Personal Data Processing Agreement (PUBA)
A personal data processing agreement (PUB agreement) must be signed when an external party processes data on behalf of Mid Sweden University. The agreement ensures compliance with the General Data Protection Regulation (GDPR) and the University’s information security requirements.
When is a DPA agreement required?
A personal data processing agreement is required when an external party processes personal data on behalf of Mid Sweden University and in accordance with the university's instructions. This is typically relevant when using IT systems, cloud services or when consulting services involve personal data being processed.
A common example is when a supplier provides a system where personal data is stored or processed on behalf of the university. In these cases, Mid Sweden University is the data controller and the supplier is the data processor.
When is it not required?
A DPA agreement shall not be signed if the receiving party itself determines the purpose and means of the processing, i.e. is an independent data controller. This applies, for example, to other authorities or partners that process personal data in their own operations.
An agreement is also not needed when the data is anonymised or when the processing is carried out for the recipient's own purposes. In some collaborations, it may instead be relevant to regulate the division of responsibilities through an agreement on joint personal data responsibility.
Who can sign a contract?
Personal data processing agreements may only be signed by an authorized representative according to Mid Sweden University's delegation of authority. This means that individual employees or project managers may not enter into such agreements themselves without special delegation.
What needs to be done before signing an agreement?
Before a DPA agreement is drawn up, the business needs to establish the purpose and scope of the processing. There must also be a legal basis for the processing.
Furthermore, an assessment must be made of the risks associated with the processing. In some cases, it may be necessary to carry out an impact assessment (DPIA). The supplier's technical and organisational security measures need to be reviewed, and if personal data is transferred to a country outside the EU/EEA, this must be handled in accordance with applicable regulations.
Once these parts have been investigated, a data processing agreement must be drawn up. In procurements where personal data will be processed, the procurement function must be involved at an early stage. They ensure that data management requirements and data processing agreements are handled correctly within the procurement process.
Use Mid Sweden University's template for PUB agreements in the first instance.
Requirements for the contract
A DPA agreement must clearly regulate how personal data may be processed. Among other things, it must be clear what instructions apply to the processing, what security measures are to be applied and how confidentiality is to be ensured.
The agreement also needs to contain provisions on any sub-processors, how personal data breaches are to be handled and what is to happen to the personal data when the agreement ends, such as deletion or return.
In some situations, it may be necessary to use another party's contract template, such as a supplier's standard agreement. In such cases, the agreement must always be reviewed and, if necessary, supplemented to ensure that it meets both the requirements of the General Data Protection Regulation and the University's information security requirements.
Record keeping
Data processing agreements are public documents and must therefore be registered. They must be saved together with the associated main agreement and be possible to follow up during an audit.
It is the responsibility of each business to ensure that the agreement is registered and managed in accordance with applicable procedures.
Template and documents
Template for data processing agreement
Use Mid Sweden University's template when drawing up a PUB agreement.
In cases where another template is used, it must always be reviewed from a legal and information security perspective.
Support
For support in assessments, review of agreements or issues related to personal data processing, you can turn to the University's Legal and Data Protection Function or the Information Security Function.
Quick Verdict
External party processes personal data for us → Yes
We decide why and how → Yes
➡️ A PUB agreement must be signed