Under a data sharing agreement, a data controller (i.e. a party that determines the purposes and means of processing the personal data, rather than acting on another party's instructions) can share personal data with another controller who will process it for specified purposes. The recipient controller is not subject to the instructions of the first controller; the agreement instead sets out restrictions on how the shared data may be used, together with obligations designed to ensure that both parties meet their duties under the GDPR and the Data Protection Act 2018. The final version of the code is expected to include template data sharing checklists and data sharing forms. The draft code, prepared under section 121 of the Data Protection Act 2018, is open for public consultation until 9 September 2019. Once finalised, it will be a statutory code of practice under that Act, and failure to comply with it is likely to be regarded as a breach of data protection law. There is no prescribed format for a data sharing agreement; depending on the size and complexity of the processing it can take many forms. The ICO does, however, recommend that a data sharing agreement cover a number of points, including:

The ICO states that organisations should assess their overall compliance with data protection law when reviewing their data sharing arrangements. It encourages completion of a Data Protection Impact Assessment (DPIA), which it regards as good practice for any major project involving the disclosure of personal data, and for any routine data sharing arrangement, even where there is no specific indicator of likely high risk. On 9 July 2019, the UK Information Commissioner's Office (ICO) published an updated draft of its data sharing code of practice (first published in 2011) (the code). 
On the same day, the ICO also announced its intention to fine Marriott International for infringements of the General Data Protection Regulation (GDPR), underlining the importance of due diligence in data sharing.
Similarly, due diligence on data protection compliance is essential when personal data is shared via databases and lists (whether for commercial or non-commercial purposes), and both the sharing controller and the recipient should carry it out. Organisations should make appropriate enquiries and checks about the data, including its source, and obtain a copy of the privacy information that was provided when the data was collected. Finally, the ICO stresses that organisations must comply with the fundamental principles of data protection law when sharing data, in particular accountability (documenting every aspect of the data sharing) and data minimisation (ensuring that what is shared is adequate and proportionate to the purpose). On security, the ICO notes that organisations are expected to take appropriate measures, even after the data has been shared, to ensure that it remains properly protected. Unlike the engagement of processors, which is subject to the prescriptive requirements of Article 28 GDPR, the GDPR is silent on the sharing of personal data between controllers (save for the obligations that Article 26 GDPR imposes in joint-controller scenarios). Overall, the code aims to give practical guidance on sharing personal data between controllers (whether separate or joint) in compliance with data protection law, and sets out good-practice recommendations. According to the ICO, it is "good practice" for the controllers sharing and receiving the data to have a data sharing agreement in place.
A data sharing agreement helps the parties to be con