Data sharing between controllers under the GDPR
Data sharing between controllers under the GDPR

The following Employment guidance note provides comprehensive and up to date legal information covering:

  • Data sharing between controllers under the GDPR
  • Key guidance
  • What is personal data sharing?
  • The GDPR and arrangements between controllers—whether independent or joint
  • General obligations on controllers under the GDPR
  • Steps controllers should take to comply with the GDPR when sharing or receiving personal data
  • Data sharing agreements
  • In-life checks
  • Record keeping
  • Liabilities
  • more

Brexit: On 31 January 2020, the UK ceased to be an EU Member State and entered an implementation period, during which it continues to be subject to EU law. During this period, the GDPR applies in the UK and the UK generally continues to be treated as an EU (and EEA) state for EEA and UK data protection law purposes. Any references to EEA or EU states in this Practice Note should therefore be read to also include the UK until the end of the implementation period. For further guidance on that period, its duration and the data protection laws that are anticipated to apply after the end of it, see Practice Note: Brexit—implications for data protection.

This Practice Note explores issues and best practice relating to the sharing of personal data between controllers (including joint controllers and independent controllers) in the private sector.

Sharing personal data, whether on a one-off or a continuous basis, and whether with a service provider, affiliate, partner, government agency or other third party, qualifies as ‘processing’ under the General Data Protection Regulation, Regulation (EU) 2016/679 (the GDPR) and is therefore generally subject to the GDPR regime.

Data sharing encompasses giving personal data to another person or entity by any means. This Practice Note focuses on data sharing between controllers in general business-to-business commercial situations. It covers:

  1. key