|Updated:||5 July 2018|
|Format:||MS Word (.DOCX)|
This is a mutual (i.e. two-way) data sharing agreement, which has been designed for use in the situation where two organisations are sharing personal data, and each organisation is acting as a controller with respect to the shared personal data, rather than a processor. They may be acting as joint controllers or as independent controllers.
A controller, under the GDPR, is a person who determines the purposes and means of processing of the personal data; whereas a processor is a person acting on behalf of a controller. Where parties are joint controllers, they together determine the purposes and means.
Although there is no general requirement in the GDPR for controllers to enter into contracts with other controllers when sharing data, the general principles of data protection law mean that, in some circumstances, a contract may be required to ensure compliance.
The clauses of this data sharing agreement are similar in some respects to the clauses you might find in a data processing agreement. They cover the same types of subject matter - purposes of processing, security, co-operation, etc - but with more flexibility. When editing this document, you should take care to ensure that you do not transform the relationship into a controller-processor type relationship. Such relationships should be governed by a data processing agreement meeting the specific requirements of Article 28 of the GDPR.