Joint controllers data sharing agreement

This data sharing agreement is designed for joint controllership scenarios: in other words, data sharing arrangements where the parties to the contract together determine the purposes and means of processing of personal data.

The unilateral version of the data sharing agreement is designed for one-way flows of data, whereas the mutual version should be used where data is flowing back and forth.

The agreement facilitates compliance with the General Data Protection Regulation (GDPR) in both its EU and UK forms, and was drafted with one eye on the detailed guidance on data sharing published by the UK Information Commissioner's Office.

Unlike transfers from a controller to a processor, there are no prescribed clauses for contracts governing controller-to-controller transfers. However, Article 26 of the GDPR defines principles for joint controllership, stipulating that joint controllers must transparently determine their respective responsibilities for GDPR compliance, particularly regarding data subject rights and information provision duties. These arrangements should be accessible to individual data subjects. Regardless of responsibility allocation in the agreement, data subjects may assert their rights against either controller.

"Relevant Processing" is the core concept in the agreement, delineating those processing activities that are subject to joint controllership rules. This allows that a party may be a joint controller with respect to some processing activities, and an independent controller or processor with respect to others.

The unilateral version of the data sharing agreement for joint controllers contains the following provisions:

1. Definitions
2. Term
3. Obligations to share Personal Data
4. Data quality
5. No special categories
6. Parties acting as joint controllers
7. Compliance with Data Protection Laws
8. Further disclosure of Supplier Personal Data
9. International transfers of Supplier Personal Data
10. Relevant Processing by joint controllers and supervisory authorities
11. Relevant Processing and data subject rights
12. Security of Relevant Processing
13. Data breaches involving the Supplier Personal Data
14. Retention and deletion
15. Compliance audit
16. Changes to Data Protection Laws
17. Recipient confidentiality obligations
18. Warranties
19. Indemnities
20. Limitations and exclusions of liability
21. Termination
22. Effects of termination
23. Notices
24. Data protection contacts
25. General
26. Interpretation

• SCHEDULE 1 (DATA PROTECTION INFORMATION NOTICE)
• SCHEDULE 2 (FORM OF CONSENT)
• SCHEDULE 3 (INTERNATIONAL TRANSFER CLAUSES)
• SCHEDULE 4 (SECURITY MEASURES)

The mutual version of the data sharing agreement for joint controllers contains the following provisions:

1. Definitions
2. Term
3. Obligations to share Personal Data
4. Data quality
5. No special categories
6. Parties acting as joint controllers
7. Compliance with Data Protection Laws
8. Further disclosure of Shared Personal Data
9. International transfers of Shared Personal Data
10. Shared Personal Data and supervisory authorities
11. Shared Personal Data and data subject rights
12. Security of Shared Personal Data
13. Data breaches involving Shared Personal Data
14. Retention and deletion
15. Compliance audit
16. Changes to Data Protection Laws
17. Confidentiality obligations
18. Warranties
19. Indemnities
20. Limitations and exclusions of liability
21. Termination
22. Effects of termination
23. Notices
24. Data protection contacts
25. General
26. Interpretation

• SCHEDULE 1 (DATA PROTECTION INFORMATION NOTICES)
• SCHEDULE 2 (INTERNATIONAL TRANSFER CLAUSES)
• SCHEDULE 3 (FORM OF CONSENT)
• SCHEDULE 4 (SECURITY MEASURES)

Ask a question

Copies of both of the versions of this data sharing agreement are included in the following pack:

• GDPR pack