UW Privacy Office

Data Processing Agreement

ON THIS PAGE:


Overview

Before launching any UW activity that involves sharing personal data with an external (non-UW) organization or contractor — from business processes to systems to surveys — your first step is to create a data processing agreement (DPA). A DPA outlines how you plan to use personal data and is especially important for clarifying the purpose and use of data as well as roles and responsibilities with an external organization or contractor.

The workflow on this page will lead you through the process. After that, the workflow will guide you in creating a data inventory about the purpose and use of personal data, determining whether the personal data you are using are high risk, and describing how you can make informed decisions about data processing.

While detailed, carefully following this process will save you time and effort in the long run, and ensure you are addressing compliance obligations that are related to personal data. The workflow is continually updated, so be sure to return here for the latest version.

If your anticipated data processing is high risk as described in Step 2, the UW Privacy Office can advise you. If your anticipated data processing is not high risk, please take advantage of the self-help resources, such as the “Glossary of Privacy Terms” used throughout the workflow.

Benefits

A DPA helps ensure you are upholding the UW’s Privacy Principles by:

  • Creating transparency about the purposes and parameters for personal data processing.
  • Documenting accountability between the UW and a third party (e.g., a non-UW entity, sponsor, affiliate, supplier, contractor).
  • Addressing laws and regulations that govern the protection of personal data.

Step 1: Inventory data processing

Starting in September 2022, inventory records for your third party, system, and business process must be created in the TrustArc Privacy Management Platform. The Data Inventory Hub in TrustArc helps clarify and document the nature, purpose, and use of data. It also helps you identify whether the data you are processing is considered high risk.

In preparation, please register and attend a TrustArc training and support session. In the meantime, you can proceed to the next step.

Step 2: Complete privacy assessment or Decision Support Tool

Starting in September 2022, the information entered in the TrustArc Data Inventory will help determine if your processing is considered high risk as described in this section. If it is, the Privacy Office may require you to complete a privacy assessment in TrustArc before you enter into an agreement with a third party. The assessment helps the UW evaluate the potential benefits and harms to individuals as well as the appropriateness of processing personal data. If your processing is not considered high risk, you may proceed with the Decision Support Tool.

High-risk data processing

The high-risk data processing categories are summarized in this section and described in more detail on the “High-Risk Data Processing” page.

  • Automated decision-making.
  • Evaluation or scoring.
  • Systematic monitoring.
  • Sensitive or personal data.
  • Large scale data.
  • Matched or combined datasets.
  • Data concerning vulnerable subjects.
  • Innovative use or new technology.
  • Interference with rights.
  • Risks to fundamental rights or freedoms of individuals.
  • Other likely high risks.

Privacy assessments

Starting in September 2022, high-risk data processing will be determined in TrustArc and will require a privacy assessment before you enter into an agreement with a third party. As part of the TrustArc workflow, you will be sent a privacy assessment to complete before you begin processing data. Once the assessment is complete, you may proceed to the next step.

Decision Support Tool

If the data processing is not considered high risk, you must complete the Decision Support Tool to determine the:

  • Identifiability of data as personal data.
  • Applicability and need for a DPA and/or Standard Contractual Clauses.
  • Your UW unit’s role in the data processing.
  • Third party’s role in the data processing.

Download DPA-SCC Decision Support Tool [DOCX]

Step 3: Engage appropriate office

Inform the appropriate contracting office (e.g., Procurement Services, UW Medicine Supply Chain Management, Office of Sponsored Programs, etc.) of your anticipated agreement involving personal data.

If the data processing does not involve an agreement facilitated by a central contracting office, then identify the person in your UW unit who may be able to assist you with your agreement.

Step 4: Understand intent and key terms

Review the following DPA summary so you are familiar with the intent and substance of each section of the DPA.

Introduction, Parties and Effective Date

Creates clarity as to the contracting parties and the role of the DPA in the larger contracting relationship.

Definitions

Gives meaning to terms that help UW articulate its privacy expectations, consolidate varying definitions in applicable laws, and address an evolving privacy landscape. Key features include:

      • The kinds of events or incidents that constitute a “Data Breach”;
      • A broad definition of personal data;
      • An inclusive term that captures the variety of activities relating to or operations performed on personal data (known as “Data Processing”); and
      • An individual’s request to exercise a privacy right available under applicable law (known as “Data Request”).

Standard of Care

Articulates a third party’s accountability for quality and sufficient personal data protection practices.

