Aalborg University (AAU) is one of Denmark’s eight universities, and we collect and process personal information about various individuals. As a rule, Aalborg University will record and process your personal data if you are or have been employed or enrolled as a student, if you have attended a conference, if you have collaborated with the University or if you subscribe to any of the University’s web services.  Furthermore, the University processes personal data in connection with research projects. In all of such cases, Aalborg University is the data controller.

Aalborg University’s privacy policy applies to all personal data collected and processed by Aalborg University. In this privacy policy, ‘AAU’, ‘the University’, ‘we’, ‘us’ or ‘our’ refer to Aalborg University.

AAU primarily records personal data in accordance with the data protection regulations: EU’s General Data Protection Regulation (GDPR) and the Danish Data Protection Act which was passed by the Danish Parliament on 17 May 2018.

Aalborg University’s official contact details:

Aalborg University
Fredrik Bajers Vej 5
DK-9220 Aalborg East

Tel.: +45 9940 9940
aau@aau.dk
www.en.aau.dk
CVR No.: 29102384

In our privacy policy, the term ‘personal data’ refers to information that relates to you and may be used to identify you either alone or in connection with other information collected about you.

In general, we process the following personal data:

A. Data:

• Name, address, occupation, email address, phone number and date of birth

Scope of application:

• If you apply for a job
• If you apply for admission to a degree programme
• If you attend a conference
• If you use AAU’s facilities, such as when you book a seminar room

B. Data:

• Danish civil registration number (CPR)

Scope of application:

• If you are an AAU staff member (including non-tenured staff)
• If you are an AAU student

C. Data:

• Account details, financial company information (only sole trader businesses)

Scope of application:

• If you have financial transactions

D. Data:

• Staff number, username, place of employment

Scope of application:

• If you are an AAU staff member

E. Data:

• Information on your education and grades

Scope of application:

• If you are an AAU student

F. Data:

• Information about your employment, knowledge and experience

Scope of application:

• If you apply for a job
• If you are an external examiner

G. Data:

• Digital data, such as traffic data, location data and other forms of communications data, including IP addresses, data related to devices (PCs, telephones and tablets) and technical data, such as device type and operating system

Scope of application:

• Relates to how we design our website, platforms and digital applications

H. Data:

• Data on when you use your access card to enter our buildings

Scope of application:

• Securing our building

 

2.1 Sensitive personal data

If required by law or when you participate in specific research projects, AAU will also record sensitive personal data about you. We will require your explicit consent to collect and process sensitive personal data, unless we are permitted by law to collect and process such data without your consent. We may collect and process the following sensitive personal data:

• Your health data
• Biometric data, such as DNA information
• Political affiliations and trade union membership

We collect and process personal data for various purposes. In general, we collect and process personal data within the following five areas of application:

3.1 Staff members

We use your personal data for recruitment purposes; during your recruitment process, during your employment and to a certain extent, we use your personal data after your employment has ended. In general, we process personal data for recruitment purposes to comply with certain legal requirements, such as transferring personal data to SKAT, the Danish Customs and Tax Administration, or for being able to pay your salary.

3.2 Students

We process your personal data if you are an AAU student. If you are an AAU student, we will process your personal data both before and after your enrolment at AAU. We do this to be able to enrol you as an AAU student and allow you to attend exams at AAU. In some cases, we will share your personal data with others, such as with the agency responsible for the Danish State Educational Grant and Loan Scheme; moreover, in being able to issue you a degree certificate, we will store some of your personal data for an extended period after you have graduated from AAU.

3.3 Research

In our capacity as a research institution, we collect and process a vast amount of personal data as part of our research projects. The nature of the personal data depends on the individual research themes for which they are used.

3.4 Administration and cooperation

We collect and process personal data for various administrative purposes, such as during conferences and other events organised by AAU and attended by both staff members and external participants. In general, we use these personal data to be able to provide participants with practical information, such as the time and place of a conference, or we use the information to be able to communicate with participants after the conference, such as when we forward slides used at a conference or when we charge participation fees.

