The New Data Protection Regulation and Research Data (GDPR)
There are new rules on the way regarding the processing of personal data in research projects and biobanks. The new rules are set out in the general data protection Regulation (GDPR). The regulation replaces the existing data processing regulation on 25 May 2018.
On this site, you can read about the regulation’s expected implications for different aspects of processing personal data in research projects.
The GDPR will generally not bring about changes to the existing practice of processing and storage of personal data collected as part of research projects.
You will still have to report that you are collecting and researching personal data. In addition to personally sensitive data, however, you will now also have to report collections of ordinary, non-sensitive personal data.
If you are going to act as data processor or make use of one in connection with a research project, you should enter into a data processor agreement, which the head of department will sign on behalf of you and the institution.
If you are doing work as data processor for external parties, the Danish Data Protection Agency must be notified in a special form. Contact your department administrator or firstname.lastname@example.org for help with the registration.
The Danish Parliament is processing a proposed data protection act, which is to supplement the rules of GDPR. It is proposed that:
Personal data becomes disclosable for research purposes within the EU/EEA without the need for prior permission from the Danish Data Protection Agency. The Danish Data Protection Agency will, however, set up the conditions for the transfer.
This more lenient practice will not apply to biological material.
Publication of personal data in scientific journals requires approval
In the proposed bill for a data protection act, which is to supplement the rules of GDPR, it is proposed that sensitive personal data in research projects may only be disclosed for publication in a recognised scientific journal or the like with prior permission from the Danish Data Protection Agency.