Sharing private data with co-controllers requires your own research and proper agreements.

By: Caroline Willemse

Organizations now know that – before engaging a processor – they must satisfy themselves that the processor has taken proper measures to protect the personal data. And that clear agreements must be made about this and recorded in a processor agreement.

Unfortunately, it is considered less self-evident if an organization engages another controller to ask that party critical questions and to record the agreements. Yet you see in practice that this is handled too easily. Isn’t it the responsibility of the other party? It may be lawful for the data to be shared with that other controller, but is it also quite what you do? Your own research into that other controller is therefore necessary before you share personal data. You must establish that the other controller has properly organized the protection of personal data and can demonstrate this. And an ISO certificate may not be sufficient to demonstrate this.

After you as an organization are convinced that you are going to exchange data with a good party, it is advisable to conclude a data exchange agreement. In such an agreement you make clear agreements about which data will be exchanged, the security of the transport of the data, the purpose of the exchange and the security of the data by that other controller. And regularly check whether that third party is still adhering to the agreements.

Do you have any questions about the blog? Please do not hesitate to contact us on +31 (70) 392 22 09 or info@duthler.nl. Our legal and compliance professionals are happy to help you!