A Guide to Working with Integrity as a CBS Student: Personal Data & GDPR

Personal Data

Personal data is any kind of information that can be used to identify a specific person or indirectly identify the person if the information is combined with other information.

The processing of personal data is regulated by the General Data Protection Regulation (“GDPR”). If you gain access to or collect personal data in connection with your Master’s Thesis or an assignment, you are responsible for taking care of the data and must not do anything that could harm the data subject.

Personal data includes:

  • Name, e-mail, username on social media etc. (general personal data)
  • Education, income, position, employer etc. (general personal data)
  • Details of racial or ethnic origin, political beliefs, religious or philosophical beliefs, trade union affiliation, genetic data, health details and sexual orientation (sensitive personal data)

You may gain access to personal data from:

  • Public or private registries, e.g. RKI (Danish credit reporting bureau), donor registries, etc.
  • Interviews
  • Questionnaires
  • Other means of collecting information about people

Categories of Personal Data

General personal data:

Personal data that does not fall under the category of “sensitive personal data” can be referred to as “general personal data”.

General personal data may include personal identification details such as:

  • Name, address and date of birth
  • Information regarding personal finances, tax-related matters, debts, significant social problems, other purely private matters, sick days, work-related circumstances, family circumstances, residence, car, qualifications, applications, CV, date of employment, position of employment and work phone.

 

Sensitive personal data:

Sensitive personal data is explicitly defined in the GDPR, and the access to process such data is narrower than for non-sensitive personal data. Sensitive personal data must be communicated via secure e-mail, and valid consent must be obtained before sensitive personal data is processed.

The following information is sensitive personal data:

  • Details of racial or ethnic origin
  • Political beliefs
  • Religious or philosophical beliefs
  • Trade union affiliation
  • Genetic data
  • The processing of biometric data for the purpose of uniquely identifying a natural person
  • Health details
  • Sexual orientation

 

Confidential information:

Confidential information is not a category explicitly mentioned in the GDPR. This information is regulated by other laws but may be of importance in the way the GDPR is applied. Whether a piece of information can be considered confidential depends on an assessment of whether, in the general view of society, it should be kept secret from the public. Non-sensitive personal information may be confidential in some situations, but confidential information will not always be sensitive. However, sensitive personal data will always be confidential.

Confidential information may be information regarding:

  • National identification number (e.g. CPR-no.)
  • Personality test
  • Divorce
  • Adoption conditions
  • Alcohol and drug testing
  • Registration of cheating for exams
  • Logging of internet usage
  • Grades
  • Significant social problems and family circumstances
  • Reason for expulsion
  • Disciplinary cases
  • Minutes of personal conversations if they contain confidential information
  • Secret address

How to Comply

If you collect personal data from e.g. test subjects or via a questionnaire to be used in your thesis or another assignment, you are responsible for the collected data, which means that you are responsible for:

  • obtaining consent from the participants (the data subjects)
  • complying with the rights of the data subjects
  • storing the collected data safely
  • describing the purpose of the data collection in a record
     

Obtaining consent from the participants

If you collect data on other people, you need their written consent to use and possibly disclose the information you receive. To obtain written consent, you must ask everyone involved to sign a consent form. A signed consent form ensures that the persons involved are informed of your use of the personal data and that they agree to have their data used for your specific purpose. You may not collect, process or disclose personal data until you have a signed consent form from the involved participants and you must submit a copy of the consent form to every participant who has signed it. You will find a downloadable consent form on my.cbs.dk.

 

Complying with the rights of the data subjects

The data subjects have rights in relation to the processing of their data. The most important rights of the data subjects are:

  • The right of access: the data subject has the right to view the personal data you process and to obtain information about the processing
  • The right to rectification: the data subject has the right to get incorrect personal data about him/her corrected
  • The right to be forgotten: the data subject is entitled to withdraw his/her consent at any time
  • Everyone from whom you collect data has the right to withdraw their consent, which means that you are not allowed to continue with the processing of their data.

 

Storing the collected data safely

Once you have collected data and filled in the relevant forms, you must keep this information in a safe and secure manner. This can be done by, for example, using Microsoft OneDrive, which is available to all students at CBS. You must ensure that the equipment used to collect data is password-protected to prevent access by unauthorized persons. You must also ensure that data is not accidentally or unlawfully destroyed, lost or impaired. You must always delete personal data when it is no longer relevant for your assignment. In practice, this means that you must delete the personal data when your assignment has been assessed and the deadline for complaints has expired.

 

Describing the purpose of the data collection in a record

As data controller, you have the obligation to describe the nature and purpose of the personal data that you collect. This must be stated in a document called a “record of processing activities”. Once you have created the record, it must be stored electronically in OneDrive. You may need it in case the Danish Data Protection Agency inspects CBS to check whether we comply with the GDPR.

GDPR Violations

Because they can have severe negative repercussions for the data subjects involved and others, violations of the GDPR may come with various sanctions, both financial and, in very grave cases, custodial. If you experience a data breach, you must - without undue delay and no later than 72 hours after becoming aware of it - report the breach to the Danish Data Protection Agency, followed by a notification to the CBS data protection officer.

Apart from the costs incurred by the person violating the personal data protection regulations and the adverse consequences for data subjects, breaches may also in some cases lead to third-party litigation from individuals or groups seeking damages.

For all of these reasons, and to protect the reputation of CBS as a trusted partner whose students may be entrusted with sensitive data for their academic work, it is absolutely essential to heed the regulations meticulously and to be mindful of the adverse consequences to real people in the case of breaches.

A Quick Example

You are working on your master’s thesis with two other students. The topic is Copenhagen Pride and you need to collect data from a large group of people in the LGBTQ community about their lives and their sexual orientation via individual interviews. You decide to record the interviews on your smartphone and plan on sharing the interviews with your collaborators so each of you will have easy access when needed. After completing your last interview, you head back to campus on the Metro to meet up with your group. However, as you get off the Metro, you realize that you have lost your smartphone and with it all of your data ...

 

This example raises a number of attention points and problems pertaining to the handling of personal data:

  • When you are writing a thesis or an assignment with other students, all of you are equally responsible for the personal data that you collect, analyse and store.
  • When you collect data via interviews, you need to obtain consent from the person you are interviewing and this should be done prior to the interview.
  • The information being collected in this example is about sexual orientation, which in a GDPR context is categorized as sensitive personal data. When working with sensitive personal data you need to be extra aware of how to comply with the GDPR, including how to safely store the collected data.
  • If your data is lost, you must report the breach to both the Danish Data Protection Agency and the CBS data protection officer as soon as possible and no later than 72 hours after becoming aware of the breach.

 

Section Author

Jade Yang Faurschou - legal@cbs.dk

Group Projects

If you collaborate with one or more other students on your thesis or other assignment and you collect and process personal data, you are required to conclude an agreement on joint data responsibility. The agreement on joint data responsibility means that all group members will be responsible for the personal data collected in connection with the assignment / thesis. The agreement is available for download along with a lot of other information on my.cbs.dk.

CBS Library, Solbjerg Plads 3, DK-2000 Frederiksberg, Denmark