Skip to ContentSkip to Navigation
Research Research Data Management Data Protection & GDPR Data Protection

Roles & responsibilities


The GDPR defines various roles for natural persons and organisations that process personal data. For each role the GDPR establishes a set of obligations regarding the protection of the rights and freedoms of the person concerned:

  • the ‘data controller’, which ‘alone, or jointly with others, determines the purposes and means of the processing of personal data’, and
  • the ‘data processor’, which ‘processes personal data on behalf of the controller’.  

The UG uses a data processing agreement template that is based on the SURF template. It is appropriate for situations in which the UG is the controller and another party is the data processor. You can acquire the UG template at the Department of Administrative and Legal Affairs (ABJZ). For more information consult the Privacy Portal (on My University).

Joint controllers

The European Data Protection Board in September 2020 provided guidance on the concepts of controller and processor in the GDPR.
This guidance also provides  clarity on when there is a joint responsibility (joint controllers, art. 26 GDPR) in research collaboration. In that case it is needed to clarify responsibilities and make the essence of the arrangement available to the data subjects. See for further advice the checklist and consult ABJZ.

It is underlined that the use of a common data processing system or infrastructure will not in all cases lead to qualify the parties involved as joint controllers. The EDPB provides the following example.

Example: Research project by institutes
Several research institutes decide to participate in a specific joint research project and to use to that end the existing platform of one of the institutes involved in the project. Each institute feeds personal data it holds into the platform for the purpose of the joint research and uses the data provided by others through the platform for carrying out the research. In this case, all institutes qualify as joint controllers for the personal data processing that is done by storing and disclosing information from this platform since they have decided together the purpose of the processing and the means to be used (the existing platform). Each of the institutes however is a separate controller for any other processing that may be carried out outside the platform for their respective purposes.

Internal responsabilities

The GDPR and the Netherlands Law on Higher Education shape the internal responsibilities for research. These responsibilities are elaborated in the UG Data Protection Policy, and they are in interplay with Codes of conduct on research integrity, ethical code of conduct and discipline-specific data management policies.  

Every faculty or service unit within the UG has at least one privacy & security coordinator who supports the privacy-proofing of that faculty or service unit and coordinates the execution of the duties of their board or directorate. The privacy & security coordinator is the first point of contact for privacy-related questions from staff members of that faculty or service unit [1]. For more information and contacts consult the Privacy Portal (on My University).

The Data Protection Officer (DPO) is responsible for supervising compliance with the privacy laws and regulations and the privacy policy. The Data Protection Officer provides advice to all administrative layers of the University and, together with the information security manager and the IT auditor, advises the board of the University on the annual action plan of the faculty or service department for information security and privacy protection.

RDO can help you to identify best practices and to further develop transparency about the internal and external responsibilities in your research project.

[1] General Policy on Protection of Personal Data University of Groningen

Last modified:15 March 2022 2.35 p.m.