3.5 Legal requirements and security reasons

We often need to process your personal data in complying with a wide range of legal requirements. Furthermore, we may process your personal data for security reasons, for example for the purpose of building security, when we need to protect the rights of others, etc.

In some cases, we may share your personal data with a third party outside the University; for instance, we may share your data with external data processors, collaboration partners or other authorities or public bodies.

As a rule, your personal data will not be disclosed to a third party without your knowledge unless the University is required to pass on this information to other public authorities. For example, we may share personal data with public authorities, such as SKAT, the Danish Customs and Tax Administration, the Police and supervisory authorities when the disclosure of such data is required by law.

Along with all other organisations that collect and process personal data, Aalborg University is required to provide information on when we collect and process personal data, both on our own initiative and when we are asked to do so.

In general, AAU collects and processes personal data on individuals who are or have been AAU students or staff members and on individuals who have participated in conferences or who have collaborated with AAU. Furthermore, AAU processes personal data in connection with research projects.

When we process your personal data, you have certain rights:

• Your personal data should be processed lawfully, fairly and in a transparent manner
• You must be informed of your personal data being processed (this privacy policy is an example of this)
• You must be able to gain access to the personal data processed by AAU
• You may request that we correct any inaccurate information about you
• Some situations permit you the right to require that we delete information about you
• You may require that we share your personal data with you or another organisation
• You have the right to object to us processing your personal data for direct marketing purposes
• You have the right to object to automated individual decision-making, including profiling
• You have the right to object to the continued processing of your personal data
• In certain circumstances, you have the right to temporarily restrict or discontinue the processing of your personal data

Please note, however, that these rights may be subject to exemptions or limitations, such as in relation to research and in the exercise of official authority.

Moreover, it is essential that you provide us with correct information and that you inform us whenever your personal data change.

5.1 The right to be informed

When AAU collects and uses the personal data of individuals, we are required to provide the following information to such individuals:

• AAU’s contact details and, where relevant, the contact details of AAU’s data protection officer
• AAU’s purposes for processing your personal data and the lawful basis for the processing
• The categories of personal data obtained and how they have been obtained
• The recipients or categories of recipients to whom the personal data have been or will be transferred, including recipients in third countries or international organisations
• The retention periods for the personal data
  The rights of data subjects
• The right to lodge a complaint with the Danish Data Protection Agency or another supervisory authority
• The existence of automated decision-making, including profiling
• Whether AAU plans to use personal data for a new purpose

This right to be informed applies regardless of whether AAU has collected the personal data directly from the data subject or obtained the personal data from a third party.

5.1.1 Exemptions

AAU is not required to comply with the obligation to inform data subjects where it is clear that the data subject is already familiar with the above information; similarly, the right to be informed does not apply in such cases when personal data must remain confidential or when the University has a statutory obligation to process personal data.

5.2 The right of access

The right of access provides individuals with the right to make a subject access request to obtain information on what happens to their personal data.

The right of access provides you with the right to obtain confirmation as to whether AAU processes personal data about you; if this is the case, you have the right to request access to your personal data and you have the right to request access to the following information:

• The purposes for which your personal data are processed
• The categories of personal data obtained and how they have been obtained
• The recipients or categories of recipients to whom the personal data have been or will be transferred, including recipients in third countries or international organisations
• The retention periods for the personal data
  The rights of data subjects
• The right to lodge a complaint with the Danish Data Protection Agency or another supervisory authority
• Where the personal data are not collected from the data subject, any available information as to their source;
• The existence of automated decision-making, including profiling

5.2.1 Deadlines

When you make a subject access request, AAU must respond as soon as possible and no later than a month after having received your request. This deadline will apply whether you request to receive general or more specific information about your personal data[LH1] . However, AAU may extend the time limit to respond to subject access requests if a request is particularly complex. If special circumstances apply, we may send a preliminary response to you, stating the reasons for the delay.

5.2.2 Submitting a subject access request

There are no specific requirements as to how you should submit a subject access request. You can request access via email, by post, over the telephone or by contacting us in person. However, we kindly ask you to follow the steps below as this makes it easier for us to respond to your request.

