Geo data – support for researchers

8. Description of Measures to Ensure Compliance by Processors and/or Joint Controllers

The aim of this section is to describe how you will ensure that working with parties from outside the UU, such as external collaborators and/or service providers, still complies with data protection regulations. Which type of agreement is needed depends on the role the external party plays in the processing: joint controller, independent controller or processor.

In general terms, if your project involves working closely with external researchers or other external collaborators who help decide what personal data is processed, how and why, these individuals/organisations would be deemed ‘joint controllers’, and a joint controllers agreement would likely be needed.

If you are planning to share collected/processed personal data with parties that are not part of the UU, either during or after the project, and the data recipients will have no influence on why and/or how your project is conducted – in other words, apart from the shared data, these recipients are fully independent of the UU project – then these recipients are deemed ‘independent controllers’. A data sharing agreement will likely be needed, which conveys and enforces the GDPR obligations that the data recipients inherit upon receipt of the data.

If you are planning to use external service providers, engage external collaborators and/or use a product from an external company that is not listed on the tools.uu.nl page, and they will use/process personal data on your behalf – meaning they will not use the data for their own purposes – then these parties are considered ‘processors’. Engaging processors will very likely require negotiating a (UU-formatted) Data Processing Agreement (DPA).

As previously mentioned, if a project partner exercises partial or overall control over the purposes and means of the processing of personal data – in other words, it influences the decision of what data to process, how to process it and why it is processed – and that partner is external to the UU, then that partner is considered a joint controller.

Joint controllers share responsibility for the privacy and security of personal data, but joint responsibility does not necessarily imply equal responsibility. In practice, project partners may be involved at different stages of the processing of personal data and to different degrees.

Because joint controllers are often not equally involved in the project, they must arrange between themselves who takes primary responsibility for complying with GDPR obligations, in particular transparency obligations (who will primarily inform data subjects) and individuals’ rights (who will be responsible for engaging with data subjects to respond to their data rights requests). In addition, the distribution of responsibilities should cover which lawful basis for processing is being applied (see the previous point 7), which security measures the partners will adopt, how they will deal with data breach notification obligations, how they will deal with their privacy scans / data protection impact assessments, and how they will deal with processors, third country transfers and contacts with data subjects and supervisory authorities.

To facilitate this process, we have assembled a Geo faculty joint controllers template agreement, which controllers can use as a starting point for drafting an agreement and which should be further modified until it suits the specific needs of the project. It is not necessary to draft a separate document: the articles listed in the joint controllers template agreement can also be implemented within other documentation, such as a consortium agreement or a service agreement, or as an appendix to another document.

If, as mentioned before, each controller independently decides the purposes and means of its own processing, then they are considered independent controllers. Independent controllers must comply with essentially the same GDPR obligations listed above, but they make those arrangements independently of each other. Nevertheless, it is necessary to ensure that data protection obligations travel alongside the shared data, so that data recipients are clearly made aware of their GDPR obligations towards it. A data sharing (transfer) agreement is a suitable instrument for ensuring that data recipients (independent controllers) remain independently responsible for their own compliance with the GDPR. We have also assembled a template that can be modified to suit the specific context of the transfer.

A processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Two basic conditions for qualifying as a processor exist: it must be a separate entity in relation to the controller (so it is not part of, or under the direct supervision/control of, the UU) and it must only process personal data on the controller’s behalf and according to the controller’s instructions. The controller’s instructions may still leave a certain degree of discretion about how best to serve the controller’s interests, for example allowing the processor to choose the most suitable technical and organisational means to comply with those instructions. A processor infringes the GDPR, however, if it goes beyond the controller’s instructions and starts to determine its own purposes and means of processing. The processor will then be considered a controller in respect of that processing and may be subject to sanctions for going beyond the controller’s instructions.

Except in some situations such as contracted research services, where the contracting organisation decides the what, how and why of the research, external researchers are unlikely to be considered data processors.

Any processing of personal data by a processor must be governed by a UU-formatted Data Processing Agreement (DPA). DPAs are concluded separately from any (service) agreement with the processor. You should contact the privacy manager and/or Legal Affairs to assist you with drafting a DPA. The UU has a standard DPA template; it is rigid and can only be deviated from in special circumstances. If you or the processor still want to deviate from the template, this should be done in consultation with Legal Affairs and the Data Protection Officer.
