New Guidelines on the Allocation of Data Protection Responsibilities in Research Projects | Denmark

In an increasingly data-driven world, where research projects often rely on the collection and analysis of personal data, it has become imperative to ensure that the privacy rights of individuals are respected and safeguarded. The party primarily responsible for this is the data controller, and it is therefore of high priority to the European Data Protection Board and the Danish Data Protection Agency to designate the data controller to the party/parties drafting the protocol. The Danish Data Protection Agency’s newly published guidelines address this need by offering multiple examples of allocation of data protection responsibilities throughout the lifecycle of a research project. The aim is thus to provide clarity and guidance to researchers, institutions and private entities involved in research activities that involve the processing of personal data.

The guidelines underscore the importance of identifying and designating clear roles and responsibilities within research teams. This involves delineating the obligations of data controllers, data processors and data subjects.

The guidelines set out the responsibilities of the data controller, who determines the purposes and means of processing personal data. Researchers are advised to clearly define the scope of their research, ensuring that it aligns with legal and ethical considerations. The guidelines also emphasise the necessity of conducting data protection impact assessments (DPIAs) to assess and mitigate potential risks associated with data processing activities.

Unlike certain other EU jurisdictions, there is not one solution as to how the data protection responsibilities are allocated among the involved parties, including researchers, institutions and private entities. Ultimately, a specific agreement is required, but the guidelines emphasise criteria, such as:

All three data responsibility options (controller-to-controller, joint controller or data processor) are therefore viable in Denmark depending on the setup you and your collaborating partners engage in. In any case, the guidelines stress the importance of formal agreements, data security measures and transparent communication between the parties involved.

The guidelines also clarify the rights of data subjects, emphasising the need for researchers to provide clear and accessible information on the data processing activities as well as ensuring mechanisms for obtaining informed consent.

Contrary to a widely held assumption in Denmark, the guidelines stipulate that it does not affect the allocation of roles that a researcher on a project has been assigned authorship of a scientific article. This is due, among other things, to the fact that it is typically the organisation as a whole and not the individual researcher who is the data controller.

If joint controllership has been determined as the applicable role allocation, the fact that each party handles different parts of the processing or processes different data sets does not change the fact that both parties are joint data controllers.

In addition, the guidelines mention that “it is not in itself decisive for the division of roles who has contact with the subjects and is thus able to appear as a data controller towards them” and, consequently, initial appearances are not decisive, although they may indicate some level of responsibility in other contexts.

Finally, cross-border collaboration does not affect the allocation of roles. However, local laws in one of the involved jurisdictions may prescribe a certain setup, such as “data controller”, “data processor” or “joint controller”, in which case this must be adhered to within the scope of applicable legislation and the relevant research study’s protocol.

The processing of personal data as part of research projects is often a focus area of the Danish Data Protection Agency, and as the research landscape continues to evolve, these guidelines are poised to play a pivotal role in shaping responsible data practices in research projects across Denmark.

We therefore recommend that both private entities and public institutions familiarise themselves with the guidelines to ensure compliance before deciding on roles, etc. The guidelines are structured around examples relevant to the different stakeholders taking part in research projects. For example, a pharmaceutical company sponsoring a clinical trial can easily refer to section 3.5 of the guidelines to check whether its “template solution and contractual basis” comply with the examples provided by the Danish Data Protection Agency. Public institutions should do likewise.