Generate a UK controller-to-controller Data Sharing Agreement. For sharing personal data with another organisation under UK GDPR and the ICO Data Sharing Code. Plain English. From £4.99.
A Data Sharing Agreement (DSA) governs the sharing of personal data between two organisations that are each a data controller — not a controller and its processor. It records what data is shared, for what purpose, on what lawful basis each side relies, how data subjects are informed, and how their rights, security and breaches are handled. It reflects the ICO's statutory Data Sharing Code of Practice (issued under section 121 of the Data Protection Act 2018).
Whenever your business shares personal data with another organisation that will use it for its own purposes — a referral partner, a joint-marketing collaborator, a group company, or a project partner — rather than handing it to a supplier who only processes it on your instructions (which needs a Data Processing Agreement instead). A written agreement is best practice, and for joint controllers under Article 26 UK GDPR a transparent arrangement is mandatory.
Whether the parties share as separate controllers or joint controllers; the data specification (categories of data, data subjects, permitted purpose and direction); each party's own lawful basis; compliance with the Article 5 principles; transparency and privacy information; how data subject rights are handled; security; breach notification; international transfers; retention and deletion; and liability between the parties.
Loading interactive view…