Data Protection Toolkit - Contracts and Data Sharing
It is important that the data protection principles are observed when sharing data or engaging the services of a data processor.
Though data may have been obtained for a related and legitimate purpose, the sharing activity itself must meet with the principles and provisions of data protection law.
Depending on who the data is being shared with, there are also some specific requirements that need to be met.
This will affect matters such as who is the accountable body, your role and responsibility to other organisations, and what needs to be covered by written contractual arrangements when sharing data.
The GDPR defines a controller as a person or organisation:
which, alone or jointly with others, determines the purposes and means of the processing of personal data
and a processor simply as a person or organisation:
which processes personal data on behalf of the controller
The distinction hinges on recognising whether an organisation "determines the purposes and means" of processing personal data. "Processing" includes the collection, storage, use and sharing of personal data.
A controller is an organisation making decisions about the 'why' and 'how' of the processing. While they may undertake the actual processing themselves, they could also engage an external third-party (i.e. a processor) to carry out the processing and have no direct involvement with the data itself, but remain the controller.
In either case, the controller remains responsible for ensuring that compliance with data protection law can be demonstrated (the accountability principle).
Processors, therefore, do not have a definitive say on the 'why' and 'how' of the processing, and act only on instruction from the controller.
The European Commission website has some examples of controller, joint controller and processor situations.
You need to understand the nature of your relationship with the organisation (or person) you are sharing data with, and what is required by data protection law.
When a controller is sharing personal data with another organisation, there are three relationships that could exist:
- Controller to processor
- Joint controllers
- Independent controllers (controller to controller)
The GDPR outlines specific duties and contractual requirements that must be observed, especially in the case of controller-processor relationships.
Even where no specific duties are outlined by the GDPR, it is important that a controller recognises the accountability principle. Compliance with the data protection principles applies to data sharing practices as much as they do to day-to-day processing.
You also need to give thought as to whether a written contract is necessary (with controller-processor relationships, a contract is a legal requirement under the GDPR) and what other steps you can take to ensure you are being accountable.
In each case, you should ensure that you have documented the arrangement as part of your written records.
Controller-processor data sharing most often occurs when a controller uses a service that involves the handling or storing of personal data.
You should think carefully about where this applies, as it may not at first be obvious that you as a controller have data held with a processor. For example, storing some personal data on a cloud-storage service would likely meet this definition, as personal data is being processed (stored on servers) by an external third-party (the processor), even though that company may have no direct interaction with the data.
Examples of controller-processor relationships
The use of data processors by data controllers in the voluntary and community sector might take the form of:
- booking event registrations through an online ticketing platform
- using a marketing platform to email contacts
- outsourcing recruitment, personnel and payroll administration to a HR provider
- storing personal data on cloud web services (e.g. cloud hosting and storage)
- receiving donations from individuals through an online payments system
In each of these examples, the controller-processor relationship is not a foregone conclusion, and each case will depend on whether the definitions of controller and processor are met.
To look at the first example in a bit more detail: a charity called LocalActivities decides it would like to run and advertise an event. The person organising the event chooses an online ticketing platform (EZTicket) that can take registrations from attendees. The service could be either free or paid for; this has no impact on the controller-processor relationship.
Use of this service means that the personal data of people who register (likely to include names, email addresses and any other personal information requested) will be processed by EZTicket, and the information is stored on their servers. The service will process any payments from registrations and send emails to confirm bookings and updates.
LocalActivities is the data controller, as they have decided on the purposes and means of the use of personal data, i.e. to collect registration information for an event they are organising.
EZTicket is a data processor, as they carry out processing of personal data on the charity's behalf.
LocalActivities is therefore accountable for ensuring and demonstrating compliance with the data protection principles for this processing, even though the actual processing is being carried out by another company.
Duties and responsibilities
The controller should use only processors that can provide sufficient guarantees to implement appropriate technical and organisational measures in meeting the GDPR and ensuring the rights of data subjects.
