Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business shares personal data with another organisation, it’s easy to assume it’s “just a GDPR thing” and leave it at that.
But in practice, sharing customer, client, patient, member, or even supplier contact details without the right paperwork can cause real problems - from disputes about “who’s responsible” to data breach headaches and complaints to the ICO.
That’s where a data sharing agreement comes in.
In this guide, we’ll walk you through what a controller-to-controller data sharing agreement is, when small businesses typically need one, and what you should include to protect your business and stay aligned with the UK GDPR and the Data Protection Act 2018.
What Is A Controller-To-Controller Data Sharing Agreement?
A controller-to-controller data sharing agreement is a written agreement between two (or more) organisations who are each acting as a data controller and who will share personal data with each other.
In simple terms:
- A controller decides why and how personal data is used (the purposes and means of processing).
- When two organisations share data and each makes their own decisions about how they’ll use it, you’re often in a controller-to-controller situation.
This is different from a controller-to-processor arrangement, where one party is only processing data on instructions from the other. (That’s where you’d usually use a Data Processing Agreement instead.)
Why Does A Data Sharing Agreement Matter?
The UK GDPR doesn’t always say you must have a contract for controller-to-controller sharing, but it strongly expects you to be able to demonstrate compliance (the “accountability” principle). A clear agreement helps you do that.
More importantly, it helps you avoid common commercial risks, like:
- disagreements about who responds to a data subject access request (DSAR);
- confusion about who notifies the ICO (and affected individuals) if there’s a breach;
- one party using the data in ways you didn’t expect (or can’t justify to customers);
- poor security on the other side causing reputational damage to you.
If data sharing is part of how you deliver your services, having a proper data sharing agreement is one of the simplest ways to set expectations upfront and protect your business.
When Do Small Businesses Need A Data Sharing Agreement?
You’ll typically need (or at least strongly benefit from) a data sharing agreement when you’re regularly sharing personal data with another independent business, and both of you will use that data for your own purposes.
Here are some common small business examples:
- Two businesses running a joint promotion and sharing entrant lists or customer contact details.
- Referrers and introducers where contact information is passed to another provider (for example, a consultant referring a client to a specialist).
- Franchise or group business models where a head office and a franchisee share customer service records.
- Professional services collaborations (for example, an accountant and a financial adviser supporting the same client, each for their own service).
- Software integrations where both parties use customer data to provide separate features (this can be controller-to-controller depending on the setup).
- Community organisations and partners sharing membership lists for jointly delivered services.
Do You Always Need A Written Agreement?
Not every single instance of sharing needs a bespoke agreement. For example, if you’re sharing data because there’s a clear legal obligation, or it’s a one-off disclosure, your documentation may look different.
But if the data sharing is:
- ongoing, repeated, or part of “business as usual”; and/or
- commercially important (meaning disputes would hurt your business); and/or
- involving more sensitive categories of data,
…then putting a proper data sharing agreement in place is usually the smart move.
Controller-To-Controller Vs Joint Controllers
One common sticking point is whether you’re separate controllers sharing data, or joint controllers (where you jointly decide the purposes and means of processing).
Joint controller arrangements have extra transparency requirements under the UK GDPR, including making the “essence” of the arrangement available to individuals.
If you’re not sure which category you’re in, it’s worth getting advice - the legal obligations and risk allocation can look quite different depending on the facts.
What Needs To Be Included In A Controller-To-Controller Data Sharing Agreement?
There’s no single “magic template” that works for every business. Your data sharing agreement should reflect what you’re sharing, why you’re sharing it, and what each party will do with it.
That said, there are key clauses you’ll want to cover in most UK controller-to-controller arrangements.
1) The Parties, Scope, And Definitions
Start with the basics, clearly:
- who the parties are (full legal names, company numbers if relevant);
- what data is being shared (categories of personal data, and whether special category data is involved);
- any key definitions (so everyone uses the same language for “shared data”, “permitted purpose”, “security incident”, etc.).
This sounds simple, but unclear scope is one of the main reasons data sharing arrangements become messy later.
