Data Privacy & Sponsored Programs

Member for

11 years 8 months
Submitted by stonewil on

We are sharing some information on Third Party Data Processing and the European Union (EU) General Data Protection Regulation (GDPR) that impact sponsored programs.

Third Party Data Processing

The UW Privacy Office requires Data Processing Agreement (DPA) terms when:

  • The UW makes decisions about the purpose and means for processing personal data; and
  • Engages a third party for data processing, such as sharing, storing, or providing access to personal data; or
  • The UW and a third party both make decisions about the purpose and means for processing personal data.

There are a variety of scenarios and types of agreements where a sponsored program could involve the UW sharing personal data with a third-party. A third-party can be a sponsor, a collaborator, or a subrecipient. These agreement types can include a sponsored research agreement, data use agreement, or an outgoing subaward. Some collaboration agreements may also include terms related to personal data sharing.

UW Privacy Office Data Registry

The Privacy Office hosts a Registry of personal data processing activity.

When personal data are shared, the Privacy Office requires the individual within the UW unit responsible for the relationship with the third party to register. Refer to the Privacy Office registration requirements for more information.

EU GDPR - Standard Contractual Clauses

Effective September 27, 2021, the EU Commission mandated a set of updated Standard Contractual Clauses (SCCs). These SCCs apply to all  personal data transfers from controllers or processors in the European Union/European Economic Area (EU/EEA), or those entities otherwise subject to the GDPR, such as controllers or processors established outside the EU/EEA, such as controllers or processors established in the US. Learn more on the GDPR from the UW Privacy Office.

When Do SCCs Come Up?

SCCs may come up in sponsored program agreements when a sponsor or collaborator is sharing personal data that are subject to EU GDPR with the UW. SCCs involve providing detailed information related to:

  • the categories of data subjects or data types,
  • nature of the processing,
  • who is serving as controller versus processor,
  • and organizational and technical measures set up by the PI and department to protect personal data.

What does this mean for Sponsored Programs?

When SCCs are part of or accompany a sponsored agreement, OSP must place the sponsored agreement on hold while the PI completes the details. The PI should at a minimum seek assistance from their IT or department administrator, and guidance from the UW Privacy Office. Additionally, help may be needed from an outside consultant. 

UW Privacy Office Resources

Thank you,
The Office of Sponsored Programs