You are not required to state your reasons for requesting access.

• If you are making a subject access request for yourself, please use this subject access request form.
• If you are making a subject access request on behalf of someone else of which you have legal authority to act (e.g. power of attorney, parental authority or guardianship), please use the subject access request via a third party form.

Since the subject access request forms contain confidential information, we recommend that you send these to AAU using secure email via e-Boks or Digital Post (lifeindenmark.borger.dk), select ‘Aalborg Universitet’. Alternatively, you can send your subject access request form to AAU via email at anmodning@aau.dk.

5.2.3 Responding to subject access requests

Before responding to your subject access request, we must be able to verify your identity, and we will therefore forward the requested information to you via e-Boks/Digital Post. If you do not wish to receive the response via e-Boks/Digital Post, you must collect the information in person at the University; on collecting the response in person, you will need to present a valid photo ID. By only responding to your subject access request by way of the above methods, we ensure that such responses do not fall into the wrong hands.

Upon complying with your subject access request, AAU must always consider whether this may infringe the rights of other individuals or organisations. This may constitute an infringement of the rights and freedoms of other individuals or an infringement of trade secrets or intellectual property rights. In such cases, we will blur any information that may breach the rights of other data subjects before submitting the response to you.

When responding to subject access requests, AAU will forward the response form and a copy of the data held by AAU on the data subjects.

5.2.4 Refusal of subject access requests

In the event that AAU cannot comply with your subject access request, you will receive a refusal of your subject access request along with the reasons for refusal within one month.

Your subject access request may be refused if your right of access does not apply to how we process your personal data, if we are not processing your personal data or if we cannot verify your identity.

The right of access does not apply to personal data used as part of research projects. Therefore, if you have submitted your personal data to AAU via a research project, you do not have a right of access to such information.

5.3 Right to rectification

If the personal data that AAU is processing about you are inaccurate, you have the right to have your data rectified.

Similarly, you have the right to have incomplete personal data completed if the missing data are relevant to the purpose of the processing. 

AAU is obliged to rectify your personal data without undue delay.

If you would like to have your personal data rectified, please write to anmodning@aau.dk stating the data in question.

5.3.1 Exceptions

The right to rectification does not apply if your personal data are processed exclusively for scientific or statistical purposes.

5.3.2 Notification obligation

AAU is obliged to communicate any rectification of personal data to each recipient to whom the personal data have been disclosed,  unless this proves impossible or involves disproportionate effort.

Furthermore, AAU is obliged to inform you of these recipients upon request.

5.4 Right to erasure

According to the General Data Protection Regulation, AAU is obliged to erase personal data without undue delay where one of the following grounds applies:

1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
2. AAU is processing your data based on your consent and you withdraw your consent, and AAU has no other legal ground for the processing.
3. you object to the processing of your personal data.
4. your personal data have been unlawfully processed (i.e. without legal basis in the General Data Protection Regulation, Chapter II).
5. your personal data have to be erased for AAU to comply with a legal obligation.

If AAU has made your personal data public and is obliged to erase your personal data, cf. items 1-5, AAU is obliged to take reasonable steps to inform other data controllers processing your personal data that the data subject has requested erasure of personal data, including any links to, or copy or replication of, those personal data.

5.4.1 Exceptions

The right to erasure of personal data does not apply in the following cases:

1. if the processing is necessary for exercising the right of freedom of expression and information.
2. If the processing is necessary for compliance with a legal obligation to which AAU is subject.
3. if the processing is carried out in the public interest or in the exercise of official authority vested in AAU.
4. if the processing is necessary for reasons of public interest in the area of public health.
5. if the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
6. if the processing is necessary to establish, exercise or defend a legal claim.

Since AAU is both a university and a public authority, the above stated exceptions to the right to erasure mean that, in most cases, you will not be able to have your personal data erased. This is due to the fact that public authorities must always be able to demonstrate the basis on which a decision is based. However, if you learn that AAU is processing incorrect or incomplete data about you, you have a right to rectification, cf. section 5.3. 

