
Data Sharing Agreement: Data Sharing Between Controllers

July 23, 2025

You may already be familiar with a business’ responsibilities as a controller when engaging a processor to collect, use or store personal data on its behalf. But what about when the business decides to share personal data with another controller?

Data sharing falls within the definition of processing under the UK General Data Protection Regulation (UK GDPR) and, like any other processing activity, requires a valid legal basis under Article 6 of the UK GDPR. This means that before sharing personal data with either a processor or another controller, organisations must identify an appropriate legal basis, such as obtaining the data subject’s consent. Where special category data is involved, businesses must also be able to establish an additional condition for processing under Article 9.

Data sharing between controllers is increasingly common, yet this practice carries distinct legal and compliance obligations that are often overlooked. In this article, we explore what constitutes data sharing between controllers, explain whether a written data sharing agreement is required, and highlight the key elements that should be included in such an agreement. With Information Commissioner’s Office (ICO) fines of up to £17.5 million for non-compliance with the UK’s data protection regime, all businesses should continually consider whether they are sharing personal data and whether they are doing enough to demonstrate compliance with their legal obligations.

What is a controller?

In the UK, an organisation is classified as a controller if it, either alone or jointly with others, determines the purpose and means of processing personal data (e.g. collecting, using, or storing data).

What constitutes data sharing between controllers?

The two types of relationships between controllers

There are two key ways in which one controller may share personal data with another controller:

  1. Sharing with a joint controller – this relationship occurs where two or more controllers share personal data for a unified purpose. For example, a car rental business and a hotel business may create a website where both parties decide the purpose and means of processing personal data collected from that website; or
  2. Sharing with an independent controller – this relationship occurs where data is shared with another controller who will use that personal data for a different purpose. For example, a business may share the personal data of its employees with HMRC for tax purposes.

The definition of “data sharing” in the UK

The UK’s data protection regime, which consists of the UK GDPR, the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications (EC Directive) Regulation 2003 (SI 2003/2436), does not formally define “data sharing”. However, the DPA does define the scope of the ICO’s 2021 Data Sharing Code of Practice (Data Sharing Code), a code which provides practical guidance on the data sharing requirements set out under the regime. The DPA defines the Data Sharing Code’s scope as:

"the disclosure of personal data by transmission, dissemination or otherwise making it available"

The Data Sharing Code expands upon this definition by providing the following examples of data sharing between controllers:

  1. a one-way or reciprocal exchange of personal data between businesses;
  2. granting another business access to personal data on its IT system for a specific research purpose;
  3. several businesses pooling information and making it available to each other or to a third party or parties;
  4. data sharing on a routine, systematic basis for an established purpose;
  5. one-off, exceptional or ad hoc data sharing; and
  6. one-off data sharing in an urgent or emergency situation.

In essence, if a business is disclosing personal data to another controller, then this is likely to constitute data sharing.

Is a data sharing agreement mandatory?

A formal data sharing agreement is not mandatory. However, where the relationship between the controllers is that of joint controllers, the UK GDPR requires the controllers to, by means of an “arrangement between them”, determine their respective responsibilities for compliance with their obligations under UK GDPR, in particular with regard to the data subject exercising their rights. The “arrangement” must reflect the roles and responsibilities of each controller, and the “essence of the arrangement” must be made available to data subjects on request.

As a result of the legal requirement for such an arrangement, many joint controllers elect to put an agreement in place to demonstrate compliance with the UK GDPR.

No arrangement is specified for independent controllers; however, the ICO still recommends that such controllers use a data sharing agreement to demonstrate compliance with the data protection regime’s principle of accountability and as an aid to identifying and managing risk.

What should be included in a data sharing agreement?

The Data Sharing Code recommends that the following key elements should be included in all data sharing agreements:

  1. Roles of the parties – parties to the agreement should clarify whether the parties are joint or independent controllers, as different responsibilities and liabilities will be imposed on different types of parties. It should include who the controllers are at every stage of the data sharing process, even after the sharing;
  2. Purpose – the aim of the data sharing should be clearly stated and detail why the sharing is necessary and the benefits the controllers hope to bring to the data subjects and wider society by sharing personal data;
  3. Contact details – the contact details of all the parties involved in the data sharing, along with the details of their respective Data Protection Officers or other designated contact point, should be included in the agreement. It should be noted, however, that data subjects are not obliged to correspond only with the point of contact nominated by that particular party;
  4. Adding or removing parties to the agreement – where it is anticipated that the businesses involved in the data sharing may change later down the line, the agreement should contain procedures for including additional controllers and procedures for excluding controllers from the data sharing agreement;
  5. Responsibilities – as detailed above, joint controllers are required under the UK GDPR to set out their responsibilities. The responsibilities should therefore be included in any data sharing agreement;
  6. Data specification – the type of data being shared should be specified, including whether the data is general personal data, special category or criminal offence data;
  7. Lawful basis – each party must document their lawful basis for sharing the personal data. These may differ depending on each party’s role and context, for example data subject consent or the pursuit of a legitimate interest. Where special category or criminal offence data is shared, the agreement must additionally specify the Article 9 condition for processing this type of data, such as for public interest;
  8. Individual rights – controllers should set out how they will uphold a data subject’s rights in the agreement. This includes setting out which controller is responsible for each task related to a data subject’s rights. For example, it should specify which controller is responsible for providing a data subject with access to their shared personal data upon a request by that data subject. However, it is important to highlight that all controllers remain jointly responsible for compliance with the data subject’s rights; and
  9. Governance arrangements – the agreement should anticipate the main practical problems that may arise and how those problems shall be prevented or addressed. For example, it may specify obligations for controllers to train their employees or a responsibility to seek advice in relation to preventing excessive information being disclosed.

Advances in technology have made it easier than ever for businesses to share personal data, leading to a significant increase in data sharing between controllers. While not mandatory, a data sharing agreement is strongly recommended by the ICO to clarify responsibilities, demonstrate accountability, and manage risk.

Data sharing agreements should be reviewed regularly to ensure that data sharing remains justified, up to date, and fully compliant with the UK’s data protection regime. Ongoing reviews help businesses stay legally compliant and maintain trust in their data handling practices.

How To Get In Contact

For further insight or if you’d like to speak with our Data Protection and Privacy team, please contact Samantha McManus at Samantha.McManus@ilaw.co.uk or call 07513 826745.

About the author

Samantha McManus
