# Get going as a data controller

This guide aims to describe the steps to get you going as a data controller in HUNT Cloud.

The data processor agreement governs the privacy and security controls for your data in HUNT Cloud. Therefore, we need to ensure that this agreement is in place before we can move the other agreement types forward.

Good to know: there is no cost associated with the establishment of a data processor agreement, and we have solid templates available for a quick process. You can read more about the data processor agreements in the agreement section.

# 1. Is there already a data processor agreement in place between my organization and HUNT Cloud?

Ask inside your organization or contact us if you are unsure. If an agreement is already in place, you might skip this guide and move directly to the service center guide.

Depending on your organization, data processor agreements may be signed on various organizational levels. For example, your Department will be the internal data controller at NTNU.

# 2. Which agreement type do I need?

(2.1) Data processor agreements: This is the "normal" type that regulates situations where you and your organization control the data and define the purpose of the processing.

(2.2) Data sub-processor agreements: This is when the purpose of the processing is decided by an organization that is not your own, for example in contract research. The organization that controls the data may add requirements for privacy and security measures that we will need to incorporate in the sub-processor agreement.

Contact us if you are unsure about the agreement type needed or about approaches for joint-controller scenarios.

# 3. Which other agreement types outside HUNT Cloud may be required?

Do you plan to use data from external data providers? If you take on responsibility as the data controller, such transfers are often regulated in data export agreements or licenses that include requirements for information security. Contact us for compliance evaluations if you are unsure whether specified requirements are covered in our agreements or services.

Do you plan to onboard users from external organizations? We encourage lab users from different organizations to meet and collaborate in labs. Access for individuals outside your organization may require data processor agreements between your host organization and the organizations of your external collaborators. Contact your local privacy officer for advice.

# 4. Who should sign the data processor agreement?

This is the individual who is authorized to control data on behalf of your organization. This may range from top management via heads of departments to individuals in various organizational units. Ask your head of department or local privacy officer for guidance if needed.

NTNU

For NTNU, the internal "enighetsavtaler" are agreed with Departments, with the Head of Department as signatory.

# 5. Can we use HUNT Cloud's data processor templates?

Yes. We have agreement templates that are accepted by many organizations. These agreements comply with requirements in GDPR, ISO 27001 and Norwegian health laws. Utilizing these templates is a quick way to ensure compliance with most requirements. Request a copy, which you and your privacy officer can assess, in the data controller section of our service desk.

If yes, jump to the next section.

If no, your organization may provide other templates as long as they adhere to the above laws, regulations and standards. Discussions between two legal teams take time, so contact us as soon as you can for arrangements. Jump to the service center guide when the data processor agreement is signed.

# 6. Forward required processor agreement information to HUNT Cloud

We need a few bits of information to prepare your agreement template:

  • Download the "HUNT Cloud Data Processor Agreement Form" to your local machine (right click on the link and select "Save Link As...")
  • Open the text file in Notepad, Word or a similar application and supply the required information. Field descriptions are included in the "Clarification of the form fields" under the link above.
  • Save the text file on your local machine and send us a copy in our service desk.

NTNU

For NTNU, the Signatory official is your Head of Department, the Scientific contact person is your Deputy Head of Department for Research, and the Administrative contact is the department adviser that manages your privacy agreements.

# 7. Sign the agreement

We will send you the final agreement version by email as a PDF-file after we receive the required information. The final agreement needs to be signed by both parties to become active.

  • Coordinate signing with the signatory official in your organization and return the signed agreement to us by email.
  • We will add our countersignature and send you the active agreement for archiving.

Your data processor agreement is now signed, sealed and delivered. This is a good time for a humble celebration with fresh coffee before you continue with the service center guide.