
Overview of Privacy Agreements under the GDPR

In the context of the General Data Protection Regulation (GDPR), organizations are obliged to handle personal data carefully and transparently. When multiple parties are involved in the processing of personal data, it is necessary to record clear agreements in formal agreements. These agreements not only ensure compliance with the GDPR, but also clarify the responsibilities and liabilities of the parties involved.

There are different types of privacy-related agreements, depending on the role a party plays in the processing. The three most common are:

  • the Data Processing Agreement (DPA);
  • the Joint Controller Agreement;
  • the Data Transfer Agreement (DTA)/Data Sharing Agreement (DSA).

Although these agreements are often mentioned in the same breath, each has its own purpose and legal significance. This page gives an overview of the characteristics of each agreement, explains the differences between them and shows how they relate to each other.

Data Processing Agreement

A Data Processing Agreement (DPA) is an agreement that is concluded between a controller and a processor. The controller determines the purpose and means of the processing of personal data, while the processor carries out this processing exclusively on behalf of the controller.

The legal basis for the data processing agreement is laid down in Article 28 of the General Data Protection Regulation (GDPR). This stipulates that the controller may only use processors who provide sufficient guarantees that they implement appropriate technical and organisational measures to comply with the requirements of the GDPR and ensure the protection of the rights of data subjects.

Purpose and importance of the Data Processing Agreement

The primary purpose of the Data Processing Agreement is to establish clear and enforceable agreements about the way in which personal data is processed. This not only ensures compliance with the GDPR, but also reduces the risk of misuse or careless handling of data.

The agreement also ensures that personal data is treated securely and confidentially, and that the rights of data subjects, such as the right of access or deletion, can be exercised. For both the controller and the processor, the DPA provides clarity about their roles and responsibilities. This prevents ambiguity or liability discussions in the event of incidents, such as a data breach or a dispute about the processing of data.

Examples of processors

Here are some examples of processors that the UT uses:

  • IT and cloud providers, such as Microsoft (Office 365, Teams, OneDrive);
  • Student administration and learning environments, such as Canvas, Osiris and Studielink;
  • Research and data analysis services, for example SPSS, Crowdtech and Matchworks.

In addition, there are also situations in which the UT is a processor of personal data for another party. Examples include:

  • Hosting external databases or systems, for example data storage on Unishare;
  • Research projects commissioned by an external party, for example survey research on behalf of a municipality;
  • Data processing for sponsored projects, for example when a hospital provides a dataset to the university and asks the university to produce analyses or reports.

Joint Controller Agreement

When two or more organisations jointly determine the purpose and manner in which personal data are processed, they are joint controllers (Article 26 GDPR). An agreement sets out how responsibilities are divided, for example with regard to the provision of information to data subjects, the handling of requests or the reporting of data breaches.

Even though the parties make mutual arrangements, they remain jointly liable towards the data subjects. The agreement is mainly intended to make the cooperation transparent and workable.

Purpose and importance of the Joint Controller Agreement

An agreement between joint controllers is drawn up when two or more parties jointly determine the purposes and means of the processing of personal data. The purpose of this agreement is:

  • Creating transparency about the division of responsibilities and obligations between the parties involved.
  • Determining who performs which tasks with regard to compliance with the GDPR (e.g. providing information to data subjects, handling access requests or reporting data breaches).
  • Preventing ambiguity, so that it is clear who is the point of contact for data subjects and supervisory authorities.

The importance of an agreement between joint controllers is that it ensures transparency and legal certainty when several parties process personal data together. This makes it clear to data subjects who they can turn to with questions or requests, which better safeguards their rights.

In addition, the agreement makes it possible to divide responsibilities and risks between the parties. This prevents misunderstandings and provides guidance in the event of incidents, such as data breaches or complaints. In this way, the agreement supports both GDPR compliance and effective and careful cooperation between the parties involved.

Examples of joint controllers

Here are some examples where the UT is jointly responsible for the processing of personal data:

  • Medical research with a hospital: both parties jointly determine which personal data of patients is collected, how it is analysed and for what purpose the results are used. They are jointly responsible for the processing and stipulate in the agreement who informs participants and who is the point of contact for access requests.
  • Joint alumni platform of universities: three universities jointly manage an alumni platform. The parties jointly decide which personal data is processed and how it is used, for example for networking or events. The agreement regulates who is responsible for security, communication with alumni and the handling of access and erasure requests.
  • International research consortium: several universities from several countries work together on a large research project. Together, they decide on the processing of the personal data of the data subjects. The agreement regulates who is responsible for data security, who processes which data and which party is the central point of contact for questions and complaints from data subjects.

Data Transfer/Sharing Agreement

The purpose of a Data Transfer/Sharing Agreement is to formalize agreements on the transfer and processing of personal data between two parties, so that it is secure, transparent and in accordance with the GDPR.

The importance of a Data Transfer/Sharing Agreement lies in several aspects, such as:

  • Protection of the rights of data subjects: they can rely on their personal data being handled with care.
  • Legal clarity and division of responsibility: the DTA/DSA defines the roles of the parties and which tasks and responsibilities lie with the receiving party.
  • Compliance and transparency: a DTA/DSA helps to structure and document the cooperation between parties, so that both parties can demonstrate that they meet their obligations under the GDPR.

In short, a DTA/DSA provides a clear legal basis for cooperation and ensures that personal data is adequately protected during transfer and processing.

Examples of when a DTA/DSA can be used

Here are some examples where a DTA/DSA can be concluded between the UT and another party:

  • Scientific research: a hospital shares medical data for scientific research.
  • Student exchange and alumni data: in an international student exchange, personal data of exchange students is shared with partner institutions.
  • Analysis and reporting by external consultants: an external agency sends a survey to students and the data received is used to analyse and report on student satisfaction.

Schematic representation

To give an overview of the various privacy agreements and their scope at a glance, the schematic representation below has been drawn up. It indicates when a Data Processing Agreement (DPA), Joint Controller Agreement or Data Transfer Agreement (DTA)/Data Sharing Agreement (DSA) is required, and which agreement can be used in which situation.

* Check whether the processing of personal data is explicitly defined in the contract concluded with the software supplier.

Need an agreement? Get in touch

Do you need an agreement?
Please contact the privacy contact person within your department or faculty. You can find them here.

They will be happy to help you with the appropriate template and can support you in completing it. They can also advise on the further process and the final signing of the agreement.