Glossary
Data Processing Agreement (DPA)
An agreement between a data controller and a data processor (GDPR art. 4, definitions 7 & 8). The data controller is the party which determines the purpose (“why”) and means (“how”) of the processing operation. The data processor processes personal data on behalf of the data controller. If you process personal data but are not fully in control, e.g. because you use a cloud service, you need to ensure that the data are still processed in compliance to the GDPR; you need to establish yourself as the data controller. You do so in a Data Processing Agreement (in Dutch: verwerkersovereenkomst), in which you establish how the third party whose services you use ensures you to be able to fulfill your role as a controller (see also GDPR, ch. 4). This type of agreement should be created with the aid of Legal Affairs and the privacy officer. In some cases, you may need to ask the Data Protection Officer for advice.
The UU has a number of standard data processing agreements, e.g. with Qualtrix (online platform for surveys) and Microsoft Teams, and of course all services of SURF, like SURFDrive and SURFFilesender.
Go to index