If the university plans to involve non-university partners in the research project or study, the conditions for lawful and secure processing of the participants’ personal data must also be agreed upon. It is important to know that, in the case of human research or any other research subject to review by an ethics committee, the approval of the ethics committee does not release researchers from the requirement to conclude a data processing agreement.

A data processing agreement must be concluded with all partners who process the personal data of the data subjects for research purposes (see 1.4). Such agreements are generally concluded with legal persons (e.g., partner universities, research institutions, or service providers), but, depending on the circumstances, they may also be concluded with natural persons (e.g., students, sole proprietors, or professional experts). The university’s data protection specialists can assist in determining data processing roles and in drafting or reviewing draft agreements. The university’s intellectual property lawyer can help with questions related to intellectual property in research.

2.3.1. Concluding data processing agreements with legal persons

If the university is the data controller in the research (see 1.4), it is first necessary to establish the partner’s role in the processing of personal data, as the roles determine the mandatory terms of the data processing agreement. The conditions for personal data processing may also be specified in the research consortium agreement, cooperation agreement, service agreement, or other main agreement regarding the research. The data processing agreement may be an annex to the main agreement or, if there is no main agreement, concluded as a separate agreement.

  • If a data processor (e.g., technical provider of the research database, developer, analyst) is involved in the research, a written, binding data processing agreement compliant with the requirements of article 28 of the General Data Protection Regulation (the GDPR) must be concluded. As the controller is fully liable for the processor’s data processing activities, the agreement must include clear instructions and conditions between the parties for the processing of personal data.
  • If a joint controller (e.g., partner universities in a consortium) is involved, a written, binding data processing agreement compliant with the requirements of article 26 of the GDPR must be concluded. The parties to the agreement must clearly specify which party is responsible for each processing operation (e.g., inviting participants to the study, data collection, setting up and managing the server for the study, data cleaning, data analysis, publishing, etc.).
  • An agreement between independent controllers (e.g., a national database controller that transfers data to the university) is not subject to specific requirements according to the GDPR; it is good practice, however, to agree on details related to the transfer of personal data and security measures, e.g., the means of transmission of personal data or on whose behalf the data are encrypted.

If the university is the processor in the research (see 1.4), the controller is responsible for concluding the data processing agreement and setting its terms and conditions, and usually prepares the draft agreement.

2.3.2. Concluding data processing agreements with natural persons

If a data processing agreement is to be concluded with a natural person (e.g., an analyst or specialist), it must first be established whether they are acting as a representative of an institution or a company within the scope of their respective tasks or as a private individual providing services. If the natural person has access to the personal data and/or data processing tools in the course of their tasks within an institution, they must not use those data and/or tools to provide services as a natural person, in line with the principle of purpose limitation.

Data processing agreements with natural persons are concluded similarly to those described in clause 2.3.1, and they must also establish the person’s role in data processing. If the natural person is a representative of an institution or another legal person, the data protection agreement must be concluded with the respective institution or legal person.

When students are involved in research, the need to conclude a data processing agreement depends on the student’s role and tasks. If the student is part of the university’s research team (e.g., as a data analyst), the purpose of processing is research as defined by the university; the university is the controller, and the student acts as a processor performing the tasks assigned by the university (e.g., providing a service). In this case, a non-disclosure and data processing agreement must be concluded with the student; the template and guide for completing the agreement are available on the university intranet.

A data processing agreement with a student is not required if:

  • the student processes personal data to achieve learning outcomes, e.g., within a course or practical training provided by the university. In this case, the purpose of processing is studying, and the university is the controller. The processing of personal data takes place while the student is pursuing higher education, for purposes and by means defined by the university, and in accordance with the requirements specified in the curriculum or guidance materials.

Note: If the student does not comply with these requirements and processes personal data for purposes outside their studies, they become an independent controller and, if necessary, must ensure compliance with the GDPR.

