Dictionary

Data sharing agreement

A data sharing agreement is the written deal between organisations that share data: what moves, to whom, for what purpose, on what legal basis, for how long, under what security, and what happens at the end. Under GDPR the roles decide whether you also need a data processing agreement.

What is a data sharing agreement?

A data sharing agreement is a written agreement between organisations that share data. It sets out what data moves, to whom, for what purpose, on what legal basis, for how long, under what security, and what happens to the data once the arrangement ends.

It works as two documents at once. For legal and compliance, it records the purpose, the lawful basis, and the roles under data protection law. For the data teams on both sides, it is a working brief: which fields come through, how often, and who reports an incident.

Without one, shared data drifts. An export lands in a shared folder, someone builds a report on it, and a year later nobody can say who owns a wrong figure or a deletion request. The agreement records those answers up front.

What a data sharing agreement sets out

Most agreements cover the same core ground, and the detail scales with how sensitive the data is.

  • Purpose. Not a blanket "for analysis" but which analysis, for whom, and what decisions may follow. Data shared for billing should not quietly become training data for a model or a marketing list.

  • Parties and roles. Who shares, who receives, and who carries which responsibility under data protection law at each stage, including after the data has changed hands.

  • The data in scope. A specification of the datasets and fields covered. Often it is right to share part of a record and leave the more sensitive fields behind.

  • Legal basis. The lawful ground for the sharing, which matters most when the data includes personal data, what many teams call PII.

  • Retention and deletion. How long each side may keep the data and how it gets deleted. This is where data retention and data minimisation stop being policy words and become clauses someone has to honour.

  • Security. The technical and organisational measures each side applies, plus how a breach is reported and to whom.

  • The end of the arrangement. What happens when it stops: return the data, delete it, or anonymise it, with copies, backups, and exports covered too.

Controller to controller, or controller to processor?

The most important question in a data sharing agreement is a GDPR question: what role does each side play. The answer decides which document you actually need, and GDPR is strict about two of the three cases.

Two controllers sharing data

If the other organisation decides its own purposes for the data, you are two separate controllers. A manufacturer sends a distributor monthly sales figures, and the distributor uses them for its own demand forecasting. Each side answers for its own use. GDPR does not impose a fixed template here, but regulators expect a written agreement, and the accountability principle is hard to meet without one.

A processor acting on your instructions

If the other organisation only handles the data on your behalf and follows your instructions, it is your processor rather than an independent controller. A retailer hands its customer list to an email platform that sends campaigns for it and does nothing else with the data. Here GDPR Article 28 makes a data processing agreement mandatory and prescribes its contents: documented instructions, confidentiality, security, limits on sub-processors, help with data subject requests, and deletion or return of the data when the service ends.

Joint controllers

If both sides decide the purposes together, you are joint controllers, and GDPR Article 26 requires an arrangement that sets out who is responsible for what, above all who answers to the people whose data it is. The essence of that arrangement has to be made available to those individuals, and they can exercise their rights against either party.

The dividing line is always who decides the purpose. The same data can flow in each case, but the legal instrument differs because the control does.

What to watch out for with data sharing agreements

Vague purpose clauses. A clause like "for analysis and business purposes" permits almost anything, so it controls almost nothing. Write down the specific use and the decisions it feeds.

Deletion you cannot actually perform. A duty to delete is only real when both sides know where copies, backups, and exports sit. Without data lineage that is guesswork, and the clause becomes a promise nobody can keep.

Definitions that quietly differ. If your "active customer" is not the receiving side's "active customer", the same dataset supports two different conclusions. Agree the definitions, not only the fields. That is ordinary data governance applied across an organisational boundary.

Confusing it with a data contract. A data contract pins down the schema, fields, and delivery between systems; a data sharing agreement pins down why the data may be used and by whom. A partnership often needs both, and one of them working does not mean the other exists.

Leaning on a technical control alone. A data clean room can enforce some limits by construction, but it does not record the purpose or the roles, so it does not replace the agreement.

Data protection decisions turn on the specifics of each case. For sensitive data, large-scale sharing, or anything novel, bring in legal and privacy specialists rather than leaning on a template.

Last Updated: July 10, 2026 Back to Dictionary
Keywords
data sharing agreement data sharing gdpr data processing agreement data governance data contract personal data joint controllers data privacy compliance