You can either disclose data in such a way that both companies are joint controllers, or that each of you is an independent controller (or even from the data controller to the data processing, although this is not taken into account in this article). The distinction between a joint controller and an independent controller can be found here: (B) The company wishes to sublet to the processor certain services that involve the processing of personal data. This will help reduce risks and clarify how the data can be used (and not), especially where the transfer is systematic, provides detailed information or contains data from specific categories. If you can invoke legitimate interests, you must inform the data subjects of the transmission of the data and grant them the right to opt-out. As a general rule, this is done through your privacy statement and you may need to update it and send it to your data subjects if you have not already informed them of the data disclosure. Below are some general topics that need to be addressed in the agreements. Data sharing agreements are complex legal documents. However, these agreements can not only prevent chaotic situations in the event of a data protection breach, but also help protect personal data, which is the central purpose of the GDPR. Talend Metadata Manager can help you collect these data sharing agreements semantically, as well as track and track the physical location of the data and the movement within a data landscape. In cases where you need to ensure (as a data controller) that the required contractual conditions are covered, we have provided a model contract between controllers and subcontractors containing the contractual conditions set out in Article 28. In each of these cases, the recipient responsible for the processing has its own use of the personal data, and it is not a processor, since it separately determines why and how the data is used. To answer these and other relevant questions, the GDPR insists on the need to enter into data sharing agreements. There are no specific legal provisions (e.g.
B specific contractual clauses) which cover the exchange of data for independent controllers. However, this does not mean that the data exchange activity is exempt from accountability or transparency requirements, which could argue for some kind of written agreement. The ICO provides instructions for data exchange at //ico.org.uk/media/for-organisations/documents/1068/data_sharing_code_of_practice.pdf. This document has not yet been updated to reflect the GDPR, but it remains a useful guide. NICVA`s GDPR Data Protection Toolkit has been designed to help community and voluntary organizations prepare for the biggest data protection change in 20 years under the GDPR. . . .