November 17, 2021
Data Privacy & Sponsored Programs
Information on Third Party Data Processing and the European Union (EU) General Data Protection Regulation (GDPR) as they impact sponsored programs.
Third Party Data Processing
The UW Privacy Office requires Data Privacy Agreement terms when:
- The UW makes decisions about the purpose and means for processing personal data; and
- The UW engages a third party for data processing, such as sharing, storing, or providing access to personal data; or
- The UW and a third party both make decisions about the purpose and means for processing personal data.
There are a variety of scenarios and types of agreements where a sponsored program could involve the UW sharing personal data with a third party. A third party can be a sponsor, a collaborator, or a subrecipient. These agreement types can include a sponsored research agreement, data use agreement, or an outgoing subaward. Some collaboration agreements may also include terms related to personal data sharing.
At the earliest point, let OSP know if your sponsored program involves sharing personal data.
UW Privacy Office Data Registry
The Privacy Office hosts a Registry of personal data processing activity.
When personal data are shared, the Privacy Office requires the individual within the UW unit responsible for the relationship with the third party to register. Refer to the Privacy Office Registration requirements for more information.
European Union (EU) General Data Protection Regulation (GDPR)
The European Union (EU) General Data Protection Regulation (GDPR) limits when and how organizations worldwide can collect, store, use, or otherwise process personal data broadly related to persons residing in the European Economic Area (EEA). It also provides individuals with certain rights regarding their personal data, such as the right to be informed, to make choices about personal data processing, to access personal data, and in some cases, to delete personal data, as well as other rights. Learn more on the EU GDPR from the UW Privacy Office.
EU GDPR Standard Contractual Clauses
Effective September 27, 2021, the EU Commission mandated a set of updated Standard Contractual Clauses (SCCs). These SCCs apply to all personal data transfers from controllers or processors in the European Union/European Economic Area (EU/EEA), or from entities otherwise subject to the GDPR, such as controllers or processors established outside the EU/EEA (for example, controllers or processors in the US).
When Do SCCs Come Up?
SCCs may come up in sponsored program agreements when a sponsor or collaborator is sharing personal data that are subject to EU GDPR with the UW.
SCCs involve providing detailed information related to:
- the categories of data subjects or data types,
- nature of the processing,
- who is serving as controller versus processor,
- and organizational and technical measures set up by the PI and department to protect personal data.
What does this mean for Sponsored Programs?
When SCCs are part of or accompany a sponsored agreement, OSP must place the sponsored agreement on hold while the PI completes the details.
The PI should at a minimum seek assistance from their IT or department administrator, and guidance from the UW Privacy Office. Additionally, help may be needed from an outside consultant.