Cabinet with binders, photo by Viktor Talashuk

Handling personal data with care

What if I want to make use of an external party for my classes, research, or business?

If Tilburg University, as the legal controller, engages a company for the processing of personal data, a processing agreement is required. This is a legal obligation under the GDPR.

In a number of cases, this other organization is not a processor within the meaning of the GDPR and does not need to enter into a processing agreement; it is then sufficient to include certain agreements (e.g., on responsibility and security) in the main agreement. However, in many cases, a processing agreement is mandatory. The Data Representative can help determine whether this is the case.

If Tilburg University processes personal data for itself within the organization, no processing agreement is required.

What is a processor, a controller, and a sub-processor?
In what cases controller?
What to do when entering into a processing agreement