Various roles are defined within the AVG when processing personal data. The most important roles are: controller, joint controller and processor.
Since controllers and processors have different responsibilities and obligations, it is important that these roles are clearly defined at the start of the investigation.
The data controller determines the purpose and of the processing means. The mere provision of research funding (eg by FWO, the European Commission, etc.) is not sufficient to be a controller in the context of research. In this case, the university remains the controller.
Although the university, as a legal entity, is the controller, there is a shared responsibility with the researchers. For example, researchers within their own research projects are responsible for thoroughly considering the privacy aspects and complying with the legal obligations of the GDPR.
With joint controllers , the purpose and resources are determined by two or more organizations or institutions. For example, research carried out within an (international) consortium is included. In this situation it is important that the various controllers establish in a transparent manner who is responsible for providing information to the data subjects and for exercising the rights of the data subjects (see 2.8).
Finally, an organization can also be a processor . In this case, an organization processes personal data on behalf of another organization. Contract research commissioned by private companies or some types of policy-relevant research can fall under this. Within a research project it can also happen that researchers call on processors to collect, process, store or make personal data available. Agreements between controller (s) and processor (s) or between processors and sub-processors are recorded in a processor agreement (see 2.8).
« Ga terug
Powered by Help Desk Software HESK, brought to you by SysAid
Bezig met laden kennisbank...