Skip to content
LegalVision UK

What Is a Data Sharing Agreement?

Avatar photo

By Sej Lamba

Updated on
Reading time: 5 minutes

Meets editorial guidelines

This article meets our strict editorial principles. Our lawyers, experienced writers and legally trained editorial team put every effort into ensuring the information published on our website is accurate. We encourage you to seek independent legal advice. Learn more.

Follow us on LinkedIn
Table of Contents

The sharing of personal data between businesses is a common business practice. However, strict rules apply when doing so. If your business shares personal data as a data controller, there are various issues you need to consider to comply with the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 rules. A fundamental way to demonstrate compliance is to enter into a data sharing agreement. This article will explore what a data sharing agreement is and highlight examples of when data controllers enter into one. 

Am I a Data Controller?

Whether you share personal data or not, you must first assess whether you act as a data controller or a data processor.

A data controller is a person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of processing personal data.

Essentially, a data controller decides what to do with personal data. For instance, a business acting as a data controller will determine precisely how and why it uses the personal data it collects from its customers, staff and suppliers. 

This is in complete contrast to the role of a data processor. A data processor is a separate person or organisation that processes personal data by following the strict instructions of a separate data controller. 

For instance, a third-party IT supplier may use a customer’s staff data to deliver IT support services. The IT company will not have any choice in how the data is processed; it must simply follow its customer’s instructions. 

How Can Controllers Share Personal Data?

There are a couple of crucial ways in which controller organisations can share personal data, as shown below.

Joint Controller Data Sharing

Individual data controllers can share personal data for joint purposes. In such cases, the parties will be joint data controllers – as they jointly determine the means and purposes for processing personal data. An example is where two companies enter into a joint venture arrangement. They share personal data about their customers to process for collaborative marketing purposes. 

Independent Controller Data Sharing

In this scenario, separate data controllers will share personal data to use for different reasons. Each will independently decide how to use the shared personal data for their own purposes. 

Front page of publication
GDPR Essentials Factsheet

This factsheet sets out how your business can become GDPR compliant.

Download Now

For example, travel companies need to send personal data to hotels so that the hotels can make their own bookings for the customers. In this case, the parties use personal data independently, not jointly. 

When sharing personal data with another controller, it is essential to carefully assess the facts and consider in which capacity data is shared. 

Continue reading this article below the form
Need legal advice?
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.

What Is a Data Sharing Agreement?

A data sharing agreement is a contract that sets out the terms of data sharing. 

Under the UK GDPR rules, this agreement is not mandatory. The UK GDPR only requires an arrangement between joint controllers regarding their compliance roles and responsibilities. 

However, a data sharing agreement is best practice for the following reasons:

  • A data sharing agreement can help demonstrate that your business complies with the UK GDPR and show its accountability. For example, it can serve as evidence of good practice in the event of an investigation from the data protection regulator. 
  • A data sharing agreement can help prevent problems and risks of non-compliance by allocating and documenting clear responsibilities around processing personal data.
  • A data sharing agreement can help address liability risks and concerns and hold the other data controller party accountable. For example, your agreement can include provisions around recovering losses from the other controller if they are at fault and you suffer as a result. 

For these reasons, many companies enter into data sharing agreements.

What Should My Data Sharing Agreement Cover?

Drafting a data sharing agreement can be done in various ways. This will depend on several factors, such as whether the parties are joint controllers, the risk of the personal data shared between controllers, and the processing activities. 

Some typical key areas to cover include:

  • An identification of the roles and responsibilities of each data controller. This includes who is responsible for what – for instance, who will provide transparency-related information to individual data subjects (such as privacy notices). 
  • Information about the types of data shared between controllers and why it is shared– this is a chance for the parties to set expectations and limits around the shared data. 
  • How to address problem issues – for example, who will deal with personal data breaches when they arise? 
  • Considering how best to protect the personal data being shared – for instance, by detailing security measures and standards expected of each controller. 
  • Setting out who will act as the contact for data subjects. For example, who will address and respond to subject access requests?
  • Considering liability issues which may arise from the data sharing. As a joint controller, you could be on the hook for damage caused by the other controller if they breach the UK GDPR rules applying to shared personal data. As such, you should carefully consider liability issues.

Why Should I Approach Data Sharing Agreements With Caution?

There are various legal and commercial risk points to consider when entering into a data sharing agreement. For example, what happens if you share your customer details with another controller and they use that data illegally? This could result in massive damage to your reputation. You should, therefore, carefully consider data sharing agreements and their terms, considering the risks involved and how to protect yourself from them. 

Data sharing agreements do not have a prescribed format. In practice, they can be challenging to navigate, as the parties may seek to negotiate various commercial terms driven by their own concerns.

If you are unsure what your data sharing agreement should include to protect your organisation, you can consult an experienced data protection solicitor to support you. 

Key Takeaways 

Understanding whether your business is a data controller or a data processor is vital. If you are a controller and share personal data with another controller, you should consider entering into a data sharing agreement. A well-drafted agreement will help demonstrate accountability with the UK GDPR principles, encourage compliance, and protect your business from risk. 

If you need help drafting or negotiating a data sharing agreement, LegalVision’s experienced privacy lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Register for our free webinars

Corporate Governance 101: Responsibilities For Directors

Online
Learn key responsibilities for new directors to avoid legal risks. Join our free webinar to learn more.
Register Now

Business Divorces: Exiting Directors and Shareholders From Your Company

Online
Removing a board director is not simple. Join our free webinar to understand your options. Register today.
Register Now
See more webinars >
Sej Lamba

Sej Lamba

Read all articles by Sej

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

Related articles

3 Documents Your Company Needs to Demonstrate GDPR Compliance

3 Common Mistakes to Avoid in Your Privacy Policy

4 Common Challenges Your Company Will Face With the GDPR in the UK

Are Email Disclaimers Mandatory for UK Businesses Under the GDPR?

We’re an award-winning law firm

  • Award

    2023 Economic Innovator of the Year Finalist - The Spectator

  • Award

    2023 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2023 Future of Legal Services Innovation - Legal Innovation Awards

  • Award

    2021 Fastest Growing Law Firm in APAC - Financial Times