Case: Processors agreement clarifies responsibilities in relation to privacy

Educational institutions and their suppliers often process personal data. The laws and regulations governing this are complex and constantly changing – e.g. the obligation that came into force in 2016 to report data leaks. SURF helps institutions with their obligations in this area, e.g. with the provision of a new model processors agreement.

09 MAY 2017

Revision of legal standards framework

Evelijn Jeunink is Corporate Privacy Officer at SURF. As part of her work she often has to deal with regulations governing privacy-sensitive data: "In 2016 we revised the legal standards framework. This provides guidelines on confidentiality, privacy, ownership, and availability of data for agreements with suppliers of cloud services. The revision was necessary due to the declaration of the invalidity of Safe Harbor, and the new obligation to report data leaks. Universities and colleges also asked for clear conventions on how to deal with personal data. Many institutions would prefer to see these conventions set out in the form of a processors agreement."

New model processors agreement

The main output of the revision of the standards framework is the new model processors agreement, says Evelijn: "This agreement sets out the agreements between a responsible party – generally an educational institution – and a processor – a provider who supplies a product or service in which personal data is processed. We add an appendix in which parties can specify in exact detail what they will do with particular personal data." Olga Scholcz, Legal Adviser at SURF, adds: "Institutions nonetheless retain a clear personal responsibility. After all, the processors agreement is signed by both the institution and the supplier."

Compliance statement

One important addition to the processors agreement is the compliance statement. "This needs to provide as clear an overview as possible of what a given supplier can and cannot provide in the area of privacy," explains Evelijn. "It shows what SURFmarket has achieved in its negotiations with the supplier. The institution can then decide for itself whether this is sufficient. Only if the supplier fully complies with the processors agreement is a compliance statement unnecessary."

Institutional involvement

A legal committee established by SURF plays a major role in the development and specification of the legal standards framework and the model processors agreement. This committee is made up of lawyers and privacy & security officers from the institutions.

Latest modifications 29 May 2017