[Extendt2_omt] Re: Exten.D.T.2 Project_Joint Data Controller Agreement_draft agreement for comments by 24 November

Dear Shamim, Find below the comments from the NKUA Data Protection Officer regarding the Joint Data Controller Agreement document * The reference to the Consortium Agreement (paragraph 1 of the Background) does not provide a clear description of the personal data categories or sensitive personal data that will be processed, the categories of persons, the purpose and nature of the processing (which actions and procedures of the project include processing of personal data and what it consists of) that each partner will process. These could be included in an annex * Since there is data exchange, the partners could be separated into data providers and data receivers, possibly specifying obligations for the latter, such as some additional technical and organisational measures they have to take or more generally when transferring and transmitting information (possibly in a second annex). An attempt is made in the text but from the wording it seems that there is some ambiguity ( e.g. in 4.3, 5, 6.3 which is the other Party?). * In the sentence of the Background section: '/The Parties agree and acknowledge that it is rarely possible, before or at the start of personal data collection for research purposes, to completely identify the aim of such personal data processing. However,the Parties shall not, as far as possible, process personal data to a greater extent or for other purposes than stated in the primary agreement/" we propose to make the corresponding deletion in the text because both the retrospective data and the prospective data of the project must  be collected for specific and legitimate purposes and must always be processed lawfully ( Articles 6(1) and 9(2) of the GDPR) otherwise they are unlawful. * If during the project it is envisaged to use third parties as contractors who will process personal data (processors), it would be appropriate to describe obligations for Controllers such as the existence of personal data processing contracts based on standard contractual clauses or minimum technical and organisational measures to be met, taking into account the nature of the processing they undertake. * Upon termination of the contract, for whatever reason, there may need to be provision for the return or deletion of the data by the data receiver. * If all the provisions we mention are described in the required manner in the consortium agreement, or in deliverables, and you do not wish to include them in the JDCA text, there could be explicit references to them. Best, Marianthi Στις 10/11/2022 12:11 μ.μ., ο/η Shamim Patel έγραψε: -- Marianthi Grizioti (PhD) Post-doc researcher & software developer /Educational Technology Lab (ETL) <http://etl.eds.uoa.gr/> / /Department of Educational Studies/ /National and Kapodistrian University of Athens, Greece/ Research Gate <https://www.researchgate.net/profile/Marianthi_Grizioti> | Academia <https://en-uoa-gr.academia.edu/MarianthiGrizioti>| LinkedIn <https://www.linkedin.com/in/marianthi-grizioti-b0394038/> -- Αυτό το email έχει ελεγχθεί για ιούς από το Avast antivirus. www.avast.com