How GDPR Affects Data-Sharing Agreements Between Partner Companies

The General Data Protection Regulation (GDPR) has transformed the way organisations approach personal data. Introduced by the European Union in 2018, GDPR establishes clear responsibilities and obligations for entities that handle personal data of EU residents, irrespective of where these organisations are based. While much has been written about how businesses collect and store data, a less discussed yet equally important aspect is how companies share this data with one another. Collaborative arrangements between organisations frequently involve the exchange of personal information, be it for joint ventures, outsourced processes, shared IT infrastructure, or strategic business partnerships. This practice, common across most industries, now must operate within strict parameters set by GDPR.

Defining the Legal Relationship

When companies exchange personal data, GDPR mandates a clear delineation of roles. The nature of each party’s relationship to the data must be defined from the outset. GDPR classifies parties as either controllers, joint controllers, or processors.

A data controller determines the purposes and means of processing personal data. A processor, on the other hand, processes data on behalf of the controller. Where two or more entities jointly determine the purposes and means of processing, they are considered joint controllers. Understanding and accurately defining these roles is a critical precursor to data sharing. Partnerships that underestimate this requirement expose themselves to significant regulatory and legal risks.

Misclassification is a common pitfall. For example, Company A may believe it is merely processing data on behalf of Company B, when in fact it independently determines data use objectives, thus making it a controller. Confusion in such definitions complicates accountability, especially in the event of a data breach or subject rights request. This is why companies engaging in data-sharing arrangements must conduct a thorough analysis of their roles before any personal data changes hands.

Granularity in Data-Sharing Agreements

A robust agreement between parties is essential under GDPR. These contracts go far beyond pre-GDPR data-sharing practices, requiring legally binding terms that assert compliance with data protection principles. Whether the relationship is between a controller and processor, two joint controllers, or even between two independent controllers, specific requirements apply.

In agreements between a controller and a processor, the contract must explicitly state how the processor will act on the controller’s instructions. It should also detail the nature of processing, its duration, type of data involved, security measures employed, and obligations concerning data subject rights, data breaches, and auditing provisions. Notably, the GDPR is prescriptive in its expectations, enumerating specific contractual elements in Article 28.

When companies are joint controllers, GDPR requires them to transparently define their respective responsibilities for compliance, particularly regarding data subject rights and information provision under Articles 13 and 14. Although these responsibilities can be divided between the parties internally, data subjects should be able to approach either party to exercise their rights. This necessitates both clarity and co-operation.

Cross-Border Considerations

In any partnership, it is not uncommon for data to flow across national or regional boundaries. GDPR introduces significant requirements for international data transfers. Should one of the partner organisations be located outside of the European Economic Area (EEA), or if data is to be processed in a non-adequacy jurisdiction, additional safeguards must be observed.

Standard Contractual Clauses (SCCs) serve as the most widely adopted mechanism for lawful cross-border transfers. However, the onus remains on both parties to ensure that these clauses are not merely template documents but are tailored to the realities of their processing activities. Since the Schrems II ruling in 2020, companies must also assess the recipient country’s legal environment, in a process known as a “Transfer Impact Assessment.” A data-sharing agreement in an international context is incomplete without acknowledging and preparing for such examinations.

Other mechanisms, such as Binding Corporate Rules (BCRs) or reliance on derogations, may apply in specific contexts, such as intra-group transfers or one-off circumstances, but the burden of proof partly lies with the companies involved to justify the chosen method. Failure to ensure lawful cross-border transfers can result in fines up to 4% of global turnover, making it a critical area of consideration.

Balancing Data Minimisation and Business Objectives

GDPR insists on the principle of data minimisation—collecting and sharing no more data than is necessary for the specified purpose. This principle can often appear at odds with business objectives. Modern analytics-driven partnerships often rely heavily on the exchange of rich, granular datasets. Companies must therefore strike a fine balance between operational requirements and regulatory compliance.

One best practice is to undertake a Data Protection Impact Assessment (DPIA) prior to data sharing. Not only does this help in identifying and mitigating risks, but it also demonstrates proactive compliance. The DPIA should consider the necessity and proportionality of the data sharing, potential impacts on individuals, and risk mitigation strategies.

