Data Sharing Agreement Guidance

You need to understand the nature of your relationship with the organisation (or person) with whom you share data and understand what is required by data protection law. Depending on how the data is shared, there are also some specific requirements to meet. Data sharing agreements – There should be consistent retention policies for all data sets and adequate security. Physical and technical security measures must be taken into account for the storage of all data. There are no specific legal provisions (e.g. B specific contractual clauses) which cover the exchange of data for independent controllers. However, this does not mean that the data exchange activity is exempt from accountability or transparency requirements, which could argue for some kind of written agreement. This has implications for issues, for example.B. For the agreement to be effective, the parties must agree that it is feasible and practical. Both parties must sign it. Therefore, where personal data are used for the same or combined purposes, they may be joint controllers. This is a distinction between independent controllers who may share data, but who separately determine how that data is used. If two managers use the same data for different purposes, they would be independent controllers.

The OIC has published, under the GDPR, updated guidelines for organizations regarding data processing contracts/agreements. The processor should be able to demonstrate to the controller an approach to information security, expertise, reliability, resources, compliance with the principles and the exercise of its rights in compliance with the requirements of the GDPR. This helps the controller to determine whether sufficient safeguards have been fulfilled. There are two legal mechanisms to clarify roles, responsibilities and expectations in the exchange of data with third parties: the OIC has also published a checklist for organizations that use data exchange, which covers both systematic exchanges and ad hoc requests: in simpler situations, the controller who shares the data may have a simple confidentiality agreement than anything, what is necessary is considered necessary. NDDs for example can be obtained here.

Pin It