Workflow for data processing agreements through which the Faculty of Law allows data to be processed by other parties
Introduction
If a researcher wishes to have data processed by another party, for example, by having interviews transcribed and translated by a translation agency, a data processing agreement must be concluded in accordance with Article 28(3) of the AVG (GDPR).
Such an agreement must contain provisions on the following subjects, among others:
- What security measures the processor has taken during processing and transport;
- Which persons at the processor have access to the data;
- How long the data remains with the processor and what happens to the data after processing.
It is also possible that data supplied by parties other than the UG will be processed. In that case, a data sharing agreement is usually concluded between the UG and the other party in accordance with Article 26(1) of the AVG (GDPR).
At the request of the Faculty's Managing Director, the CETOR¹ has defined a workflow for such agreements. This is described in more detail below.
Workflow for data processing agreements
1. The researcher (or project controller) contacts the Faculty's P&S coordinator. In consultation with the coordinator, the researcher draws up a Research Data Management Plan (RDMP) that clearly shows which personal data will be processed and which technical and organizational measures will apply in relation to the processing of the data.
2. The P&S coordinator then contacts the Privacy & Security department of ABJZ. When the provision of (research) data containing personal data is part of a larger agreement, this will be further coordinated within ABJZ between the Civil Affairs and Privacy & Security departments.
3. ABJZ sends the draft agreement to the P&S coordinator and the researcher, with the project controller in CC if applicable. After possible editing by them, the final agreement is sent to the Managing Director of the Faculty Board for signing.
4. The Managing Director sends the signed agreement to the researcher and the researcher sends the agreement to the other party.
Variations or deviations from this workflow
- In case the researcher or project controller first contacts the Managing Director or contacts ABJZ directly, they will inform the P&S coordinator in order to draw up the data management plan. Of course, this involves further consultation with the researcher and, if necessary, coordination with (the Civil Affairs department of) ABJZ, as described in step 1;
- The researcher reports to the CETOR for review of the research. In that case, the Managing Director or the P&S coordinator will first refer to ABJZ, in combination with step 2, the supply of an RDMP and the technical and organizational measures to be taken;
- Researchers are not allowed to conclude such an agreement themselves with the other party without informing the Managing Director or the Management Controller. The researcher is not authorized to do so, and this creates a real risk of non-compliance with legal obligations under the GDPR (risk of fines) and/or a risk of legal dispute to which the UG (and not the researcher) is a party. In the unlikely event of such a case, this agreement will have to be reviewed by the ABJZ and amended if necessary. In accordance with step 1 of the workflow, an up-to-date data management plan should be present;
- If an agreement has been made in the past that the researcher continues to use, then this agreement should be reviewed by ABJZ and adapted if necessary, in combination with an up-to-date data management plan;
- ABJZ uses its own model for an agreement, but sometimes the other party insists on using its own agreement, in which case the agreement is accompanied by an appendix containing the technical and organizational measures proposed by the UG and the data management plan;
- If this agreement is part of a larger collaboration agreement, ABJZ can also handle the transmission to the other party/parties;
- In the case of high-risk processing², ABJZ, in collaboration with the P&S coordinator, the researcher involved and the DCC, organizes a "Data Protection Impact Assessment" (DPIA) to be carried out on the basis of Art. 35 AVG (GDPR).
¹ Committee for the Ethical Review of Research in Law (CETOR): subgroup for this advice consisting of Maarten Goldberg, Anne Ruth Mackor, Jeanne Mifsud Bonnici and Evgeni Moyakine.
² Such as, among others, the processing of special personal data or data of vulnerable persons. More information can be found here.
Last modified: 02 June 2022 3.34 p.m.