Purpose and Limits of Data Processing

Establishes that personal data may only be used to fulfill the specific purpose described in the DPA; prohibits secondary use of personal data; and when appropriate establish UW’s control of lawfulness, notice, and consent determinations.

Non-Disclosure and Data Requests

Requires the third party to keep personal data confidential and to assist UW in responding to individuals who exercise legal rights relating to their personal data (such as access, correction, limitation of use, erasure, etc.)

Compliance and Data Transfers

Helps ensure that the third party is aware of and adheres to the legal and regulatory requirements that relate to University or personal data that is being processed.  Also establishes a mechanism for cross-border data transfers from the European Economic area and/or Switzerland to the United States.

Safeguarding Data

Requires a third party to implement appropriate administrative, technical, and physical security measures to protect personal data.

Data Breach Response

Articulates how a third party should respond if it experiences a data breach. Also enables UW to determine how to best manage its compliance obligations and its communications with and/or support to individuals who entrusted UW with their personal data.

Disposition of Personal Data Upon Termination or Fulfillment of Purpose

Enables UW to determine what happens to personal data when it is no longer needed for data processing described in the DPA or when the underlying agreement (ex. a service contract) comes to an end.

General Terms

Creates contractual mechanisms to maintain the integrity of the DPA and clarify aspects of its use.

Description of Data Processing Exhibit

Requires the parties to the DPA to articulate certain details such as why personal data is included in data processing; what data processing activities will take place; and what specific personal data will undergo data processing.

Step 5: Download and use DPA

Review the following information to identify the appropriate DPA for your relationship with the third party.

DPA for controller-to-processor relationship

A DPA for UW as a controller and third party as a processor also referred to as controller-to-processor or C-to-P, is required when a UW unit:

  • Makes decisions about the purpose and means for processing personal data.
  • Engages a third party for data processing, such as sharing, storing, or providing access to personal data.

Download Controller-To-Processor DPA [DOCX]

DPA for controller-to-controller relationship

A DPA for a controller-to-controller relationship, or C-to-C, is required when a UW unit and the third party both make decisions about the purpose and means for processing personal data. Contact us at uwprivacy@uw.edu to request the Controller-to-Controller DPA.

Populate the placeholders

Populate the bracketed placeholders that appear throughout the DPA.

In the Description of Data Processing Exhibitor “Exhibit” at the end of the DPA, identify the:

  • Nature of and purpose for the data processing (Exhibit, Section 1).
  • Categories of individuals to which the third party’s data processing will relate (Exhibit, Section 2).
  • Types of personal data (Exhibit, Section 3).
  • Name, title, mailing address, email address and phone number for the UW contact person (Exhibit, Section 5).

Template Modifications

Note: The UW Privacy Office strongly advises against using third-party templates, or modifying or negotiating the UW DPA templates, unless you have or engage privacy or legal expertise. Using the third-party provided template may not address the UW’s legal obligations. In addition, reviewing, assessing, and negotiating such templates delays the overall process. The UW Privacy Office can assist UW units with data processing when the data is high risk.

Step 6: Download and use Standard Contractual Clauses

Standard Contractual Clauses (SCCs), which may accompany a DPA, are terms and conditions that apply only to transfers of personal data from the European Economic Area and Switzerland to certain countries, such as the United States, that do not have laws that protect personal data in comparable ways. These clauses are applicable when data processing involves such transfers. Along with other restrictions, the SCCs have specific requirements for onward transfers of data.

The SCCs are issued by the European Commission and can be modified only as specifically directed. UW units that use the SCCs may populate only the highlighted placeholders.

SCCs 1.0

For agreements signed on or before September 26, 2021, the SCCs 1.0 will remain in effect until December 27, 2022. Do not use the SCCs 1.0 after September 27, 2021.
Download SCC 1.0 [DOCX]

SCCs 2.0

For agreements signed on or after September 27, 2021, the SCCs 2.0 are required by the European Commission.
Download SCC 2.0 [DOCX]

Step 7: Navigate third party revisions

Review and ask the third party — on your own, or through your contact in the central contracting office — about the reasoning behind their proposed modifications to the agreement. Their response may inform your decision making about the risks associated with the proposed modifications.

If the third party is unwilling to accept the DPA or SCCs, you are responsible for ensuring that equivalent terms and conditions are included in the agreement in order to address the privacy and data protection requirements that apply to the UW. If your agreement does not include the DPA or SCCs, or equivalent terms and conditions, your UW unit is responsible for the privacy risks, such as costs of non-compliance.

