UW Privacy Office


Personal Data Processing Agreement and Resources


Personal Data Processing Agreement

The Personal Data Processing Agreement (PDPA) helps uphold UW’s values and principles related to privacy and addresses laws and regulations that govern the protection of personal data. The PDPA also establishes the purpose and parameters for data processing and clarifies roles and responsibilities between the UW and a contractor.

The PDPA is required when a UW department or unit:

  • Makes decisions about the purpose and means for processing personal data; and
  • Engages a third party for data processing, such as sharing, storing, or providing access to personal data.

The UW Privacy Office does not recommend modifying or negotiating a PDPA unless you have or engage appropriate privacy or legal expertise. The UW Privacy Office provides assistance as described in and by way of the PDPA Support Request Form.

Download PDPA (docx)


Standard Contractual Clauses

Standard Contractual Clauses (which may accompany a PDPA) are terms and conditions that only apply to transfers of personal data from the European Economic Area and Switzerland to certain countries (such as the United States) that do not have laws that protect personal data in comparable ways. The PDPA makes these Standard Contractual Clauses applicable when a contractor’s data processing involves such transfers. These Standard Contractual Clauses are issued by the European Commission and cannot be modified. UW departments and units that use the Standard Contractual Clauses may only populate the highlighted placeholders.

Download Standard Contractual Clauses (docx)

Resources

The self-help resources below are available to educate and guide UW departments and units. These resources may be improved and updated over time. We encourage you to come back to this webpage and use the published versions of these resources rather than saving copies of them.


Checklist

The PDPA Checklist guides departments and units step-by-step through the proper use of the PDPA.

Download PDPA Checklist (docx)


Summary

The PDPA summary below describes, at a high level, the intent and substance of each section of the PDPA.

Introduction, Parties and Effective Date

Creates clarity as to the contracting parties and the role of the PDPA in the larger contracting relationship.

Definitions

Gives meaning to terms that help UW articulate its privacy expectations, consolidate varying definitions in applicable laws, and address an evolving privacy landscape. Key features include:

  • The kinds of events or incidents that constitute a “Data Breach”;
  • A broad definition of personal data (known as “University Personal Data” or “UPD”);
  • An inclusive term that captures the variety of activities relating to or operations performed on UPD (known as “Data Processing”); and
  • An individual’s request to exercise a privacy right available under applicable law (known as “Data Request”).

Standard of Care

Articulates a contractor’s accountability for quality and sufficient personal data protection practices.

Purpose and Limits of Data Processing

Establishes that personal data may only be used to fulfill the specific purpose for which UW engaged a contractor; prohibits a contractor’s secondary use of personal data; and establishes UW’s control of lawfulness, notice, and consent determinations.

Non-Disclosure and Data Requests

Requires a contractor to keep personal data confidential and to assist UW in responding to individuals who exercise legal rights relating to their personal data (such as access, correction, limitation of use, erasure, etc.).

Compliance and Data Transfers

Helps ensure that the contractor is aware of and adheres to the legal and regulatory requirements that relate to University Personal Data that is processed by a contractor on UW’s behalf. Also establishes a mechanism for cross-border data transfers from the European Economic Area and Switzerland to the United States.

Safeguarding Data

Requires a contractor to implement appropriate administrative, technical, and physical security measures to protect personal data.

Data Breach Response

Articulates how a contractor should respond if it experiences a data breach. Also enables UW to determine how to best manage its compliance obligations and its communications with and/or support to individuals who entrusted UW with their personal data.

Disposition of UPD Upon Termination or Fulfillment of Purpose

Enables UW to determine what happens to personal data when it is no longer needed for data processing by the contractor or when the underlying agreement (e.g., a service contract) comes to an end.

General Terms

Creates contractual mechanisms to maintain the integrity of the PDPA and clarify aspects of its use.

Description of Data Processing Exhibit

Requires the parties to the PDPA to articulate certain details such as why personal data is included in data processing; what data processing activities will take place; and what specific personal data will undergo data processing.


Privacy Impact Assessment for PDPA Modifications

The Privacy Impact Assessment for PDPA Modifications helps departments and units make informed decisions about a contractor’s proposed modifications to the PDPA by documenting and assessing if and how the modifications:

  • Impact individuals’ privacy; and/or
  • Introduce risk for UW.

Download Privacy Impact Assessment for PDPA Modifications (docx)

Glossary of Privacy Terms

The UW Privacy Office Glossary of Privacy Terms introduces and defines terms used throughout this and other areas of the website. See the Glossary of Privacy Terms webpage.


PDPA Training

The UW Privacy Office provides PDPA training twice per month for UW personnel who need to learn to use the PDPA and related resources. See the UW Privacy Education webpage for the PDPA training schedule.


PDPA FAQs

The Privacy FAQs webpage includes answers to frequently asked questions (FAQs) about the PDPA.


Support Request

The PDPA Support Request Form is for UW departments and units to seek assistance from the UW Privacy Office in connection with:

  • Understanding and using the PDPA resources;
  • Populating placeholders in the PDPA or the Description of Data Processing Exhibit; or
  • Assessing a contractor’s proposed modifications when the contractor’s anticipated data processing involves two of the following:

      + Special categories (such as information relating to minors, older adults or seniors, criminal offenses, citizenship and/or immigration status, race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data used to identify a natural person, health, sex life, or sexual orientation);
      + Personal data contained in or relating to approximately 30,000 or more records or individuals, respectively, over the lifetime of the data processing; or
      + Data processing that individuals would consider intrusive or would not have reasonably expected at the time they first entrusted their personal data to the UW.

Request assistance from the UW Privacy Office through the Support Request Form. (Please note: you must authenticate and be logged in to UW Google G Suite for Education to complete this Google-based Support Request Form.)