The processor should be able to demonstrate to the controller its approach to information security, expert knowledge, reliability, resources, adherence to the principles, and the means by which it allows data subjects to exercise their rights in meeting the requirements of the GDPR. This helps the controller in assessing whether sufficient guarantees have been provided.
If a controller is unable to assess the processor's compliance, then more information should be sought to allow an informed decision about whether to engage the services of the processor.
- Article 29 of the GDPR stipulates that a processor should process personal data only on the instruction of the controller (this also applies to any person working under the authority of a controller, which would include the controller's own employees).
- A binding contract (or other legal act) must exist between the controller and processor to govern the processing of personal data, ensuring that the obligations of the processor are set out. This contract must contain specific elements from Article 28 of the GDPR. See the following section.
- A processor must not engage another processor (a sub-processor) without written authorisation from the controller. If general written permission has been given by the controller to allow sub-processing, the processor should inform the controller in advance of any new sub-processors to give the controller the opportunity to object. A similar contract should be imposed on that other processor, and the initial processor will remain fully liable to the controller for the sub-processor's actions.
These duties and responsibilities will apply regardless of whether the required written contract has been agreed.
Article 28 of the GDPR places certain requirements on either party in cases where a processor is carrying out processing on behalf of a controller.
There are specific clauses that must be reflected in a binding written contract between the controller and the processor, which should exist in an electronic form.
If the processor acts outside of the scope of the contractual terms then they are not complying with the GDPR (unless compelled to do so for other legal reasons). They may be liable to the controller and to regulatory authorities in such cases.
The written contract must set out the subject matter, duration, nature and purpose of the processing, and define the types (categories) of personal data and data subjects covered by the processing.
In addition, the contract must stipulate that the processor:
- act only on documented instruction from the controller, unless required by law to do otherwise
- ensure that the people involved in the processing are bound by confidentiality
- take appropriate security measures to ensure the integrity and confidentiality of personal data (as defined by Article 32 of the GDPR)
- not engage another processor without prior written permission from the controller
- assist the controller in ensuring compliance with security, data protection impact assessment and breach notification obligations
- delete or return all copies of personal data shared after the service has ended (the term of the contract)
- demonstrate compliance to the controller and allow for audits and inspections by the controller
While the terms are binding on the processor, it is essential that the controller ensures that a written contract is in place, as it is they who are accountable for the processing under data protection regulations.
The above stipulations must be present, but the contract can include additional terms deemed necessary by either party.
In cases where you (as the data controller) need to ensure the necessary contractual terms are covered, we have provided a template controller-processor contract containing the contractual terms defined in Article 28.
It is important that you review and amend the document before agreeing it with a processor: in particular, the parts in square brackets and the information in the Schedule need to be completed.
You must use this template contract at your own discretion and risk. Click here to download the template.
In other cases, the terms of service of the data processor may include or make reference to a contract that covers the necessary clauses, especially in the case of online web services that you may be using. There is no standardised approach to this and different terminology is often used.
You do not necessarily need to accept the agreement offered to you and can suggest changes to be reviewed and accepted by the processor.
For example, use of the Eventbrite online ticketing system will automatically apply Eventbrite's Data Processing Addendum as part of the service agreement, which will also include the controller's agreement to listed sub-processors.
With other services you may have to sign a contract. For example, if you use Mailchimp to send marketing emails, their terms of service require you (as an organisation) to sign up to their Customer EU Data Processing Addendum. If you use Airtable to manage lists of volunteers, they have a Data Processing Agreement with model clauses available on request.
As the controller, it is your responsibility to ensure that the required contractual terms are included and are suitable for the processing.
Another issue that may arise with the use of processors is the international transfer of personal data outside of the European Union, particularly if the service you use stores this data on servers located outside the EU. The GDPR refers to such storage as a "restricted transfer". This can be complex and is outside the scope of this article, but you can get information from the ICO's guidance on the situations in which restricted transfers are permissible.
