Data Processing Agreement

If you bring in someone (e.g. external research partners, app-developer) who will be processing personal data*(see note below) for you, this person is not allowed to use this information for his or her own purposes. You need to formalize this in a data processing agreement (in Dutch: Verwerkersovereenkomst). This agreement establishes that the new person may not use the personal data for his or her own purposes and that this person must immediately report any data breach.

The UT has already established a data processing agreement for standard applications that process personal data. If you are bringing in a new person, or if you’re not sure if someone has already signed a data processing agreement, contact the Privacy Contact Person of BMS or the Data Protection Officers team.  

What should be included in a Data Processing Agreement?

At the UT we use a standard template by SURF for th data processing agreement, which you can request from your Privacy Contact Person. You should include the following items in this agreement:

*NOTE: Definitions under the GDPR
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- 'processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;