If the university plans to involve non-university partners in the research project or study, the conditions for lawful and secure processing of the participants’ personal data must also be agreed upon. It is important to know that, in the case of human research or any other research subject to review by an ethics committee, the approval of the ethics committee does not release researchers from the requirement to conclude a data processing agreement.
A data processing agreement must be concluded with all partners who process the personal data of the data subjects for research purposes (see 1.4). Such agreements are generally concluded with legal persons (e.g., partner universities, research institutions, or service providers), but, depending on the circumstances, they may also be concluded with natural persons (e.g., students, sole proprietors, or professional experts). The university’s data protection specialists can assist in determining data processing roles and in drafting or reviewing draft agreements. The university’s intellectual property lawyer can help with questions related to intellectual property in research.
If the university is the data controller in the research (see 1.4), it is first necessary to establish the partner’s role in the processing of personal data, as the roles determine the mandatory terms of the data processing agreement. The conditions for personal data processing may also be specified in the research consortium agreement, cooperation agreement, service agreement, or other main agreement regarding the research. The data processing agreement may be an annex to the main agreement or, if there is no main agreement, concluded as a separate agreement.
If the university is the processor in the research (see 1.4), the controller is responsible for concluding the data processing agreement and setting its terms and conditions, and usually prepares the draft agreement.
If a data processing agreement is to be concluded with a natural person (e.g., an analyst or specialist), it must first be established whether they are acting as a representative of an institution or a company within the scope of their respective tasks or as a private individual providing services. If the natural person has access to the personal data and/or data processing tools in the course of their tasks within an institution, they must not use those data and/or tools to provide services as a natural person, in line with the principle of purpose limitation.
Data processing agreements with natural persons are concluded similarly to those described in clause 2.3.1, and they must also establish the person’s role in data processing. If the natural person is a representative of an institution or another legal person, the data processing agreement must be concluded with the respective institution or legal person.
When students are involved in research, the need to conclude a data processing agreement depends on the student’s role and tasks. If the student is part of the university’s research team (e.g., as a data analyst), the purpose of processing is research as defined by the university; the university is the controller, and the student acts as a processor performing the tasks assigned by the university (e.g., providing a service). In this case, a non-disclosure and data processing agreement must be concluded with the student; the template and guide for completing the agreement are available on the university intranet.
A data processing agreement with a student is not required if:
Note: If the student does not comply with these requirements and processes personal data for purposes outside their studies, they become an independent controller and, if necessary, must ensure compliance with the GDPR.
Note: If a student wants to use the personal data processed by the university for their thesis, they must sign a data processing agreement, as in cases where the university issues personal data to research institutions, students, or researchers outside the university.
If research data are shared with partners outside the European Economic Area (EEA) – for example in EU-funded programmes (Horizon Europe, etc.), international consortia or multilateral international cooperation – international data transfer requirements must be considered already at the planning stage. It is necessary to assess which technical and organisational measures are required to comply with them, and to determine whether the transfer takes place in the role of a controller or a processor. This determines:
If the university transfers personal data to a non-EEA country for which no adequacy decision has been issued, a research cooperation agreement or a data processing agreement alone is not sufficient. Such agreements regulate relations between the partners but do not constitute appropriate safeguards under the GDPR. According to the GDPR, additional safeguards must be applied, which in practice mainly means concluding the standard contractual clauses (SCC) adopted by the European Commission. These require the data recipient to implement EU-equivalent safeguards and grant the university contractual rights to exercise control, conduct audits, and respond to breaches.
SCCs must be applied if, during the research,
Agreements with SCCs must always be concluded for transfers to the USA, India, China, Brazil, Ukraine, South Africa and Turkey. The official list of countries for which adequacy decisions have been adopted is available at https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en. Transfers to partners in countries on this list may be carried out under the same conditions as within the EEA. Note: As adequacy decisions are made for a specified period, it is always necessary to check their validity on the website referred to above.
If an agreement with SCCs is not concluded or other appropriate GDPR-compliant safeguards are not applied, the data transfer does not comply with the GDPR and may lead to a suspension of the data transfer and supervisory authority proceedings for the university (e.g., if the University of Tartu transfers personal data to a university in India, and no agreement with SCCs has been concluded).
The Personal Data Protection Act, which specifies the implementation of the GDPR in Estonia, including in the context of research, allows the processing of personal data for research purposes in certain cases without the data subject’s consent. However, this does not eliminate the requirement to comply with GDPR rules on international transfers. Therefore, even for research conducted without the data subject’s consent, an agreement with SCCs must be concluded with partners in countries with an inadequate level of protection.
An agreement with SCCs may not always be a sufficient safeguard. If personal data processing or transfer during research may involve a high risk to the data subject’s rights, a data protection impact assessment (see 2.15.3) must be carried out before transfer to determine:
A data protection impact assessment is usually required if the research involves the processing of:
More information about data protection impact assessment is available in clause 2.15.3, and, if necessary, the university’s data protection specialists may be consulted.