5.4.2 Notification obligation

AAU is obliged to communicate any erasure of personal data to each recipient to whom the personal data have been disclosed,  unless this proves impossible or involves disproportionate effort.

Furthermore, AAU is obliged to inform you of these recipients upon request.

5.5 Right to restriction of processing

In some cases, you have the right to restrict the processing of your personal data. Restriction of processing means that the stored personal data are labelled for the purpose of restricting the future processing of that data. During the period of restriction, AAU may only store the personal data. Thus, the data may not be accessed, used or disclosed. 

You have the right to obtain restriction of processing where one of the following applies:

1. you contest the accuracy of the personal data. AAU will restrict the processing while verifying the accuracy of the personal data.
2. the processing is unlawful, but you oppose the erasure of your personal data and instead request the restriction of their use.
3. AAU no longer needs to process the personal data, but they are required to establish, exercise or defend a legal claim.
4. you have objected to the processing of your personal data. AAU will restrict the processing while verifying whether AAU’s legitimate grounds override yours.

5.5.1 Exceptions

Even if the processing of your personal data have been restricted, AAU may nevertheless process your data in the following cases:

1. if you have given your consent to the processing.
2. if the processing is carried out to establish, exercise or defend a legal claim.
3. if the processing is carried out to protect a person or a company.
4. if the processing is carried out for reasons of public interest.

Furthermore, the right to restriction does not apply if your personal data are processed exclusively for scientific or statistical purposes.

If you have obtained restriction of processing, AAU must notify you before the restriction is lifted.

5.5.2 Notification obligation

AAU is obliged to communicate any restriction of the processing of your personal data to each recipient to whom the personal data have been disclosed,  unless this proves impossible or involves disproportionate effort.

Furthermore, AAU is obliged to inform you of these recipients upon request.

Aalborg University treats all personal data as confidential. All personal data are processed and stored in the University’s own case administration systems. When the University no longer uses the data for the purposes for which they were collected, the data will be erased or archived in Aalborg University’s filing system. However, the University may need to comply with other legislation which may require us to store personal data for shorter or longer periods.

We value security and have introduced a number of security measures that help us protect both your personal data and our business. In this respect, we have increased security through the introduction of various strategies, controls, policies and technical measures. We protect your personal data through the application of encryption methods and other security measures, such as firewalls and password protection. We continuously seek to increase security and ensure that our staff members are well equipped for the ever-changing technical opportunities.

7.1 Data protection officer

If you have any questions on how we collect and process your personal data, you may contact Aalborg University’s data protection officer at dpo@aau.dk.

7.2 Submitting a complaint to the Danish Data Protection Agency

You can find more information on your rights in the General Data Protection Regulation, chapter 3.

Data subjects have the right to submit a complaint about how their personal data is processed to the Danish Data Protection Agency at dt@datatilsynet.dk or by post to Datatilsynet/the Danish Data Protection Agency, Borgergade 28, 5., 1300 Copenhagen K.

However, before contacting the Danish Data Protection Agency, we recommend that you contact Aalborg University’s data protection officer who may be able to solve the matter.

A cookie is a small data file that is stored on your computer, tablet or mobile phone. A cookie is not a programme that can contain malicious programmes or viruses.

Website use of cookies

Cookies may be necessary to make the website work. Cookies also help us get an overview of your visit to the website so that we can continuously optimise and target the website to your needs and interests. Cookies remember, for example, what you have added to a shopping cart, whether you have previously visited the site, whether you are logged in and what language and currency you would like to see on the website. We also use cookies to target our ads to you on other websites. Overall, we use cookies as part of our service to display content that is as relevant as possible to you.

How long are cookies stored?

How long a particular cookie is stored on your devices and browsers varies. The lifetime of a cookie is calculated based on your last visit to the website. When the lifetime of the cookie expires, it is automatically deleted. See the expiration time for each cookie in the complete list of cookies below.

