Personal Data Sharing Agreement Template

Data Sharing Agreement (UK) (GDPR-Compliant)


This Data Sharing Agreement is designed for use in situations where two data controllers wish to share personal data.

The sharing is envisaged to be one-way; however, unlike a data processing agreement, the recipient of the data is a data controller and is not acting under the instructions of, or on behalf of, the disclosing party.

Please note that this document is not suitable if one party is to process personal data on behalf of another. A data processing agreement is required for such situations.

This document is designed primarily for use between two UK-based data controllers. The applicable data protection legislation is defined as the Data Protection Act 2018 and the GDPR. Our definition here is broad and has been designed to help ensure a smooth transition from the GDPR to the Data Protection Act 2018. It also guards against the possibility of an uncertain Brexit transition by retaining the applicability of the GDPR until such time as it no longer has legal effect in the UK.

Please also note that the wording of Clause 13 of this document is derived from EU Commission model clauses, hence the reference to “the Disclosing Party’s country of establishment”. Despite this wording, this document is designed primarily for UK-only use.

Under this Data Sharing Agreement, while the “receiving party” is not instructed by the “disclosing party”, the purposes for which the shared personal data should nevertheless be tightly defined so as to ensure that excessive personal data is not shared, and that that which is shared is used appropriately. Both parties should be very clear on the reasons for the personal data sharing, and what it is expected to achieve. This should be negotiated and agreed prior to signing, then reviewed regularly one the agreement comes into force. The personal data to be shared should also be defined in detail using the schedule provided.

This agreement sets out the respective obligations of the parties, addressing key areas including compliance with the data protection legislation, the fair and lawful processing of personal data, the rights of data subjects, data retention and erasure, the transfer of the shared personal data (including, optionally, the transfer by the recipient to a third party located outside of the EEA), the all-important requirement to implement “appropriate technical and organisational measures” to protect the data, and the handling of personal data breaches.

Optional phrases / clauses are enclosed in square brackets. These should be read carefully and selected so as to be compatible with one another. Unused options should be removed from the document.

This Data Sharing Agreement contains the following clauses:
1. Definitions and Interpretation
2. Stated Purposes
3. Data Protection Compliance
4. The Shared Personal Data
5. Shared Personal Data – Fair and Lawful Processing
6. The Rights of Data Subjects
7. Data Retention and Deletion and/or Disposal
8. Shared Personal Data Transfers
9. Shared Personal Data Security
10. Training
11. Personal Data Breaches
12. Term, Review, and Termination
13. Resolution of Disputes with Data Subjects or the Supervisory Authority
14. Warranties
15. Indemnity
16. Limitation of Liability
17. No Partnership or Agency
18. Non-Assignment of Agreement
19. Entire Agreement
20. Variation
21. No Waiver
22. Severance
23. Communication
24. Third Party Rights
25. [Consideration]
26. Law and Jurisdiction

and the following schedules:
1. Shared Personal Data and Stated Purposes
2. Technical and Organisational Data Protection Measures

This Data Sharing Agreement is in open format. Either enter the requisite details in the highlighted fields or adjust the wording to suit your purposes.

Once you have purchased access to the appropriate document folder click on the “Download Document” link below. You will be asked what you want to do with the file. It is recommended that you save the document to a location of your choice prior to viewing.