Denmark: Datatilsynet issues guidance on data protection in connection with research projects
On July 14, 2023, the Danish data protection authority (Datatilsynet) published new guidance on processing personal data in the context of research. The guidance is mainly targeted at researchers with the aim of clarifying the data protection roles and obligations of different parties. In particular, the Datatilsynet noted that a party may have different data protection obligations depending on whether they are considered a data controller or a data processor in a research project. The Datatilsynet also explained that the level of control a party has over the collection and processing of data would determine the data protection role the party plays.
In the guidance, the Datatilsynet gave examples of the data protection roles different parties would assume in various research scenarios. In particular, the guidance outlines the data protection obligations of:
- individuals carrying out research, including university students and supervisors;
- institutions involved in research, such as universities and hospitals;
- pharmaceutical companies involved in clinical studies; and
- institutions that sell and transfer research data.
Furthermore, the guidance addresses disclosure in connection with research projects and the purchase of data and ordering services.