Personal Data Processing Agreements (DPA)
The concepts of controller and processor are essentially linked to the processing of personal data. The controller is the party defining the purposes and means of processing personal data. HAMK is a controller for information such as data on HAMK students, personnel, alumni, suppliers and customers. As for the processors of personal data, they process personal data on behalf of the controller. Processors typically include subcontractors and service providers who process or may process the controller’s personal data. In this context, the processor does not refer to the HAMK personnel.
The General Data Protection Regulation requires a Data Processing Agreement (DPA) between the controller and the processor. The mini-content of the agreement is described in the General Data Protection Regulation.
For instance, an agreement is needed if personal data is processed in a cloud service with HAMK being the controller and the service provider being the processor. An agreement is also needed if HAMK acts as the processor of personal data. An agreement is also required for the use of services without charge.
Agreements relating to the processing of personal data, derived from centrally acquired systems and services at HAMK, are processed centrally. For instance, this agreement has been concluded on Webropol and all services provided by CSC.
However, in research/RDI projects, field-specific teaching systems and other similar situations, it may be necessary to draw up a separate agreement on processing personal data. This may be the case, for instance, if the processing of personal data is purchased from an external operator in a research project. This may include, for instance, a service used for collecting or processing research material containing personal data or commissioning the analysis of collected material by an operator external to HAMK. Before implementing such a service or system, you should ensure, among other things, the following:
- Roles: which party acts as a controller and which entity as a processor of personal data
- Appropriateness and protective measures for processing personal data. This particularly includes, inter alia, the geographical area where the processing takes place (e.g. EU / EEA).
- Agreement on the processing of personal data between the controller and the processor
There are several options for concluding contracts on the processing of personal data:
- In the ideal case, the service agreement includes an annex on the processing of personal data.
- Major cloud providers in particular may find completed contract details on the home page. These can be found, for instance, by searching for information using the DPA GDPR search.
- The service provider may have a contract template available upon request.
- Recommendation: EU standard contractual clauses between controllers and processors.
- Where necessary, you can also use JHS 166 General Terms and Conditions of Governmental IT Procurement (JIT 2015) Appendix 9: Particular terms for the processing of personal data
For additional information, please contact your data protection officer.