Agreements
Data Sharing Agreement (DSA) between independent controllers
A Data Sharing Agreement (DSA) between independent controllers should be concluded when at least two actors are independent controllers and share personal data with each other. Data sharing can be unilateral or reciprocal.
What is the difference between a Data Sharing Agreement (DSA) and a Data Processing Agreement (DPA)?
A Data Sharing Agreement and a Data Processing Agreement are suitable for different situations. When two or more independent controllers cooperate and share personal data with each other, a Data Sharing Agreement (DSA) between independent controllers is the appropriate instrument. Each party determines the purpose of its own processing of personal data and the legal basis for that processing, and is solely responsible for it. A Data Processing Agreement (DPA) is instead appropriate when one company (the processor) processes personal data on behalf of another company (the controller), the situation governed by Article 28 GDPR.
Purpose of establishing a Data Sharing Agreement
Although the GDPR does not explicitly state that companies must enter into a Data Sharing Agreement, there are several rules in the GDPR that a Data Sharing Agreement helps companies comply with. Benefits of establishing and concluding a Data Sharing Agreement (DSA) between independent controllers:
The parties regulate what information is to be given to the data subjects, so that the data subjects know which party is responsible for what.
The reason why the personal data of the data subjects is shared between the parties is formalised in writing and clarified.
The legal basis on which the processing is supported is clarified and communicated with transparency between the parties.
The rights of data subjects are clarified, and the parties decide between themselves how requests from data subjects to exercise their rights are to be handled.
The Data Sharing Agreement helps companies prove that they comply with the GDPR in accordance with the principle of accountability.
When should the parties conclude a Data Sharing Agreement?
Both parties are independent data controllers
When two or more parties are independent controllers and share personal data with each other, they should enter into a Data Sharing Agreement. This means that each party is the sole controller for its own processing of the personal data that is shared or received. Although the processing concerns the same personal data, each party has its own independent purposes and legal bases for the processing operations it carries out. Data sharing can be one-sided or reciprocal: either only one party shares personal data with the other, or both parties share personal data with each other.
The Parties are not joint controllers
The purposes of the processing of the personal data received by the parties are not jointly determined by the parties. Therefore, the parties are not joint controllers under Article 26 GDPR. If they were joint controllers, the parties should instead conclude a "Joint Controllership Agreement", the arrangement that Article 26 requires between joint controllers.
No party processes personal data on behalf of the other party
In other words, there is no processor-relationship between the parties.
Examples of content in a Data Sharing Agreement (DSA) between independent controllers

Roles and status
It must be clear that the parties are independent controllers. Each party therefore determines its own purposes of processing. It should also be explicitly stated that there is no joint controllership and no controller-processor relationship between the parties.

Purpose
The purpose of processing must always be explicit and specific. The main rule (purpose limitation, Article 5(1)(b) GDPR) is that personal data may not be further processed for purposes incompatible with those for which it was collected.

Legal basis
As each party is an independent controller, each must identify its own legal basis (Article 6 GDPR) for its processing. These legal bases should be specified in the Data Sharing Agreement.

Type of personal data
It is important to specify the categories of personal data to be shared, and which party shares them with which. In particular, state whether special categories of personal data (Article 9 GDPR) or other privacy-sensitive personal data are involved, as this is needed in order to make a sound risk assessment.

Technical and organisational measures
Companies must take appropriate technical and organisational security measures in accordance with the GDPR (Article 32) in order to protect personal data. It is good to define in the agreement what security measures the parties must take when sharing data, for example encryption of the data in transit and at rest, and authentication and access control for the systems and channels used to exchange it.

Sharing with third parties
In order to prevent unauthorised disclosure of the personal data, it is good to agree on prohibitions and requirements for sharing the personal data with third parties. For example, the agreement may require the other party's written permission before personal data is shared with a third party, or prohibit such sharing altogether.

Rights of data subjects
Controllers must be able to fulfil the rights of data subjects. If several parties process the same personal data as independent controllers, it is useful to clarify which of them is to handle data subjects' requests. In addition, it is good to include how quickly the handling must take place (the GDPR sets a deadline of one month, extendable in certain cases, in Article 12(3)) and the means of communication between the parties, for example how a request received by one party is forwarded to the other.

Obligation to provide information
The GDPR imposes a legal obligation on controllers to provide information to data subjects. This means, among other things, that each party must inform the data subjects about its processing of their personal data in accordance with Article 13 GDPR (where the data is collected from the data subject) and Article 14 GDPR (where the data is obtained from another source, such as the other party to the agreement). The agreement can set out which party informs the data subjects about what, so that the information given to them is consistent.

Handling of personal data breaches
The GDPR requires controllers to handle personal data breaches, including notification of the supervisory authority without undue delay and, where feasible, within 72 hours (Article 33), and notification of the data subjects where the breach is likely to result in a high risk to them (Article 34). It is good to agree on how the parties to the agreement are to act in the event of a personal data breach, such as a security incident affecting the shared data or an e-mail containing personal data sent to the wrong recipient. For example, the Data Sharing Agreement should regulate how the parties communicate with each other about the breach, within what time limit, and which party contacts the national data protection authority and the data subjects. Note that, since each party is an independent controller, each remains responsible for its own notification obligations; the agreement coordinates how these are carried out but does not transfer them.

Storage period
Personal data may not be stored for longer than is necessary for the purpose of the processing (storage limitation, Article 5(1)(e) GDPR). The parties to a Data Sharing Agreement may have different retention periods, since they are independent controllers and determine this themselves. It is nevertheless good to include the retention periods in the agreement, and to specify how the personal data is to be securely erased when the period expires.

Termination of the contract
The Data Sharing Agreement should regulate what happens when the agreement between the parties ends, for example whether the shared personal data is to be deleted or whether the parties may retain it for further processing on their own legal basis. In addition, it is good to regulate how any future requests from data subjects to exercise their rights will be handled after termination.
Learn more
Privacy Notice
Companies need to inform the data subjects about their processing of personal data, which is usually done in a privacy notice. There, the company describes, among other things, the purposes of the processing, the legal bases, the retention periods and the data subjects' rights. A privacy notice is not the same as a privacy policy. A privacy notice is an external, informative document addressed to data subjects. A privacy policy, by contrast, is an internal document that describes to the company's employees how the company works with data protection.