NTNU's template for data processor agreement and guidance for preparing data processor agreements

Norwegian version - Databehandleravtale

Does NTNU have a software that meets your requirements?

Before procuring software or services, you must check whether NTNU already has an existing agreement that fulfills your needs.

For more information see Software available by request and Anskaffelser (Norwegian).

What is a data processor agreement?

A data processor agreement ensures that personal data is processed in accordance with rules and regulations and provides a clear framework for how the data processor can process information.

This is a contract between the data controller (e.g., NTNU) and the data processor (e.g., someone we buy an IT or transcription service from)

Read more about the data processor agreement at the Norwegian Data Protection Authority (Norwegian).

When do you need a data processor agreement?

When NTNU as the data controller (responsible for personal data) outsources all or part of the processing of personal data to another party, company or business, the person(s) who process the data on behalf of the data controller are defined as data processor. A data processor is, in other words, an external provider that processes personal data on behalf of NTNU. This can be a provider of IT services, a company that transcribes research data, a provider that stores or archives data for NTNU, etc.

When NTNU is the data controller, and allows other providers to access personal data, it is important to ensure that the personal information is only used for the stated purpose and on NTNU's instructions. Other uses are not permitted. More information about this is posted on the Norwegian Data Protection Authority website (Norwegian).

The requirement for such an agreement is regulated by the Personal Data Act and the General Data Protection Regulation (GDPR), Articles 28 and 29.

NTNU must ensure that the data processor has a sufficient level of security. This is done by conducting a risk and vulnerability analysis. Data processors must be able to document how they work with information security. Read more about risk and vulnerability analysis. A separate template has been prepared for research projects (Norwegian).

NTNU's template for data processor agreements

NTNU's template has been developed through collaborative efforts within the higher education sector. As a standard practice, this template is used whenever NTNU enters into data processor agreements. If a provider insists on using their own templates / policies, a more comprehensive comparison and legal review of the agreement becomes necessary. However, if NTNU's template is used there is no need for a legal review.

• NTNU's template for data processing agreements - English (.docx)

Two-part data processor agreement

If NTNU purchases several services from the same provider, either a data processor agreement can be entered into per service (see templates above) or an overall agreement can be made. For cases where the overall agreement is most appropriate, NTNU has prepared a separate template. This is a two-part data processor agreement, where attachments must contain the specific services:

• NTNU's template for two-part data processor agreement - Norwegian (.docx)

Sub-data processor agreement

Occasionally, NTNU acts as the data processor and may engage a subcontractor for data processing purposes. In such instances, NTNU enters into a sub-data processor agreement. This is an agreement between the data processor and the subcontractor / sub-data processor. It is important that the provisions outlined in the sub-data processor agreement mirror the corresponding provisions in the main data processor agreement between the data controller and the data processor. The template provided below mirrors NTNU's template for data processor agreements.

• NTNU's template for sub-data processor agreement - Norwegian (.docx)

What do I do if the provider/subcontractor is located outside the EU/EEA?

The general rule is that transferring data outside the EU/EEA is not allowed. A specific legal basis is required to transfer personal data to countries outside the EU/EEA (third countries). Read more on the Norwegian Data Protection Authority's website (Norwegian).

Below you will find a flowchart illustrating the process for transferring personal data to countries outside the EU/EEA (third countries). The smaller flowchart on the right side shows a snapshot of the most common process: using Standard Contractual Clauses (SCC) as the legal basis for transfer.

• Flowchart for transferring personal data to third countries (pdf, Norwegian)

For all practical cases, there are two relevant legal bases:

• Pre-approved countries (Norwegian)
• EU Standard Contractual Clauses (SCC)
  • The SCC is modular and must be edited to fit the roles of the data controller and data processor.
  • The SCC meets the requirements of Article 28 of the General Data Protection Regulation (GDPR). Therefore, there is no need to enter into a separate data processing agreement in addition to the SCC.

How to proceed

• The legal advisers at NTNU can assist with the assessment of a data processor agreement that does not follow NTNU's template.
• If the IT department procures software, they will sign the agreement.
• If the faculty or department procures software or services, they are responsible for establishing a data processor agreement. The line manager (usually Head of department) should sign the agreement.
• Once the agreement has been signed, it must be archived in ePhorte on the same case number as the service agreement. The case is linked in addition to a single case folder for a total overview - case 17/13795 (the folder "2017/13795 Oversikt databehandleravtaler")

Checklist for Data Processor Agreements and GDPR (Privacy)

The Norwegian Data Protection Authority has made a checklist to verify that data processor agreements comply with the new privacy legislation (GDPR) (Norwegian).

Contact

orakel@ntnu.no

Legal assessment: juridisk@virksomhet.ntnu.no