If you bring in someone who will be processing personal data for you, this person is not allowed to use this information for his or her own purposes. You need to formalise this in a data processing agreement. This agreement establishes that the new person may not use the personal data for his or her own purposes and that this person must immediately report any data breach.
The UT has already established a data processing agreement for standard applications that process personal data. If you are bringing in a new person, or if you’re not sure if someone has already signed a data processing agreement, contact the Privacy Contact Person of BMS or the Data Protection Officers team.
What should be included in a Data Processing Agreement?
At the UT we use a standard template by SURF for th data processing agreement, which you can request from your Privacy Contact Person. You should include the following items in this agreement:
- The topic and the duration of the data processing.
- The nature and the objective of the data processing.
- The type of personal data.
- The categories of those involved.
- The rights and obligations of the person responsible for processing the data.