Normally PNO’s role in a Consortium is based on the Consortium Agreement / Annexes. Normal is for all consortium partners to become Controller. When a Processor /third party is engaged, a Processing Agreement is needed. Data exchange between consortium beneficiaries and/or third parties should be described in the consortium agreement/annexes.
1 – The Consortium Agreement / Annexes will cover all liabilities with respect to the GDPR. Most times there is ‘nothing new’ about these texts. When in doubt just assume a role as Controller and comply with GDPR.
|Make sure the Personal Data used aligns with the Personal Data mentioned in the PNO Privacy Statement. When not, a specific Privacy Statement must be made and used.|
Personal data flows from the Person owning the data (Data Subject) via a Client / Consortium (Controller) to PNO (Controller or Processor) and from there to third parties ((sub-) Processor). Across the chain, data must be handled ‘GDPR-proof’.
|Websites are technically maintained by a Processor. The preferred PNO suppliers for (technical) website maintenance, SEO (Search Engine Optimation), statistics, etc. are InnovationEngineering S.l.r. and Cloudselling B.V. With both PNO has a generic Processing Agreement covering all websites made for PNO.|
Contact email@example.com for the look and feel, stats, and functionalities of the website.
3 – Depending on the work-package PNO subscribes to, consent must be gathered for a newsletter, gig, mailing list, donating human tissue, etc. Per service/action research what Personal Data is at hand => technical and/or organizational measures and when needed follow up DPIA work.
|The Processing Agreement is a document the client must keep in its archive. Sometimes clients provide an own version of a Processing Agreement which must be checked by PNO Legal or the PNO DPO using email firstname.lastname@example.org or email@example.com. It is also good practice to have a second opinion by Legal (overall) and/or DPO (GDPR specific) on the Consortium Agreement / Annexes.|