Q&As

If two businesses will exchange the email addresses of their respective employees once the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679 applies, is it necessary to have an agreement in place between them for compliance with the GDPR?

Published on LexisPSL on 26/04/2018

The following Information Law Q&A provides comprehensive and up-to-date legal information covering:

  • If two businesses will exchange the email addresses of their respective employees once the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679 applies, is it necessary to have an agreement in place between them for compliance with the GDPR?
  • Processors and controllers
  • Controller to processor (and processor to subprocessor) relationships
  • Controller to controller personal data sharing

If two businesses will exchange the email addresses of their respective employees once the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679 applies, is it necessary to have an agreement in place between them for compliance with the GDPR?

The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679 will be applicable from 25 May 2018. The UK Parliament is currently considering a Bill including details of certain specific permitted national derogations under the GDPR that it plans to implement. For more information, see Practice Notes: The Data Protection Act 2018, The General Data Protection Regulation (GDPR) and The GDPR and DPA 2018: key data protection issues for employment lawyers.

What is appropriate will depend on the nature of the processing and other circumstances. We do not have any guidance which addresses the specific issue you raised relating to treatment of employee email addresses. However, the following outline of the general regime applicable to personal data sharing may be useful to your considerations.

Processors and controllers

In a similar manner to preceding EU data protection laws, the GDPR distinguishes between ‘controllers’ and ‘processors’. The GDPR imposes significantly different mandatory obligations on arrangements between controllers than it does on arrangements between controllers and processors (or on arrangements between processors and so-called sub-processors engaged by a processor).

In summary, Article 4 of the GDPR generally defines:

  1. a ‘controller’ as: ‘the natural or legal