  • the student processes personal data for a bachelor’s or master’s thesis. In this case, the student is the controller and independently determines whether and which personal data are processed, the means used and the legal basis for personal data collection or reuse. For human research or the processing of special categories of data, the student must obtain ethics committee approval. In addition, the student must follow the university’s requirements for the organisation of studies, use of information systems, and personal data protection. The university is an independent controller in allowing the use of its information systems and in assessing, defending and publishing the student’s thesis, as the requirements for the theses are defined in the university bylaws and other applicable legislation and guidelines. Therefore, it is not necessary to conclude a data processing agreement with the student.

Note: If a student wants to use the personal data processed by the university for their thesis, they must sign a data processing agreement, as in cases where the university issues personal data to research institutions, students, or researchers outside the university.

  • a doctoral researcher employed as a junior research fellow processes data for preparing their doctoral thesis. Since a junior research fellow is a university employee, the purpose is university research, and the controller is the university. Personal data protection requirements arise from the employment contract concluded with the university and from internal rules; a data processing agreement is not required.

2.3.3. Agreements with partners in third countries

If research data are shared with partners outside the European Economic Area (EEA), for example in EU-funded programmes (Horizon Europe, etc.), international consortia or multilateral international cooperation, international data transfer requirements must be considered already at the planning stage. It is necessary to assess which technical and organisational measures are required to comply with them, and whether the transfer takes place in the role of a controller or a processor. This determines:

  • which data processing agreements are required;
  • which additional safeguards are needed (particularly, preparing a data protection impact assessment) before sharing the data;
  • who is responsible for informing data subjects and ensuring their rights;
  • who is liable for possible breaches.

If the university transfers personal data to a non-EEA country for which no adequacy decision has been issued, a research cooperation agreement or a data processing agreement alone is not sufficient. Such agreements regulate relations between the partners but do not constitute appropriate safeguards under the GDPR. According to the GDPR, additional safeguards must be applied, which, in practice, mainly means concluding the standard contractual clauses (SCC) adopted by the European Commission. These require the data recipient to implement EU-equivalent safeguards and grant the university contractual rights to exercise control, conduct audits, and respond to breaches.

SCCs must be applied if, during the research:

  • personal data are transferred to a partner in a country with an inadequate level of data protection;
  • cloud or IT services (e.g., analysis applications) are used, the provider of which is located in a country with an inadequate level of data protection;
  • data are analysed outside the EEA (e.g., recordings of data subjects are sent to experts in the USA for analysis).

Agreements with SCCs must always be concluded for transfers to the USA, India, China, Brazil, Ukraine, South Africa and Turkey. The official list of countries for which adequacy decisions have been adopted is available at https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en. Transfers to partners in countries on this list may be carried out under the same conditions as within the EEA. Note: As adequacy decisions are made for a specified period, it is always necessary to check their validity on the website referred to above.

If an agreement with SCCs is not concluded or other appropriate GDPR-compliant safeguards are not applied, the data transfer does not comply with the GDPR and may lead to a suspension of the data transfer and supervisory authority proceedings for the university (e.g., if the University of Tartu transfers personal data to a university in India, and no agreement with SCCs has been concluded).

The Personal Data Protection Act, which specifies the implementation of the GDPR in Estonia, including in the context of research, allows the processing of personal data for research purposes in certain cases without the data subject’s consent. However, this does not eliminate the requirement to comply with GDPR rules on international transfers. Therefore, even for research conducted without the data subject’s consent, an agreement with SCCs must be concluded with partners in countries with an inadequate level of protection.

An agreement with SCCs may not always be a sufficient safeguard. If personal data processing or transfer during research may involve a high risk to the data subject’s rights, a data protection impact assessment (see 2.15.3) must be carried out before transfer to determine:

  • what data are transferred;
  • how sensitive the data are;
  • the purpose of data processing;
  • whether data are encrypted or pseudonymised;
  • to what extent the recipient country’s data protection requirements align with those of the EU. For example, security agencies in the USA have extensive access to personal data, and so the European Commission has not issued an adequacy decision regarding the USA.

A data protection impact assessment is usually required if the research involves the processing of:

  • health, genetic, or other special category data;
  • data of vulnerable groups (e.g., patients, children);
  • new technologies (e.g., AI, big data);
  • data that are monitored systematically or over a long period.

More information about data protection impact assessment is available in clause 2.15.3, and, if necessary, the university’s data protection specialists may be consulted.