As the name suggests, it is possible to determine the purposes and means together with another organisation and therefore be "joint controllers".
Article 26 of the GDPR makes reference to joint controllers:
Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers.
Therefore, if personal data is used for the same purpose or for combined purposes, then they may be joint controllers.
This distinguishes them from independent controllers, which might share data with each other but separately determine how that data is used. If two controllers use the same data for different purposes, then they are independent controllers.
Examples of joint controllers
Joint controllers operating in the community and voluntary sector may jointly determine the purposes and means of processing of personal data in situations where:
- they work together on a funded partnership project to provide a service to the local community
- they work as part of a group of legally separate entities or subsidiaries that share and use service users' data
- they provide a combined service to beneficiaries, and share client information at the point of collection
Again, just because a situation like this may exist does not predetermine a joint controller status. The definition hinges on whether controllers jointly determine the purposes and means of processing.
Responsibilities of joint controllers
The GDPR stipulates that joint controllers enter into an arrangement that clearly sets out their respective responsibilities for complying with the GDPR, particularly those regarding data subjects' rights. Though a written agreement between the joint controllers is not mentioned, it is worth putting one in place as this helps to meet the essential requirements of transparency and accountability.
Any privacy notice should make clear to data subjects who the joint controllers are and who has responsibility for what. For example, if a combined service is being provided then data subjects need to know which organisation they contact for subject access requests.
For other situations where the recipient of the data is another controller and not a joint controller, it is up to the controller sharing the data to determine what is necessary to meet the provisions of the GDPR and protect people's privacy.
There are no specific legal provisions (such as specific contract clauses) covering independent controller data sharing. However, this does not mean that the data sharing activity is freed from requirements for accountability or transparency, which may argue the case for putting some sort of written agreement in place.
Controller-to-controller data sharing takes place where the controllers have separate purposes for using the data. For example:
- a charity reports employee PAYE tax payments to HMRC as a legal duty
- a charity shares conference attendee information with people who are speaking
- a disability charity refers clients to another charity service specialising in mental health treatment, and provides some personal information in doing so
In each of these cases, the recipient controller has their own use for the personal data, and they are not processors as they separately determine why and how the data will be used.
Data sharing agreements
It may be wise to have an understanding or agreement with the recipient controller, even though there is no blanket requirement for a written contract to be in place (as with controller-processor data sharing).
This will help to reduce risk and ensure clarity around how the data can (and cannot) be used, especially where the sharing is systematic, contains detailed information or includes special category data.
It is not necessary to have a data sharing agreement in all situations, such as where the sharing is already strictly defined or it is a limited one-off occasion.
In the above example of sharing of PAYE information with HMRC, it would be unnecessary to have a written contract with the Revenue. As this is a legal duty placed on employers, the purpose and use of the data is already clearly defined in law, and there is little that can be altered.
For situations where a charity shares data on a one-off, discrete basis with limited impact on data subjects' privacy, a signed agreement would probably not be needed. However, it is worth checking that the recipient clearly understands their responsibilities in treating the information securely and in line with the GDPR.
We have not provided a template data sharing agreement as there are a broad range of possible inclusions and levels of detail to include, and it would not be possible to cover all needs in an easy-to-use way.
However, there are a number of clauses to consider including in a data sharing agreement:
- Name and address of the disclosing organisation and the recipient organisation (the parties)
- Description of the data to be shared
- What the data can be used for (the purposes) and limitations on its use
- Requirements for non-disclosure and confidentiality of the data
- How data will be transferred and stored securely by the recipient
- Who the data may be further shared with
- Legal obligations concerning the data and its use
- Responsibilities of the recipient to report any errors in the data and notify personal data breaches within a time limit
- Other limitations and requirements deemed necessary
For the agreement to be effective, the parties need to agree that it is realistic and practical. Both parties will need to sign it.
In more straightforward situations, the controller sharing the data may deem a simple non-disclosure agreement to be all that is required. Sample NDAs can be obtained here.