# Data processor agreement

The data processor agreement in HUNT Cloud sits at the top of our agreement hierarchy because it regulates one of the most important assets in digital science: your trustworthiness towards your research participants (data protection and data privacy).

# About

In short, the data processor agreement defines that your organization owns the data that you upload and generate in HUNT Cloud. It also specifies the privacy and security controls that are to be in place to protect your data.

The data processor agreement allows your research to be compliant with the Data Protection Directive from the EU (GDPR) and relevant Norwegian laws and regulations, including partial compliance with the Norwegian «Norm for informasjonssikkerhet».

All other agreements with your organization are formally incorporated into the data processor agreement as attachments.

# Attachments

The following documents are attached to the agreement:

  • Purpose of the processing
  • List of individual processing activities (data spaces and labs)
  • "Avgrensning mot Helsenormen" (Norwegian health law)
  • Security measures
  • Contact list
  • Subcontractor list

# Signatories

The data processor agreement is formally agreed between your host organization, which controls your data (data controller), and our host institution, which processes the data on your behalf (data processor).

Your signatory will be the individual who is authorized to control your data on behalf of your organization. This may range from top management via heads of departments to individuals in various organizational units.

For NTNU, we recommend Heads of Department as signatories on our internal data processor agreements (see 'enighetsavtale' below).

Our signatory will be the Head of Department at our department, the Department of Public Health and Nursing at the Faculty of Medicine and Health Sciences, NTNU.

# Agreements within NTNU

Data processor agreements are agreed between enterprises. This means that we cannot sign data processor agreements between NTNU departments.

To allow for documented security measures, we have therefore developed a Memorandum of Understanding (MoU) for internal data processing that we call "enighetsavtale". We sign these at the department level.

The document clarifies the same rights and protections as our regular processor agreement, with one exception: disputes will be resolved with binding effect by NTNU's management, with our Rector as the last instance.

# Data subprocessor agreement

Sometimes you may be processing data on behalf of others. This is the case when the processing purpose is defined by an organization other than your host organization (contract research).

To illustrate, this may be the case if you provide analytical expertise to a project that is controlled/managed by another organization, and you want to transfer their data to your lab to take advantage of your established tools and resources.

In such circumstances, your data provider may be the "data controller" and you may be the "data processor". If so, HUNT Cloud may be the "data subprocessor" (data underbehandler). We have dedicated agreement templates for such setups, which get defined under "Agreement type" in the agreement form fields (see required information above).

Contact us if you are unsure which of the two agreement types fits your processing needs.

# Custom processing templates

Your host organization may prefer to use its own data processing agreement template. This is fine with us as long as the template is compliant with the requirements set forth in GDPR, other relevant laws, and ISO 27001 and 27701, and as long as we are able to comply with your organization's security requirements.

Note that such templates will need involvement from legal teams on both sides. Contact us for time estimates of such arrangements.

Last Updated: 9/27/2023