Data processing agreements (PUBA)
Information and templates
When is a data processing agreement required?
When the University engages or collaborates with another organisation that processes personal data for which the University is responsible, a data processing agreement between the parties is to be set up. The data processing agreement is usually a separate agreement which is distinct from the agreement that regulates the content of the actual service. Usually, the service falls under IT services or collaboration projects. Typical examples of IT services are the platform used by the University for recruiting employees, or the Image and Media Bank for managing photo and video material.
When is a data processing agreement not required?
The University is not to draw up a data processing agreement with organisations that need the data to carry out their duties. If, for example, you provide your name, personal identity number and photograph to obtain an access card for a building that someone else administrates, then that organisation is the data controller. A similar case is when the University discloses a list of students to a hospital or school that is responsible for internships or placements. However, you must still inform employees and students that their data will be disclosed.
Are you unsure of the different processing responsibilities?
For Lund University, a data processing agreement with other organisations that process personal data on our behalf is the most common scenario. However, there are cases in which the University is the processor for another organisation or that several organisations share responsibility as processors. Both variants occur in research projects implemented in collaboration with Region Skåne. Read more about responsibility for personal data:
Who can sign a data processing agreement?
If the agreement concerns a university-wide service, the vice-chancellor signs the agreement. If it concerns a service to be used by the central administration, the university director signs the agreement. If the service in question is only used by a department or equivalent, the agreement is to be signed by the Head of Department or equivalent.
What is the procedure for setting up a data processing agreement?
Agreement templates are available for download. It is important to describe exactly what personal data the processor is to process on our behalf. It is also important to describe the procedures for how we manage the rights of the data subjects. If you do not use a template, you may contact the Legal Division and ask them to review the agreement.
Lund University has an external Data Protection Officer; Secure State Cyber AB and the contact person at Secure State Cyber AB is Sanja Hebib.
Do you have questions regarding data protection - please contact:
dataskyddsombud [at] lu [dot] se (dataskyddsombud[at]lu[dot]se)
Questions regarding a personal data agreement
If you should have any questions regarding a personal data agreement, please contact the legal counsel responsible for your faculty or area: