What is a Data Processor Agreement?
When UiO uses external data suppliers to process personal data, a data processor agreement must be made between UiO and the data supplier.
In all cases, the relationship between UiO as data controller and the external data supplier, the data processor, shall be regulated in a data processor agreement. This is regulated by The Personal Data Act section 13, cf. section 15.
An external data supplier, the data processor, cannot process the personal data of employees, students, guest researchers, guests or respondents/informants at UiO in a manner other than what is agreed in writing with UiO in the data processor agreement. UiO, as data controller, shall ensure that the data processor has a sufficient security level, cf. Personal Data Act, section 15. This is done by conducting a risk and vulnerability analysis.
NOTE: If UiO is data controller, the risk and vulnerability analysis must be completed before the agreement is valid. Contact the data controller at firstname.lastname@example.org if you have any questions.
UiO has its own templates for data processor agreements:
Remember that the data processor agreement must be signed by an authorised signatory.