Q&As

Where a law firm has been instructed by Client X (and Client X has also instructed Company Y), and in order to carry out its services required by Client X it must liaise directly with Company Y and share personal data relating to employees of Client X, does it need to have a separate agreement in place with Company Y in order to comply with data protection requirements?

Published on LexisPSL on 08/09/2021

The following Information Law Q&A provides comprehensive and up-to-date legal information covering:

  • Where a law firm has been instructed by Client X (and Client X has also instructed Company Y), and in order to carry out its services required by Client X it must liaise directly with Company Y and share personal data relating to employees of Client X, does it need to have a separate agreement in place with Company Y in order to comply with data protection requirements?
  • Establishing the roles of the parties
  • Whether the law firm is likely to be a controller
  • Example scenario 1—if the law firm and Company Y are both independent controllers
  • Example scenario 2—if the law firm and Company Y are joint controllers
  • Example scenario 3—if the law firm is a controller and Company Y is acting as processor on behalf of the law firm
  • Other scenarios
  • If different scenarios apply to different processing activities
  • Precedent provisions

Where a law firm has been instructed by Client X (and Client X has also instructed Company Y), and in order to carry out its services required by Client X it must liaise directly with Company Y and share personal data relating to employees of Client X, does it need to have a separate agreement in place with Company Y in order to comply with data protection requirements?

This Q&A assumes that:

  1. the data sharing takes place within the UK and is exclusively subject to the UK’s General Data Protection Regulation, Retained Regulation (EU) 2016/679 (UK GDPR)

  2. the law firm and Client X are each acting as a controller in relation to all relevant processing activities and data sharing (see below)

This reply focuses on what may be necessary only from the data protection compliance perspective of the law firm in relation to having an agreement in place with Company Y. It does not consider what may be necessary for compliance by any other organisation (eg Client X or Company Y) or what may be necessary for the law firm in relation to other aspects of data protection compliance (eg transparency, lawful basis for processing, data minimisation and so on).

This response uses a number of common data protection terms such as ‘personal data’, ‘processing’, ‘controller’, ‘joint controller’ and ‘processor’. For a definition of such terms, see
