Data Processing Agreement – CSC’s Services for Research and Education

Effective as of June 7 2021



When you use a service provided by another organization for processing personal data, there must be a written contract (or another legal act) in place. What needs to be included in the contract is defined in the General Data Protection Regulation (2016/679). For that reason, this data processing agreement (DPA) is a mandatory part of the General Terms of Use for CSC's Services for Research and Education, if personal data is processed.


2.1. This Data Processing Agreement (hereinafter “DPA”) establishes the rights and duties between CSC – Finnish IT Center for Science Ltd (hereinafter “CSC”) and a controller of data (hereinafter “Controller”) regarding the processing of personal data, as required by Article 28 of the General Data Protection Regulation (2016/679), when CSC processes personal data in CSC’s Services for Research and Education on behalf of the controller. This DPA does not govern collection and use of personal data in other contexts. This DPA is an irremovable part of the Service Agreement (accepted General Terms of Use, accepted DPA and Service Descriptions), whereby the user may upload and process user Content (“Content”) including personal data in, to, or from CSC’s Services for Research and Education. In the event of conflict between the provisions of this DPA and any other agreements or instructions, the provisions of this DPA will prevail.

2.2. The definitions of the terms used in this DPA, such as “personal data”, “controller” and “processor”, correspond to the definitions given in the General Data Protection Regulation.

2.3. CSC will act as the processor of personal data on behalf of the controller, unless explicitly otherwise agreed.

2.4. Processing refers to processing of personal data that is transferred to CSC by the controller or a party authorised by the controller.

2.5. The purpose of processing personal data is to perform CSC’s Services for Research and Education.

2.6. The person approving this DPA as a part of Service Agreement shall provide CSC with all of the following information in writing:

  • Name and contact information of the controller of the data
  • Types of personal data and categories of data subjects included in the data

2.7. Notifications relating to processing activities set out in this DPA may be sent in electronic format to the data controller, unless other contact information for notifications has been provided by the data controller.

2.8. The person approving this DPA undertakes to notify CSC in writing of any changes in the information mentioned in subparagraph 2.6 and paragraph 2.7.

2.9. The user will have sole responsibility for the legality, reliability, integrity, accuracy and quality of Content transferred for processing.

2.10. CSC shall take into consideration any documented instructions on data processing that the controller delivers to CSC prior to or during the processing. CSC processes personal data only in accordance with this DPA and on documented instructions from the controller.

2.11. If other legal acts under European Union or Member State law require measures targeted at the personal data governed by this DPA, CSC will inform the controller of that legal requirement before processing the data, unless that law prohibits giving such information on important grounds of public interest.


3.1. Both the controller and the processor will implement appropriate technical and organisational measures to ensure the security of data processing. The measures to be implemented by CSC depend on the Service used. CSC provides, upon request, more information on its technical and organisational security measures applicable to the processing activities set out in this DPA.

3.2. Unless otherwise specified in the Service Agreement, the controller, or a party authorised by the controller, may not provide CSC with any sensitive or special categories of personal data that impose specific data security or data protection obligations on CSC in addition to or different from those specified in the Service Agreement.

3.3. The data processor shall keep any personal data received from the data controller confidential. The data processor will ensure that persons authorized to process personal data have committed to confidentiality or are required to comply with statutory obligations of confidentiality.

3.4. The data processor will not process (nor permit any third party to process) any personal data outside of the European Economic Area unless such processing shall be conducted in a country which the European Commission has declared to have adequate data protection laws; or the processor has taken all such measures as are necessary to ensure that any such processing outside of the European Economic Area is in compliance with EU Data Protection Laws.


4.1. CSC assists the controller, insofar as this is possible, in facilitating the exercise of data subject rights.

4.2. If a data subject makes a request concerning personal data, the data processor will notify the controller of this without undue delay. CSC may not perform any processing activities on the data upon request of a data subject without written instructions from the controller. CSC will advise the data subject to identify and contact the relevant controller(s).

4.3. CSC may be required by law to provide access to data, such as to comply with a subpoena or other legal process, or to respond to government requests, including public and government authorities for national security and/or law enforcement purposes. CSC will promptly inform the controller of requests to provide access to data, unless otherwise required by law.

4.4. CSC assists the controller, insofar as is reasonably possible, in carrying out a data protection impact assessment where necessary and upon request. In determining the measures to be taken to assist the controller, CSC considers the nature of the personal data processing and available information.

4.5. CSC will make available to the controller on request all information necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, in relation to the processing of personal data. The controller may exercise information and audit rights to the extent that the Service Agreement does not otherwise give the relevant information to meet the requirements of Data Protection Law. The controller bears audit expenses unless otherwise agreed.

4.6. CSC will immediately inform the controller if it perceives that an instruction given by the controller infringes the Union or Member State data protection provisions.

4.7. CSC shall, without undue delay, notify the controller about any personal data breach it has become aware of concerning data governed by this DPA. The notification shall include at least the following information:

  1. Description of the nature of the personal data breach.
  2. Description of the processing procedures performed on the data based on this DPA.
  3. Description of the measures taken to address the personal data breach.
  4. Contact details of CSC’s data protection officer or other contact point where more information on the breach can be obtained.

4.8. In addition to the information mentioned in the previous paragraph, CSC shall, upon request, provide information in its possession to assist the controller in investigating the breach and mitigating its adverse effects to the degree the information is necessary and deliverable with reasonable effort considering the nature of the processing.


5.1. The controller gives CSC a prior authorisation to engage sub-processors insofar as it is necessary for the performance of the processing.

5.2. CSC shall, upon request, inform the controller of the sub-processors and any intended changes concerning the sub-processors. If the data controller doesn’t accept the used or intended sub-processors, it may terminate the Service Agreement.

5.3. The same data protection obligations as set out in this DPA between the controller and CSC shall be imposed on the sub-processors. CSC allows, upon request, the controller to view the agreement or the outlined agreement between CSC and the sub-processor, with the exception of sections which contain confidential information and which are not significant in assessing the data protection obligations.


6.1. The DPA is effective from its approval and for as long as CSC processes personal data on the controller's behalf.

6.2. If one of the parties to this DPA decides that processing is no longer justified, the processing in accordance with this DPA ends when the other party has been notified of this decision in writing. Upon termination of the Service Agreement, CSC will delete any remaining copies of data on Service environments, except as otherwise stated in the Service Agreement.

6.3. The contact details of the persons using CSC’s Services for Research and Education are stored in a user register maintained by CSC. CSC acts as the controller of the data in the user register. The personal data mentioned in this paragraph are processed to allow the performance of this DPA.

6.4. The person approving this DPA as a part of Service Agreement assures that he or she has sufficient authority, to the extent required by this DPA, to agree on the rights related to the data and on the conditions of personal data processing.

6.5. The processor has a right to change this DPA. However, the version of the DPA that was applicable at the time the relevant Service Agreement entered into force shall govern the processing between the parties until terminated or renewed. The processor will maintain a change history of the DPA. The person approving this DPA as a part of Service Agreement is encouraged to download a copy of this DPA when approving it.

6.6. This DPA is governed by Finnish law.