After determining the formal roles of the parties and whether and how Section 28 applies, you need to think about some of the specific features of the version. This will help you decide if a contract is needed and what issues to address in a contract.

ico.org.uk/media/for-organisations/documents/1067/data_sharing_checklists.pdf

If everything else is the same, it is more likely that a remote agreement could carry risks for both organizations, and with more risks, more contractual guarantees should be put in place.

The General Data Protection Regulation (GDPR) does not introduce any new requirements of the Data Protection Act (DSG). However, the financial and reputational consequences of non-compliance have increased significantly, and the GDPR places responsibility for any misuse/loss of data on the university (as a data controller). The university also needs a clear record of all data exchange agreements in case an individual chooses to use some of their new rights under the GDPR, such as the "right to be forgotten".

Examples of cases where a contract would be most appropriate include:

ico.org.uk/media/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/privacy-notices-in-practice-1-0.pdf

Is the division between unaffiliated parties or between affiliates?

The following links provide guidance on what information should be included in a data-sharing contract or agreement. You should be prepared to give legal services a clear instruction that identifies the information you need to share and any specific requirements you want them to capture in the document you want them to prepare.
"processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

Data sharing contracts and agreements are not necessary to share data with colleagues or other departments of the university, but you should always consider the risks associated with sharing data with others within the organization and the privacy rights of data subjects.

Last but not least, you must take full account of the distinction between transfers within the EEA and transfers from the EEA. Chapter 5 of the GDPR sets out the requirements for the transfer.

The purpose of this document is to provide guidance on how to determine the most appropriate form of the agreement and the issues to be taken into account in the preparation of the agreement.

(b) ensure that the persons authorised to process the personal data have undertaken to respect confidentiality or are subject to an appropriate legal obligation of confidentiality;

Within the framework of the GDPR, there are specific requirements for the storage and retention of personal data that must be respected.

There are two legal mechanisms to clarify roles, responsibilities and expectations when exchanging data with third parties:

As regards point (h) of the first subparagraph, the processor shall immediately inform the controller if it considers that an instruction infringes this Regulation or other Union or Member State data protection rules.