We covered the differences between controllers and processors and how to identify them in our earlier article here. Data sharing only occurs between two controllers. Each controller pursues its own purposes when processing the personal data and each controller is responsible for its own data protection compliance.
The Information Commissioner’s Office recommends that data sharing agreements are put in place between the parties, setting out the purpose of the data sharing, the categories of personal data and the data subjects involved. An agreement should also cover data retention in the hands of the receiving party and whether any further transfer of the data is permitted.
Data sharing is particularly common between companies in a group structure, not least for communication purposes but often for strategic direction and management from head office. The recommendation that a data sharing agreement be put in place applies equally to data sharing between companies in the same group. It can be a complex situation within a group of companies: there may be shared services with shared costs or one company providing services to others in the group. For each aspect of the relationship it is important to identify the status of the participants, whether controller or processor, and to ensure that this is reflected in the intercompany agreements.
For advice on this or any other aspect of data protection law, just ask us. Why not try our ongoing support service to help your organisation double-check its data protection compliance, keep up with changes to law and practice, and establish a compliance framework including a compliance checking programme?
Mandy P Webster, Data Protection Consultant