Data sharing agreement (unilateral)
The function of this data sharing agreement is to provide protection for personal data disclosed by one business to another, in line with the General Data Protection Regulation (GDPR) in both its EU and UK forms, taking account of the guidance on data sharing issued by the UK Information Commissioner's Office.
The data sharing agreement is intended for use in relation to controller-to-controller data sharing - in other words, where both the sharer and the recipient will use the personal data for their own purposes and via their own means.
The agreement assumes that the controllers are independent, and not joint controllers.
The core provisions of the data sharing contract cover: (i) obligations to share personal data and to ensure that the data meets identified quality requirements; (ii) a prohibition on sharing especially sensitive data (known as special categories of personal data in the GDPR); (iii) the identification of the parties as independent controllers; (iv) data protection compliance obligations; (v) onward disclosures and international transfers of the personal data; and (vi) responses to the actions of supervisory authorities and data subjects.
The agreement includes a standard confidentiality clause covering the shared data, as well as some basic warranties, indemnities and limitations of liability.
The template data sharing agreement does not include a licensing clause, and if the recipient of the data needs a licence, a separate licensing contract should be entered into. In that case, you will need to consider the relationship between the two contracts. For instance, should the termination of one lead automatically to the termination of the other?
Ask about this documentData sharing agreement (unilateral) contents
- Definitions: definitions; data protection terms.
- Term: commencement of term; end of term.
- Obligations to share
Personal Data : obligation onSupplierto share personal data. - Data quality: Supplierto ensure data quality.
- No special categories: no special categories of personal data to be shared by Supplier; no criminal conviction data to be shared by first party.
- Parties acting as controllers: each party is independent controller of Supplierpersonal data; legal bases of sharingSupplierpersonal data (independent controllers); document does not apply to all personal data disclosed bySupplier.
- Compliance with
Data Protection Laws : compliance with data protection laws with respect toSupplierpersonal data;Supplierpersonal data collected in accordance with law; requirements relating to consent-based processing of personal data;Supplierresponsible for meeting data protection transparency requirements; assistance in relation to compliance with data protection laws. - Further disclosure of SupplierPersonal Data:Recipientmust not disclose personal data; obligations on disclosure ofSupplierpersonal data; section does not prevent disclosure of anonymised data; section does not prevent disclosure of personal data to processors.
- International transfers of
: prohibition on third country transfers ofSupplierPersonal DataSupplierpersonal data; exceptions to prohibition on third country transfers ofSupplierpersonal data; approved international transfer clauses take precedence overAgreement. and supervisory authorities: communications from supervisory authorities aboutSupplierPersonal DataSupplierpersonal data; cooperation in relation to supervisory authority action. and data subject rights: communications from data subjects about first party personal data; cooperation in relation to data subject rights.SupplierPersonal Data- Security of
: appropriate measures to secureSupplierPersonal DataSupplierpersonal data; particular security measures forSupplierpersonal data. - Data breaches involving the SupplierPersonal Data: notification of data breaches involvingSupplierpersonal data; assistance in relation toSupplierpersonal data breaches.
- Retention and deletion: retention periods for Supplierpersonal data; section subject to effects of termination.
- Compliance audit: right to audit compliance; notice of audit; cooperation in relation to audit; costs of licence audit; limits on audit right.
- Changes to
Data Protection Laws : changes to data protection law. - Recipientconfidentiality obligations:Recipientconfidentiality undertaking; disclosure of confidential information byRecipientto certain persons; exceptions toRecipientconfidentiality obligations; disclosures ofSupplierconfidential information mandated by law etc;Recipientto stop using confidential information upon termination;Recipientconfidentiality obligations after termination.
- Warranties: first party warranty of authority; second party warranty of authority; exclusion of implied warranties and representations.
- Indemnities: SupplierindemnifiesRecipientupon data protection breach;RecipientindemnifiesSupplierupon data protection breach.
- Limitations and exclusions of liability: caveats to limits of liability; interpretation of limits of liability; no liability for force majeure; per event liability cap.
- Termination: termination by either party without cause; termination by either party upon breach; termination upon insolvency.
- Effects of termination: Recipientto deleteSupplierpersonal data; surviving provisions upon termination; termination does not affect accrued rights.
- Notices: contractual notices must be in writing; methods of sending contractual notices; contact details for contractual notices; substitute contact details for notices; acknowledgement of notice by email; deemed receipt of contractual notices.
- Data protection contacts: Supplierdata protection contact;Recipientdata protection contact.
- General: no waiver; severability; variation written and signed; no assignment without written consent; no third party rights; entire agreement; governing law; exclusive jurisdiction.
- Interpretation: statutory references; section headings not affecting interpretation; no ejusdem generis.
SCHEDULE 1 (DATA PROTECTION INFORMATION NOTICE)
- Prompt for
SCHEDULE 2 (FORM OF CONSENT)
- Prompt for
SCHEDULE 3 (INTERNATIONAL TRANSFER CLAUSES)
- Prompt for international transfer clauses.
SCHEDULE 4 (SECURITY MEASURES)
- Suppliersecurity measures: prompt for details ofSuppliersecurity measures.
- Recipientsecurity measures: prompt for details ofRecipientsecurity measures.