When Is A Data Sharing Agreement Necessary

Since the RGPD is much less prescriptive when it comes to sharing with controllers than for transfers to processors, it will probably take some time for the practice to be regulated. The person in charge of the processing should only use subcontractors capable of providing sufficient safeguards to take appropriate technical and organisational measures for the implementation of the RGPD and the guarantee of the rights of the persons concerned. Even if data has been obtained for related and legitimate purposes, the sharing activity itself must be consistent with the principles and provisions of data protection legislation. The written contract must define the purpose, duration, nature and purpose of the treatment, as well as the types (categories) of personal data and the persons concerned. Finally, remember to take into account the effects of the law in the jurisdiction to which the data is transferred. In some cases, there may be an irreconcilable contradiction between EU law and applicable national law.

So when will a contract be required in these other cases? Generally speaking, the more risk an agreement carries, the more reason there is to enter into a contract. From a data protection perspective, the specific risks that are relevant are those that affect the individuals involved and not the organizations that are exchanging. Factors that may be relevant to the risk include:

If you share personal data with a third party, whether for joint controllers or for an independent manager, you must have a legitimate reason for handling personal data in this way. It is possible to share data on the basis of legitimate interest, but you must make the assessment of legitimate interests very carefully to ensure legality – and of course, store it in case you are ever challenged. It is useful to classify sharing in order to have a clear idea of these legal implications and to better understand the steps you should take to facilitate compliance with the RGPD.
In this article, I emphasize the main categories and distinctions. I am thinking in particular of the contractual agreements that organizations may need under the RGPD.

If you rely on legitimate interests, you must inform the people concerned of the data sharing and grant them the right to opt out. As a general rule, this is done through your privacy policy, and you may need to update it and send it to the affected individuals if you have not yet informed them of the data sharing. For example, the use of the Eventbrite online ticketing system automatically applies Eventbrite's Data Processing Addendum as part of the service agreement, which also contains the controller's agreement for listed subcontractors. Second, it avoids miscommunication between the data provider and the authority receiving the data by indicating that data usage issues are being addressed. Before the data is disclosed, the provider and recipient must speak in person or over the phone to discuss data sharing and data usage issues and reach a common understanding, which will then be recorded in a data sharing agreement. This relates to issues such as who is the responsible authority, your role and responsibility to other organizations, and what should be covered by written contractual agreements when transmitting the data. Article 26 also states that the core of the agreement must be made available to the persons concerned (probably in the data protection instructions) and that a point of contact may be designated for those concerned. Regardless of the nature of the agreement and the distribution of responsibilities among the common persons responsible for treatment, a person concerned may exercise his or her rights against each of the common persons responsible for the treatment.

You need to understand the definitions of the controller and processor, as specified in the RGPD. This distinction is important for situations where data can be exchanged. Suzanne Dibble is a multi-award winning business lawyer with 23 years of experience and author of the best-selling book RGPD for models.