Data processing agreements (PUBA)
When is a data processing agreement required?
When the University engages or collaborates with another organisation that processes personal data for which the University is responsible, a data processing agreement between the parties is to be set up. The data processing agreement is usually a separate agreement which is distinct from the agreement that regulates the content of the actual service. Usually, the service falls under IT services or collaboration projects. Typical examples of IT services are the platform used by the University for recruiting employees, or the Image and Media Bank for managing photo and video material.
When is a data processing agreement not required?
The University is not to draw up a data processing agreement with organisations that need the data to carry out their duties. If, for example, you provide your name, personal identity number and photograph to obtain an access card for a building that someone else administers, then that organisation is the data controller. A similar case is when the University discloses a list of students to a hospital or school that is responsible for internships or placements. However, you must still inform employees and students that their data will be disclosed.
Who can sign a data processing agreement?
If the agreement concerns a university-wide service, the vice-chancellor signs the agreement; if it concerns a service to be used by the central administration, the university director signs the agreement. If the service in question is only used by a department or equivalent, the agreement is to be signed by the head of department or equivalent.
What is the procedure for setting up a data processing agreement?
Agreement templates are available for download. It is important to describe exactly what personal data the processor is to process on our behalf and the procedures for how we manage the rights of the data subjects. If you do not want to use a template, you are to contact the Legal Division and ask them to review the agreement.
A data processing agreement is not always sufficient
For Lund University, a data processing agreement with other organisations that process personal data on our behalf is the most common scenario. However, there are cases in which the University is the processor for another organisation – or in which several organisations share responsibility as processors. Both variants occur in research projects implemented in collaboration with Region Skåne.
dataskyddsombud [at] lu [dot] se