As a business, implementing a data sharing agreement can be a good practice when sharing personal data with other parties. Before getting started, you should make sure to understand what this agreement is and why it can be useful for your business in ensuring compliance, security, and trust with your partners and customers.
👀 In this article, we explain everything you should know about data sharing agreements, why they are useful, and in which cases. We also look at how they differ from another document, the data processing agreement. Let’s get started!
As the name implies, a data sharing agreement may be defined as a legally-binding document or agreement, between two or more entities, which regulates how data is shared among these parties and for what purpose.
A data sharing agreement or DSA clearly defines the roles, responsibilities, and rights of all parties involved in the data exchange process.
The data shared may be of various types:
💡 The parties to the DSA are bound to comply with obligations at two levels: mandatory rules arising from the applicable law(s); and terms and conditions of the contract itself, agreed by the parties.
🔍 A DPIA is a common organizational measure to implement.
There are several reasons why it is a good practice to implement a data sharing agreement in your company:
Data sharing agreements are especially valuable for data transfers that involve a large amount of data, or data that is quite sensitive (e.g. confidential data).
They are typically used for data transfers between government agencies, for example, or in the big data industry.
In fact, big data involves a multitude of complex factors: data sources, flows, algorithms… To carry out safe and compliant analytics activities, having the right agreements in place is a good starting point.
👉 The GDPR does not expressly require data sharing agreements. However, when sharing data, you need to keep in mind the applicable legislation and make relevant disclosures in your agreement. For example, if you declare sharing sensitive health data in your DSA, you will have to comply with Article 9 of the GDPR.
👉 European Data Act: in an early draft (not in force yet), the European Data Act refers to establishing rules on “fair contractual terms for data sharing agreements”.
👉 In the US, some specific disclosures may have to be made in a data sharing agreement, especially for certain types of data, for example when sharing military health system data.
A well-structured data sharing agreement should, at least, contain the following elements:
💡 Looking to use a template? A template data sharing agreement can help you get started, but always remember to tailor the agreement to your specific situation and seek professional legal advice to ensure all bases are covered.
Unlike data sharing agreements, data processing agreements are required under the GDPR (Article 28).
When you, as a data controller, need an external supplier to help process personal data, this “supplier”, referred to as a processor by the GDPR, will handle your client data on your behalf, not in their own interest.
According to Article 28 of the GDPR, a written “Data Processing Agreement” must be established between the data controllers and data processors.
This agreement outlines each party’s responsibilities, like:
💡 Controllers and processors are jointly liable to third parties. This means that if an individual believes their data has been illegally processed, they can demand compensation from either the controller or the processor. The party that paid the compensation can later seek reimbursement from the other party.
You probably need to have a data processing agreement in place.