Register
Forgotten password?

Data sharing agreement (mutual)

This agreement will help you to regulate the sharing of personal data by two companies or other organisations, where each party will act as a controller with respect to the shared data. The document may be used whether the parties will exercise their authority as controllers independently or jointly.

Unlike in the case of controller-to-processor transfers, there is no mandated set of clauses which must be included in contracts that govern controller-to-controller transfers. Indeed, in some cases it is not necessary to have a contract at all. However, some of the controller obligations set out in General Data Protection Regulation (GDPR) will be engaged in relation to such transfers, and in appropriate cases a data sharing agreement will help the parties to meet those obligations.

Such an agreement will not, however, always exhaust the parties obligations under the GDPR. For instance, a data protection impact assessment may be required before a sharing arrangement is instituted.

The operative provisions of this data sharing agreement cover (amongst other things): (i) obligations to comply with the GDPR and other applicable laws; (ii) limits on further disclosure of shared data; (iii) international transfers of data; (iv) issues relating to supervisory authorities and data subject rights; (v) security of shared data; and (vi) the handling of personal data breaches.

This document is not specifically designed to cover the sharing of special categories of personal data; nor should it be used for controller-to-processor sharing.

Ask about this document

Data sharing agreement (mutual) contents

  1. Definitions: definitions; data protection terms.
  2. Term: commencement of term; end of term.
  3. Obligations to share Personal Data: obligation on 
    First Party
     to transfer personal data; obligation on 
    Second Party
    to transfer personal data.
  4. Data quality: parties to ensure data quality.
  5. No special categories: no special categories of personal data to be shared; no criminal conviction data to be shared.
  6. Parties acting as controllers: each party is independent controller of shared personal data; purposes of processing shared personal data (independent controllers); legal bases of processing shared personal data (independent controllers); document does not apply to all personal data.
  7. Compliance with Data Protection Laws: compliance with data protection laws with respect to shared personal data; shared personal data collected in accordance with law; evidence of consent to process personal data;
    First Party
     responsible for meeting data protection transparency requirements;
    Second Party
    responsible for meeting data protection transparency requirements; assistance in relation to compliance with data protection laws.
  8. Further disclosure of Shared Personal Data:
    First Party
     must not disclose personal data;
    Second Party
    must not disclose personal data; obligations on disclosure of shared personal data; section does not prevent disclosure of anonymised data; section does not prevent disclosure of personal data to processors.
  9. International transfers of Shared Personal Data: prohibition on extra-EEA transfers of shared personal data; exceptions to prohibition on extra-EEA transfers of shared personal data; standard contractual clauses take precedence over 
    Agreement
    .
  10. Shared Personal Data and supervisory authorities: communications from supervisory authorities about shared personal data; cooperation in relation to supervisory authority action.
  11. Shared Personal Data and data subject rights: communications from data subjects about shared personal data; cooperation in relation to data subject rights.
  12. Security of Shared Personal Data: appropriate measures to secure shared personal data; particular security measures for shared personal data.
  13. Data breaches involving Shared Personal Data: notification of data breaches involving shared personal data; assistance in relation to shared personal data breaches.
  14. Retention and deletion: retention periods for
    First Party
    personal data; retention periods for
    Second Party
    personal data; section subject to effects of termination.
  15. Compliance audit: right to audit compliance; notice of audit; cooperation in relation to audit; costs of licence audit; limits on audit right.
  16. Changes to Data Protection Laws: changes to data protection law.
  17. Confidentiality obligations: first party confidentiality undertaking; second party confidentiality undertaking; disclosure of confidential information to certain persons; exceptions to confidentiality obligations; disclosures of confidential information mandated by law etc; confidentiality obligations after termination.
  18. Warranties: first party warranty of authority; second party warranty of authority; exclusion of implied warranties and representations.
  19. Indemnities: indemnity upon breach: any provision or specified provisions (with definition); conditions upon first party indemnity; indemnity upon breach: any provision or specified provisions (with definition); conditions upon second party indemnity; limitations of liability vs indemnities.
  20. Limitations and exclusions of liability: caveats to limits of liability; interpretation of limits of liability; no liability for force majeure; per event liability cap.
  21. Termination: termination by either party without cause; termination by either party upon breach; termination upon insolvency.
  22. Effects of termination: parties to delete shared personal data; surviving provisions upon termination; termination does not affect accrued rights.
  23. Notices: methods and deemed receipt of contractual notices; contact details for contractual notices; substitute contact details for notices.
  24. General: no waiver; severability; variation written and signed; no assignment without written consent; no third party rights; entire agreement; governing law; exclusive jurisdiction.
  25. Interpretation: statutory references; section headings not affecting interpretation; no ejusdem generis.

SCHEDULE 1 (DATA PROTECTION INFORMATION NOTICES)

  1. First Party
    data protection information notice:
    prompt for 
    First Party
     data protection information notice.
  2. Second Party
    data protection information notice:
    prompt for 
    Second Party
    data protection information notice.

SCHEDULE 2 (STANDARD CONTRACTUAL CLAUSES)

    Prompt for standard contractual clauses.

SCHEDULE 3 (SECURITY MEASURES)

  1. First Party
    security measures:
    prompt for details of
    First Party
    security measures.
  2.  
    Second Party
     security measures:
    prompt for details of
    Second Party
    security measures.
Data sharing agreement (mutual) document editor previewData sharing agreement (mutual) document editor previewData sharing agreement (mutual) document editor previewData sharing agreement (mutual) document editor previewData sharing agreement (mutual) document editor previewData sharing agreement (mutual) document editor preview
This is a shortened preview of the editor interface; once you create your instance you'll be able to edit the full document in our online editor.
Data sharing agreement (mutual) document previewData sharing agreement (mutual) document previewData sharing agreement (mutual) document previewData sharing agreement (mutual) document previewData sharing agreement (mutual) document previewData sharing agreement (mutual) document previewData sharing agreement (mutual) document previewData sharing agreement (mutual) document preview
This is a shortened preview of the DOCX output; once you create your instance you'll be able to download the full document in PDF, HTML, RTF and/or DOCX (Microsoft Word) format.