Data processing agreements shall be entered into when personal data is to be processed by someone who is not the data controller.
This checklist is used to quality assure data processing agreements with suppliers who process personal data on behalf of the UiS. This checklist can also be used for the traditional deployment of system operations to external parties which comprise the processing of personal data.
The following factors shall be regulated and accounted for in data processing agreements:
Distribution of responsibilities and purpose of the agreement
It should be clearly shown who the data controller is (the institution) and who the data processor is (the supplier).
It should be clearly shown which service, project or system will be covered by the agreement.
The supplier shall confirm that the personal data which is to be processed will be processed on behalf of the institution.
It should be clearly shown that the data processing agreement takes precedence over the supplier’s privacy statements or any other types of contract/agreement.
The supplier shall clearly define how the institution’s personal data will be used.
It should be clearly shown that the data will not be used for marketing purposes, only for administering and supplying the service.
If the supplier wishes to use the data for any other purposes than those originally agreed, the supplier must obtain permission for such from the institution.
Permission from the institution will also normally be required if the supplier is to provide personal data to third parties, e.g. other companies or official bodies.
Written instructions from the institution
The supplier undertake to comply with the institution’s written instructions in respect of how the data is to be processed and secured.
It should be shown that the supplier cannot process personal data in any other way than that provided for in the institution’s written instructions.
Overview of types of data
The supplier shall specify who the data applies to (e.g. students, employee, etc.). This shall be clearly specified under separate points.
The supplier shall confirm which types of personal data are to be processed on behalf of the institution. This shall be clearly specified under separate points.
The supplier specifies how long the personal data concerned will be processed for on behalf of the institution (e.g. until the date on which the agreement relating to provision of the service ends or until the agreement is terminated).
Obligations of the institution
The institution undertake to fulfil its statutory duties/obligations when the processing of personal data is farmed out to an external service provider.
Administration of rights
The supplier shall clearly undertake to help the institution to safeguard the rights of the data subject in accordance with the current Norwegian Personal Data Act.
This comprises i.a.
• the right to information about how the supplier administers personal data, the right to access one’s own personal data
• the right to demand correction or deletion of one’s own data
It should be specified that the supplier may be liable in damages to the data subject if the supplier or the supplier’s subcontractors for the service process personal data illegally.
The supplier’s information security
The supplier shall undertake to implement all necessary organisational, technical and physical measures in order to protect personal data which is comprised by the agreement against unauthorised access, amendment, deletion, damage, losses or inaccessibility. This documentation shall be available to the institution.
The supplier shall document his own security arrangements, guidelines and procedures relating to security work, risk assessments and established technical, physical or organisational security measures. This documentation shall be available to the institution.
The supplier shall document that his own employees have been trained in information security and how the institution’s personal data shall be handled. This documentation shall be available to the institution.
Confidentiality on the part of the supplier
The supplier shall make it clear that all employees who have access to the institution’s personal data have a duty of confidentiality in respect of such data.
This duty of confidentiality shall continue to apply after the agreement has been terminated.
Duty of notification in the event of security breaches
The supplier undertakes to notify the institution without delay if personal data for which the institution is responsible is subject to a breach of security (unauthorised access, dissemination, amendments, damage, destruction or inaccessibility).
The supplier shall document any security breaches and notification shall include information about who is affected by the security breach, which types of personal data have been affected and what the supplier has done in order to deal with and rectify the situation.
Please note: in its capacity as a data controller, the University has a deadline for notifying the Norwegian Data Protection Authority of discrepancies within 72 hours, or as quickly as possible, without undue delay, after becoming aware of the discrepancy concerned. The collection of data, etc. should therefore be commenced as quickly as possible.
Notification of illegal processing
The supplier undertakes to notify the institution if the institution’s written instructions (in the opinion of the supplier) are illegal (involve breaches of statutory rules about the processing of personal data).
Use of subcontractors by the supplier
The institution shall agree to the supplier hiring subcontractors who have access to the institution’s personal data.
If subcontractors are used, it should be specified that all subcontractors are bound by the same rules as those which apply to the supplier’s processing of the institution’s personal data, especially with respect to the information security of the data concerned. The data processor undertakes to disclose to the institution any agreements with subcontractors when requested to do so.
Finally it should be specified that the supplier is responsible to the institution for breaches of contract committed by any subcontractors of the service.
Transfer of personal data by the supplier to non-EU/EEA countries
The supplier must account for the legal basis used if personal data is transferred to countries outside the EEA, e.g. if the service uses subcontractors or data centres in such countries. Transfers may, for example, be based on the EU’s standard contract on transferring personal data to third countries.
The supplier shall specify which countries data is transferred to.
Reviews conducted by the supplier
The supplier shall account for how reviews of the supplier’s work on compliance with the agreement shall be conducted.
This applies in particular to how the personal data concerned is secured against unauthorised access, dissemination, amendment, damage, destruction or inaccessibility (information security).
It may be shown that such reviews are conducted by independent auditors who have been engaged by the supplier. In such cases the institution shall be informed about which auditor is being used and shall receive access to summaries of the reviews concerned.
The institution may conduct its own reviews at the supplier’s.
In some cases the agreement should specify that the data subjects (students, employees, respondents, etc.) are entitled to receive their data from the supplier in a format which makes it easy for them to transfer the data to another supplier.
As regards universities and university colleges, it is likely that this will primarily be relevant if the institution concerned uses external services which are based on consent from the individual end user.
Returning and deleting personal data upon termination
The supplier undertakes to return all personal data to the institution once the contractual relationship ends. The institution decides the format to be used for the return of such data.
The supplier shall also undertake to delete all personal data after the end of the contractual relationship. This obligation to delete data shall comprise all backups of personal data which the supplier processes on behalf of the institution.
A deadline shall be specified for when deletion shall be completed by.
The supplier undertakes to assist the institution with investigating the consequences of using services/technolgies which represent a particularly high privacy risk (DPIA).
The supplier shall also undertake to assist in the dialogue with the Norwegian Data Protection Authority when it is difficult to deal with the privacy risks (disclosed by the DPIA) in an appropriate manner.
Duration and contacts
The following shall be clearly specified:
• date of commencement of the agreement
• date of termination of the agreement
• deadline for notice of termination of the agreement
• the supplier’s contact
• the institution’s contact
Choice of law and court of venue
It shall be specified which country’s legislation shall apply to the agreement (it is recommended that whenever possible the agreement shall be subject to Norwegian law – use the UiS template for data processing agreements)
It shall be specified which district court shall serve as the court of venue (it is recommended that whenever possible this should be the Stavanger District Court – use the UiS template for data processing agreements)