New Guidelines on the Allocation of Data Protection Responsibilities in Research Projects | Denmark

Susanne Stougaard and Egil Husum from Bech-Bruun look at how the Danish Data Protection Agency (Datatilsynet) has taken steps to promote responsible handling of personal data in research projects by publishing guidelines on the matter. They consider how both private entities and public institutions should familiarise themselves with these new guidelines.

Published on 16 October 2023
Susanne Stougaard, Bech-Bruun, Chambers expert focus contributor
Susanne Stougaard
View firm profile

In an increasingly data-driven world, where research projects often rely on the collection and analysis of personal data, it has become imperative to ensure that the privacy rights of individuals are respected and safeguarded. The party primarily responsible for this is the data controller, and it is therefore of high priority to the European Data Protection Board and the Danish Data Protection Agency to designate the data controller to the party/parties drafting the protocol. The Danish Data Protection Agency’s newly published guidelines address this need by offering multiple examples of allocation of data protection responsibilities throughout the lifecycle of a research project. The aim is thus to provide clarity and guidance to researchers, institutions and private entities involved in research activities that involve the processing of personal data.

The guidelines underscore the importance of identifying and designating clear roles and responsibilities within research teams. This involves delineating the obligations of data controllers, data processors and data subjects.

Data Protection Responsibilities

The guidelines set out the responsibilities of the data controller, who determines the purposes and means of processing personal data. Researchers are advised to clearly define the scope of their research, ensuring that it aligns with legal and ethical considerations. The guidelines also emphasise the necessity of conducting data protection impact assessments (DPIAs) to assess and mitigate potential risks associated with data processing activities.

Unlike certain other EU jurisdictions, there is not one solution as to how the data protection responsibilities are allocated among the involved parties, including researchers, institutions and private entities. Ultimately, a specific agreement is required, but the guidelines emphasise criteria, such as:

  • who has taken the initiative;
  • who has drafted the protocol;
  • who has funded (sponsored) the project;
  • whether legal requirements and standards apply to the parties involved (eg, to the sponsor, the Clinical Research Organisation (CRO), the Healthcare Professionals (HCPs), the site, etc); and
  • who will be the marketing authorisation holder.

All three data responsibility options (controller-to-controller, joint controller or data processor) are therefore viable in Denmark depending on the setup you and your collaborating partners engage in. In any case, the guidelines stress the importance of formal agreements, data security measures and transparent communication between the parties involved.

The guidelines also clarify the rights of data subjects, emphasising the need for researchers to provide clear and accessible information on the data processing activities as well as ensuring mechanisms for obtaining informed consent.

Factors Deemed Irrelevant

Contrary to a widely held assumption in Denmark, the guidelines stipulate that it does not affect the allocation of roles that a researcher on a project has been assigned authorship of a scientific article. This is due, among other things, to the fact that it is typically the organisation as a whole and not the individual researcher who is the data controller.

If joint controllership has been determined as the applicable role allocation, the fact that each party handles different parts of the processing or processes different data sets does not change the fact that both parties are joint data controllers.

In addition, the guidelines mention that “it is not in itself decisive for the division of roles who has contact with the subjects and is thus able to appear as a data controller towards them” and, consequently, initial appearances are not decisive, although they may indicate some level of responsibility in other contexts.

"These guidelines are poised to play a pivotal role in shaping responsible data practices."

Finally, cross-border collaboration does not affect the allocation of roles. However, local laws in one of the involved jurisdictions may prescribe a certain setup, such as “data controller”, “data processor” or “joint controller”, in which case this must be adhered to within the scope of applicable legislation and the relevant research study’s protocol.

Bech-Bruun’s Opinion and Recommendations

The processing of personal data as part of research projects is often a focus area of the Danish Data Protection Agency, and as the research landscape continues to evolve, these guidelines are poised to play a pivotal role in shaping responsible data practices in research projects across Denmark.

We therefore recommend that both private entities and public institutions familiarise themselves with the guidelines to ensure compliance before deciding on roles, etc. The guidelines are structured around examples relevant to the different stakeholders taking part in research projects. For example, a pharmaceutical company sponsoring a clinical trial can easily refer to section 3.5 of the guidelines to check whether its “template solution and contractual basis” comply with the examples provided by the Danish Data Protection Agency. Public institutions should do likewise.

Bech-Bruun

Bech-Bruun
13 ranked departments and 43 ranked lawyers

Learn more about the firm's ranking in Chambers Europe

View firm profile

Chambers In Focus Newsletter

Sign up for our newsletter and never miss out on thought leadership content from legal experts and the key stories driving the legal profession forward.
Sign up here