Working with external providers

last change: January 1, 2019

If there is a need to store personal data on external servers - in other words at third-party providers, including cloud services - data protection laws stipulate that TUM and the provider must have contractual rules in place to protect this personal data.

This usually is done with a contract on processing of personal data on behalf of a controller in accordance with Article 28 (3) of the EU General Data Protection Regulation (GDPR).

More information in Orientierungshilfe des bayerischen Landesbeauftragten für Datenschutz zum Thema "Auftragsverarbeitung" (only in German).

Contract data processing through the Leibniz Supercomputing Center

If the contract data processing is outsourced to the Leibniz Supercomputing Center (LRZ), a separate agreement is usually not required. These activities are covered under a framework agreement between TUM and LRZ.