Data Processing and Data Sharing

Data sharing agreements and data processing agreements are are essential for businesses to ensure the lawful and secure transfer of data, particularly in today's data-driven world.

Our team of experienced lawyers provides comprehensive legal advice on a range of data-related matters, including:

• Data Processing Agreements - we draft and negotiate contract terms to govern the processing of personal data between parties.

• Data Sharing Agreements - we draft, negotiate review and advise on data sharing agreements including cross-border data transfers where we advise on the lawful transfer of personal data to countries outside the European Economic Area (EEA).

• Cybersecurity and Data Security - we work with cybersecurity experts to assess and enhance your organisation's data security measures.

Data Processing Agreements

A data processing agreement is required when a data controller engages a data processor to process personal data on their behalf. The agreement needs to provide clarity relating to the terms and conditions under which the data processor will handle the data, ensuring compliance with data protection laws.

Under English law, particularly the UK version of the General Data Protection Regulation (UK GDPR), there are two primary roles in data processing:

• Data Controller - determines the purposes and means of processing personal data. This includes deciding what personal data to collect, how to process it, and for what purposes. Examples of data controllers include businesses, organisations, and public authorities.

• Data Processor- processes personal data on behalf of a data controller. This means they carry out the instructions of the data controller. Examples of data processors include cloud service providers, customer relationship management (CRM) platforms, and payroll providers.

Why is a Data Sharing Agreement needed?

A data sharing agreement is usually between two data controllers to set out how each of those controllers will handle and deal with data.

Analyse the data being shared or processed

It is crucial to analyse the type of data that will be shared and document the process. This helps ensure compliance with data protection laws and demonstrates that the processing is necessary and proportionate.

Not every UK business needs a data sharing or processing agreement. However, if a business shares personal data with another party, whether internally or externally, it should have a clear legal basis for doing so. This is particularly important in light of the UK GDPR, which imposes strict requirements on the processing of personal data.

However, if your business is using third party service providers, such as cloud service providers, customer relationship management (CRM) platforms or payment processors, if your business doesn’t have a written contract with them, that needs to be drafted urgently.

Recent example of client instruction

A very successful clients of ours has a number of well-known brands they provide services to. In order to provide that service, as well as the commercial contracts that are needed to cement the relationship, they deal with not only client data, but also use a non-EU based supplier to process data.

The client needed specific clauses and documents with that supplier to ensure that the transfer of data was legally compliant and also that any risks were mitigated as far as possible. After all, losing the data not only could lose them a client, but given the size of clients they are working with, any legal action against them could be a huge issue.

By providing this advice, we ensured that the data transfer remained compliant and if our client was subject to any investigation or complaint, they had complied with the law.