Controller-to-Controller Sharing and the GDPR

Data is shared all the time. Confidential business information, trade secrets, research, you name it. Perhaps one of the most important and certainly high-profile types of data at present, however, is personal data. Personal data is big business – big business which, thanks to the GDPR and Data Protection Act 2018, is strictly regulated.

In many cases, when personal data is shared, one party (a data controller) is sharing it with a third party (a data processor) for processing purposes. In other words, they are contracting out the processing of that personal data and instructing the third party with respect to that processing. In other cases, however, the balance of power is a little more equal and one party may share personal data with another for that other party’s own purposes. In other words, rather than being a controller-to-processor relationship, a controller-to-controller relationship has been created.

New Data Sharing Template

This is where our latest GDPR-related template comes in. When one data controller wishes to share personal data with another data controller, a data processing agreement (of which we currently offer two flavours) simply won’t do the job. A key part of what makes someone a data controller is their independence when it comes to determining what they will do with the personal data in question. The GDPR defines a controller as the party which “alone or jointly with others, determines the purposes and means of the processing of personal data”. Compare this with the definition of a processor, one who “processes personal data on behalf of the controller”, and the difference in the power-balance becomes clear.

Our new Data Sharing Agreement is designed for use by two UK-based data controllers in a one-way sharing relationship (i.e. the “disclosing party” shares personal data with the “receiving party”). Careful thought should be given to the personal data to be shared, the reasons for the sharing, and what the parties seek to achieve by doing so. This will help to ensure that only that data which needs to be shared is. The ongoing “relevance” of the shared personal data should also be regularly reviewed to ensure that the original agreed purposes are not deviated from.

The Agreement itself, having nailed down the specifics of the data and the purposes for which it is to be shared, sets out the all-important obligations of the parties, highlights of which include compliance with the data protection legislation (i.e. the GDPR and DPA 2018), fair and lawful data processing, data retention, and the implementation of appropriate technical and organisational measures to protect the shared personal data. Further important provisions govern matters including indemnity, the limitation of liability, and the all-important term, review, and termination provisions which play a key role in ensuring that the sharing and use of personal data stays on target and does not go beyond that which was originally agreed.