Workflow for data sharing agreements at the Faculty of Law
Introduction
Research projects that involve the use of data supplied by other parties generally require an agreement between the UG and the other party, in accordance with Section 26 (1) of the AVG (GDPR). Such a data sharing agreement contains provisions on the following subjects, among others:
• How the data will be secured;
• With whom the data is shared;
• How the data will be stored during the research;
• How the data will be archived after the research;
• Whether the University of Groningen may share the data with others (third parties).
It is also possible that the University of Groningen will have the data it receives or collects itself processed (partly) by other parties. In that case, a data processing agreement must be concluded in accordance with Article 28(3) of the AVG (GDPR).
At the request of the Managing Director of the Faculty, the CETOR1 has defined a workflow for such agreements. This is described in more detail below.
Workflow for data sharing agreements
- The researcher (or project controller) contacts the Faculty's P&S coordinator. In consultation with the coordinator, the researcher draws up a Research Data Management Plan (RDMP) that clearly shows which personal data will be processed and which technical and organizational measures will apply in relation to the processing of the data.
- The P&S coordinator then contacts the Privacy & Security department of ABJZ. When the provision of (research) data containing personal data is part of a larger agreement, this will be further coordinated within ABJZ between the Civil Affairs and Privacy & Security department.
- ABJZ sends the draft agreement to the P&S coordinator and the researcher, if applicable in CC to the project controller. After possible editing by them, the final agreement is sent to the Managing Director of the Faculty Board for signing.
- The Managing Director sends the signed agreement to the researcher and the researcher sends the agreement to the other party.
Variations or deviations from this workflow
- In case the researcher or project controller first contacts the Managing Director or contacts ABJZ directly, they will inform the P&S coordinator in order to draw up the data management plan. Of course, this involves further consultation with the researcher and, if necessary, coordination with (the Civil Affairs department of) ABJZ, as described in step 1;
- The researcher reports to the CETOR for review of the research. In that case, the Managing Director or the P&S coordinator will first refer to ABJZ, in combination with step 2, the supply of an RDMP and the technical and organizational measures to be taken;
- Researchers are not allowed to conclude such an agreement themselves with the other party without informing the Managing Director or the Management Controller. The researcher is not authorized to do so, and this creates a real risk of non-compliance with legal obligations under the GDPR (risk of fines) and/or a risk of legal dispute to which the UG (and not the researcher) is a party. In the unlikely event of such a case, this agreement will have to be reviewed by the ABJZ and amended if necessary. In accordance with step 1 of the workflow, an up-to-date data management plan should be present;
- If an agreement has been made in the past that the researcher continues to use, then this agreement should be reviewed by ABJZ and adapted if necessary, in combination with an up-to-date data management plan;
- ABJZ uses its own model for an agreement, but sometimes the other party insists on using its own agreement, in which case the agreement is accompanied by an appendix containing the technical and organizational measures proposed by the UG and the data management plan;
- If this agreement is part of a larger collaboration agreement, ABJZ can also handle the transmission to the other party/parties;
- In the case of high-risk processing2, ABJZ, in collaboration with the P&S coordinator, the researcher involved and the DCC, organizes a "Data Protection Impact Assessment" (DPIA) to be carried out on the basis of Art. 35 AVG (GDPR).
1 Committee for the Ethical Review of Research in Law (CETOR): subgroup for this advice consisting of Maarten Goldberg, Anne Ruth Mackor, Jeanne Mifsud Bonnici and Evgeni Moyakine.
2 Such as, among others, the processing of special personal data or data of vulnerable persons. More information can be found here .Last modified: | 02 June 2022 3.36 p.m. |