Data sharing agreements
These agreements facilitate the lawful sharing of personal data between two controllers (as that term is defined in the General Data Protection Regulation). They can be used with respect to either joint controllers or independent controllers. They are not suitable for use in relation to controller-to-processor or processor-to-processor sharing.
Data sharing agreement (mutual)
Version | 2.0 |
---|---|
First published | 31 May 2018 |
Last updated | 21 Mar 2024 |
Word count | 6,706 |
Template pages | 15 |
Data sharing agreement (unilateral)
Version | 2.0 |
---|---|
First published | 31 May 2023 |
Last updated | 21 Mar 2024 |
Word count | 5,907 |
Template pages | 13 |
Joint controllers data sharing agreement (unilateral)
Version | 1.0 |
---|---|
First published | 22 Mar 2024 |
Last updated | 22 Mar 2024 |
Word count | 5,891 |
Template pages | 13 |
Joint controllers data sharing agreement (mutual)
Version | 1.0 |
---|---|
First published | 22 Mar 2024 |
Last updated | 22 Mar 2024 |
Word count | 6,653 |
Template pages | 15 |
Compare contents
Data sharing agreement (mutual) contents
- Definitions: definitions; data protection terms.
- Term: commencement of term; end of term.
- Obligations to share Personal Data: obligation on First Party to share personal data; obligation on Second Party to share personal data.
- Data quality: parties to ensure data quality.
- No special categories: no special categories of personal data to be shared; no criminal conviction data to be shared.
- Parties acting as controllers: each party is independent controller of shared personal data; legal bases of sharing personal data (independent controllers); document does not apply to all personal data.
- Compliance with Data Protection Laws: compliance with data protection laws with respect to shared personal data; shared personal data collected in accordance with law; requirements relating to consent-based processing of personal data; First Party responsible for meeting data protection transparency requirements; Second Party responsible for meeting data protection transparency requirements; assistance in relation to compliance with data protection laws.
- Further disclosure of Shared Personal Data: First Party must not disclose personal data; Second Party must not disclose personal data; obligations on disclosure of First Party personal data; obligations on disclosure of the Second Party personal data; section does not prevent disclosure of anonymised data; section does not prevent disclosure of personal data to processors.
- International transfers of Shared Personal Data: prohibition on third country transfers of shared personal data; exceptions to prohibition on third country transfers of shared personal data; approved international transfer clauses take precedence over Agreement.
- Shared Personal Data and supervisory authorities: communications from supervisory authorities about shared personal data; cooperation in relation to supervisory authority action.
- Shared Personal Data and data subject rights: communications from data subjects about shared personal data; cooperation in relation to data subject rights.
- Security of Shared Personal Data: appropriate measures to secure shared personal data; particular security measures for shared personal data.
- Data breaches involving Shared Personal Data: notification of data breaches involving shared personal data; assistance in relation to shared personal data breaches.
- Retention and deletion: retention periods for First Party personal data; retention periods for Second Party personal data; section subject to effects of termination.
- Compliance audit: right to audit compliance; notice of audit; cooperation in relation to audit; costs of licence audit; limits on audit right.
- Changes to Data Protection Laws: changes to data protection law.
- Confidentiality obligations: First Party confidentiality undertaking; Second Party confidentiality undertaking; disclosure of confidential information to certain persons; exceptions to confidentiality obligations; disclosures of confidential information mandated by law etc; confidentiality obligations after termination.
- Warranties: first party warranty of authority; second party warranty of authority; exclusion of implied warranties and representations.
- Indemnities: First Party indemnifies Second Party upon data protection breach; Second Party indemnifies First Party upon data protection breach.
- Limitations and exclusions of liability: caveats to limits of liability; interpretation of limits of liability; no liability for force majeure; per event liability cap.
- Termination: termination by either party without cause; termination by either party upon breach; termination upon insolvency.
- Effects of termination: parties to delete shared personal data; surviving provisions upon termination; termination does not affect accrued rights.
- Notices: contractual notices must be in writing; methods of sending contractual notices; contact details for contractual notices; substitute contact details for notices; acknowledgement of notice by email; deemed receipt of contractual notices.
- Data protection contacts: First Party data protection contact; Second Party data protection contact.
- General: no waiver; severability; variation written and signed; no assignment without written consent; no third party rights; entire agreement; governing law; exclusive jurisdiction.
- Interpretation: statutory references; section headings not affecting interpretation; no ejusdem generis.
