Join Now
Browse Template

Data Sharing Agreement

Controller to Controller

Data Sharing Agreement (Controller to Controller) for sharing personal data is available for download. This Agreement is in compliance with GDPR.

How to Tailor the Document for Your Need?


Create Document

Fill in the details of the parties. You can click the "Fill with Member’s Information" button to complete it with information saved to your account.


Fill Information

Please fill in any additional information by following the step-by-step guide on the left hand side of the preview document and click the "Next" button.


Get Document

When you are done, click the "Get Document" button and you can download the document in Word or PDF format.


Review Document

Please get all parties to review the document carefully and make any final modifications to ensure that the details are correct before signing the document.

Document Preview

Document Description

The Data Sharing Agreement is a legal document that outlines the terms and conditions for sharing personal data between two parties, referred to as the first party and the second party. The agreement is entered into with the intention of sharing personal data as separate controllers in the European Economic Area (EEA). The document provides a detailed interpretation of key terms and definitions related to data protection laws, such as agreement, data protection laws, controller, processor, data subject, personal data, and processing.


The agreement has a defined term, which specifies the duration of the agreement unless it is terminated earlier. The shared personal data is categorized into different types, and the agreement specifies whether special categories of personal data will be shared or not. It also prohibits the sharing of personal data relating to criminal convictions and offences or related security measures.


The purpose of sharing the personal data is clearly stated in the agreement, and both parties agree not to process the shared personal data for purposes that are incompatible with the agreed purposes. The agreement also outlines the data protection obligations of each party, including compliance with data protection laws, ensuring the accuracy of shared personal data, implementing appropriate security measures, and nominating a representative as the primary point of contact.


The agreement addresses data subject rights, such as access, rectification, and deletion of personal data, and requires both parties to assist each other in complying with these rights. It also establishes procedures for handling data breaches, including notification and cooperation between the parties. The transfer of shared personal data to permitted recipients is allowed, subject to separate written contractual arrangements.


The agreement specifies the retention period for shared personal data and includes provisions for the return or destruction of shared personal data upon termination or expiry of the agreement. It also allows for compliance and audit inspections by one party to ensure the other party's adherence to the agreement. The agreement includes indemnity and limitation of liability clauses to protect the parties from breaches of data protection laws and other liabilities.


The agreement can be amended with the written consent of both parties, and it prohibits the assignment or sub-contracting of the agreement without prior written consent. It includes a severability clause to address the invalidity or unenforceability of any provision and a further assurance clause to ensure the implementation of the agreement. The agreement is governed by the laws of the jurisdiction specified in the agreement, and it includes provisions for notices and service.



How to use this document?

To use the Data Sharing Agreement effectively, follow these steps:


1. Familiarize yourself with the agreement: Read the entire agreement carefully to understand its purpose, terms, and obligations.

2. Identify the parties: Enter the names and addresses of the first party and the second party in the agreement. Ensure that the principal place of business for each party is accurately stated.

3. Determine the types of personal data to be shared: Decide on the types of personal data that will be shared between the parties. If special categories of personal data are involved, choose the appropriate category.

4. Define the purposes of data sharing: Clearly state the purposes for which the shared personal data will be used. Ensure that these purposes are compatible with the agreement.

5. Comply with data protection laws: Both parties must comply with all applicable data protection laws and regulations throughout the term of the agreement. Implement necessary measures to ensure compliance.

6. Ensure accuracy of shared personal data: Regularly review and update the shared personal data to ensure its accuracy. Notify the other party promptly if any inaccuracies are identified.

7. Implement security measures: Establish appropriate technical and organizational measures to protect the shared personal data. Refer to Article 32(1) of the GDPR for guidance on security measures.

8. Nominate a representative: Each party should nominate a representative as the primary point of contact for data sharing issues. Provide the contact details of the representatives in the agreement.

9. Obtain consent for data transfers: If shared personal data is transferred outside the EEA, ensure that the transfer is compliant with data protection laws.

10. Handle data subject rights: Assist the other party in responding to data subject requests, such as access, rectification, and deletion of personal data. Maintain records of such requests.

11. Respond to data breaches: Notify the other party without undue delay in the event of a data breach. Cooperate in investigating and mitigating the breach to comply with data protection laws.

12. Transfer shared personal data to permitted recipients: If shared personal data is transferred to permitted recipients, establish separate written contractual arrangements with each recipient to ensure compliance with the agreement and data protection laws.

13. Retain shared personal data appropriately: Do not retain or process shared personal data longer than necessary for the agreed purposes. Consider any statutory or professional retention periods applicable in your country or industry.

14. Return or destroy shared personal data: Upon termination or expiry of the agreement, promptly return all documents and materials containing shared personal data or destroy them as requested by the other party. Take steps to remove shared personal data from computer systems.

15. Ensure legal compliance and self-audit: Each party is responsible for its own legal compliance and may request to inspect the other party's arrangements for processing shared personal data. Resolve any non-compliance issues through discussions.

16. Terminate the agreement if necessary: Either party may terminate the agreement by providing written notice. Terminate immediately in case of a breach of obligations by the other party.

17. Indemnify and limit liability: Each party should indemnify the other against liabilities arising from breaches of data protection laws. However, certain liabilities, such as fraud or personal injury, cannot be excluded or limited.

18. Amend the agreement if needed: Any variations to the agreement must be in writing and signed by both parties. Variations do not waive existing rights and obligations unless expressly agreed.

19. Seek legal advice if required: If you have any doubts or concerns about the agreement, consult with a legal professional to ensure compliance with applicable laws and regulations.


Related Documents