Kast met ordners, foto Viktor Talashuk

Handling personal data with care

What if I want to make use of an external party for my classes, research, or business?

If Tilburg University, as the legal controller, engages a company for the processing of personal data, a processing agreement is required. This is a legal obligation under the GDPR.

In a number of cases, this other organization is not a processor within the meaning of the GDPR and does not need to enter into a processing agreement, but it is sufficient to include certain agreements (e.g., on responsibility and security) in the main agreement.  However, in many cases, a processing agreement is mandatory. The Data Representative can help determine whether this is the case.

If Tilburg University processes personal data for itself within the organization, no processing agreement is required.

What is a process, a controller, and a sub-processor?


A data controller determines the purpose and means of processing personal data. Tilburg University will be responsible for most processing of personal data.


A processor processes personal data on behalf of the data controller. If an external organization itself determines the purpose(s) of the processing, the external party itself is responsible for the processing.


If a processor lists a third party, then this third party is a sub-processor.


Tilburg University has outsourced the payroll administration to external organization B. This external organization makes use of its own software, but this is hosted by provider C. In this example Tilburg University is the controller, organization B is the processor, and provider C is the sub-processor.

In what cases controller?

Tilburg University is a controller when it:

  • has control over the processing, and the processor must follow the university's instructions;
  • determines the purposes;
  • has commissioned a third party to process personal data.

The processor can never make choices regarding the type or amount of personal data processed for Tilburg University.

The processor is an -independent- third party that only processes personal data for thecontroller's purposes.

What to do when entering into a processing agreement

There is a procedure for entering a processing agreement that explains the different steps you need to conclude a sound processing agreement.

The advice is always to use the Tilburg University model agreement because:

  • it is based on the SURF model;
  • it has been tested by our specialists;
  • this enables us to guarantee that the agreement meets GDPR obligations.

Especially if Tilburg University is the controller, you can insist that this model agreement is used if processors want to use their own model.

However, (especially large parties) mayu make their own processing agreement mandatory or want to change certain clauses in Tilburg University's model the agreement. However, this involves risks and should therefore be carefully assessed. More information on this can be found in the procedure for entering into a processing agreement.