If, as a data controller, you share personal data with an independent data controller (i.e. not a joint controller), I recommend that you enter into an agreement (especially if the disclosure of data is systematic, significant or risky), even if the GDPR does not expressly require it. The agreement helps you justify the exchange of data and prove that compliance issues have been addressed, and explains how the parties agree to resolve them. Providers may not subcontract personal data without the consent of the controller. Agreements need to be re-evaluated and reformulated to include downstream processors where necessary.

3. The subcontractor

The subcontractor takes appropriate measures to ensure the reliability of all employees, representatives or contractors of a subcontractor: access to the company's personal data can be guaranteed and, in any case, ensures that access is strictly limited to persons who know/must have access to the relevant personal data of the company, to the extent strictly necessary for the purposes of the main agreement, and to comply with the laws in force relating to the obligations of this person towards the subcontractor, so that all such persons are subject to confidentiality obligations or professional or legal obligations.

6.2.1 immediately inform the company if it receives a request from a data subject under a data protection law regarding the company's personal data; and responsible for the transfer of data Data Transfers GDPR Concerned

If you can invoke legitimate interests, you must inform the data subjects of the transmission of the data and grant them the right to unsubscribe. As a general rule, this is done through your privacy statement, and you may need to update it and send it to your data subjects if you have not already informed them of the data disclosure. To answer these and other relevant questions, the GDPR insists on the need to enter into data sharing agreements.
A legitimate interest assessment is a three-step test to determine whether you actually have a legitimate interest in carrying out the processing, the need for the processing to achieve your legitimate interest and whether the rights and freedoms of data subjects outweigh your interest, in which case you cannot invoke the legitimate interests of the processing and you must obtain the consent of the data subjects. You will find a legitimate interest assessment form in my GDPR compliance package, which you can access at www.suzannedibble.com/gdprpack.

The precise assessment whether you are transferring data to a processor, joint controller or other independent controller is essential, as the nature of the agreement you need to enter into varies depending on the nature of the other party. If in doubt, seek legal advice. The exchange of data between the controllers takes place when the controllers have different purposes for the use of the data. For example, you should also consider the need for a written contract (in the case of controller-processor relationships, a contract is a legal requirement under the GDPR) and other steps you can take to ensure that you are responsible. To confirm these legal obligations, the GDPR requires responsible companies to enter into data exchange agreements with their subcontractors…