A data agreement also assigns appropriate responsibilities to the researchers and recipients who use the data. A data exchange agreement is a formal contract that clearly documents what data is shared and how the data can be used. Such an agreement has two objectives. First, it protects the authority that provides the data and ensures that the data is not misused. Second, it avoids misunderstandings on the part of the data provider and the agency receiving the data by ensuring that all issues relating to the use of the data are discussed. Before the data is shared, the provider and recipient must speak in person or by phone to discuss data sharing and use issues and reach a common understanding, which is then documented in a data exchange agreement.
Here is a list of the elements that are typically included in a data sharing agreement. While this list may cover the basics, additional concerns may be relevant to a particular dataset or vendor agency.
Under the GDPR, data transfer agreements for data processing (and sub-processing) must include certain specific data provisions and descriptions, and more generally, the obligations and rights of the controller must be included in the contract. The eighth principle of data protection (see Overview of Data Protection Legislation) requires that personal data not be transferred outside the European Economic Area (the Member States of the European Union as well as Iceland, Norway and Liechtenstein), unless the country or territory to which the data is to be transferred offers an adequate level of protection for personal data. One of the exceptions to this rule is if you have the appropriate consent. It is therefore important that you have clearly stated in your participant information sheet and consent form that the data may be sent outside the UK or EEA.
The transfer agreement must reflect the relevant binding requirements of the GDPR. Before you start revising or drafting the contract, you must establish the data processing relationship between the parties, e.g. whether it is joint controllers, controller to processor, processor to sub-processor, or a combination of the above. Under the GDPR (as under the old European data protection regime), the default position is that EU personal data cannot be transferred or accessed outside the EEA unless certain conditions are met: for example, if an adequacy decision for a particular country has been issued by the European Commission; or where appropriate safeguards have been put in place, e.g. Binding Corporate Rules (BCRs), Standard Contractual Clauses (SCCs) or Privacy Shield certifications; or where exceptions apply to specific situations (interpreted restrictively). The delegation agreement should specify the condition covered and, where appropriate, include the adequacy mechanism in the agreement itself, e.g. where standard clauses are used.