May 2018 DPO Consultancy B.V. (www.DPOConsultancy.nl) made a GDPR assessment for PNO. For advice services, it turned out, that the client together with PNO has Shared Responsibility with respect to data processing within the GDPR boundaries. This means that the combination contract, General Terms & Conditions, Privacy Statement is a basis to comply with the GDPR. There is no need for a Processing Agreement, however, when the client insists PNO provides a template.
Role PNO: Advice – Management support.
In a Consortium shared responsibility is emulated by assigning all beneficiaries the role of Controller. However, when in doubt, present the colleague beneficiary or third party with a Processing Agreement.
Role PNO: Beneficiary EU consortium.