Data sharing agreement (mutual)
This agreement will help you to regulate the sharing of personal data by two companies or other organisations, where each party will act as a controller with respect to the shared data. The document may be used whether the parties will exercise their authority as controllers independently or jointly.
Unlike in the case of controller-to-processor transfers, there is no mandated set of clauses which must be included in contracts that govern controller-to-controller transfers. Indeed, in some cases it is not necessary to have a contract at all. However, some of the controller obligations set out in the General Data Protection Regulation (GDPR) will be engaged in relation to such transfers, and in appropriate cases a data sharing agreement will help the parties to meet those obligations.
Such an agreement will not, however, always exhaust the parties' obligations under the GDPR. For instance, a data protection impact assessment may be required before a sharing arrangement is instituted.
The operative provisions of this data sharing agreement cover (amongst other things): (i) obligations to comply with the GDPR and other applicable laws; (ii) limits on further disclosure of shared data; (iii) international transfers of data; (iv) issues relating to supervisory authorities and data subject rights; (v) security of shared data; and (vi) the handling of personal data breaches.
This document is not specifically designed to cover the sharing of special categories of personal data; nor should it be used for controller-to-processor sharing.
Data sharing agreement (mutual) contents
- Definitions: definitions; data protection terms.
- Term: commencement of term; end of term.
- Obligations to share Personal Data: obligation on First Party to transfer personal data; obligation on Second Party to transfer personal data.
- Data quality: parties to ensure data quality.
- No special categories: no special categories of personal data to be shared; no criminal conviction data to be shared.
- Parties acting as controllers: each party is independent controller of shared personal data; purposes of processing shared personal data (independent controllers); legal bases of processing shared personal data (independent controllers); document does not apply to all personal data.
- Parties acting as controllers: parties are joint controllers of shared personal data; purposes of processing shared personal data (joint controllers); legal bases of processing shared personal data (joint controllers); document does not apply to all personal data.
- Compliance with Data Protection Laws: compliance with data protection laws with respect to shared personal data; shared personal data collected in accordance with law; evidence of consent to process personal data; First Party responsible for meeting data protection transparency requirements; Second Party responsible for meeting data protection transparency requirements; assistance in relation to compliance with data protection laws.
- Further disclosure of Shared Personal Data: First Party must not disclose personal data; Second Party must not disclose personal data; obligations on disclosure of shared personal data; section does not prevent disclosure of anonymised data; section does not prevent disclosure of personal data to processors.
- International transfers of Shared Personal Data: prohibition on extra-EEA transfers of shared personal data; exceptions to prohibition on extra-EEA transfers of shared personal data; standard contractual clauses take precedence over Agreement.
- Shared Personal Data and supervisory authorities: communications from supervisory authorities about shared personal data; cooperation in relation to supervisory authority action.
- Shared Personal Data and data subject rights: communications from data subjects about shared personal data; cooperation in relation to data subject rights.
- Security of Shared Personal Data: appropriate measures to secure shared personal data; particular security measures for shared personal data.
- Data breaches involving Shared Personal Data: notification of data breaches involving shared personal data; assistance in relation to shared personal data breaches.
- Retention and deletion: retention periods for First Party personal data; retention periods for Second Party personal data; section subject to effects of termination.
- Compliance audit: right to audit compliance; notice of audit; cooperation in relation to audit; costs of licence audit; limits on audit right.
- Changes to Data Protection Laws: changes to data protection law.
- Confidentiality obligations: first party confidentiality undertaking; second party confidentiality undertaking; disclosure of confidential information to certain persons; exceptions to confidentiality obligations; disclosures of confidential information mandated by law etc; confidentiality obligations after termination.
- Warranties: first party warranty of authority; second party warranty of authority; exclusion of implied warranties and representations.
- Indemnities: indemnity upon breach: any provision or specified provisions (with definition); conditions upon first party indemnity; indemnity upon breach: any provision or specified provisions (with definition); conditions upon second party indemnity; limitations of liability vs indemnities.
- Limitations and exclusions of liability: caveats to limits of liability; interpretation of limits of liability; no liability for force majeure; per event liability cap.
- Termination: termination by either party without cause; termination by either party upon breach; termination upon insolvency.
- Effects of termination: parties to delete shared personal data; surviving provisions upon termination; termination does not affect accrued rights.
- Notices: methods and deemed receipt of contractual notices; contact details for contractual notices; substitute contact details for notices.
- General: no waiver; severability; variation written and signed; no assignment without written consent; no third party rights; entire agreement; governing law; exclusive jurisdiction.
- Interpretation: statutory references; section headings not affecting interpretation; no ejusdem generis.
SCHEDULE 1 (DATA PROTECTION INFORMATION NOTICES)
- First Party data protection information notice: prompt for First Party data protection information notice.
- Second Party data protection information notice: prompt for Second Party data protection information notice.
SCHEDULE 2 (STANDARD CONTRACTUAL CLAUSES)
- Prompt for standard contractual clauses.
SCHEDULE 3 (SECURITY MEASURES)
- First Party security measures: prompt for details of First Party security measures.
- Second Party security measures: prompt for details of Second Party security measures.