In Short
- Companies within the same group are treated as separate legal entities under UK data protection law.
- Sharing personal data internally must still comply with UK GDPR and the Data Protection Act 2018.
- An intra-group data sharing and transfer agreement helps document responsibilities, data flows, and safeguards.
Tips for Businesses
Map how personal data moves between group companies before putting any agreement in place. Identify who controls the data, why it is shared, and whether any international transfers occur. Review arrangements regularly, especially where group structures, centralised functions, or overseas operations change.
Summary
This article explains the role of intra-group data sharing and transfer agreements for businesses operating within corporate groups in the United Kingdom. Prepared by LegalVision, a commercial law firm specialising in advising clients on data protection and privacy matters, it outlines how these agreements support compliance with UK GDPR and the Data Protection Act 2018.
As the scale of data sharing amongst businesses increases globally, group companies often need to exchange data in various ways. A business might assume that sharing personal data within a corporate group is simple and low-risk. However, the law treats each company within a group as a separate legal entity. This means it has its own respective compliance responsibilities. Therefore, internal data flows and sharing must comply with legal rules.
Internal data flows can quickly become rapid and complex as groups of companies expand, consolidate functions or operate across borders. An intra-group data sharing and transfer agreement (IGDSTA) provides a robust and tailored contractual framework for data sharing within a group of companies. Adopting these agreements can provide companies with a clear framework for documenting:
- how data flows across their group;
- how responsibilities for personal data protection are allocated; and
- which safeguards apply.
IGDSTAs have become an important part of data practice under the UK GDPR. Both small organisations and larger groups operating across multiple regulatory regimes use them.
This article provides an introduction to the benefits and drafting considerations for an IGDSTA and how entering into this agreement can help support compliance.
This factsheet sets out how your business can become GDPR compliant.
What is a Group Company Data Sharing Agreement?
A group of companies handling personal data in the UK must comply with the GDPR and the Data Protection Act 2018. These laws regulate how organisations can:
- collect;
- use;
- share; and
- retain personal data.
An intra-group personal data sharing and transfer agreement helps companies within the same corporate group manage how they share and transfer personal data. It can assist your business to clearly record:
- why personal data is shared;
- how it can be used; and
- who is responsible for what.
Why are Group Data Sharing Agreements Important?
As large volumes of data are shared globally, IGDSTAs have become increasingly important. They can be a key part of an organisation’s wider data governance, creating order and consistency where internal data flows might otherwise be difficult to manage and track.
They are also a valuable way to meet and demonstrate key compliance obligations. For example, they can:
- record joint-controller arrangements;
- cover controller-to-processor terms; and
- embed provisions for any necessary safeguards for international transfers.
Many corporate groups run centralised functions that involve sharing personal data. For example, one company may manage IT or HR services, or hold licences used across the group. This means several entities often process personal data. The agreement should reflect these arrangements so that each company understands its responsibilities and individuals know how the companies use their personal data.
As the companies involved belong to the same group, the agreement can adopt a collaborative tone whilst still imposing obligations.
Continue reading this article below the formConsiderations When Entering a Group Data Sharing Agreement
Before entering into an IGDSTA, you must analyse and develop an understanding of how personal data moves within the group structure. This typically involves:
- identifying what data is shared;
- which companies receive it;
- the purposes behind the sharing; and
- how those receiving entities use the data.
Without this practical understanding, the agreement may be drafted inaccurately, thereby creating risks.
Organisations must still remember to comply with the core UK GDPR principles whenever they share personal data internally. For example:
- any data sharing must be fair and lawful;
- individuals must be informed about how their data moves within the group;
- appropriate security measures must be in place; and
- only the minimum personal data necessary for the purpose should be shared.
International transfers require particular attention and should be reflected in the agreements. Whilst transfers from the UK to countries covered by a UK adequacy regulation (such as those within the European Economic Area) may proceed without additional safeguards, transfers to other jurisdictions usually require an International Data Transfer Agreement or the UK Addendum.
How Can Legal Advice Support My Business?
A data protection lawyer can assist a group of companies with drafting and updating an IGDSTA that accurately reflects internal data flows and complies with applicable rules.
Legal advice can help clarify whether each entity is acting as a controller, joint controller, or processor, and ensure this aligns with your internal governance and records of processing activities.
Where international transfers are involved, a data protection lawyer can:
- advise on the most appropriate safeguards;
- draft the relevant transfer documentation;
- support transfer-risk assessments; and
- guide on ways to prevent risk.
Key Takeaways
Entering into an IGDSTA between group companies can demonstrate compliance and reduce risk in group data-sharing arrangements. A clear understanding of internal data flows is essential before implementing an IGDSTA to fully ensure that it is fit for purpose, accurate and effective. This agreement can offer a structured way to document data sharing and supports compliance with the UK GDPR and the Data Protection Act 2018. Legal advice can help a business ensure the agreement reflects the group’s data processing activities.
LegalVision provides ongoing legal support for businesses through our fixed-fee legal membership. Our experienced lawyers help businesses manage contracts, employment law, disputes, intellectual property, and more, with unlimited access to specialist lawyers for a fixed monthly fee. To learn more about LegalVision’s legal membership, call 0808 196 8584 or visit our membership page.
Frequently Asked Questions
A group data sharing agreement, though not legally mandatory, is essentially a contract between companies within the same corporate group. The agreement sets out how and why the companies share personal data, the roles each entity plays, and the safeguards and governance that apply to those data flows.
This can be particularly useful where your business is part of a large group company structure, and you can adopt an IGDTA to document data sharing between them.
You should assess whether personal data leaves the UK, including whether members of your group remotely access it from outside the UK as part of your operations.
If your organisation transfers personal data to, or allows access from, a country without a UK adequacy regulation, it will usually need to implement safeguards, such as the International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, to ensure the transfer is lawful.
We appreciate your feedback – your submission has been successfully received.
