Privacy concerns information about people. This includes any information that can be traced directly or indirectly to a natural person, for example a person’s name, identification number, phone number, location data (also digital), assessments, ethnicity, religion, health and biometric data. When you collect or use personally identifiable data of persons (e.g., respondents, informants, test subjects, interviewees) who participate in your research, you have to comply with the GDPR privacy law. If possible, process the data of the persons in your research anonymously right from the start or as soon as possible, anonymous data does not fall under the GDPR law. You can also work with pseudonymization (make use of coding), in that case, make sure you keep the key secure, as this data falls under GDPR regulations. More information on this can be found on the UT privacy website.
Do you engage a (new) party that processes personal data for you, you may need a processor agreement in case the research data is identifiable to individual persons. Please contact the PCP (Privacy Contact Person) of ET to sort out if a processor agreement is necesarry: Maria Kamp.
If you bring in someone who will be processing personal data for you, this person is not allowed to use this information for his or her own purposes. You need to formalize this in a data processor agreement. This agreement establishes that the new person may not use the personal data for his or her own purposes and that this person must immediately report any data breach.
The UT has already established a data processor agreement for standard applications that process personal data. If you are bringing in a new person, or if you’re not sure if someone has already signed a data processing agreement, contact the Privacy Contact Person of ET or the Data Protection Officers team.
WHAT SHOULD BE INCLUDED IN A DATA PROCESSOR AGREEMENT?
At the UT we use a standard template by SURF for the data processor agreement, which you can request from your Privacy Contact Person. You should include the following items in this agreement:
- The topic and the duration of the data processing.
- The nature and the objective of the data processing.
- The type of personal data.
- The categories of those involved.
- The rights and obligations of the person responsible for processing the data.
PROCEDURE PROCESSOR AGREEMENT FACULTY OF ENGINEERING TECHNOLOGY
- Please contact the PCP of ET if a processor agreement is necessary
- The PCP will send the template by SURF to the researcher
- The researcher fills out the form and returns it to the PCP
- The researcher receives a copy of the signed processor agreement from the PCP
Reporting data processing
All data registrations of personal information must be recorded across the University of Twente (see FAQ). These registrations (systems, forms) are referred to as ‘processing’. The responsible owner of the registration must report the processing to the DPO team. Processing in the course of scientific research also falls under this obligation. In that case, the research scientist is the processing owner.
The Privacy Contact Person (PCP) of the faculty ET can assist with processing registration. A registration tool is available to make it easier for the custodian to comply with the statutory requirements set for this purpose.
For more information check the GDPR registration tool.