The individual named in the DPA and SCCs is responsible for the risks related to the data processing and the DPA and SCCs and for accepting or rejecting the third party’s proposed modifications.

The FAQs section addresses common revision questions.

Step 8: Finalize the DPA

If you are working with a central contracting office, follow your contact person’s instructions to finalize the DPA. The person with delegated authority to sign privacy-related agreements for your UW unit signs the DPA.

Vice presidents, vice provosts, deans, chancellors, and other individuals with delegated executive authority are responsible for risks, compliance obligations, budgets and financial costs associated with privacy in their organizational areas. Accordingly, these individuals, or their designees, are responsible for the DPA.

Store the finalized agreement in a secure location in accordance with applicable records retention schedules. Starting in September 2022, you will add your agreements with privacy terms and conditions, such as the DPA, as an attachment in the TrustArc Privacy Management Platform.

Please register and attend a TrustArc training and support session.

Step 9: Manage third-party relationship

Before sharing any personal data with the third party, ensure the personal data requested by, or being provided to, the third party aligns with the personal data identified in the final DPA and Description of Data Processing Exhibit.

If the relationship and data processing changes over time, work with the third party to update or create a new Exhibit that describes the change to the nature of and purpose for data processing, categories of data subjects, and/or types of personal data.

FAQs

Is it possible to waive the Data Processing Agreement when contracting with a third party?

Not if the decision support tool indicates that one is needed. When the criteria on the Data Processing Agreement (DPA) and Standard Contractual Clauses (SCC) Decision Support Tool require a DPA, a DPA or equivalent terms must be put in place.

Can a third party destroy personal data rather than transfer it to the UW when the purpose for processing is fulfilled or the underlying contract is terminated?

A third party may not destroy personal data and must return it to the University. UW units are required to retain records in accordance with applicable UW Retention Schedules. Accordingly, the UW must determine when that data has reached the end of its legally approved records retention schedule and how to completely purge the data.

What should happen if the information in the Description of Data Processing Exhibit changes over time?

It should be updated. UW units are responsible for working with their third party to update or create a new Exhibit whenever the nature of and purpose for processing, categories of data subjects, and/or types of personal data change.

What do I do if a potential third party resists or refuses to enter into a DPA?

The UW unit should ask the third party why they are refusing and explain that the DPA reflects the numerous laws and regulations that may apply to the UW. UW DPAs will likely (a) address the UW’s unique compliance needs more meaningfully than a third party’s own privacy terms and conditions, and (b) result in more consistent and predictable third-party engagements across the UW with respect to privacy. For these reasons, UW units should always utilize the DPA first.

If a potential third party opposes having any privacy terms or conditions governing its provision of services to the UW, the UW unit may need to find a different third party. UW units cannot allow third parties to process personal data when that processing is not governed by privacy terms and conditions.

If a potential third party refuses to enter into a DPA because privacy commitments are addressed in another agreement (e.g., the underlying service agreement or another data processing agreement), UW units are responsible for ensuring that the alternate agreement provides the same level of protection as the UW DPA.

A potential third party’s published privacy notice — sometimes also referred to by a third party as a privacy statement or privacy policy — and terms of service is not equivalent to and cannot replace a DPA or other agreement with equivalent terms and conditions between UW and the third party.

What do I do if a potential third party mistakenly insists that its services do not involve personal data processing?

Clarify with the third party that personal data processing includes any automated or manual operation performed on personal data, such as collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, access, use, disclosure by transmission, dissemination, combination, restriction, or destruction.

If a potential third party insists that storing personal data, including in its cloud solution, does not constitute processing, explain that storage constitutes an operation performed on personal data. This is true even if the potential third party will not view, reference, or retrieve the stored personal data.

If a potential third party insists that the de-identification or anonymization of personal data does not constitute processing, explain that both practices involve adaptation and alteration (i.e., operations performed on personal data). While such adaptation and alteration may result in data that no longer relates to an identified or identifiable person, it constitutes personal data processing.

What do I do if a third party strikes the European Union General Data Protection Regulation (EU GDPR) specific language in the DPA because personal data processing will not include data that are governed by the European Union?

The compliance language in the DPA indicates that a third party shall conduct all work and data processing in full compliance with all applicable statutes, regulations, rules, standards, and orders. Further, the specific laws listed in the DPA are illustrative and may not apply depending on the nature of the third party’s actual processing.

As written, the DPA does not require third parties to comply with legal obligations that do not relate to the actual processing. For this reason, modifications are not needed, and the European Union General Data Protection Regulation-specific language should not be stricken.