View cookie policy.

Employment information
Applying for a role Starting at Essex Employment policies, procedures and guidance Pay, rewards and benefits Pensions People systems and information Contracts Leaving the University Sickness absence Taking leave Working flexibly PDR and reviews UECS and Wivenhoe House employees Information and data
Information for managers
Managing recruitment Compliance Managing new employees Managing flexible working Leave Sickness absence Employment, policies and procedures Managing pay and reward Resolving problems Managing performance and development Change management
Health, safety and wellbeing
Emergencies, security and safety Safeguarding Fire safety Health and safety policies and procedures Health and safety responsibilities and support Working safely Assessing risks Occupational health services Supporting health and wellbeing
Professional development and training
Development at Essex Essential training Learning Event Catalogue Professional development Educator development Research development People management development Leadership programmes Digital skills
Equality, diversity and inclusion
Our commitment to diversity and inclusion Inclusive Essex EDI resources, training and support EDI calendar Report and Support service
Our University
Brand Departments and schools Faculty support Forums and networks Freedom of information Governance Graduation Sustainability and biodiversity University partnerships
Services and facilities
Buildings, grounds and maintenance Crowdfunding Childcare Design, print and copy services Events, meetings and conferences Faith Centre Finance, planning and data insight Food and drink IT services Marketing and communications support Media Centre Parking Post and property services Professional Services teams Sport and recreation Strategic project delivery Student work experience and volunteering Theatre and arts on campus Travel, transport and accommodation Web support
Research
Funding sources Making a funding application Research impact Promoting your research and research visibility Research governance Take part in research Managing an award Planning and assessment Knowledge exchange and commercialisation Research systems Repository and publishing Research management information Celebrating Excellence Awards
Education services
Academic standards and quality DBS checks for students Department student support roles Developing student success Exams and assessment Heads of Department Learning technologies Reading lists Staff awards and funding Student feedback Student wellbeing support and signposting Supporting students with disabilities and health conditions Supporting and welcoming new students Timetables
Online services
Email login Research Information System Research Repository Room booking form Unit4 Business World Phonebook Change your password
People and Culture
HR Organiser People Manager Homepage Job vacancies
Academic
Moodle Libraries Academic departments FASER LEAP Programme specifications Reading lists (Talis Aspire)
Info and help
Find your way campus map IT services Tableau Planning information portal Key dates Staff blog Report harassment Report a concern about student
Staff Directory Home Working with information and data Data Protection and GDPR Data protection and third-party suppliers

Data protection and third-party suppliers

There are many situations where the University might engage a third party to carry out activities on their behalf, perhaps some specialist expertise or a software platform. 

Data processors and data controllers 

Where the third party will be collecting or storing the personal data of our staff, students, or customers on our behalf they are acting as ‘data processors.’ The University is the ‘data controller’ and determining how the data is used; the supplier or ‘data processor’ is carrying out our instructions. If the data processor is using its own processors, such as a hosting provider, these are called ‘subprocessors.’

In data protection law both ‘controllers’ and ‘processors’ have obligations under data protection law. If a processor suffers a data breach, the University could be liable for substantial monetary penalties.

Contract with the supplier

Whenever the University as ‘controller’ uses a processor it needs to ensure that there is a formal written contract in place with the supplier. The contract needs to cover a range of standard provisions stating that the processor must:

  • process data only on instructions from the University
  • ensure that their staff accessing the data are under an obligation of confidentiality
  • have appropriate security measures in place
  • assist the University with any data protection impact assessments for the University in relation to the system
  • only appoint their own third parties (“subprocessors”) on the University’s authorisation, who will process data at the same level of protection as they will   
  • demonstrate their compliance to the controller
  • take appropriate measures to help the controller respond to requests from individuals to exercise their rights
  • assist the controller in meeting its UK GDPR obligations in relation to the security of processing and the notification of data breaches
  • delete or return all personal data to the controller at the end of the contract, and also delete existing personal data unless the law requires its storage
  • submit to audits and inspections, providing the controller with whatever information it needs to ensure they are both meeting their Article 28 obligations

You can assess this in the contract checker document (.docx).

Arrow symbol
Contact us
Information Assurance Manager
Telephone: 01206 872285

  • University of Essex
  • Wivenhoe Park
  • Colchester CO4 3SQ

 

CONNECT WITH US
© 2025 University of Essex. All rights reserved