Data sharing agreements and contracts

When a Controller engages the services of a Processor, the relationship and activities must be governed by a written contract. The contract is binding on the Processor, with regard to the Controller, and helps both parties understand their responsibilities and liabilities.

Warning: Controllers are liable for their compliance with relevant laws and regulations. Furthermore, they must only appoint Processors that can provide sufficient guarantees that such legal requirements are met and the rights of data subjects protected. Processors are expressly obliged to comply with certain laws and can be fined or sanctioned for non-compliance.

Contractual obligations

The contract imposes, at a minimum, the following obligations on the Processor:

  • Act only on the written instructions of the Controller.
  • Ensure that the people processing the data are subject to a duty of confidence.
  • Take appropriate measures to ensure the security of processing.
  • Engage sub-processors only with the prior consent of the Controller, and under a written contract.
  • Assist the Controller in providing data subjects with access to their data and allowing data subjects to exercise their rights as defined by the relevant regulation.
  • Assist the Controller in meeting its obligations in relation to:
    • The security of the business process.
    • The notification of personal data breaches.
    • Data protection impact assessments.
  • Delete or return all personal data to the Controller, as requested, at the end of the contract.
  • Submit to audits and inspections.
  • Provide the Controller with any information it needs to ensure that both parties are meeting their respective obligations.
  • Tell the Controller immediately if it is asked to do something that infringes upon the laws of the relevant jurisdiction.

Data Sharing Agreement workflow

The successful result of this workflow is an approved Data Sharing Agreement asset. Data Sharing Agreement assets are used to document the details of the contracts between Controllers and Processors.

The following attributes are essential to Data Sharing Agreement assets:

  • The data processed.
  • The data subject categories processed.
  • The start date and end date of the contract.
  • The location of processing.
  • How data is handled at the end of the contract.
  • The purpose of the processing.
  • The safeguards in place for protecting the data in the case of cross-border transfers.

Relevant roles

Action | Role
Start the workflow. | Any user.
Review the asset. | Data Steward.
Approve or reject the asset. | The Owner for the domain in which the Data Sharing Agreement asset is created and stored.