The definition of biometric data in GDPR art. 4, section 14:
“‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data”.
Biometric data is considered sensitive data. For example, photographs should only be considered biometric data if they are processed through specific technical means allowing the unique identification or authentication of a natural person.
It has to be considered what the exact content of the video or voice recording is. Is it a portrait (a clear close-up of a person)? What kind of information are they disclosing as they speak?
E.g., if a person shares their health information, that is considered sensitive personal data, but if a person talks about his or her personal interests, that would be considered non-sensitive data.
Anonymous data
It is important to consider whether you can use the data to identify a subject, either directly or indirectly. To determine whether a person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person, to identify the person directly or indirectly.
Pseudonymized data
When you process personal data in such a manner that it can no longer be attributed to a specific data subject without the use of additional information, the data is pseudonymized. In other words, if the personal data is only indirectly identifiable and there is a key that makes it directly identifiable, then the data would be considered pseudonymized data.
Aggregated data
Information on multiple individuals in groups that has been collected and combined without directly focusing on the individual is considered aggregated data. Aggregated data can be anonymous. Whether the information is anonymous or not depends on whether the sum of the information collected can be used to identify a person. Whether the aggregated data is covered by the data protection rules depends on a concrete assessment.
It depends on the project. You collect and process personal data for a purpose. When that purpose is fulfilled, you no longer need the data, and it should be deleted or anonymised. If data is collected based on consent, the purpose is given in the consent form signed by the participants, and the consent states when the data will be deleted or anonymised.
You also need to be aware that there can be additional requirements for storing data in special legislation or in a contract for transferring data. For example, “Lov om videnskabelig uredelighed” and guidelines by Aarhus University require researchers to store their data for five years after publication of results. Participants should be notified of this in the consent form.
In general, students are not employees at Aarhus University, but if a student is hired to work on a project as a research assistant, they become an employee and are subject to and covered by the same rules and requirements as other employees at AU.
If a student wants to collect personal data for their final thesis or another purpose of their own, they become the data controller themselves. If a supervising researcher at AU wants to disclose personal data to students who need it for their final thesis, it is necessary to contact TTO, who might be able to help you with a solution.
If a student is going to process data on behalf of a researcher, a data processing agreement is needed, and you should contact TTO for a modified version of a data processing agreement.