Data processing agreements
When is a data processing agreement required?
When the University engages or collaborates with another organisation that processes personal data for which the University is responsible, a data processing agreement between the parties is to be set up. The data processing agreement is to regulate what personal data is involved, what the other organisation is permitted to do or not do with the personal data, and how security is managed.
The data processing agreement is usually a separate agreement which is distinct from the agreement that regulates the content of the actual service. Usually, the service falls under IT services or collaboration projects. Typical examples of IT services are the platform used by the University for recruiting employees, or the Image and Media Bank for managing photo and video material.
When is a data processing agreement not required?
The University is not to draw up a data processing agreement with organisations that need the data to carry out their duties. If, for example, we release names, personal identity numbers and photographs to obtain access cards for a building that someone else administrates, then that organisation is the data controller. A similar case is when the University releases a list of students to a hospital or school that is responsible for internships or placements. Neither of the latter two cases mentioned requires a data processing agreement. However, you must still inform employees and students that their data will be disclosed.
Who can sign a data processing agreement?
If the agreement concerns a university-wide service, the vice-chancellor signs the agreement; if it concerns a service to be used by the central administration, the university director signs the agreement. If the service in question is only used by a department or equivalent, the agreement is to be signed by the head of department or equivalent function.
What is the procedure for setting up a data processing agreement?
The initiative and proposal for an agreement can come either from the University or from the organisation providing the service. Agreement templates are available for download. Start by trying to establish whether you have all the details you need to use the template, and study the formulations about personal data processing in the main agreement. One important aspect is to describe exactly what personal data the processor is to process on our behalf. Other aspects concern data security and procedures for how we manage the rights of the data subjects where applicable. Once you have a proposal for an agreement, you can contact the Legal Division.
In which situations can the data processing agreement be invoked?
Firstly, the University must be able to show the agreement to the Swedish Data Protection Authority, and secondly, our data protection officer may follow up on the service provider’s compliance with the agreement. A third possible scenario could be if the University is dissatisfied with the way in which the processor is carrying out its duties.
A data processing agreement is not always sufficient
For Lund University, a data processing agreement with other organisations that process personal data on our behalf is the most common scenario. However, there are cases in which the University is the processor for another organisation – or in which several organisations share responsibility as processors. Both variants occur in research projects implemented in collaboration with Region Skåne.
dataskyddsombud [at] lu [dot] se
- Personal data controller – the organisation responsible for processing your personal data. In all but a few cases, Lund University is the personal data controller.
- Data subject – the person whose personal data you collect and/or process.
- Data protection officer – the role and function responsible for Lund University’s compliance with the GDPR.
- The EU’s General Data Protection Regulation (GDPR) – the Swedish translation of GDPR is “Dataskyddsförordningen”.
- Data Protection Act – the Swedish national complement to the EU’s GDPR.