Data protection agreement templates - Employee

Data protection agreement templates

We have three data protection agreement types that we use: data processing agreement, agreement for joint processing and agreement on the transfer of data. Here you can find relevant templates and information about when to use the different templates.

The Data Protection Authority has very informative websites about being a data controller, data processor and about shared processing responsibility (datatilsynet.no) (in Norwegian).

  • Data processing agreement template

    When do you need to enter into a data processing agreement?

    A data processing agreement must be entered into if you outsource parts of the processing to an organisation/institution/natural person outside of OsloMet. This happens when

    • OsloMet (the data controller) transfers personal data to an external organisation/institution/natural person (data processor) that will process personal data on behalf of OsloMet and to which OsloMet has no authority to issue instructions.
    • an external organisation/institution/natural person gains access to data for which OsloMet is the data controller. OsloMet determines the purpose of the processing and the means to be used.

    "External parties" refers to all parties to whom OsloMet has no authority to issue instructions. Persons to whom OsloMet has authority to issue instructions, and who are considered internal, are

    • people who are considered students at OsloMet and sign a declaration of confidentiality
    • employees who have entered into employment contracts and sign a declaration of confidentiality (also applies to persons linked to OsloMet in connection with contracting, etc.)

    A data processing agreement must also be entered into if OsloMet will process personal data on behalf of an external organisation, and receives a transfer of/access to, or collects, personal data that the external organisation/institution/natural person is the data controller for. OsloMet is not involved in determining the purpose or means of the processing, and therefore has the role of a data processor.

    In contract research for which the “contracting authority” is interested solely in the results of the research, OsloMet may be so independent in the execution of the contract that OsloMet must still be considered to be the data controller.

    Remember that project team members (research) who interpret results, transcription assistants and research assistants are all considered data processors if they are external parties. They must then sign a data processing agreement that sets out how the personal data will be processed.

    Remember that you are responsible for ensuring that an agreement has been put in place. A data processing agreement is an important legal document that must be in place as early as possible and before any processing of personal data starts.

    Data processors in Norway

    The data processing agreement template should ideally be used at OsloMet but must be adjusted for each case.

    The checklist can be used as needed for the quality assurance of data processing agreements offered by cloud service suppliers or other types of online services. Remember to add sikkerhet@oslomet.no to the section concerning who the data processor must notify in the event of deviations.

    Data processors in third countries

    The EU's standard Data Processing Agreement template (doc) should be used when personal data is transferred to a data processor in a third country.

    No exceptions can be made or agreed in contravention of the terms and conditions set down in the EU’s standard data processing agreement template. The content of the agreement is, in other words, “locked”.

    Other relevant data processing agreement templates

    Checklist

    • You need to check whether the organisation that will process personal data on behalf of OsloMet has a satisfactory information security system in place in the form of policies, guidelines, procedures and similar.
    • In research, you need to check that the external organisation has submitted a notification of change to the Data Protection Services for Research (Sikt) or the Data Protection Officer and that the processing of personal data has been approved in cases where OsloMet will participate in an external project and/or process personal data collected by the external organisation. This must be documented in writing. Email may be sufficient for Norwegian organisations. If you are unsure of what constitutes adequate documentation for your project, please contact the Privacy contact in research and development at your faculty/centre.
    • Before processing of personal data can start, you need to ensure that a risk assessment (in Norwegian) is carried out, see also the information security guidelines on What needs to be protected? Valuation/risk assessment (in Norwegian) and Guidelines for processing personal data.
    • Are privacy considerations taken care of?

    Resources

    Signing and archiving

    The data processing agreement can be signed (by the service owner/system owner/process owner) after a risk assessment has been carried out, which must subsequently be archived in P360. See Registration in Public 360 (sharepoint.com) and the Norwegian Data Protection Authority’s guidance on data processing agreements (datatilsynet.no) (in Norwegian). The reference number must be registered against the processing/work process in the processing overview in Ardoq at OsloMet (applies to processing that must be registered in Ardoq) or in the Excel form used as a record for systems. This must be done by the Privacy contact at the unit in question.

  • Agreement template for joint processing

    OsloMet has developed a new agreement for joint processing (doc).

    Old agreement template for joint processing (doc), based on UiO's template.

    The template can be used in cases in which OsloMet and an external organisation/institution must be considered to have joint data processing responsibilities and personal data will be transferred between the organisations/institutions. Each of the joint data controllers must then have its own lawful basis for the processing of personal data (datatilsynet.no) (in Norwegian).

    Joint data controller responsibilities are deemed to exist if two or more data controllers jointly determine the purposes and means of processing.

    Joint data controller agreements must be archived in P360.

  • Data transfer agreement template

    OsloMet has established a new agreement template for data transfer (doc). 

    Old agreement template for data transfer (doc), mostly based on the NTNU template.

    The template can be used in cases in which OsloMet needs to transfer personal data to an external organisation/institution and both parties have an independent responsibility for processing. This template can also be used in cases in which OsloMet receives personal data from another independent data controller.

    Independent data controllers are deemed to exist if both (all) data controllers will use the personal data for their own purposes and such purposes are not determined jointly.

    Data transfer agreements must be archived in P360.

    See websites on

  • If you need help

    If you need help, contact the Privacy contact at your unit/faculty/centre.