Data is shared all the time. Confidential business information, trade
secrets, research, you name it. Perhaps one of the most important and
certainly high-profile types of data at present, however, is personal data.
Personal data is big business – big business which, thanks to the GDPR and
Data Protection Act 2018, is strictly regulated.
In many cases, when personal data is shared, one party (a data controller)
is sharing it with a third party (a data processor) for processing
purposes. In other words, they are contracting out the processing of that
personal data and instructing the third party with respect to that
processing. In other cases, however, the balance of power is a little more
equal and one party may share personal data with another for that other
party’s own purposes. In other words, rather than being a
controller-to-processor relationship, a controller-to-controller
relationship has been created.

New Data Sharing Template

This is where our latest GDPR-related template comes in. When one data
controller wishes to share personal data with another data controller, a
data processing agreement (of which we currently offer two flavours) simply
won’t do the job. A key part of what makes someone a data controller is
their independence when it comes to determining what they will do with the
personal data in question. The GDPR defines a controller as the party which
“alone or jointly with others, determines the purposes and means of the
processing of personal data”. Compare this with the definition of a
processor, one who “processes personal data on behalf of the controller”,
and the difference in the power-balance becomes clear.
Our new Data Sharing Agreement is designed for use by two UK-based data
controllers in a one-way sharing relationship (i.e. the “disclosing party”
shares personal data with the “receiving party”). Careful thought should be
given to the personal data to be shared, the reasons for the sharing, and
what the parties seek to achieve by doing so. This will help to ensure that
only the data which needs to be shared is shared. The ongoing “relevance” of the
shared personal data should also be regularly reviewed to ensure that the
original agreed purposes are not deviated from.
The Agreement itself, having nailed down the specifics of the data and the
purposes for which it is to be shared, sets out the all-important
obligations of the parties, highlights of which include compliance with the
data protection legislation (i.e. the GDPR and DPA 2018), fair and lawful
data processing, data retention, and the implementation of appropriate
technical and organisational measures to protect the shared personal data.
Further important provisions govern matters including indemnity, the
limitation of liability, and the term, review, and
termination provisions which play a key role in ensuring that the sharing
and use of personal data stays on target and does not go beyond that which
was originally agreed.
The contents of this Newsletter are for reference purposes only and do not constitute
legal advice. Independent legal advice should be sought in relation to any specific
legal matter.