FSBS Privacy & Data Management

Legal agreements

When working with personal identifying information, you will occasionally need to use a legal document in order to establish rights and responsibilities of the parties involved. For more information on the various types of agreements that exist, take a look at the chapter on Agreements in the Data Privacy Handbook. Below a brief description with some relevant practical information.

When sharing data that (may) contain personal identifying information with someone outside the University, you are required under the GDPR to use a Data Transfer Agreement (DTA). This is a relatively simple document with a number of standard clauses, where you will need to fill in:

  • Title of the project involving the data transfer
  • Name and details of the receiving researcher
  • Duration of the agreement
  • Description of the research project (e.g., an abstract)
  • Description of the data (e.g., a table with variables and a brief description)

The document can then be signed by your department manager and someone authorized to sign at the receiving institute. You can contact privacy-fsw@uu.nl for a DTA template.

You need a processing agreement when a third party is going to process (e.g., store, analyse, share, transcribe) personal data on your behalf. This is often the case when you use tools, such as survey or storage platforms.

This agreement contains statements on how data may be handled and for how long, who has access and for what exact goal it can be used. You will need to fill in:

  • Title of the project involving the data transfer
  • Name and details of the receiving institute or company
  • Description and purpose of processing
  • Categories of data subjects and types of data
  • Whether subprocessors are involved
  • Specification of the security measures

The document can then be signed by your department manager and someone authorized to sign at the receiving end. You can contact privacy-fsw@uu.nl for a processing agreement template.

If you are initiating a research project with partners outside of UU, you can use a consortium agreement to clarify rights and responsibilities of the parties involved. In this agreement, parties agree on the intellectual property of the data produced or gathered, as well as how these data will be shared and used among the partners during and after the project. Typically, a consortium agreement will also need to include information on how personal data are managed and by which party. You can contact privacy-fsw@uu.nl for help setting up this agreement.