Data Processing and Data Sharing

Data sharing and/or processing agreements are essential for many businesses to ensure compliance and minimise legal risks.

Our team of experienced lawyers provides comprehensive legal advice on a range of data-related matters, including:

• Data Processing Agreements - we draft and negotiate contract terms to govern the processing of personal data between parties.

• Data Sharing Agreements - we draft, negotiate review and advise on data sharing agreements including cross-border data transfers where we advise on the lawful transfer of personal data to countries outside the European Economic Area (EEA).

• Cybersecurity and Data Security - we work with cybersecurity experts to assess and enhance your organisation's data security measures.

Do you need a Data Processing Agreement?

There are many situations. Some practical scenarios when a Data Sharing Agreement is highly advisable include :-

• Partnering with another business - such as where a retail store shares customer purchase data with a marketing agency to run targeted ads.

• Outsourcing Services - such as where a company hires a payroll provider and shares employee salary information.

• Government or Regulatory Compliance - such as where a hospital shares patient data with a health research institute for studies.

• Mergers or Acquisitions - where a company is being bought, and customer data needs to be transferred.

• Joint Ventures or Collaborations - such as where 2 companies create a new app and share user data between them.

Analyse the data being shared or processed

It is crucial to analyse the type of data that will be shared and document the process. This helps ensure compliance with data protection laws and demonstrates that the processing is necessary and proportionate.

Not every UK business needs a data sharing or processing agreement. However, if a business shares personal data with another party, whether internally or externally, it should have a clear legal basis for doing so. This is particularly important in light of the UK GDPR, which imposes strict requirements on the processing of personal data.

However, if your business is using third party service providers, such as cloud service providers, customer relationship management (CRM) platforms or payment processors, if your business doesn’t have a written contract with them, that needs to be drafted urgently.

Recent example of client instruction

A very successful clients of ours has a number of well-known brands they provide services to. In order to provide that service, as well as the commercial contracts that are needed to cement the relationship, they deal with not only client data, but also use a non-EU based supplier to process data.

The client needed specific clauses and documents with that supplier to ensure that the transfer of data was legally compliant and also that any risks were mitigated as far as possible. After all, losing the data not only could lose them a client, but given the size of clients they are working with, any legal action against them could be a huge issue.

By providing this advice, we ensured that the data transfer remained compliant and if our client was subject to any investigation or complaint, they had complied with the law.