provisions of the law must be observed, but the Danish Data Protection Agency does not impose specific conditions for the project.

 
What happens when a project is notified to the Danish Data Protection Agency?
After a review of the notification, the Danish Data Protection Agency issues a authorisation specifying the conditions for the project.

The conditions are set to protect the participants’ privacy and to ensure that personal data is processed in accordance with the law.

The Danish Data Protection Agency grants authorisation for a limited period of time. The expiration date will be displayed in the letter of authorisation.

Notification and authorisation are free of charge.

A notification is automatically considered to be a request for authorisation.


What happens if I do not notify the Danish Data Protection Agency?
The Act on Processing of Personal Data states that it is punishable by law to refrain from notifying a project to the Danish Data Protection Agency, and that it is punishable by law to violate the conditions stipulated by the Danish Data Protection Agency. The maximum penalty is a fine or imprisonment for up to four months.

Who must submit a notification?
The data controller is responsible for notification of a private research or statistics project.


The controller is the researcher or company that is responsible for the execution of the project, including the processing of personal data about participants. The project manager will typically be the person who must submit the report.

It is permittable for another person to notify on behalf of the data controller by proxy.

When must the notification be submitted?
The project must be notified and have secured authorisation from the Danish Data Protection Agency prior to the commencement of processing of personal data.

Collection of personal data for use in the project may not commence before authorisation has been granted.

How do you submit a notification?
The notification can be submitted electronically via the Danish Data Protection Agency’s website. Under the menu item “Blanketter” – “Privat forskning” you can find a form for notification of private research and statistics projects. The form can be completed and submitted electronically.

Download the notification form “Privat forskning”
("private research". Danish version).

Read the Danish Data Protection Agency’s standard conditions for research projects.

When submitting af notification to the Danish Data Protection Agency, the notification form must always be used.

The Danish Data Protection Agency must be notified of changes to the project.. Some changes will require advance authorisation from the Danish Data Protection Agency, whereas other changes of minor importance must simply be reported.

Changes can be reported electronically - as a change to the existing notification - or manually. In connection with notification changes, the Danish Data Protection Agency’s journal number must always be cited.

Upon expiry of the Danish Data Protection Agency’s authorisation, the notification will be automatically deleted from the electronic register, cf. below.

You are not required to send a project description/protocol, a copy of the statement from the Scientific Committee or other attachments in connection with the notification to the Danish Data Protection Agency.

 
How is the notification disclosed in the Danish Data Protection Agency’s register?
Notifications of private research and statistical projects are disclosed in the electronic register on the Danish Data Protection Agency’s website. The register includes most of the information that is provided in the notification.

It is possible to exclude some information from disclosure if it is of vital importance to private interests, e.g. if disclosure will reveal business or research secrets.

If you wish information in the notification to be excluded from disclosure in the register, this must be made explicitly clear to the Danish Data Protection Agency in connection with the notification. The Danish Data Protection Agency will then make a decision on this matter.

 
When is a research or statistics project carried out for a public administration? And when is it carried out for a private controller?
If a research or statistics project is conducted for a public authority, the project cannot be considered to be a private project.

A number of PhD projects are conducted at the regional hospitals. These projects often involve the department’s patients and the PhD students receive guidance from the department’s chief physicians. The Danish Data Protection Agency is not opposed to these projects being notified to the Danish Data Protection Agency by the PhD students themselves, i.e. as “private research”, unless the region has made a different decision.

A PhD project is conducted so that the candidate, as a part of his/her education, can qualify for the academic degree of PhD.
 
If a public authority processes sensitive personal data for statistical or scientific purposes, this must be notified by the authority to the Danish Data Protection Agency and the opinion of the agency must be obtained before such processing commences.

In most cases this will also apply if the project only involves data that is confidential but not sensitive, e.g. various financial information about individual persons.

Notification of “public” research and statistics projects must be submitted electronically. The form “Offentlig forvaltning” (= public administration) must be used for this purpose.

 
Download the “Offentlig forvaltning” notification form (Danish version).

Note that “public” research projects at hospitals must be reported via the regions. The regions then submit a report to the Danish Data Protection Agency. The hospitals must not submit a notification directly to the Danish Data Protection Agency.

Read more about the regions’ reporting of scientific projects and clinical databases (in Danish).

The Danish Data Protection Agency has issued a guide on notification in accordance with chapter 12 of the Act on Processing of Personal Data, which applies to public administrations. The guide can be found on the Danish Data Protection Agency’s website.

 
Who conducts inspections and control of private projects?
According to the Act on Processing of Personal Data, the Danish Data Protection Agency can conduct inspection of private research and statistics projects.