2) The Purpose Of Sharing (And The “Permitted Uses”)
Your agreement should spell out exactly why the data is being shared and how each party can use it.
For example:
- to deliver a service to a shared customer;
- to fulfil bookings or appointments;
- to meet compliance checks;
- to investigate suspected fraud;
- to provide after-sales support.
It should also include what’s not allowed - for example, “no marketing unless the recipient controller can demonstrate a valid lawful basis (and any required PECR compliance)”, or “no onward sharing with third parties without written approval”.
3) Lawful Basis (And Special Category Data Rules If Needed)
Each controller needs a lawful basis under the UK GDPR for processing the personal data they receive, and remains responsible for meeting the UK GDPR requirements that apply to them.
Your data sharing agreement should document (at a high level):
- the lawful basis the parties expect to rely on (for example, contract necessity, legal obligation, legitimate interests, consent); and
- if special category data is involved, the relevant Article 9 condition and any Data Protection Act 2018 requirements that may apply (for example, an appropriate policy document in some substantial public interest scenarios).
You don’t need to turn the agreement into a legal essay, but you do want clarity. If one party relies on consent and the other relies on legitimate interests, you’ll want to make sure that aligns with what your customers have been told.
4) Transparency: What You’ll Tell People
Under UK GDPR, you need to tell individuals what you’re doing with their personal data, including who you share it with and why.
This is where your agreement should connect with your outward-facing documents like a Privacy Policy (and any just-in-time notices or consent wording).
Good agreements often cover:
- which party will provide privacy information (or whether each party does it separately);
- how you’ll handle objections to processing (especially if relying on legitimate interests);
- what happens if either party receives a complaint.
5) Data Security Standards
Even though you’re separate controllers, you’ll both be expected to implement appropriate technical and organisational measures to protect personal data.
Your agreement should set minimum standards, such as:
- access controls (who can access the data internally);
- encryption in transit and at rest (where appropriate);
- secure transfer methods (not emailing spreadsheets around without protection);
- staff training and confidentiality expectations;
- security requirements for any devices used to access the data.
For many small businesses, the practical day-to-day risk is staff sharing data casually. A clear internal Acceptable Use Policy can help support your external commitments, especially where staff access shared customer databases or inboxes.
6) Data Minimisation And Retention
A data sharing agreement should reinforce the core GDPR principle: only share what you need, and don’t keep it for longer than necessary.
Make sure the agreement addresses:
- what data fields will be shared (for example, “name, contact details, booking details” but not unrelated notes);
- how long each party can keep the shared data;
- how the data will be deleted or anonymised when it’s no longer needed.
Retention is often overlooked, but it’s one of the easiest areas for regulators (and unhappy customers) to challenge.
7) Handling Data Subject Rights Requests (DSARs)
Individuals can ask for access to their data, corrections, deletion, restriction, and more.
Your agreement should set out a practical process for:
- who responds if a request relates to shared data;
- how quickly the parties will assist each other (remember: UK GDPR timelines are tight);
- how you’ll confirm identity and share relevant records securely.
Without this, it’s easy for requests to fall into the gap between “not our problem” and “we don’t have it anymore”.
8) Personal Data Breaches: Notification And Cooperation
If there’s a data breach involving shared data, both controllers may have duties to assess the risk and, in some cases, notify the ICO and affected individuals.
Your agreement should cover:
- how quickly each party must notify the other after becoming aware of a breach;
- what information must be provided (what happened, what data, what mitigation steps);
- who leads communications with individuals (if needed);
- how the parties cooperate with investigations.
This works best when it lines up with a practical internal process, like a Data Breach Response Plan, so your team isn’t trying to invent a process mid-incident.
9) International Transfers (If Data Leaves The UK)
Many small businesses use cloud systems or partners who store or access data outside the UK.
If shared data will be transferred internationally (or accessed from abroad), your agreement should cover:
- whether international transfers will occur;
- what safeguards apply (for example, the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU SCCs, or adequacy regulations, as applicable);
- how the parties will support any required transfer risk assessments and keep transfer arrangements under review.
