I find that very often people are confused about data sharing and whether it is possible or not within the confines of the GDPR, so I hope this article clears up some of the confusion for you.
Joint controllers or independent controllers?
You can either share data so that both entities are joint controllers or so that each of you is an independent controller (or indeed from data controller to data processor, though this is not considered in this article).
The distinction between joint controllers and independent controllers can be illustrated as follows:
* A luxury shopping brand, a luxury car manufacturer and a bank together create an event that people sign up to attend. Using the data collected, they communicate event details (and other event-related matters) to the people who have signed up. The data isn’t used for any other purpose. The brand, car manufacturer and the bank are joint controllers of the data.
* After the event, each organization uses, within its own organization, the personal data of those data subjects who opted in to receive more information from that organization. They are not joint controllers in relation to that data, because it isn’t being processed for a common purpose.
Lawful ground of processing
If you are sharing personal data with a third party, whether as joint controllers or to an independent controller, you will need to have a lawful ground for processing the personal data in this way. It is possible to share data on the legitimate interests ground of processing, but you will need to carry out a Legitimate Interests Assessment very carefully to ensure the legality – and of course, keep this on file in case you are ever challenged.
A Legitimate Interests Assessment is a three-step test: first, whether you do, in fact, have a legitimate interest in conducting the processing; second, whether the processing is necessary in order to achieve that legitimate interest; and third, whether the data subjects’ rights and freedoms outweigh your interest. If they do, you cannot rely on the legitimate interests ground of processing and would need to seek the consent of the data subjects. A Legitimate Interests Assessment Form can be found in my GDPR Compliance Pack, which you can access at //www.suzannedibble.com/gdprpack.
If you can rely on legitimate interests, you will need to notify data subjects of the data sharing and provide them with the right to opt out. Typically, this is done via your Privacy Notice and you may need to update it and send it to your data subjects if you haven’t already informed them of the data sharing.
If you are proposing to share personal data with third parties and those third parties need consent for their processing (for example, they plan on sending direct marketing emails to the data subjects), then you will also require consent to share personal data with those third parties and such third parties should be specifically named in the consent.
Consent isn’t valid if you ask data subjects to agree to receive direct marketing from “carefully selected partners” or another, similar generic description. Nor is consent valid where data subjects are provided with a long list of general categories of organizations.
Agreements to put in place
If you’re sharing personal data with a joint controller, Article 26 of the GDPR states that there must be an “arrangement” in place between the data controllers. A joint controller Data Sharing Agreement is different from a controller-to-controller Data Sharing Agreement. If you need these documents, they are two of the many documents in my GDPR Compliance Pack, which you can purchase very affordably at //www.suzannedibble.com/gdprpack.
Accurately assessing whether you’re transferring data to a processor, a joint controller, or another independent controller is vital because the type of agreement you must put in place will differ, depending on the nature of the other party. If in doubt, take legal advice.
Although Article 26 of the GDPR requires an arrangement between joint controllers, it does not require that arrangement to be in writing. Having a written agreement in place to evidence the arrangement is nevertheless best practice and helps to demonstrate accountability.
Equally, if you, as a data controller, are sharing personal data with an independent data controller (i.e. not a joint controller), I recommend having an agreement in place (particularly where the data sharing is systematic, large-scale, or risky) even though the GDPR doesn’t specifically require it. The agreement helps you justify the data sharing and demonstrate that compliance issues have been considered, and it sets out how the parties have agreed to address them.
Article 26 of the GDPR states that the joint controllers shall “in a transparent manner” determine their respective responsibilities for compliance — in particular, in relation to the provision of information to data subjects and the exercise of data subject rights. The exception to this is where EU law or national law of any EU Member State sets out the respective responsibilities.
Article 26 goes on to say that the essence of the arrangement shall be made available to data subjects (presumably, in Privacy Notices) and that a contact point may be designated for data subjects. Regardless of the nature of the arrangement and the division of responsibilities between the joint controllers, a data subject may exercise their rights against each of the joint controllers.
Although they are not legally required in a joint controller Data Sharing Agreement, it would be wise to include the following elements:
- An obligation on each party to comply with data protection legislation (not just the GDPR but any applicable data protection legislation)
- A description of the data that’s being shared and whether it’s special category data
- An obligation on each party to provide assistance to the other in the event of a data subject exercising their rights
- Provisions for data retention
- Provisions about onward transfers of the data to a third party
- A description of the security that’s in place to protect the data
- An obligation to inform the other party of any data breach
- Agreement on how to deal with any investigation by a supervisory authority
- A mutual indemnity for each party to reimburse the other for any loss suffered as a result of the other’s actions or inactions
The ICO provides guidance on data sharing at //ico.org.uk/media/for-organisations/documents/1068/data_sharing_code_of_practice.pdf. This document has not yet been updated to reflect the GDPR but is still a useful guide.
To purchase your GDPR Compliance pack, go to //www.suzannedibble.com/gdprpack and if you haven’t yet joined my GDPR Facebook group where there are 35k organisations from around the world discussing GDPR compliance, you can join here.
Suzanne Dibble is a multi-award-winning business lawyer with 23 years’ experience and author of the best-selling book GDPR for Dummies. Suzanne consults with multi-nationals on data protection law and has created the largest social media group relating to the GDPR, where she has helped 40k organisations from around the world with GDPR compliance. The Legal Services Board and the Law Society have heralded her innovative approach to helping small business owners with complex regulations. Suzanne worked with Richard Branson at Virgin, where she led a group-wide data protection project which resulted in Virgin nominating Suzanne for the Solicitor of the Year Award; Suzanne was subsequently runner-up for this prestigious award. Suzanne has had second-to-none training and experience at a top City law firm, leading billion-pound deals and sitting on the board of a £150m+ business (resulting in her being listed in the Who’s Who of Britain’s Business Elite two years in a row). Suzanne has run her own legal practice for the past ten years, focusing on helping small businesses, and has won a number of awards in relation to this.