Skip to main content

GDPR for students

As a student, you are basically an independent data controller. This means that you are responsible for ensuring that the data protection rules are complied with when you process personal information in connection with an assignment during your studies – regardless of semester. In general, the same applies in connection with your bachelor project and thesis. The rules apply to e.g. questionnaire surveys, interviews, video recordings, tissue processing, etc.

When writing an assignment on your own, you should always consider the following. Consider it reference or a checklist.

When you start working on a new assignment, you must clarify whether or not you are going to process personal information in this connection. This is because it will determine whether you have to comply with the data protection rules (see the items below to find out what you have to live up to). 

You can read more about what personal information is, different types of information and see examples of types of personal information here. 

You must always make sure that you have permission (legal basis) to use the information collected. The Danish Data Protection Act operates with different legal bases but the most relevant for you is the processing of personal information based on voluntary consent.

Consent is a voluntary acceptance by a person that you are allowed to process the information you obtain about that person. You must therefore prepare a declaration of consent and obtain consent of the relevant person or persons before you start processing the personal information.

The consent must be able to answer the following:

  • Who has given consent?
  • When and how was the consent given?
  • What did the person you asked for consent agree to?  

Consent must be freely given, specific, informed and unambiguous. You must therefore prepare a coherent text and in a neutral language so that it is easy to read and adapted to the person who is to sign (the data subject). For online versions, it is okay to have a field where you can click ‘accepter’ (‘accept’). 

As a student, you are responsible for storing the declarations of consent that you have collected. Also, be aware that if a person regrets his or her consent, he or she always has the right to withdraw his or her information and have it erased.  

It is a requirement that you can document that you have obtained consent for your data collection.

You can read more about consent on the Danish Data Protection Agency’s website.

As a data controller, you must ensure that personal data are stored securely both during collection and while you are processing data, so that unauthorised persons do not gain access to data. 

Always remember to delete personal information when you no longer need it. Personal information collected for an assignment must be deleted when your assignment has been assessed and the time limit for submission of appeals, cf. the Examination Order, has expired.  

When you collect, store and possibly transfer data, SDU provides some options that you can use in order to handle data in a safe and secure manner

If possible, you can choose to add an extra layer of security to data by pseudonymising or anonymising the collected personal data. 

You can find an overview of systems made available by SDU here. Examples of material you may store are: Transcribed/entered/scanned data, declarations of consent, audio files, photos, etc. Raw data in the form of ‘tapes’, audio files on recording devices, paper questionnaires and declarations of consent must be destroyed (shredded) as soon as they have been moved to Onedrive or Nextcloud

In addition, some good general rules to remember when processing material containing personal data:

  • Always use systematic naming of files so that data about a person can be easily retrieved.  
  • You need to handle personal data on paper with heightened attention in the public domain and store them in locked rooms when not in use.   
  • You should never store the data you have collected on the local drive on your private computer. Use OneDrive or Nextcloud instead. Also, remember to delete data when you have finished using them. 
  • Remember that you must destroy physical papers (if you print declarations of consent, transcribed interviews, etc.) when you have finished using them. You should only print if it is necessary.
At SDU IT, you can read more about IT programs available to you as a student at SDU.
When collecting information, you should collect as little information as possible, cf. the principle of data minimisation. If you can do with collecting name, region, age and political position, do not also collect marital status, seniority, sexual orientation, etc. It may be a good idea to avoid processing sensitive information if possible. In the case of civil registration numbers, neither your civil registration number nor the civil registration numbers of your respondents/contributors, other sensitive information or personally identifiable information must appear in the final product.


Last Updated 02.03.2022