Since the RGPD is much less prescriptive when it comes to sharing with controllers than for transfers to processors, it will probably take some time for the practice to be regulated. The person in charge of the processing should only use subcontractors capable of providing sufficient safeguards to take appropriate technical and organisational measures for the implementation of the RGPD and the guarantee of the rights of the persons concerned. Even if data has been obtained for related and legitimate purposes, the sharing activity itself must be consistent with the principles and provisions of data protection legislation. The written contract must define the purpose, duration, nature and purpose of the treatment, as well as the types (categories) of personal data and the persons concerned. Finally, remember to take into account the effects of the law in the jurisdiction in which the data is transferred. In some cases, there may be an irreconcilable contradiction between EU law and applicable national law. So when will a contract be required in these other cases? Generally speaking, the more risk an agreement carries, the more reason there is to enter into a contract. From a data protection perspective, the specific risks that are relevant are those that affect the individuals involved and not the organizations that are exchanging. Factors that may be relevant to the risk include: If you share personal data with a third party, whether for joint controllers or for an independent manager, you must have a legitimate reason for handling personal data in this way. It is possible to share data on the legitimate stoltogen interest of treatment, but you must make an assessment of legitimate interests very carefully to ensure legality – and of course, store them if you are ever challenged. It is useful to classify sharing in order to have a clear idea of these legal implications and to better understand the steps you should take to facilitate compliance with the RGPD. In this article, I emphasize the main categories and distinctions. I am thinking in particular of the contractual agreements that organizations may need under the RGPD.
You need to understand the definitions of the controller and processor, as specified in the RGPD. This distinction is important for situations where data can be exchanged. Suzanne Dibble is a multi-award winning business lawyer with 23 years of experience and author of the best-selling book RGPD for models.