1. What is a controller-to-controller agreement?
A controller-to-controller agreement is a legal contract between two independent data controllers who share personal data with one another. Unlike controller-processor relationships (where one party processes data on behalf of the other and a DPA should be used), both controllers in a controller-to-controller agreement have independent purposes for processing the data.
Key features of a controller-to-controller agreement include:
Independent controllers: each party controls how and why the data is processed, acting independently.
No direct processing relationship: unlike data processors, who act solely under a controller’s instructions, the controllers in a controller-to-controller agreement determine their own purposes for using the data.
Clear responsibilities: a controller-to-controller agreement outlines the respective obligations of both parties in relation to data protection, including safeguarding personal data and ensuring transparency with data subjects.
Example:
Consider two companies that independently collect customer data for their own marketing purposes. If they agree to share this data with each other (and have a lawful basis for doing so), they would need a controller-to-controller agreement in place to clarify how they will handle the shared data responsibly.
2. What is the ICO data sharing code?
The ICO (Information Commissioner's Office) data sharing code of practice is a statutory code of practice (made under section 121 of the Data Protection Act 2018) that provides guidance to organisations on when and how to share personal data between them. It aims to ensure that personal data is shared only when necessary and, where it is shared, that this is done in compliance with data protection laws.
The code sets out principles that should be adhered to when sharing personal data with another organisation, as well as details about what a controller-to-controller agreement should include. Some of the areas covered by the code are:
How to consider the benefits and risks of sharing and not sharing personal data - any sharing of personal data must be reasonable and proportionate and individuals must know what is happening to their data and why;
How the data protection principles can be applied to data sharing - the code states that the “importance of accountability cannot be overstated”, so each organisation must consider its own compliance with the data protection principles when sharing personal data;
How to ensure the data sharing is done in a fair and transparent manner - ethical factors should be taken into consideration when deciding whether to share personal data including considering “whether it is right to share it”; and
What to include in a controller-to-controller agreement - it is best practice (and mandatory in some cases) to have a controller-to-controller agreement in place. The ICO will take into account the existence of any relevant controller-to-controller agreement when assessing any complaint received from data subjects.
3. What should be included in a controller-to-controller agreement?
A well-drafted controller-to-controller agreement will clearly outline the responsibilities of each data controller to ensure full compliance with data protection laws. Here are the essential elements that should be included:
Roles and responsibilities: clearly define the roles of each controller and how they will manage personal data.
Data subjects' rights: set out how data subjects will be informed about the sharing arrangement and how they can exercise their rights (e.g., access, rectification, deletion).
Lawful basis for sharing: each controller must have its own lawful basis for processing the data (e.g., consent, legitimate interest, legal obligation).
Data security measures: specify the technical and organisational measures that will be in place to protect the shared data.
Breach notification: include protocols for notifying each other in the event of a data breach.
Data retention: outline how long the shared data will be kept and what will happen to it after the relationship ends.
4. How does a controller-to-controller agreement differ from a data processing agreement (DPA)?
Many organisations confuse controller-to-controller agreements with data processing agreements (DPAs), but they serve different purposes. Understanding the distinction between these agreements is key to ensuring you have the right contract in place for your data sharing relationships.
Key differences:
Controller-to-controller: both parties are independent data controllers, each with their own purpose and responsibility for the data.
Controller-to-processor: in a DPA, the processor acts on behalf of the controller and processes data strictly according to the controller’s instructions.
Example:
Controller-to-controller agreement: Two retail companies share customer data for their own respective marketing efforts. Both are controllers, so a controller-to-controller agreement is necessary.
DPA: A company outsources its payroll processing to a third-party service provider. The service provider is only acting on the company's behalf as a processor, so a DPA is required.
It’s crucial to distinguish between the two types of agreements to ensure proper legal coverage.
5. How can Docue help me produce a controller-to-controller agreement?
Created by lawyers: Docue’s controller-to-controller agreement template has been drafted, and is maintained, by expert privacy lawyers. Our lawyer-crafted guidelines support you through every stage of the drafting process.
Manage your contracts: Our cutting-edge technology combined with our lawyer-made document content allows you to create, customise, e-sign, store and manage your contracts all in one place with just a few clicks. Signatures can be collected electronically, and all contracts you make are saved in your company's own secure account, Docue Drive.