Content of the contract
Data privacy agreement in the Graduate Study Cooperation Project (KOAB)
A contractually defined and legally binding agreement exists between the Institute for Applied Statistics and the universities as to how the results of the graduate surveys are handled. The agreement in question is as follows:
Section 3 Joint controllers
3.1 In the context of executing the Graduate Study Cooperation Project (KOAB), the university and ISTAT are joint controllers in accordance with Art. 26 GDPR.
3.2 Description of duties for KOAB: ISTAT coordinates a research project in the German-speaking area. The university supports this research project by means of an address referral process. In addition, ISTAT integrates university-specific elements into the KOAB questionnaires on behalf of the university and creates a university-specific data set. Moreover, ISTAT draws up university-specific and also cross-university (all participating universities) statistical evaluations. The university uses the data and evaluations supplied by ISTAT for its internal quality management. ISTAT uses the data to draw up scientific evaluations and provides publicly available research results on the basis of the data (without reference to individual universities).
3.3 Purpose and means of the data processing in the KOAB: For the university, the purpose of the data processing is contact with its graduates so that these can take part voluntarily in the KOAB survey. In doing so, the university draws on the address database that already exists in the university and uses this data to support the research project (KOAB). When participating, the graduates consent at the beginning of the survey to the survey data being transferred to the university for the purposes of quality management. The university handles the data and evaluations in accordance with this strict purpose. ISTAT uses the collected data to compile cross-university scientific reports, for scientific publications, to generate scientific-use files and for the services contractually agreed between the participating universities and ISTAT.
3.4 Process: The joint controlling that exists in the context of KOAB can be broken down into the respective responsibilities as described below:
- Creation of access codes (as margin) by ISTAT
- Transfer of access codes by ISTAT to the university
- Selection of participants by the university
- The university writes to the graduates and sends out randomly selected access codes. The names and addresses of the graduates remain unknown to ISTAT
- The survey data is collected on the ISTAT server
- Evaluation and analysis conducted in ISTAT
- Transfer of the statistical evaluations and a university-specific data set to the university by ISTAT
- In-depth interpretation and evaluation within the university
3.5 Obligations of the university
The university itself bears responsibility for the internal process of the survey, in particular the sourcing of the graduates’ addresses. To this end, the university should coordinate the steps of the address research and invitation process with the on-site data protection officer. It must be ensured that the personal data is stored in a way that is secured against access, that a deletion date is set for the address databases and that this date is also complied with. In addition, the university informs the invitees that the collected data will be used both for research purposes and for the university’s quality management and that the graduates are invited as part of the Graduate Study Cooperation Project (KOAB) coordinated by ISTAT. The university also undertakes to perform only such evaluations whereby it is not possible to identify individual graduates.
Beyond the obligations arising directly from the GDPR for the university as controller, from which it is not released in the framework of the joint controller arrangement, the university is obligated as follows in the context of the invitation process:
- A responsible contact partner must be named in the invitation communication.
- The purposes for which the data is processed must be specified; here, these are the invitation to take part in a research project and quality management as well as the development of study programmes within the university.
- The legal bases for the processing are to be specified; these are, for example, the evaluation regulations and/or relevant state legislation.
- The duration for which the personal data is saved (for the duration of the invitation process and/or the field phase (1 January of the first project year until July of the second project year)) as well as the implementation of corresponding deletion dates must be specified.
- The right to information from the controller about the personal data in question as well as to correction or deletion or to a restriction of the processing or a right to object to the processing as well as the independent processing of such requests by the data subject must be specified. If the exercise of the aforementioned rights involves processing by ISTAT as part of the survey process, the university shall immediately forward these requests to ISTAT for independent processing. The parties shall support each other, where necessary, in the processing of the data subjects’ requests within the deadlines.
- The right to complain to a supervisory authority must be indicated.
- The voluntary nature of participation in the survey must be made clear.
- The university guarantees that the invitation process is represented in the record of the processing activities.
- Data breaches in the context of the invitation process must be reported.
- The university is liable for damage incurred in the execution of the invitation process and is responsible for settling any claims for compensation that arise.
The university is liable as follows in the context of the data processing undertaken within the university:
- Maintaining data privacy. The university recognises that it is not permitted to merge the anonymous survey data with personal data.
- The university shall not use the data sets provided to it to undertake any evaluation suitable for making individual persons identifiable.
- The university guarantees that the data analysis process is represented in the record of the processing activities.
- Data breaches in the context of the evaluation process must be reported.
- The university is liable for damage incurred in the data processing within the university and is responsible for settling any claims for compensation that arise.
3.6 Obligations of ISTAT
Beyond the obligations arising directly from the GDPR for ISTAT as controller, from which it is not released in the framework of the joint controller arrangement, ISTAT is obligated as follows in the context of the survey process:
- A responsible contact person must be named in the context of the online survey. This may, at the request of the university, also be a university employee, who thus undertakes to report all data privacy-related matters to ISTAT.
- The purposes for which the survey data is processed must be indicated (scientific evaluation by ISTAT and the transfer of the survey results to the university for the purposes of developing study programmes and of quality management).
- The legal basis of the processing must be specified. Since this involves voluntary consent, the voluntary nature of participation in the survey must be made clear.
- The right to information from the controller about the survey data in question as well as to correction or deletion or to a restriction of the processing or a right to object to the processing as well as the independent processing of such requests by the data subject must be specified. If the exercise of the aforementioned rights involves processing by the university, ISTAT shall immediately forward these requests to the university for independent processing. The parties shall support each other, where necessary, in the processing of the data subjects’ requests within the deadlines.
- The right to complain to a supervisory authority must be indicated.
- ISTAT guarantees that the data collection process is represented in the record of the processing activities.
- Data breaches in the context of the data collection process must be reported.
- ISTAT is liable for damage incurred in the execution of the survey process and is responsible for settling any claims for compensation that arise.
ISTAT is obligated as follows in the context of the data analysis carried out in the KOAB project and in the creation of university-specific analyses:
- ISTAT shall not use the data sets provided to it to undertake any evaluation suitable for making individual persons identifiable.
- ISTAT shall maintain a processing log for the data analysis process.
- Data breaches in the context of the data analysis process shall be reported.
- ISTAT is liable for damage incurred in the execution of the data analysis process and is responsible for settling any claims for compensation that arise.
3.7 The contractual parties shall inform each other, immediately and in full, if errors or irregularities with regard to data privacy regulations are detected during the auditing of the processing activities.
3.8 Both contractual parties are responsible for the notification and communication obligations arising from Art. 33, 34 GDPR vis-à-vis the supervisory authorities and the data subjects affected by a breach of the protection of their personal data, each for their respective sphere of activity. The parties inform each other immediately about the notification of the supervisory authorities about the breach of the protection of personal data and immediately forward the information necessary for the notification to the other respective party.
3.9 The contractual parties record the processing activities in the processing log pursuant to Art. 30 paragraph 1 GDPR and in particular with a note as to the nature of the processing procedure in joint or sole responsibility. If a data protection impact assessment pursuant to Art. 35 GDPR is required, the parties shall mutually support each other.
3.10 Without prejudice to the provisions of this agreement, the parties are liable for damage caused by processing carried out in non-compliance with the GDPR, in the external relationship jointly vis-à-vis the data subjects. In the internal relationship, the parties are liable, without prejudice to the provisions of this agreement, only for damage incurred within their respective sphere of activity.
3.11 As joint controllers for the processing, the contractual parties are jointly responsible for the determination of the required technical and organisational measures pursuant to Art. 32 GDPR and their adjustment. The parties determine the security measures for their own sphere of activity.