
Processing agreement

What if I want to make use of an external party for my classes, research, or business? The GDPR obliges us to make proper arrangements with third parties regarding the care of processing personal data and the determination of responsibilities.

Arrangements should be legally recorded, normally through an agreement. The type of agreement depends on the nature of the assignment or collaboration. Specifically for research, various models are available: assignment agreement, sponsorship agreement, collaboration agreement and consortium agreement.

See the research agreements page for more information.

Additional agreement

In addition to a main agreement, in certain cases it is also required to draw up an additional agreement, such as a processing agreement, joint controller agreement or data exchange agreement.

To help you enter into these agreements, several models and a procedure have been created. See the models and procedure on the procedures and modules page. In addition, you will find a brief explanation of the most important topics and questions in the drop-down boxes below.

What is a controller, a processor, and a sub-processor?

Controller

A data controller determines the purpose and means of processing personal data. Tilburg University will be responsible for most processing of personal data.

Processor

A processor processes personal data on behalf of the data controller. If an external organization itself determines the purpose(s) of the processing, the external party itself is responsible for the processing.

Sub-processor

If a processor enlists a third party, then this third party is a sub-processor.

Example

Tilburg University has outsourced the payroll administration to external organization B. This external organization makes use of its own software, but this is hosted by provider C. In this example Tilburg University is the controller, organization B is the processor, and provider C is the sub-processor.

In what cases is Tilburg University a controller?

Tilburg University is a controller when it:

  • has control over the processing, and the processor must follow the university's instructions;
  • determines the purposes;
  • has commissioned a third party to process personal data.

The processor can never make choices regarding the type or amount of personal data processed for Tilburg University. The processor is an independent third party that only processes personal data for the controller's purposes.

When do you need a processing agreement?

If Tilburg University engages other parties to process personal data, the university will have to enter into a processing agreement with these organizations. This is a legal requirement resulting from the GDPR. With a processing agreement, the University rules out the other party processing the personal data for its own purposes. The University only engages processors that offer sufficient guarantees that they meet the legal requirements. In the agreement you lay down, among other things, the following:

  • The subject and duration of data processing.
  • The nature and purpose of the data processing.
  • The type of personal data.
  • The categories of data subjects.
  • The rights and obligations of the data controller.

The data representative can help determine whether a processing agreement is needed. If Tilburg University processes personal data for itself within the organization, no processing agreement is needed.

When is a joint controller agreement necessary?

When two or more parties are jointly responsible for the processing of personal data (and thus jointly determine the purpose and means of processing), you are required to legally record certain agreements about it. This can possibly be done in a main agreement, but sometimes it is easier to record it separately in a joint data controller agreement. Again, the data representative can help determine what is required.

What to do when entering into a 'privacy' agreement?

There is a procedure for entering into a processing agreement that explains the different steps you need to take to conclude a sound 'privacy' agreement.

The advice is always to use the Tilburg University model agreement because:

  • it is based on the SURF model;
  • it has been tested by our specialists;
  • this enables us to guarantee that the agreement meets GDPR obligations.

Especially if Tilburg University is the controller, you can insist that this model agreement is used if processors want to use their own model.

However, some parties (especially large ones) may make their own processing agreement mandatory or want to change certain clauses in Tilburg University's model agreement. This involves risks and should therefore be carefully assessed. More information on this can be found in the procedure for entering into a processing agreement.

International (Transfer)

In addition to the requirement of safeguards in the agreement and processing agreement with the third party, the GDPR also requires an adequate national level of protection when transferring personal data to other countries. The collection/processing of personal data in a third country (or having it collected/processed) also counts as a transfer. Third countries are all non-EEA countries (thus not covered by the GDPR).

If there is no adequate national level of protection, the transfer can still take place by providing adequate safeguards and provided that data subjects have enforceable rights and effective legal remedies at their disposal.

A number of countries have been judged by the European Commission to have an adequate level of protection. You can find the most up-to-date list on the site of the Autoriteit Persoonsgegevens.

The most common method is to use an unchanged EU model contract.

In section 4.5.2. of the Privacy & Data Protection Policy you will find some exceptions.