This affects issues such as who is the responsible body, your role and responsibility to other organisations, and what needs to be covered by written contractual agreements when exchanging data. This partnership leads to questions such as: “In the event of a personal data breach, who is responsible?”

In the above example of sharing PAYE information with HMRC, it would be unnecessary to have a written contract with Revenue. As this is a legal obligation of employers, the purpose and use of the data is already clearly defined by law, and there is little that can be changed.

Article 26 further stipulates that the core of the agreement must be made available to data subjects (presumably in data protection notices) and that a contact point for data subjects may be designated. Regardless of the nature of the agreement and the division of responsibilities between the joint controllers, a data subject may exercise his or her rights vis-à-vis any of the joint controllers.

Controllers must carry out a risk assessment of the provider to ensure that it has the means and willingness to comply with data protection standards. The results of the assessment must be documented before the start of the business engagement and before the sharing of personal data.

Therefore, where organisations use personal data for the same or combined purposes, they may be joint controllers. This distinguishes them from independent controllers, who can share data with each other but separately determine how that data is used.
If two controllers use the same data for different purposes, they will be independent controllers.

Examples of joint controllers

Joint controllers operating in the community and voluntary sector may jointly define the purposes and means of the processing of personal data as follows:

Article 26 of the GDPR states that joint controllers shall determine their respective compliance responsibilities “in a transparent manner”, in particular with regard to the provision of information and the exercise of the rights of the data subject. The exception to this rule is when EU law or the national law of an EU Member State determines the respective competences.

Data governance teams play an important role in establishing data sharing agreements. You need to ensure that the legal and compliance teams are different from one organisation to another and from one provider to a downstream processor before transferring an EU citizen's personal data from one country to another.