Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Does “Controller To Controller” Data Sharing Mean?
- Do You Need A Controller To Controller Data Sharing Agreement?
- Legal Essentials: The Rules You Must Follow When Sharing Data
- 1) Identify A Lawful Basis
- 2) Be Transparent
- 3) Respect Data Minimisation And Purpose Limitation
- 4) Protect Data With Appropriate Security
- 5) Assess And Document Risks
- 6) Special Category And Children’s Data
- 7) Deal With PECR And Marketing Rules
- 8) International Transfers
- 9) Records, Fees And Responding To Rights
- Controller-To-Controller Agreement Vs Data Processing Agreement
- Common Pitfalls To Avoid
- Key Takeaways
Sharing personal data with another organisation can unlock growth - whether you’re partnering with a referral network, running a marketplace, or working with a sister brand in your group. But when each party decides its own purposes and means of processing, you’re likely in “controller to controller” territory. That means you’ll need a smart, well-structured approach to document the sharing and stay compliant with UK data protection law.
In this guide, we’ll break down when you need a controller to controller data sharing agreement, what it should cover, the key legal rules to follow under the UK GDPR and Data Protection Act 2018, and practical steps to get it right from day one.
What Does “Controller To Controller” Data Sharing Mean?
Under the UK GDPR, a controller is the organisation that decides why (the purposes) and how (the means) personal data is processed. If you and another organisation each make your own decisions about the data you receive, you’re acting as independent controllers. In contrast, a processor only acts on your documented instructions.
Controller to controller data sharing typically looks like this:
- Two retailers agree to share customer contact details to cross-promote relevant products, each deciding their own marketing strategy and retention periods.
- A professional association shares member data with an insurance provider so the insurer can underwrite and service policies in its own right.
- Two brands within the same corporate group share customer profiles for analytics and product development, with each brand setting its own purposes and legal bases.
If you jointly determine the purposes and means together, you may be joint controllers instead - which triggers additional transparency duties (Article 26 UK GDPR). If one party acts only on instructions, that’s a controller-to-processor relationship and you’ll need a Data Processing Agreement, not a controller-to-controller arrangement.
Do You Need A Controller To Controller Data Sharing Agreement?
There’s no explicit requirement in the UK GDPR that independent controllers must have a contract between them. However, the ICO strongly recommends documenting data sharing as part of your accountability obligations - and its Data Sharing Code of Practice sets out what good looks like.
In short: a controller to controller data sharing agreement is best practice and often critical for risk management. It helps you:
- Evidence compliance with the accountability principle (Article 5(2) UK GDPR).
- Allocate responsibilities clearly (e.g., who handles data subject rights, who notifies in a breach).
- Control scope creep by agreeing what data will be shared, why, and for how long.
- Demonstrate due diligence if something goes wrong (which can reduce regulatory risk).
If you’re joint controllers, you must set out “in a transparent manner” your respective responsibilities for compliance, usually in a written arrangement. Even if you’re confident you’re independent controllers, a written Data Sharing Agreement is a smart move and often expected by partners, auditors and investors.
Legal Essentials: The Rules You Must Follow When Sharing Data
Before you send a single row of personal data, make sure the sharing aligns with the UK GDPR and related laws. Here are the key duties to tick off.
1) Identify A Lawful Basis
Every controller must have a lawful basis for processing. For data sharing, typical options are legitimate interests or consent. Contract or legal obligation may also apply in specific contexts. If you rely on legitimate interests, complete and document a balancing test and give individuals the right to object. For consent-based sharing, make sure consent is freely given, specific, informed and unambiguous - and keep records.
2) Be Transparent
Your privacy notice must tell individuals that you share their data, with whom (at least by category), why, and the legal basis. This is a core part of the transparency principle (Articles 13/14 UK GDPR). Keep your notice accessible and written in clear, plain English. If you operate online, publish a current, user-friendly Privacy Policy and keep it in step with your sharing practices.
3) Respect Data Minimisation And Purpose Limitation
Only share what’s necessary for the stated purpose - and no more. If the partner doesn’t need date of birth, don’t include it. Lock down “function creep” with tight purpose wording in your agreement and technical controls.
4) Protect Data With Appropriate Security
Controllers must implement “appropriate technical and organisational measures” (Article 32) considering the risks. Encrypt transfers, use secure APIs or SFTP, apply role‑based access, and ensure the receiving party meets a robust security baseline. Agree incident response obligations and timelines.
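As an added illustration of the minimisation, pseudonymisation and audit points in sections 3 and 4 (not Sprintlaw's code and not part of the original guide), the script below gates an export against the agreement's sharing schedule: it drops any field not listed for the agreed purpose, replaces identifiers with a keyed pseudonym the recipient cannot reverse, and produces an audit entry for the Article 30 record. The schedule, key, partner and purpose names and CRM rows are all constructed assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed data sharing schedule, the kind of annex the agreement's scope
# clause would contain: one entry per (partner, purpose), listing only the
# fields that may leave and which of them must be pseudonymised first.
SHARING_SCHEDULE = {
    ("insurance-broker", "policy-quotation"): {
        "fields": {"email", "postcode", "product_interest"},
        "pseudonymise": {"email"},
    },
}
# Assumed: a per-partner secret held only by the sending controller, so the
# recipient cannot reverse pseudonyms or link them across other datasets.
PSEUDONYM_KEYS = {"insurance-broker": b"constructed-demo-key-replace-and-rotate"}

# Constructed CRM rows; date_of_birth is not in the schedule and must be dropped.
SAMPLE_RECORDS = [
    {"email": "Jo@Example.com", "postcode": "SW1A 1AA",
     "date_of_birth": "1990-01-01", "product_interest": "home"},
]

def pseudonymise(value: str, key: bytes) -> str:
    """Keyed one-way token (HMAC-SHA256): stable per partner, not reversible."""
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()

def prepare_export(records, partner, purpose):
    """Minimise records to the agreed schedule; returns (rows, audit_entry).
    Raises PermissionError for a purpose the agreement does not cover."""
    rule = SHARING_SCHEDULE.get((partner, purpose))
    if rule is None:  # blocks secondary use that was never agreed in writing
        raise PermissionError(f"no agreed purpose {purpose!r} for partner {partner!r}")
    key = PSEUDONYM_KEYS[partner]
    rows, dropped = [], set()
    for rec in records:
        row = {}
        for field, value in rec.items():
            if field not in rule["fields"]:
                dropped.add(field)  # minimisation: the field never leaves
                continue
            row[field] = pseudonymise(value, key) if field in rule["pseudonymise"] else value
        rows.append(row)
    # Audit entry to file with the Article 30 record and the partner change log.
    audit = {"partner": partner, "purpose": purpose, "records": len(rows),
             "fields_sent": sorted(rule["fields"]), "fields_dropped": sorted(dropped),
             "at": datetime.now(timezone.utc).isoformat()}
    return rows, audit

if __name__ == "__main__":
    rows, audit = prepare_export(SAMPLE_RECORDS, "insurance-broker", "policy-quotation")
    print(rows, audit, sep="\n")
```

The same gate would sit in front of the SFTP or API push, so the transport encryption protects data that has already been reduced to the agreed fields.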
5) Assess And Document Risks
For higher-risk sharing (e.g., large-scale profiling or special category data), complete a Data Protection Impact Assessment (DPIA). The ICO’s code encourages a data sharing DPIA even where not strictly mandatory. Keep your risk record alongside your contract and change‑control notes.
6) Special Category And Children’s Data
If you share special category data (health, biometrics, etc.), you’ll need an Article 6 lawful basis and an Article 9 condition (e.g., explicit consent or substantial public interest). For criminal offence data, see Article 10 and the DPA 2018. Take extra care with children’s data - ensure protections and language are appropriate for the age group.
7) Deal With PECR And Marketing Rules
If the receiving controller will use the data for electronic marketing, the Privacy and Electronic Communications Regulations (PECR) may require consent for emails and texts to individuals, unless the “soft opt‑in” applies. Build these constraints into your contract and your partner onboarding checks. Your on‑site pop‑ups should align with your Cookie Policy and consent capture logic.
8) International Transfers
If sharing involves a transfer outside the UK, you’ll need a valid transfer tool (e.g., UK IDTA or Addendum, or an adequacy decision). Map the data flows and include transfer safeguards and audit rights in your agreement.
9) Records, Fees And Responding To Rights
Maintain your Article 30 record of processing, keep your lawful basis assessments handy, and prepare to respond to data subject rights. If you receive a subject access request that touches shared data, you'll need a clear playbook with your partner for handling it on time.
Don’t forget your ICO registration duties. Most controllers must pay a data protection fee unless an exemption applies under the Data Protection (Charges and Information) Regulations 2018 - the ICO publishes the fee tiers and the exemptions you’ll need to check.
What Should A Controller To Controller Data Sharing Agreement Include?
Think of your contract as a risk-control blueprint. It should be practical, proportionate and crystal clear about who does what. Here are the clauses we typically recommend for UK small businesses.
Scope, Purposes And Legal Bases
- Define exactly what personal data will be shared (fields, categories, and frequency).
- State the permitted purposes, with a “no secondary use” rule unless agreed in writing.
- Require each party to maintain and document an appropriate lawful basis and transparency notices.
Data Quality, Minimisation And Retention
- Allocate responsibility for data accuracy checks and correction workflows.
- Set retention periods for shared data and a secure deletion timetable.
- Prohibit attempts to re-identify pseudonymised data without consent.
Security Standards And Transfers
- Baseline technical/organisational controls (encryption in transit, access control, audit logging).
- Notification duties for incidents and suspected breaches, including response timelines.
- International transfer safeguards (e.g., UK IDTA), with cooperation to complete assessments.
Individual Rights And Complaints
- Allocation of responsibility for receiving, triaging and responding to rights requests.
- Mutual assistance obligations and contact points for privacy queries.
- Clear rules for handling complaints and ICO enquiries, including prompt notification of the other party.
Marketing And PECR Compliance
- Ensure lawful acquisition and use of marketing consents and preferences.
- Use restrictions for electronic marketing in line with PECR (and the soft opt-in, where relevant).
Audit, Assurance And Training
- Right to request reasonable assurance evidence (policies, certifications, penetration test summaries).
- Minimum training standards for staff handling shared data.
- Change management: how to update the arrangement as products or purposes evolve.
Sub-Recipients And Onward Sharing
- Ban onward sharing without written permission, or limit it to named categories.
- Controls for appointing processors, including making sure processors are bound by adequate terms (even though this is a controller-to-controller arrangement).
Liability, Indemnities And Termination
- Proportionate caps and carve-outs (e.g., for wilful misconduct or regulatory fines directly caused by a breach).
- Suspension and termination rights for non-compliance, with post-termination deletion obligations.
Avoid relying on generic templates. You’ll get much better protection from a tailored Data Sharing Agreement that reflects your data flows, risks and regulatory environment.
Common Scenarios: How The Rules Apply In Practice
Referral Partnerships
Imagine you run a financial services consultancy and agree to share prospective client details with an insurance broker. If each party markets and sells their own services independently, you’re likely independent controllers. You’ll want to:
- Record your legitimate interests assessment for the sharing.
- Explain the sharing in your privacy notice and offer an opt-out.
- Restrict the broker’s use to the agreed purpose and enforce a clear deletion schedule.
Marketplace And Platform Models
Platforms often act as controllers alongside vendors. For example, a marketplace may share customer order details with a seller to fulfil an order, while the platform uses similar data for fraud prevention and analytics. Map who is controller for which purpose, and separate those purposes in your contracts and policies. Where the platform engages a provider purely on instructions for a back-office function, a Data Processing Agreement is the right tool for that specific processing.
Group Companies
Group sharing isn’t a free pass. Each company is a separate controller and must meet transparency, lawful basis and security requirements. A group-wide data sharing framework - supported by a Data Sharing Agreement template and playbook - keeps everyone aligned and reduces risk.
Co-Branded Campaigns
In co-branded marketing, be clear in your forms and notices who will receive the data, what each brand will do with it, and how individuals can opt out. Align your consent capture, your cookie banner logic and your Cookie Policy so they tell the same story.
Step-By-Step: How To Put A Compliant Data Sharing Arrangement In Place
1) Map The Data And Identify Roles
Start with a data flow map. What data will be shared? From where to where? For what purpose? Who decides the purposes and means? This determines controller/processor status for each activity and prevents mislabelling that can undermine your compliance.
2) Choose Your Lawful Bases And Update Transparency
Pick the right lawful bases for each purpose and document the reasoning. Then update your privacy notices and on‑page explanations so individuals understand who will receive their data and why. If you need to capture consent, build it into your UX and keep auditable records. For online businesses, the work usually sits alongside your Data Protection Pack (policies, notices and internal procedures).
3) Assess Risks (DPIA) And Security
Run a DPIA where appropriate and agree minimum security controls with your partner. Look at encryption, access control, secure transfer methods, and breach response. If there’s any chance of overseas transfers, plan your transfer tool early.
4) Draft And Negotiate The Agreement
Prepare a practical, plain‑English contract that nails scope, roles, rights and responsibilities. Keep it specific (data fields, systems used, timeframes) so you can operationalise it with your teams.
5) Align Your Operational Playbooks
Once signed, translate the agreement into internal processes: checklists for onboarding new partners, playbooks for responding to rights requests and incidents, and templates for change control. If a customer submits a subject access request, your team should know exactly who to contact and what to send.
6) Monitor, Review And Refresh
Set review dates. If the project scope changes - new data fields, a new analytics tool, a third‑party vendor - update your DPIA, notices and contract. Build simple KPIs or assurance checks so both parties stay on track.
Controller-To-Controller Agreement Vs Data Processing Agreement
It’s easy to confuse these two documents, but they serve different jobs.
- A controller-to-controller data sharing agreement documents a relationship where each party decides its own purposes and means. It focuses on allocating responsibilities, transparency, lawful bases, security and rights handling between equals.
- A Data Processing Agreement is required where a processor acts solely on a controller’s instructions. It sets mandatory clauses (Article 28) like confidentiality, sub‑processor controls, audit rights, deletion/return on termination and assistance with rights and DPIAs.
Many partnerships involve both types of processing. For example, two controllers might share a specific dataset while one also provides a processing‑only analytics service to the other. In that case, you’d have a controller‑to‑controller agreement for the sharing and a Data Processing Agreement for the analytics service.
Common Pitfalls To Avoid
- Assuming “controller” status removes accountability. It doesn’t - each controller bears full responsibility for its own compliance and must evidence it.
- Vague purposes and blanket data lists. Keep it tight: specify fields, keep data to the minimum, and block secondary uses without written approval.
- Forgetting PECR. If marketing is involved, check consent rules for emails and texts to individuals and match your consent capture with your notices.
- Under‑specifying security. Name minimum controls and incident timelines so both parties act fast and consistently if there’s a problem.
- Not planning for overseas transfers. If the partner’s tooling stores data outside the UK, plan IDTAs (or Addendum) early.
- Ignoring operational alignment. A great contract fails if teams don’t know how to respond to a rights request or a breach - build the playbooks.
Key Takeaways
- If both parties decide their own purposes and means for personal data, you’re likely in a controller to controller data sharing scenario - document it to meet UK GDPR accountability expectations and reduce risk.
- Cover the essentials: purposes and lawful bases, data minimisation, transparency, security, rights handling, PECR marketing rules, international transfers, and clear retention and deletion duties.
- Use a tailored Data Sharing Agreement for controller‑to‑controller sharing, and a Data Processing Agreement where one party is a processor acting on instructions.
- Keep your public‑facing privacy information accurate and accessible with a current Privacy Policy, and make sure your consent and cookie practices align with PECR and your Cookie Policy.
- Operationalise compliance: map data flows, run DPIAs where needed, set security baselines, define playbooks for handling subject access requests and incidents, and review the arrangement regularly.
- Don’t leave this to chance or generic templates - getting a bespoke agreement and privacy framework in place as part of your wider Data Protection Pack will protect your business and build trust.
If you’d like help drafting a controller to controller data sharing agreement or reviewing your privacy setup, you can reach us on 08081347754 or team@sprintlaw.co.uk for a free, no‑obligations chat.