In all cases, the relationship between UiO as data controller and the external data supplier, the data processor, shall be regulated in a data processor agreement. This is regulated by The Personal Data Act section 13, cf. section 15.
An external data supplier, the data processor, cannot process the personal data of employees, students, guest researchers, guests or respondents/informants at UiO in a manner other than what is agreed in writing with UiO in the data processor agreement. UiO, as data controller, shall ensure that the data processor has a sufficient security level, cf. Personal Data Act, section 15. This is done by conducting a risk and vulnerability analysis.
NOTE: If UiO is data controller, the risk and vulnerability analysis must be completed before the agreement is signed. Contact the data controller at behandlingsansvarlig@uio.no if you have any questions.
UiO has its own templates for data processor agreements:
Remember that the data processor agreement must be signed by an authorised signatory.