Data Protection Network

Sharing, processing and data protection agreements

What’s the difference between a Data Processing Agreement and a Data Sharing Agreement?

Sometimes organisations, especially smaller ones who don’t have the luxury of a data protection manager or team, can get in a bit of a muddle about what type of data protection agreement needs to be in place when ‘sharing’ data with other parties, or permitting access to it.

This can lead to the wrong type of agreement being in place between the parties, with perhaps inappropriate or incorrect clauses. This is a risk because the law requires specific terms to be in place in specific contexts, to provide legal protection for those whose personal data is processed.

So, here’s my explanation of what’s legally required, what good practice looks like and what types of agreement suit the context.

The key is to first establish the relationship, in data protection terms, between your organisation and other parties.

Is it a controller to processor relationship?
Are you joint controllers?
Are you both independent controllers – using the shared data for your own distinct purposes?

If you’re unsure about the relationship see: Controller or processor; what are we?

Once you are clear on the relationship, you can then move on to what type of agreement you need, or would be good to have.

1. Controllers and processors: legally required agreement

“Processing by a processor shall be governed by a contract or other legal act” Article 28, UK GDPR

It’s crystal clear in GDPR / UK GDPR; there must be a written agreement in place between an organisation acting as a controller and another acting as their processor.

What’s this agreement called?
They are often referred to as:

Data Processing Agreement (often if standalone) or
Data Processing Addendum / Appendix (often if joined onto another agreement)

Often specific data protection terms are located in an addendum / appendix to the main agreement. Some established suppliers (processors) will simply give a weblink to their standard Data Processing Agreement/Addendum. However, sometimes necessary clauses will be embedded within the body of the main contract. What’s important is making sure key terms are included somewhere!

What must this agreement cover?
The law sets out the following specific elements which must be covered in a controller-processor agreement.

The nature and purpose of processing
Confirmation processing can only be carried out by the processor in accordance with the documented instructions of the controller
Categories of data subject (I must admit I seldom see this in Data Processing Agreements)
Types of personal data
Term of the contract
Rights and duties of each party
Confirmation the processor guarantees appropriate technical and organisational measures.
Processor assurance of staff confidentiality
Controller approval of sub-contractors (‘sub-processors’ the processor uses to provide service)
Safeguards for international data transfer (as necessary)
Processor to assist the Controller in handling individual privacy rights requests.
Processor to notify and assist the controller with personal data breaches
Processor to assist (as necessary) with conducting Data Protection Impact Assessments (DPIAs) and with the requirements under Privacy by Design
Confirmation the processor will delete or return the controller’s personal data on termination of the contract
The processor will make available to the controller all information necessary to demonstrate compliance
The controller’s right to audit the processor.

For more detail please see: Why data processing agreements with suppliers matter

2. Joint controllers: legally required ‘transparent arrangement’

There isn’t a legal requirement to have a contract per se in place between organisations acting as joint controllers. However GDPR/UK GDPR does require the parties to have a transparent ‘arrangement’ which sets out agreed roles and responsibilities. Furthermore, this arrangement should be made clear to individuals, for example it might be explained in a joint privacy notice.

Joint controllers may choose to have a data sharing agreement (or similar), with similar content to an agreement between separate controllers. See below.

Just to say, different legal entities within a company group will often have an intra-group data sharing agreement.

3. Separate controllers: good practice data sharing agreement

It’s not mandatory under GDPR/UK GDPR to have a formal agreement between organisations who act as distinct controllers, who share personal data either reciprocally or one-way, and then use the data for their own purposes. However the ICO considers it good practice and a way to make sure all parties involved are clear about their roles and responsibilities. The regulator says an agreement will also help to meet accountability obligations under UK GDPR.

What’s this agreement called?
It’s not set in stone what this must be called; commonly I see the terms:

Data Sharing Agreement
Information Sharing Agreement

As such agreements aren’t mandatory, there are no specific legal requirements for what they must cover, but they can be used to provide clarity over each party’s legal and contractual obligations, liabilities and warranties. Alongside this, from a data protection perspective they may cover matters such as:

The reason personal data is being shared, and what each party is permitted to do with it.
The type of personal data involved
The lawful basis for sharing, and any further specific conditions for the handling of any special category data.
Confirmation both parties are independent controllers
Details on making sure personal data is accurate, how long it will be kept and when it must be securely destroyed.
Security measures in place to protect the data in transit
Procedures for reporting and managing personal data breaches.
Procedure for handling privacy rights requests or data protection complaints
Any necessary safeguard measures for international data transfers

Why it’s important to get this right

We know agreements are routinely signed and often never touched again. Until, that is, there’s a tricky privacy rights request, a significant data breach or a serious complaint. Then a lack of clarity surrounding roles and responsibilities can be exposed, and insufficient or incorrect assumptions or procedures can cause confusion, or in the worst-case scenario, expose organisations to unexpected liabilities. Establishing the relationship, being clear what agreement is needed and getting this in place, means you can have your ducks in a row should anything go awry.


After a successful career in publishing Simon moved into data protection consultancy in 2015. Simon advises businesses of all sizes across a wide range of sectors. He held the role of Director of Information Governance at Royal Mail Group in the run up to GDPR enforcement. He regularly delivers data protection courses for clients and the Institute of Data & Marketing (IDM).