Beneficiary EU consortium

Normally PNO’s role in a Consortium is based on the Consortium Agreement / Annexes. Normal is for all consortium partners to become Controller. When a Processor /third party is engaged, a Processing Agreement is needed. Data exchange between consortium beneficiaries and/or third parties should be described in the consortium agreement/annexes.

GDPR road-map:
1 – The Consortium Agreement / Annexes will cover all liabilities with respect to the GDPR. Most times there is ‘nothing new’ about these texts. When in doubt just assume a role as Controller and comply with GDPR.

Make sure the Personal Data used aligns with the Personal Data mentioned in the PNO Privacy Statement. When not, a specific Privacy Statement must be made and used.

Personal data flows from the Person owning the data (Data Subject) via a Client / Consortium (Controller) to PNO (Controller or Processor) and from there to third parties ((sub-) Processor). Across the chain, data must be handled ‘GDPR-proof’.

Data Subject >Consent> Client >GDPR Text> PNO >Processing Agreement> (sub) Processor

2 – In case PNO operates a website for the Consortium the PNO Privacy Statement, DisclaimerNetiquette, and Cookie Policy applies.

Websites are technically maintained by a Processor. The preferred PNO suppliers for (technical) website maintenance, SEO (Search Engine Optimation), statistics, etc. are InnovationEngineering S.l.r. and Cloudselling B.V. With both PNO has a generic Processing Agreement covering all websites made for PNO.
Contact for the look and feel, stats, and functionalities of the website.

3 – Depending on the work-package PNO subscribes to, consent must be gathered for a newslettergigmailing listdonating human tissue, etc. Per service/action research what Personal Data is at hand => technical and/or organizational measures and when needed follow up DPIA work.

The Processing Agreement is a document the client must keep in its archive. Sometimes clients provide an own version of a Processing Agreement which must be checked by PNO Legal or the PNO DPO using email or It is also good practice to have a second opinion by Legal (overall) and/or DPO (GDPR specific) on the Consortium Agreement / Annexes.