Data sharing between controllers under the GDPR

The following Employment guidance note provides comprehensive and up-to-date legal information covering:

  • Data sharing between controllers under the GDPR
  • Key guidance
  • What is personal data sharing?
  • The GDPR and arrangements between controllers—whether independent or joint
  • General obligations on controllers under the GDPR
  • Steps controllers should take to comply with the GDPR when sharing or receiving personal data
  • Data sharing agreements
  • In-life checks
  • Record keeping
  • Liabilities

This Practice Note explores issues and best practice relating to the sharing of personal data between controllers (including joint controllers and independent controllers) in the private sector.

Sharing personal data, whether on a one-off or a continuous basis, and whether with a service provider, affiliate, partner, government agency or other third party, qualifies as ‘processing’ under the General Data Protection Regulation, Regulation (EU) 2016/679 (the GDPR) and is therefore generally subject to the GDPR regime.

Data sharing encompasses giving personal data to another person or entity by any means. This Practice Note focuses on data sharing between controllers in general business-to-business commercial situations. It covers:

  1. key guidance

  2. what personal data sharing covers

  3. arrangements between controllers—whether independent or joint

  4. general obligations on controllers under the GDPR

  5. steps controllers should take to comply with the GDPR when sharing or receiving personal data

  6. data sharing agreements

  7. in-life checks

  8. record keeping

  9. potential liabilities

  10. key questions to ask

  11. links to precedent provisions for data sharing arrangements

The following is outside the scope of this Practice Note:

  1. information sharing between public bodies or between public bodies and the private sector—see Practice Note: Data protection clauses in public sector contracts and the Information Commissioner’s Office (ICO) Draft Data Sharing Code of Practice for consultation (the Draft Data Sharing Code)

  2. information sharing between controllers and processors—see Practice Note: Supply chains under the