There are many situations where the University might engage a third party to carry out activities on their behalf, perhaps some specialist expertise or a software platform.
Where they will be collecting or storing the personal data of our staff, students, or customers on our behalf they are acting as ‘data processors.’ The University is the ‘data controller’ and determining how the data is used; the supplier or ‘data processor’ is carrying out our instructions. If the data processor is using its own processors, such as a hosting provider, these are called ‘subprocessors.’
In data protection law both ‘controllers’ and ‘processors’ have obligations under data protection law. If a processor suffers a data breach, the University could be liable for substantial monetary penalties.
The University as ‘controller’ needs to ensure there is a formal contract in place for the supplier covering a range of standard provisions.
You can assess this in the contract checker document (.docx).