Processor agreement related to privacy legislation

On the 25th of May 2018 the GDPR will come into effect. GDPR stands for General Data Protection Regulation and is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

Insofar as a processor processes personal data for Radboud University within the framework of the execution of an agreement, the processor is considered a processor within the meaning of the General Data Protection Regulation (GDPR), and the agreement is the agreement concluded between the controller and the processor on the basis of which the processor processes personal data for the controller for the purpose of the performance of this agreement.

The processor shall process the personal data exclusively on assignment from the controller and on the basis of instructions from the controller. The processor shall exclusively process the personal data insofar as the processing is necessary for the performance of the agreement, and never for its own use, the use of third parties and/or other purposes, unless applicable Union law or provisions of Member State law oblige the processor to perform processing.

In the above case, the processor will take appropriate technical and organizational security measures to protect the personal data against loss or against any form of unlawful processing. These measures guarantee, taking into account the state of the art and the costs of their implementation, an appropriate level of security in view of the risks involved in the processing and the nature of the data to be protected. The measures are also intended to prevent unnecessary collection and further processing of personal data. The processor will record the measures in writing. The processor will process personal data, as applicable in the General Data Protection Regulation (GDPR), in a proper and careful manner and in accordance with the applicable legislation and regulations as well as any applicable code of conduct of Radboud University.

The above regulations also apply in full to cross-border shipping and/or distribution and/or provision of personal data to non-EU countries.

The processor grants Radboud University its full cooperation (i) to allow interested parties to inspect their personal data, (ii) to have personal data removed or corrected, and/or (iii) to demonstrate that personal data have been removed or corrected if they are incorrect, or, if Radboud University disputes the point of view of the person concerned, to record that the person concerned considers his personal data to be incorrect.

Processor Agreement (docx, 534 kB) with instructions (pdf, 1 MB)