What are your obligations in relation to the new law on personal data?

On 25 May 2018, the new EU General Data Protection Regulation (GDPR) became effective. It is a good opportunity to refresh how to look after the personal data of our students, colleagues and others in everyday life.

2018.06.04 | Institut for Ingeniørvidenskab

This message is not a full or final review of the rules relating to personal data. It is only a summary of our basic rules of thumb, and simply reflects common sense.

Lock your computer:
Everyone should make sure that their computer locks automatically when it is not used. If this function is not already activated on your computer, you can find information on how to do it here: http://www.au.dk/informationssikkerhed/laasdincomputer/.

5 tips for handling personal data:
From now on everyone must follow these 5 basic tips:

  1. clean up your mailbox
  2. clean up your personal network drive
  3. clean up your desktop on your computer
  4. clean up your physical desk
  5. clean up your mobile devices.

It should be noted that the GDPR also applies to archives on paper. It is therefore important also to clean up paper archives. That applies to both TAP and VIP.

Email and other web based communication:
Avoid sending sensitive or confidential personal data via the open internet (email programmes, Snapchat, Messenger or others). In web based communication with the students it is important that as much communication as possible takes place via the student's AU email. As we do not always have the student's AU email, you should delete sensitive or confidential personal data that you receive from the student in an email from a private address before you send a reply to the student. We are not allowed to answer the student in an email that is forwarded to the student’s private email address and that includes the original text of the email, such as the confident and/or sensitive information. Confident and/or sensitive information must be returned via a closed line or the data must be encrypted, for example by using the student's AU email or by sending via e-Boks to the student's public digital mailbox.

You may never encourage students or others to forward personal data through the open internet.

You may send emails with sensitive or personal data as long as you are in a closed network that meets safety requirements. The AU email system meets this requirement, and for this reason you are allowed to send emails with sensitive or confidential personal data to other persons internally at AU, i.e. persons who have an email address ending on au.dk.

If you send an email containing personal data, you must insert the following text as standard in your email signature. 

“Please note that this email contains personal data. You must ensure that this data cannot be accessed by anyone else without good reason, and that it is deleted immediately when it is no longer required in relation to the purpose for which it was sent.”

Remember:  According to the guidelines of the Danish Data Protection Agency emails with sensitive or confidential personal data must be deleted from the mail system within 30 days of receipt.

Correspondence with colleagues or students outside the EU or the EEA:
Here specific requirements apply. You can find useful information on the links below, for instance under here: http://www.au.dk/en/informationsecurity/data-protection/in-particular-concerning-research/.

You are allowed to handle personal data:
It is legitimate for us to handle personal data as part of our tasks. It means that you are still allowed to have personal data on your drive if the data is relevant for you in your daily work. This also means that it is still legal to have CPR numbers of current part-time staff members, if you are handling the pay-out of salary to them. However, such information must be deleted from your PC when the staff member is no longer employed.

You must make sure that personal data is stored on the university’s network drive. In that way you ensure that personal data is stored securely and that you have a back-up if data is lost. There are two types of network drives: 1) A personal drive to which only you have access, 2) A shared drive/folder to which several persons have access. If personal data is stored on a shared drive/folder, it is important that only persons with a legitimate need to access the data have access to the drive/folder.

If in doubt:
If you are in doubt as to whether and how you are allowed to handle personal data, help is available.

  • Questions on HR issues, please contact our HR partner Pia Thystrup.
  • Questions concerning education can be addressed to Aarhus ST Studier.
  • Questions concerning research can be addressed to TTO.

Further, you are always welcome to contact the Data Protection Officer (DPO) at AU, Michal Lund Kristensen.

Useful links on AU.dk:
You can test your knowledge of personal data here:


You can find more information on http://www.au.dk/en/informationsecurity/data-protection/in-particular-concerning-research/ and http://www.au.dk/en/informationsecurity/data-protection/ and www.datatilsynet.dk

79466 / i31