You can either share data so that the two entities are common controllers, or each of you is an independent controller (or data controller at data processing, although this is not taken into account in this article). The distinction between a person responsible for the common treatment and an independent person responsible for treatment can be found here: an assessment of legitimate interests is a three-step test to determine whether you actually have a legitimate interest in treatment, the need for treatment to achieve your legitimate interest and whether the rights and freedoms of the persons concerned predominate your interest, in which case you could not invoke the legitimate interests of the treatment and you should obtain the consent of the persons concerned. You will find an evaluation form for legitimate interests in my RGPD compliance package, on which you are under/www.suzannedibble.com/gdprpack If you share personal data with a common official, Article 26 of the RGPD stipulates that an “agreement” must be reached between those responsible for processing. A joint agreement on common data sharing for processing is different from a data-sharing agreement. If you need these documents, they are two of the many documents in my RGPD compliance package that you can buy very cheaply at “www.suzannedibble.com/gdprpack just though, as a data manager, you share personal data with an independent data manager (i.e. no common official), I recommend having an agreement (especially where disclosure is systematic, large-scale or risky), even if the DSGVO does not specifically require it. The agreement helps you justify data sharing and demonstrate compliance issues and explains how the parties agree to resolve them. Article 26 also states that the core of the agreement must be made available to the persons concerned (probably in the data protection instructions) and that a point of contact may be designated for those concerned. Regardless of the nature of the agreement and the distribution of responsibilities among the common person responsible for treatment, a person concerned may exercise his or her rights against each of the common persons responsible for the treatment. Accurate evaluation of data transfer to a processor, common controller or other independent controller is essential, as the type of agreement you need to make varies depending on the nature of the other party. If in doubt, seek legal advice. A processing manager decides how the data is processed.

Suzanne Dibble is a multi-award winning business lawyer with 23 years of experience and author of the best-selling book RGPD for models. Suzanne consults with multinationals on data protection legislation and has created the largest social media group under the RGPD, where she has helped 40k organizations around the world comply with the RGPD. The Legal Services Board and the Law Society have announced their innovative approach to helping small entrepreneurs with complex regulations. Suzanne collaborated with Richard Branson at Virgin, where she led a group-wide data protection project that led to Virgin Suzanne`s nomination for Solicitor of the Year and Suzanne`s second in this prestigious award. Suzanne has unrivalled training and experience in a high-end law firm, has signed billions of pounds and has been a board member of 150 million pounds of business (which has resulted in her being listed in the Who`s Who of Britain`s Business Elite two years in a row).