SCHEDULE 1 (DATA PROTECTION INFORMATION NOTICES)
- First Party data protection information notice: prompt for First Party data protection information notice.
- Second Party data protection information notice: prompt for Second Party data protection information notice.
SCHEDULE 2 (INTERNATIONAL TRANSFER CLAUSES)
- Prompt for international transfer clauses.
SCHEDULE 3 (FORM OF CONSENT)
- First Party form of consent: prompt for First Party form of consent.
- Second Party form of consent: prompt for Second Party form of consent.
SCHEDULE 4 (SECURITY MEASURES)
- First Party security measures: prompt for details of First Party security measures.
- Second Party security measures: prompt for details of Second Party security measures.
Data sharing agreement (unilateral) contents
- Definitions: definitions; data protection terms.
- Term: commencement of term; end of term.
- Obligations to share Personal Data: obligation on Supplier to share personal data.
- Data quality: Supplier to ensure data quality.
- No special categories: no special categories of personal data to be shared by Supplier; no criminal conviction data to be shared by first party.
- Parties acting as controllers: each party is independent controller of Supplier personal data; legal bases of sharing Supplier personal data (independent controllers); document does not apply to all personal data disclosed by Supplier.
- Compliance with Data Protection Laws: compliance with data protection laws with respect to Supplier personal data; Supplier personal data collected in accordance with law; requirements relating to consent-based processing of personal data; Supplier responsible for meeting data protection transparency requirements; assistance in relation to compliance with data protection laws.
- Further disclosure of Supplier Personal Data: Recipient must not disclose personal data; obligations on disclosure of Supplier personal data; section does not prevent disclosure of anonymised data; section does not prevent disclosure of personal data to processors.
- International transfers of Supplier Personal Data: prohibition on third country transfers of Supplier personal data; exceptions to prohibition on third country transfers of Supplier personal data; approved international transfer clauses take precedence over Agreement.
- Supplier Personal Data and supervisory authorities: communications from supervisory authorities about Supplier personal data; cooperation in relation to supervisory authority action.
- Supplier Personal Data and data subject rights: communications from data subjects about first party personal data; cooperation in relation to data subject rights.
- Security of Supplier Personal Data: appropriate measures to secure Supplier personal data; particular security measures for Supplier personal data.
- Data breaches involving the Supplier Personal Data: notification of data breaches involving Supplier personal data; assistance in relation to Supplier personal data breaches.
- Retention and deletion: retention periods for Supplier personal data; section subject to effects of termination.
- Compliance audit: right to audit compliance; notice of audit; cooperation in relation to audit; costs of licence audit; limits on audit right.
- Changes to Data Protection Laws: changes to data protection law.
- Recipient confidentiality obligations: Recipient confidentiality undertaking; disclosure of confidential information by Recipient to certain persons; exceptions to Recipient confidentiality obligations; disclosures of Supplier confidential information mandated by law etc; Recipient to stop using confidential information upon termination; Recipient confidentiality obligations after termination.
- Warranties: first party warranty of authority; second party warranty of authority; exclusion of implied warranties and representations.
- Indemnities: Supplier indemnifies Recipient upon data protection breach; Recipient indemnifies Supplier upon data protection breach.
- Limitations and exclusions of liability: caveats to limits of liability; interpretation of limits of liability; no liability for force majeure; per event liability cap.
- Termination: termination by either party without cause; termination by either party upon breach; termination upon insolvency.
- Effects of termination: Recipient to delete Supplier personal data; surviving provisions upon termination; termination does not affect accrued rights.
- Notices: contractual notices must be in writing; methods of sending contractual notices; contact details for contractual notices; substitute contact details for notices; acknowledgement of notice by email; deemed receipt of contractual notices.
- Data protection contacts: Supplier data protection contact; Recipient data protection contact.
- General: no waiver; severability; variation written and signed; no assignment without written consent; no third party rights; entire agreement; governing law; exclusive jurisdiction.
- Interpretation: statutory references; section headings not affecting interpretation; no ejusdem generis.
SCHEDULE 1 (DATA PROTECTION INFORMATION NOTICE)
- Prompt for Recipient data protection information notice.
SCHEDULE 2 (FORM OF CONSENT)
- Prompt for Recipient form of consent.
SCHEDULE 3 (INTERNATIONAL TRANSFER CLAUSES)
- Prompt for international transfer clauses.
SCHEDULE 4 (SECURITY MEASURES)
- Supplier security measures: prompt for details of Supplier security measures.
- Recipient security measures: prompt for details of Recipient security measures.