Data sharing between controllers, rather than between a controller and a processor, is a different legal exercise from a data processing agreement (DPA). Each party is making its own decisions about purpose and means, and each has independent obligations under the UK GDPR.

What a data sharing agreement does (and how it differs from a DPA)

The agreement needs to: establish what is being shared, with whom, and for what purpose; identify the lawful basis each party is relying on; allocate responsibility for transparency to data subjects (typically with consistent privacy notices on each side); deal with data subject rights across the sharing arrangement; and handle international transfers if relevant.

The ICO's Data Sharing Code is the right starting point, and the drafting should track it. Agreements that conflate data sharing with data processing, using DPA language for a controller-to-controller relationship, create avoidable confusion.

A data sharing agreement is required wherever two organisations are sharing personal data with each other and both determine how and why the data is processed.

Example: a typical scope and fixed fee

For a controller-to-controller data sharing arrangement between two parties, the typical scope looks like this.

What's included

  • A consultation to understand the data sharing arrangement
  • Drafting of a data sharing agreement covering purposes, lawful bases, security, retention, rights, and responsibilities of each party
  • One round of revisions based on your feedback
  • Final version ready to use

What's outside this scope

  • Negotiation with the other party beyond the scope described above
  • Data processing agreements for controller-processor relationships (see Data Processing Agreement)
  • Tax advice

Fixed fee: £495, no VAT.

How I will approach your matter

Once you have instructed me, I will arrange a consultation to understand the data sharing arrangement before drafting. The agreement will track the ICO's Data Sharing Code and will treat the relationship as controller-to-controller rather than as a misclassified DPA.