In the Danish Act on Processing of Personal Data there are a number of different conditions legitimatizing the processing of personal data, treated as open alternatives. Thus, the data controller is not required to obtain consent of the data subject if one of the other conditions applies, even though getting consent would be practical and not inappropriate. The conditions regarding the processing of sensitive data and strictly private data are more severe than those applying to other data. Non-sensitive data may for instance be processed if this is necessary for the performance of a task carried out in the public interest (cf. Section 6.1.5). According to Section 10.1, sensitive and strictly private personal data may be processed for the sole purpose of carrying out statistical or scientific studies of significant social importance and where such processing is necessary in order to carry out these studies. Thus, the conditions are stricter than those applying to non-sensitive data.
The Act thus provides an opportunity for the processing of personal data for research purposes without the prior consent of the data subject. Hartlev (2004) consequently states that, in relation to research data, the subject’s powers to control the use of personal data are limited. Furthermore, the use of personal data for research purposes may not be obvious to the data subject as they are not always informed about the possible use of data. If the demand for data appears after the collection, data may be passed on to other researchers (third parties) without the knowledge of the data subjects. The third party’s duty to inform the data subject may be exempted in this situation, and furthermore, the data subject’s right to access may also be set aside according to the Act on Processing of Personal Data. At first glance, this legal situation is not ideal from a data protection point of view. Hartlev, however, remarks that one must consider the legal safeguards provided by the Act in connection with the use of data for research purposes. These safeguards protect the data subject’s privacy towards the general public as results from the research project may only be published in an anonymous form. Furthermore, the data may not be used for other purposes than research and may not be handed over to third parties (other researchers) without the prior authorization of the Supervisory Authority (cf. Section 10.2 and 10.3). It is also important to notice that the Act on Processing of Personal Data should be seen in context with other rules and regulations in the research field. The Act of a Scientific Ethical Committee System will, for instance, require the consent of the data subject when he or she is directly involved as a research subject.
The Data Protection Authority recommends that consent is given in writing, as a means of quality assurance. However, the Act on Processing of Personal Data does not specify any requirement that consent must be in writing to be valid.
Act on Processing of Personal Data, 2000. The Act on Processing of Personal Data No. 429 of 31 May 2000 [pdf] Available at: <http://www.coe.int/t/dghl/standardsetting/dataprotection/national%20laws.... [Accessed 25. February 2014].
Act on Research Ethics Review of Health Research Projects, 2011. DNVK [online] Available at: <http://dnvk.dk/English/actonabiomedicalresearch.aspx>. [Accessed 25. February 2014].
Hartlev, M.,2004. The Implementation of Data Protection Directive 95/46/EC in Denmark. In: D. Beyleveld et.al. Ed. 2004. Implementation of the Data Protection Directive in Relation to Medical Research in Europe. Ashgate.
The Danish Data Protection Agency [online]. Available at: <http://www.datatilsynet.dk/english/>. [Accessed 25. February 2014].