We use cookies in the following categories: necessary, functional, statistical and marketing. See details below.

Necessary cookies

Necessary cookies help make a website usable by enabling basic features such as page navigation and access to secure areas of the website. The website cannot function optimally without these cookies.

Functional cookies

We collect information about your preferred settings and choices on the website. We do this in order to show you the version of the website that suits your preferences. The information is used to determine which region and language you prefer for displaying videos and other visual elements on the website.

Statistical cookies

We collect information about how you interact with the website, including how often you visit the site and what pages you look at. We do this in order to optimise design and ease of use and to improve the efficiency of the website. In addition, we use the information to provide you with personalised content and prepare market analyses. For this we use our own cookies as well as Google Analytics. We have no interest in how you specifically use our web pages; we are only interested in overall behaviour patterns such as how many people visit a given page during a given period of time, where traffic comes from, what type of device is used, etc.

Marketing cookies

We collect information about your interests, including which pages and ads you click on, which products or services you show interest in or register for on this and other websites. We do this to show you ads that are relevant to you and your interests. In order to show you targeted ads on this and other websites, such as Facebook, Linkedin and Adwords, we work with other companies sharing information with them. We also use third-party services from e.g. Google. In this context, third parties receive information about your browser, IP address and the pages you visit on aau.dk. If you are logged into Google at the same time as your visit, this data can be linked to your profile on this service. This is beyond AAU's control and is therefore solely a relationship between you and third parties.

On some pages, such as news pages, Aalborg University allows you to share content on social media platforms like Facebook, Twitter, Instagram and LinkedIn. In addition, Aalborg University shares social media feeds on our website. Finally, there may be a few aau.dk pages with posts integrated with social media, which means that social media platforms, via Aalborg University's website, put their own cookies on your device in order to be able to target and personalise ads for you. In this context, you should be aware that this cookie policy does not cover the use of cookies by social media, and you should therefore instead orient yourself in the cookie or privacy policies of the individual social media platform.  

Unclassified cookies

Unclassified cookies are cookies that we are in the process of classifying in conjunction with the providers of the individual cookies.

See complete list of cookies below.

You can always reject cookies completely by changing the settings in your browser on your computer, tablet or phone. However, you should be aware that if you reject all cookies, there will be features and services on the website that you cannot use as these are dependent on cookies.

You can opt out of cookies from Google Analytics here.

How to delete cookies

Cookies you have previously accepted can easily be deleted. How you delete these cookies depends on the browser you are using (Chrome, Firefox, Safari, etc.) and which device (mobile, tablet, PC, mac).
Cookies can be deleted typically under Settings - Security and Privacy, but this can vary from browser to browser. Click on the appropriate link for the device/browser you use:

• Internet Explorer
• Microsoft Edge
• Mozilla Firefox
• Google Chrome
• Opera
• Safari
• Flash cookies
• Apple
• Android
• Windows 7

Remember: If you use multiple browsers, delete cookies in all of them.

Changing your consent

You can change your consent in a particular browser either by deleting cookies from the specific browser or by changing your original selection by clicking inside the cookies pop-up message.

When you visit aau.dk, AAU processes the following categories of personal data:

• Name, address, email
• IP addresses

Purposes of processing personal data

When you visit aau.dk, AAU processes personal data about you for the following purposes:

• To ensure that you view the website correctly
• ​To optimise and improve the website based on your behaviour on the website
• To ensure that, if you have consented to receive newsletters or information material, you receive the newsletters and information material that you have consented to.
• To customise ads on Aalborg University's website and on Aalborg University partners’ websites so that ads are tailored to you and your interests.

Basis for processing of personal data

We process the personal data collected on aau.dk based on your consent, which you can withdraw at any time. See more on this under the "Your rights" section of the privacy policy above.

Storage of personal data

Information collected on the basis of your consent will be stored until you withdraw your consent. Information collected and related solely to viewing aau.dk will be deleted when you leave the website.

Questions

If you have questions about the processing of your personal data or your rights under the General Data Protection Regulation, please contact dpo@aau.dk.