Personal data sharing between controllers

The following Information Law practice note provides comprehensive and up to date legal information covering:

  • Personal data sharing between controllers
  • In brief—summary of steps controllers should often take before data sharing
  • Scope of this Practice Note
  • Key guidance from regulators
  • Guidance from the UK’s ICO
  • Guidance from the EDPB
  • What is personal data sharing?
  • Situations which may involve personal data sharing
  • Data sharing under the GDPR regimes
  • Incidental or limited data sharing
  • More...

Personal data sharing between controllers

This Practice Note explores issues and best practice relating to the sharing of personal data between controllers (including joint controllers and independent controllers) in general business-to-business commercial situations under the requirements of the United Kingdom General Data Protection Regulation, Retained Regulation (EU) 2016/679 (UK GDPR) and EU’s General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR).

It assumes a degree of familiarity with key data protection concepts and terms and the role of key supervisory organisations. For a higher-level introduction to this topic and related issues, see: Data sharing and transactions—overview.

For higher-level introductions to those data protection laws generally, see Practice Notes: Data protection law—new starter guide and Introduction to the EU GDPR and UK GDPR. The Data protection toolkit collates further general guidance on those regimes, including guidance on key terms used in the legislation, and is a recommended starting point for data protection research.

In brief—summary of steps controllers should often take before data sharing

Both the UK GDPR and EU GDPR regimes seek to ensure information about living individuals (within the definition of ‘personal data’) is used fairly and responsibly.

One of the key protections under both regimes is the obligations placed on ‘controllers’ (usually meaning those that decide the purposes and means of processing). ‘Processing’ is broadly defined to include doing most things with data, including storing, deleting, collecting, disclosing

Popular documents