Sharing data processing responsibilities with a third party creates a risk that needs to be managed. Some third parties help you manage this risk through insurance. They could use certification systems to support insurance that can also be useful. Contracts are avoidance guarantees that guarantee the validity of other insurance. That`s why it`s so important to sign contracts from your own organization, through UCL`s purchasing services and third parties. Any use of personal data that is not defined by the data manager is illegal, so you should not rely on a data processor`s guidelines for policies and procedures. If you are acting as a data processing processing, you should also follow the data manager`s policies and procedures for processing personal data and, if this is not possible, seek advice from the person in charge of the processing. Organisations operating within the European Economic Area (EEA), which include the United Kingdom or some of the other countries mentioned in this regulation, are subject to the General Data Protection Regulation. If you enter into an agreement with an organization in which processes will be carried out exclusively within those countries, you can expect your data processing contract to be enforced by that jurisdiction.
It`s really important that you don`t expect this without checking if there is a data processing agreement with your service provider. Your service provider probably won`t ask you if you want to negotiate a data processing contract with them! In most cases, they will be satisfied with a basic licensing agreement that will require you to pay for the service. Sometimes these agreements give the supplier a lot of room to pass on customer data to third parties. If this happens, you have completely lost control of your data and this should be reported as an incident. The proper anonymization of the data is generally, but not always, acceptable to share with a third party, provided that this is done under the UCL Directive, safely and in cases where there is no link with the identifiable person concerned. However, data may be limited by a contract, whether or not it is personal data, so that restrictions by data providers may restrict the freedom of use of third parties in practice. Search service providers are generally transcrifors, survey tools and database services. Some may promote the safety of their services as primaries. In fact, they are data-processing organizations, but they play no role in determining the purpose of processing personal data: “data processing.” This recommendation also applies to pseudonyms. There may be a good reason to use a third party for which UCL is responsible for data to perform certain tasks, as long as you have a legal basis.
When an agreement with a third party on the processing of personal data, a contract with specific clauses for the processing of personal data, a “data processing agreement” (see “Data Processing” here) is required. As an organization, UCL has staff who can help negotiate these contracts through procurement services.