The GDPR Essentials: Data sharing and processing agreements

17th October 2024

Data sharing and data processing agreements are critical for organisations when handling personal data and ensuring compliance with GDPR. Both types of agreements serve distinct purposes depending on how data is exchanged or processed.

Data sharing agreements

A data sharing agreement between parties exchanging personal data is a key part of compliance with the accountability principle. This type of agreement helps to:

  • Justify the sharing of personal data between parties.
  • Clarify the roles and responsibilities of the parties involved.
  • Document relevant compliance issues and standards.

The structure of the agreement depends on the scale and complexity of the data being shared and the parties’ roles. It’s important to determine whether the parties are acting as joint or independent controllers of the data. If they are joint controllers, you should clearly establish who is responsible for providing privacy information to individuals and who will be the main contact point.

As data sharing agreements aren’t mandatory, there are no set rules for their content. You’re free to negotiate terms that best protect your organisation from risk and reputational damage. It’s important to define what data is being shared, whether it will be transferred to third parties, where those third parties are located, and the obligations both parties have. This includes handling subject access requests, security measures, and responses to data breaches.

It is good practice for organisations to have written data sharing agreements when controllers share personal data, as this helps demonstrate compliance and an understanding of the organisation’s obligations, responsibilities and liabilities.

Data processing agreements

When a controller uses a processor to handle personal data, a written contract is legally required. Similarly, if a processor uses a sub-processor, a contract must be in place between them. This differs from a data sharing agreement because it’s mandatory and must include specific terms.

Data processing agreements set out the subject matter, duration, nature, purpose, and categories of the data being processed. They also address key points like security measures, data subject rights, and sub-processors.

As a controller, if you engage a processor, your agreement must include certain provisions. As a processor, if you appoint a sub-processor, the contract must offer the same level of protection as your agreement with the controller.

If you’re sharing personal data with a third party and are not sure what terms to have in place, please contact Sophie Brazier at sophiebrazier@schofieldsweeney.co.uk.
