Data Sharing Agreements

When Do You Need a Data Sharing Agreement?

You’re likely to need a data sharing agreement whenever personal data is disclosed between your organisation and another party. Common scenarios include:

• Sharing customer or employee data with third-party service providers (e.g. payroll, IT support, marketing platforms)
• Sharing data between companies within a group structure
• Joint ventures or partnerships where both parties access the same data
• Referral arrangements where customer details are passed between businesses
• Research collaborations
• Outsourcing arrangements

What Should a Data Sharing Agreement Include?

Our Commercial Team will ensure your agreement clearly addresses:

• What data is being shared — The categories of personal data and data subjects involved
• Why the data is being shared — The lawful basis and purpose for sharing
• Roles and responsibilities — Whether each party is a controller, joint controller, or processor
• Security measures — What technical and organisational safeguards each party must have in place
• Retention and deletion — How long the data will be kept and what happens when the agreement ends
• Individual rights — How requests from data subjects will be handled
• Breach notification — What happens if there’s a data breach and how quickly the other party must be informed
• Sub-processing — Whether the receiving party can share the data further
• Audit rights — Your ability to check the other party’s compliance
• Liability and indemnities — Who bears the risk if something goes wrong
  

  
  International Data Transfers

  If you share personal data with organisations outside the UK, additional rules apply. Since the UK left the EU, the rules around international transfers have continued to evolve, and it’s essential that your business gets this right.

  You can only transfer personal data outside the UK if one of the following applies:

  • The destination country has been granted an adequacy decision by the UK government (meaning it provides an adequate level of data protection)
  • You have put in place appropriate safeguards — most commonly the UK’s International Data Transfer Agreement (IDTA) or Standard Contractual Clauses (SCCs)
  • A specific exception applies (e.g. the individual has given explicit consent)

  Getting international transfers wrong can result in enforcement action by the Information Commissioner’s Office (ICO) and significant fines. Our team can advise you on the correct mechanism to use, prepare the necessary documentation, and help you carry out Transfer Risk Assessments where required.

  How We Can Help

  At Nelsons, our Commercial Team regularly advises businesses on data sharing arrangements — from straightforward domestic agreements to complex international transfer structures. We work closely with you to understand your data flows, identify risks, and put in place documentation that protects your business while keeping you compliant.

  We’re based in Derby, Leicester and Nottingham, but we advise businesses throughout the UK and beyond.

  Call us: 0800 024 1976 Submit an enquiry: Complete our online enquiry form