Pseudonymisation and anonymisation techniques can also play a pivotal role in mitigating risk. Where personal identifiers are removed or obscured, the data carries less risk—though it must be noted that only anonymised data falls outside of GDPR’s scope. Pseudonymised data, where identification remains possible through additional information, still qualifies as personal data and thus remains subject to regulation.

Consent and Lawful Basis Between Partners

Parties sharing data must always identify a lawful basis for processing under GDPR. Consent, while popular and intuitive, is not always the most appropriate basis, especially in B2B contexts where agreements are more transactional and less reliant on individual permissions. More often, data processing will be justified on grounds of contractual necessity, compliance with legal obligations, legitimate interests, or public interest.

If data sharing relies on legitimate interests, companies must conduct a “Legitimate Interests Assessment,” balancing their interests against the fundamental rights and freedoms of data subjects. Transparency is key here; data subjects must be clearly informed about which entities process their data and for what purposes. A shared privacy notice, or at least harmonised communication strategies, can be an effective means of satisfying GDPR’s transparency requirements.

It is also important to evaluate the original consent obtained—if data subjects agreed to processing for a specific purpose within Company A, this consent doesn’t automatically travel with the data to Company B. The receiving party must either rely on a separate lawful basis or ensure that the original consent explicitly covered the sharing arrangement.

Responsibility in the Event of a Breach

One of the more serious concerns in shared data ecosystems is accountability during a data breach. GDPR mandates notification of a breach to the supervisory authority within 72 hours if there’s a risk to individual rights. But if multiple parties access or maintain the data, responsibilities must be clearly articulated: Who notifies whom? Who notifies the authority? Who communicates with data subjects?

Comprehensive agreements should include incident response protocols, communication channels, notification obligations, and negotiation terms should compensation or liability come into play. Inadequate preparation can result in delayed responses, conflicting public statements, or worsened reputational harm.

Controllers and processors must also ensure that any sub-processors used as part of the arrangement are held to equivalent standards. If Company B uses a third-party data host to process records received from Company A, Company A must ensure this host is subject to contractual obligations similar to those in the initial agreement. Failing to do so exposes all involved parties to penalties.

Audits, Monitoring, and Demonstrating Accountability

GDPR’s emphasis on accountability means it’s not enough to be compliant—you must also be demonstrably compliant. In data-sharing scenarios, this translates to diligent record keeping, monitoring, and the implementation of appropriate technical and organisational controls.

Companies are expected to conduct periodic audits or assessments of their partner’s practices, especially where sensitive data or large volumes are involved. Contracts should reserve the right to perform such reviews and outline conditions under which they may occur. This is not only a regulatory safeguard but also a trust-building practice.

In addition, Data Processing Records—mandated under Article 30—must reflect shared processing arrangements, detailing the categories of data shared, purposes, data flows, and any international transfers involved. These records should be easily retrievable in the event of a regulatory enquiry and reflect the real-world practices of the business relationship.

The Role of the Data Protection Officer

For many organisations, the Data Protection Officer (DPO) serves as a crucial bridge between compliance obligations and operational execution. When entering or revising data-sharing agreements, the DPO should be involved from the outset, helping to evaluate risk, advise on legal bases, co-ordinate DPIAs, and review contractual terms.

Moreover, DPOs function as the point of contact with supervisory authorities, and as such must be aware of all ongoing data-sharing practices within the organisation’s ecosystem. They play a vital role in embedding a culture of compliance that stands resilient under scrutiny.

Future Trends and Emerging Challenges

As data ecosystems grow more interconnected, issues around interoperability, standardisation, and ethical data use will intensify. Regulatory evolutions, such as the proposed EU Data Act and AI regulations, are poised to create additional layers of complexity. These upcoming frameworks will intersect with GDPR, potentially requiring even deeper contractual scrutiny between business partners around issues such as data portability, algorithmic transparency, and sector-specific compliance.

At the same time, public awareness and expectations around data autonomy are rising. Any data-sharing practice that fails to align with societal norms risks backlash, even if it technically complies with the law. Companies must therefore manage not only legal risk but also reputational and ethical concerns.

In summary, the implementation of GDPR hasn’t necessarily curtailed data sharing between partner organisations—but it has fundamentally changed its mechanics. Data-sharing agreements are no longer informal arrangements or simple privacy disclaimers. They are strategic documents, part legal contract and part compliance roadmap. Those who understand and proactively manage the regulation’s implications are best positioned to forge sustainable, trustworthy partnerships in the digital age.
