Article 26 also provides that the essence of the agreement must be made available to data subjects (probably in data protection notices) and that a contact point may be designated for data subjects. Regardless of the nature of the agreement and the division of responsibilities between the joint controllers, a data subject may exercise his or her rights vis-à-vis each of the joint controllers. If you transmit personal data to third parties, whether as a jointly responsible company or to an independent controller, you must have a legal basis for processing the personal data in this way. It is possible to share data on the basis of legitimate interests, but you must carry out a very careful assessment of the legitimate interests in order to guarantee legality, and of course retain that assessment in case you are ever challenged. The distinction depends on whether an organisation determines “the purposes and means” of the processing of personal data. “Processing” means the collection, storage, use and transfer of personal data. The GDPR provides that joint controllers conclude an agreement clearly defining their respective responsibilities for compliance with the GDPR, including the rights of data subjects. Although there is no mention of a written agreement between joint controllers, it is worth concluding one, as this helps to meet the essential requirements of transparency and accountability. What personal data do you process on behalf of the controller? You need to understand the nature of your relationship with the organisation (or person) with whom you share data and what is necessary under data protection law. This data processing agreement is adapted from the ProtonMail DPA that you will find on this page. Organizations can use the document below as part of their GDPR compliance.
In both cases, the controller remains responsible for proving compliance with data protection legislation (principle of accountability). In simpler situations, the controller who shares the data may consider that a simple confidentiality agreement is all that is necessary. NDAs, for example, can be obtained here. Depending on how the data is shared, there are also some specific requirements to meet. In the following example of the transmission of PAYE information to HMRC, it would be unnecessary to have a written contract with the Revenue. Since this is a legal obligation of employers, the purpose and use of the data is already clearly defined by law and there is little that can be changed. It is not necessary to have a data sharing agreement in all situations, for example if the disclosure is already strictly defined or if it is a limited, one-time occurrence. When a controller shares personal data with another organisation, there are three relationships that may exist. The assessment of whether you are transferring data to a processor, a joint controller or another independent controller is essential, as the nature of the agreement you need to enter into varies depending on the nature of the other party. If in doubt, seek legal advice. In other cases, the terms of use of the data processor may contain or refer to a contract that covers the necessary clauses, in particular in the case of online web services that you can use….