In this blog post we describe one kind of GDPR agreement, the Data Sharing Agreement, and answer two questions: when is it necessary, and how should it be put together? Unlike a Personal Data Processing Agreement, a Data Sharing Agreement applies where all parties are data controllers and decide together the purpose and means for the processing of personal data.
When a Data Sharing Agreement is necessary – joint data controllers
Before concluding an agreement, it is important to evaluate the relationship between the parties and which processing of personal data is concerned. Is it a controller-processor relationship, or are you joint data controllers? To answer this question, we first explain what these concepts mean.
The data controller is the party that decides the purpose and means for the processing of personal data. The data controller is in principle always a legal person, e.g. a company, an organization or a municipality. The data processor is the party that processes personal data on behalf of the data controller.
If the situation at hand is one where personal data flows freely between a data processor and a data controller, you need a Personal Data Processing Agreement, as stated in our Swedish blog post.
A Data Sharing Agreement is instead important when personal data is transferred between two data controllers that together decide the purpose and means of the processing. An example of such a situation is when company X joins company Y in launching a new product. Companies X and Y create a website to market the product together. The website saves users' data, e.g. their IP addresses. Companies X and Y have jointly decided what data shall be processed and in what way. They become joint data controllers because they determine the purposes and means of the processing together. However, it is important to look at the actual situation in order to decide what kind of relationship they have.
What a Data Sharing Agreement should look like
A Data Sharing Agreement is a way to fulfil the requirement to have an internal arrangement in case you are regarded as joint data controllers. A Data Sharing Agreement should therefore contain information regarding:
- The joint data controllers’ respective roles. What are your different tasks in the cooperation?
- Why personal data is shared between the joint data controllers, what the purpose of the processing is and what type of data will be shared between the parties. It can for example concern information regarding salaries of the employees or agreements with clients.
- How the data subjects can exercise their rights and which organization is responsible. Both parties have a responsibility to make sure that the data subjects are able to exercise the rights given to them in the GDPR. There are many rights in the GDPR, e.g. the right of access and the right to be forgotten.
- The obligation to inform the data subject.
- Which legal ground is used for the processing.
- The joint controllers' relationship towards the data subjects.
In addition to the points above, it is an advantage to include information about the retention period and the security measures implemented for the processing. It is also beneficial to make the content of the agreement available to the data subjects.
Do you need more help?
If you have any questions, you are welcome to contact GDPR Hero at firstname.lastname@example.org. We are available on weekdays between the hours 8-17. Do you need help determining a relationship or drawing up a Data Sharing Agreement? We are happy to help you with your legal questions!