Data sharing agreements are essential when your business, as a data controller, shares personal data with other organisations. Whether you're acting independently or jointly with another party under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, knowing your legal obligations is crucial to staying compliant and protecting your organisation from risk.
If your business determines how and why data is used – either alone or with another party – you’ll likely need a controller-to-controller agreement. These contracts are especially important in joint controller arrangements where responsibilities must be clearly defined. A well-drafted agreement not only helps you demonstrate compliance but also shields you from legal, operational and reputational exposure.
Because these agreements can be highly nuanced and no two arrangements are the same, our data protection solicitors can work with you to assess your roles, structure the right agreement, and negotiate key terms that reflect your business's needs and risk profile.
Contents:
- Understanding your role under the UK GDPR
- Analysing how data sharing works in practice
- Knowing when you need a data sharing agreement
- The difference between a data sharing agreement and a data processing agreement
- Clauses in data sharing agreements
- Negotiation considerations for data sharing agreements
- Getting expert legal support for your data sharing agreements
Understanding your role under the UK GDPR
Before you share data, you’ll need to first understand your role under UK GDPR. This will tell you which type of agreement you need.
Put simply:
- You act as a data controller if you determine how and why personal data is processed.
- You act as a data processor if you process personal data on behalf of a controller and only on their instructions.
You must determine whether you are acting as a data controller or data processor, because this affects your legal responsibilities.
In practice, this can be difficult, especially if you're processing data for several purposes. If you misidentify your role, you may fail to meet your UK GDPR obligations and expose yourself to huge legal or reputational risks.
Analysing how data sharing works in practice
Data sharing between organisations can happen in several ways, e.g.:
- Controller to controller - where both parties use personal data for their own, separate purposes.
- Controller to processor - where one party shares personal data for the other to process solely on its instructions.
- Sub-processing - this includes where a processor subcontracts another sub-processor to act on the original controller’s instructions.
If both parties are data controllers, you’ll need to consider whether they’re ‘joint controllers’ or ‘independent controllers’:
Joint controllers
This is where your business and another controller jointly determine the purposes and means of processing the personal data, for example, in a joint research or marketing project. In this case, you act as joint controllers and must agree on each party’s compliance responsibilities, especially regarding transparency and data subject rights.
Independent controllers
Alternatively, you and another controller may each use the same data independently for your purposes - for example, where one organisation shares staff data with another for an unrelated analysis. In this case, you act as independent controllers and have separate responsibilities.
You’ll need to carefully consider each data sharing scenario to determine whether you’re acting as joint or independent controllers. You should also document your analysis and conclusions to help evidence your accountability.
Putting this into practice:
- A business client shares staff data with its law firm for a legal matter. Each party uses the data independently for its purpose, so they’ll likely act as independent controllers.
- A charity and a researcher work together on a study using personal data. Since both decide how to use the data together, they’ll likely act as joint controllers.
Knowing when you need a data sharing agreement
When you share data with another controller, either jointly or independently, you should document the arrangement.
While UK GDPR doesn’t always require a formal written agreement, doing so is good practice, particularly where sensitive or large volumes of data are involved. The ICO also recommends a data sharing agreement:
- If you're joint controllers, UK GDPR requires you to determine your respective responsibilities in an arrangement. This includes determining who will handle privacy notices, respond to subject access requests, and serve as the primary point of contact. Although the law doesn’t mandate a written agreement, you should put one in place to clarify responsibilities and demonstrate compliance.
- If you're an independent controller, the UK GDPR does not require an agreement, but having one is still good practice. A written contract will help show that you’ve seriously considered data protection risks and responsibilities. It also creates a paper trail of your decision-making and shows that compliance has been taken seriously.
The difference between a data sharing agreement and a data processing agreement
A data sharing agreement differs significantly from a data processing agreement.
You need a data processing agreement when you share personal data with a processor acting under your instructions. In this case, UK GDPR requires you to include specific terms by law.
In contrast, a data sharing agreement applies when you share data with another controller. While not mandatory, it is highly recommended. The UK ICO encourages organisations to adopt these agreements to demonstrate accountability, good governance, and to reduce risk.
You mustn’t confuse the two, as the legal rules and types of terms in the agreements are significantly different.
Clauses in data sharing agreements
There’s no one-size-fits-all approach to data sharing agreements. You’ll need to carefully tailor your agreement to reflect the roles of the parties, the nature of the data and the purposes of the sharing. Data sharing agreements can be very complicated. It’s vital that you know which type of agreement you need and don’t confuse the terms required with those of other standard data protection agreements (e.g. data processing agreements), or you could run several risks, including non-compliance.
The UK ICO has prepared a Data Sharing Code, which contains key guidance on obligations and what a data sharing agreement should cover.
Here are some key factors to consider when drafting a data sharing agreement:
- A clear definition of each party’s role and the purposes for sharing the data.
- Obligations on each party to comply with applicable data protection laws.
- A comprehensive description of the personal data being shared.
- Clear parameters governing the use of the shared data.
- Provisions for assisting and responding to data subjects exercising their rights – for example, handling data subject access requests.
- Details of the security measures in place to protect the shared data.
- Transparent allocation of responsibility for managing any personal data breaches.
- The lawful basis relied on for sharing personal data between the parties.
- Any specific conditions applicable to the processing of special category or criminal offence data.
- Identification of the responsible point of contact for data subjects.
- Safeguards for international data transfers, where data is sent outside the UK.
- Provisions dealing with liability between the parties.
- Terms covering data retention, deletion, and what happens to the data once the agreement ends.
Remember that these agreements should be bespoke for your projects and will differ depending on whether you’re sharing data as a joint controller or independent controller, so take legal advice if you’re unsure about what your contract needs to cover. If organisations are joint controllers, note that they have specific obligations under law which will need to be reflected in their arrangements.
Negotiation considerations for data sharing agreements
When you negotiate a data sharing agreement, you have to make sure both parties clearly understand their roles and responsibilities. Confirm right from the start whether you’re acting as joint or independent controllers. Remember that this will affect your compliance obligations and your contractual negotiations.
For lower risk sharing, you might include data sharing terms as part of your wider commercial agreement. But for high-risk or large-scale sharing, e.g. if sensitive data is involved, you’ll likely need to consider a separate, detailed data sharing agreement.
In addition to compliance issues, you should also consider commercial terms to protect your business from risk, such as indemnity provisions.
Getting expert legal support for your data sharing agreements
Data sharing agreements are a powerful way to manage legal risk, allocate responsibility, and demonstrate compliance with the UK GDPR. Even when not mandatory, these agreements help you create a clear framework that governs how personal data is handled between organisations. Whether you're entering into a high-risk joint controller arrangement or simply sharing data with an independent party, a carefully structured agreement makes all the difference in avoiding disputes and ensuring regulatory accountability.
Because the risks of getting this wrong can be significant, our data protection solicitors are here to support you. We’ll help you identify the correct legal framework, tailor your agreements to the specific nature of your data sharing, and ensure all necessary safeguards are in place to protect your business.