This is an area where “we didn’t realise it was stored overseas” can quickly become an issue, so it’s worth checking early.
10) Liability, Indemnities, And Commercial Protections
Beyond GDPR compliance, a data sharing agreement is also a commercial risk-management document.
Depending on bargaining power and risk, you may want clauses dealing with:
- who is responsible if there’s a breach caused by one party’s poor security;
- limits of liability (and whether GDPR-related losses are carved out);
- indemnities for regulatory fines (to the extent permitted), third-party claims, and remediation costs;
- insurance requirements (for example, cyber insurance).
This is one of those areas where cookie-cutter wording can be dangerous - liability clauses should reflect the real-world risk and the value of the relationship.
11) Governance: Points Of Contact, Audits, And Review
Even small businesses benefit from simple governance terms, like:
- who the data protection contact is on each side;
- how changes to the sharing arrangement are approved;
- how often the agreement is reviewed (for example, annually or on major process changes);
- whether audits or compliance information can be requested.
This is especially helpful if you scale - what felt “informal” early on can become a compliance and operational headache later.
12) Termination And What Happens To Shared Data
Finally, your agreement should cover how the relationship ends, including:
- when either party can terminate data sharing (for example, breach of agreement, security concerns, or end of the commercial relationship);
- what happens to shared data on termination (delete, return, or retain only where legally required);
- survival clauses (confidentiality and security obligations usually continue).
Practical Steps To Set Up Data Sharing The Right Way
Putting a data sharing agreement in place is much easier when you tackle it in a structured way.
Step 1: Map The Data Sharing In Plain English
Before drafting anything, get clear on:
- what personal data you’re sharing;
- where it comes from (customers, staff, website forms, CRM);
- how it’s transferred (API integration, spreadsheet, email, shared platform);
- who receives it, and who can access it internally;
- what each party does with it after receiving it.
This “data map” becomes your reality check - and it often highlights risks you didn’t spot at first.
Step 2: Confirm Roles (Controller, Processor, Or Joint Controllers)
Don’t assume roles based on job titles or who “owns” the customer relationship. Under UK GDPR, roles depend on who decides the purposes and means of processing.
If you get this wrong, you might end up with the wrong documents (or missing obligations entirely).
Step 3: Align Your Privacy Documents And Internal Processes
A data sharing agreement shouldn’t contradict what your customers have been told.
In many cases, you’ll want to make sure your privacy compliance is consistent across the board, which might include a GDPR package if you’re formalising policies, notices, and operational steps as you grow.
Step 4: Put The Agreement In Place Before You Share
It’s tempting to “start the partnership now and paper it later”. But with personal data, later can become too late - especially if a customer complains or a breach happens early on.
Getting it signed upfront means you’re protected from day one and everyone knows the rules.
Step 5: Review And Update When The Relationship Changes
Many data sharing arrangements change over time:
- you start sharing more data fields;
- you introduce a new platform or integration;
- you expand into a new region;
- you start using data for analytics or marketing.
These changes can affect lawful basis, transparency, and security expectations - so make sure your agreement keeps pace.
Key Takeaways
- A data sharing agreement helps you share personal data with another controller while managing compliance and commercial risk under the UK GDPR and the Data Protection Act 2018.
- Controller-to-controller sharing is common for small businesses collaborating on services, referrals, joint promotions, and ongoing partnerships.
- A good controller-to-controller agreement clearly sets out the purpose of sharing, expected lawful basis, permitted uses, and restrictions (including rules on onward sharing and marketing).
- You should include practical clauses on security standards, retention, data subject rights handling, and breach notification and cooperation.
- Don’t forget commercial protections like liability allocation, indemnities, and termination provisions that deal with what happens to shared data when the relationship ends.
- Because controller/joint controller/processor roles can be tricky, it’s worth getting legal help to make sure the agreement matches what’s happening in real life.
This guide is general information only and isn’t legal advice. If you’d like help putting a controller-to-controller data sharing agreement in place (or reviewing an existing arrangement), you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat.