(Legal) Agreements with collaborators

This page is based on information from the Privacy Handbook, which we have carefully adapted to align with the specific context of the University of Groningen (UG).

Research often involves collaborations with others. These collaborations may include researchers or students from the University of Groningen, as well as partners from other institutions or external organizations. Depending on the type of research data processed (e.g. personal data), it is essential to have a clear agreement with your collaborators regarding how the data will be used in your research.

On this page you can find more information on when it is necessary to have certain legal agreements in place, what agreements are necessary in which situation, who is mandated to sign this agreement, and who can support you in this process.

What kind of agreements do you need?

Collaboration vs Consortium agreement

A collaboration or cooperation agreement is a bilateral agreement between two partners. It defines the conditions under which parties work together on a specific research project. It outlines the roles, responsibilities and contributions of each party, as well as how funding, data sharing, intellectual property and publication rights will be managed. A consortium agreement is a multilateral agreement between more than two partners and should cover the same topics as a collaboration agreement.

Agreements focused on the processing of (personal) data

Joint controllers agreement

A joint controllers agreement is mandatory when you work together with another data controller and you have common purposes (why) and means (how) of processing personal data. In a joint controllers agreement, the respective responsibilities of both (all) parties are formalized. Important components of a JCA are:

Who informs data subjects,
who is the contact point for data subjects,
a description of what (personal) data are processed in which manner and by whom,
how data are kept secure.

In research, this happens most often in a consortium, where multiple institutions participate in a research project. Therefore, joint controllers agreements and consortium agreements often refer to one another.

Data processing agreement

A data processing agreement (DPA) is mandatory when you transfer personal data to a third party who fulfills the role of data processor. In other words: when an organization processes personal data on your behalf without having a say as to why and how the data are processed. Important components of a DPA are:

A description of the data that are being shared,
why are they being shared,
what the third party can or cannot do with them and for how long,
what happens in case of a personal data breach,
that the data will be deleted or returned after termination of the DPA.

For example, the third party cannot use the data for their own purposes and is required to keep the data safe and report any potential data breaches to you.

A DPA is most often used when you use an application or tool that processes personal data. Examples of these are survey tools, analysis tools, transcription tools, documentation tools and data repositories. However, a DPA is also needed in case companies are hired to perform surveys, analysis, transcription or other services for your research project.

Data transfer agreement

A data transfer agreement (DTA) is mandatory when you transfer data to a third party who will (re)use the data for their own purposes, without your involvement in their research project. Contrarily, it is advisable to establish a DTA if you are receiving data from a third party under similar conditions. A DTA is used to ensure that both parties are aware of their responsibilities and are bound to do what the agreement says. A DTA contains:

A description of the data that are being shared,
why are the data being shared,
that the recipient shall keep the data strictly confidential,
how the data should be protected by the receiving party.

A DTA can be used, for example, when you want to share personal data for reuse purposes with other researchers.

Non-disclosure agreement

A Non-Disclosure Agreement (NDA), or Confidentiality agreement, is an agreement that ensures that the receiver of the data handles data with care. An NDA is meant to make sure that the receiving party handles data confidentially, according to specific guidelines. In research, an NDA is often used between university researchers and students who perform research on their behalf. That is because students are not (always) bound to confidentiality through a contract with the university, whereas the researchers are.

Signing an agreement

Any agreement should be signed by a person mandated or authorized to do so. Depending on the situation, this is either the Board of the University (College van Bestuur) or dedicated representatives of your faculty. Researchers are not mandated to sign agreements but sometimes co-sign. The Privacy & Security (P&S) coordinator can support you in this process.

Archiving signed agreements

A copy of the signed agreement should be sent to the UG archive at div rug.nl and a copy of the agreements focusing on the processing of personal data should be sent to the legal department at privacy rug.nl. The P&S coordinator of the faculty and possibly other persons involved in the process of creating the agreement should be informed of the final result: an agreement signed by all parties.

Need support?

P&S coordinators at the faculties are the contact point for all matters relating to the contractual aspects of research projects. You can seek advice from P&S coordinators on the type of agreement that might be necessary in your research project and they can provide information on the templates that are available at the university.

Staff? Contact the P&S coordinator of your faculty

Last modified:

26 June 2025 3.41 p.m.