Data Sharing Agreement (UK) (GDPR-Compliant)
This Data Sharing Agreement is designed for use in situations where two
data controllers wish to share personal data.
The sharing is envisaged to be one-way; however, unlike a data processing
agreement, the recipient of the data is a data controller and is not acting
under the instructions of, or on behalf of, the disclosing party.
Please note that this document is not suitable if one party is to process
personal data on behalf of another. A data processing agreement is required
for such situations.
This document is designed primarily for use between two UK-based data
controllers. The applicable data protection legislation is defined as the
Data Protection Act 2018 and the GDPR. Our definition here is broad and has
been designed to help ensure a smooth transition from the GDPR to the Data
Protection Act 2018. It also guards against the possibility of an uncertain
Brexit transition by retaining the applicability of the GDPR until such
time as it no longer has legal effect in the UK.
Please also note that the wording of Clause 13 of this document is derived
from EU Commission model clauses, hence the reference to “the Disclosing
Party’s country of establishment”. Despite this wording, this document is
designed primarily for UK-only use.
Under this Data Sharing Agreement, while the “receiving party” is not
instructed by the “disclosing party”, the purposes for which the shared
personal data should nevertheless be tightly defined so as to ensure that
excessive personal data is not shared, and that that which is shared is
used appropriately. Both parties should be very clear on the reasons for
the personal data sharing, and what it is expected to achieve. This should
be negotiated and agreed prior to signing, then reviewed regularly one the
agreement comes into force. The personal data to be shared should also be
defined in detail using the schedule provided.
This agreement sets out the respective obligations of the parties,
addressing key areas including compliance with the data protection
legislation, the fair and lawful processing of personal data, the rights of
data subjects, data retention and erasure, the transfer of the shared
personal data (including, optionally, the transfer by the recipient to a
third party located outside of the EEA), the all-important requirement to
implement “appropriate technical and organisational measures” to protect
the data, and the handling of personal data breaches.
Optional phrases / clauses are enclosed in square brackets. These should be
read carefully and selected so as to be compatible with one another. Unused
options should be removed from the document.
This Data Sharing Agreement contains the following clauses:
1. Definitions and Interpretation
2. Stated Purposes
3. Data Protection Compliance
4. The Shared Personal Data
5. Shared Personal Data – Fair and Lawful Processing
6. The Rights of Data Subjects
7. Data Retention and Deletion and/or Disposal
8. Shared Personal Data Transfers
9. Shared Personal Data Security
11. Personal Data Breaches
12. Term, Review, and Termination
13. Resolution of Disputes with Data Subjects or the Supervisory Authority
16. Limitation of Liability
17. No Partnership or Agency
18. Non-Assignment of Agreement
19. Entire Agreement
21. No Waiver
24. Third Party Rights
26. Law and Jurisdiction
and the following schedules:
1. Shared Personal Data and Stated Purposes
2. Technical and Organisational Data Protection Measures
This Data Sharing Agreement is in open format. Either enter the requisite
details in the highlighted fields or adjust the wording to suit your
Once you have purchased access to the appropriate document folder click on
the “Download Document” link below. You will be asked what you want to do
with the file. It is recommended that you save the document to a location
of your choice prior to viewing.