Iubenda logo
Start generating


Table of Contents

Data Sharing Agreement: What You Should Know as a Business

As a business, implementing a data sharing agreement can be a good practice when sharing personal data with other parties. Before getting started, you should make sure to understand what this agreement is and why it can be useful for your business in ensuring compliance, security, and trust with your partners and customers.

👀 In this article, we explain everything that you should know about data sharing agreements, why and in what cases they can be useful. We also look at the difference with another document, the data processing agreement. Let’s get started!

📌 What is a Data Sharing Agreement?

As the name implies, a data sharing agreement may be defined as a legally-binding document or agreement, between two or more entities, which regulates how data is shared among these parties and for what purpose.

A data sharing agreement or DSA clearly defines the roles, responsibilities, and rights of all parties involved in the data exchange process.

The types of data shared may be of various types:

  • data about identified or identifiable natural persons or “personal data“;
  • data protected by intellectual property rights or another kind of property-like right;
  • data considered confidential (including trade secrets and know-how), financial data, etc.

💡 The parties to the DSA are bound to comply with obligations at two levels: mandatory rules arising from the applicable law(s); and terms and conditions of the contract itself, agreed by the parties.

👋 Have you considered a Data Privacy Impact Assessment?

🔍 A DPIA is a common organizational measure to implement. Make sure to learn more here

Why is a data sharing agreement important?

There are several reasons why it is a good practice to implement a data sharing agreement in your company:

  • Legal Compliance: Considering the privacy laws in place today, such as the GDPR in Europe, it is prudent for entities that carry out some data sharing activities to have a DSA in place. This helps to regulate data sharing and be compliant with the relevant privacy legislation.
  • Data Security: A robust data sharing agreement also protects your data’s integrity by setting out guidelines on how the data should be transmitted, mitigating the risks of data breaches.
  • Trust & Privacy: By having an explicit agreement, you’re establishing trust with your partners and customers by showing them that you are implementing privacy-friendly practices for protecting the data shared. Transparency in data handling is a critical factor in establishing and maintaining this trust.

When is it Useful?

Data sharing agreements are especially valuable when it comes to data transfers that involve a high amount of data, or data that is quite sensitive (e.g. confidential data).

They are typically used for data transfers between government agencies, for example, or in the big data industry.

In fact, big data requires a multitude and complexity of factors, data sources, flows, algorithms… For carrying safe and compliant analytics activities, it’s a good starting point to have the right agreements in place.

🔍 What does the law say about DSAs?

👉 The GDPR does not expressly state data sharing agreements as a requirement. However, when sharing data, you need to keep in mind the applicable legislation and make relevant disclosures in your agreement. For example, if you declare sharing sensitive health data in your DSA, you will have to comply with GDPR’s article 9.

👉 European Data Act: in an early draft (not in force yet), the European Data Act refers to establishing rules on “fair contractual terms for data sharing agreements”.

👉 In the US, there can be some specific disclosures to be made in a data sharing agreement, especially when it comes to certain types of data, for example for sharing military health system data.

📌 What are the Components of a Data Sharing Agreement?

A well-structured data sharing agreement should, at least, contain the following elements:

  1. Definition of parties: clearly identify all parties involved in the data sharing process. This includes the data owner (the entity providing the data), the data recipient (the entity receiving the data), and any third parties involved.
  2. Purpose of data sharing and legal basis: articulate why the data is being shared, e.g. for data analysis, for the implementation of a new program or service…
  3. Categories of data to be shared: specify the types and categories of data being shared (e.g. name, address, phone number). You can also mention subject’s rights as per the GDPR.
  4. Function of the parties: define the function of the party disclosing and the party receiving data, in relation to their purpose.
  5. Processing details: description of how data will be processed (e.g. information is sent via a secure file transfer, then stored). Mention duration and frequency.
  6. Security measures: detail the security measures in place to protect the data during transmission and storage. These include password protection, the use of unique identifiers, procedures for handling data breaches, data encryption, staff training, and data backup, including backups for VMware in virtualized environments.
  7. Retention and deletion: specify for how long the data will be kept before it is deleted.
  8. Withdrawal and termination: define the various procedures and specify how the agreement can be ended and what happens to the data after termination.

💡 Looking to use a template? A template data sharing agreement can help you get started, but always remember to tailor the agreement to your specific situation and seek professional legal advice to ensure all bases are covered.

data sharing agreement

📌 Data Sharing Agreement vs. Data Processing Agreement

Unlike data sharing agreements, data processing agreements are required under the GDPR (Article 28).

When you, as a data controller, need an external supplier to help process personal data, this “supplier”, referred to as a processor by the GDPR, will handle your client data on your behalf, not for their own interest.

According to Article 28 of the GDPR, a written “Data Processing Agreement” must be established between the data controllers and data processors.

This agreement outlines each party’s responsibilities, like:

  • following instructions from controllers;
  • implementing sufficient data protection measures; and
  • cooperating with controllers in response to user queries or actions by regulatory bodies.

💡 Controllers and processors are jointly liable to third parties. This means, if an individual believes their data has been illegally processed, they can demand compensation from either the controller or processor. The party that compensated can later seek reimbursement from the other party.

Working with a data processor?

You probably need to have a data processing agreement in place.

👉 Read our guide and use our template

See also