Who is who: data controller or processor?

Sharing and exchanging personal data is considered data processing and requires appropriate actions. The first question to ask is whether you are a data controller or processor. The GDPR stipulates that you share responsibility for the parties with whom you share personal data.

It is essential to understand your business’s role to determine the level of responsibility and the type of agreement you need to establish with third parties (collaborative partners, suppliers, members, consultants, etc.).

Data processing agreement or data sharing agreement?

Once you know whether you are a controller or processor, you must enter into the correct agreement(s). The type of agreement depends on the processing process.

If one party processes personal data on behalf of another?

  • It is considered a processor, requiring a Data Processing Agreement.
  • The content of such an agreement is strictly regulated by the GDPR.


If both parties jointly determine the purposes and means (the “why” and “how”) of the processing?

  • They are considered joint data controllers.
  • The collaboration and task allocation must be included in a transparent arrangement.
  • The GDPR does not specify the full content here, but rather the agreements that must be publicly shared.

If parties share personal data with each other, but each determines the purposes and means of processing individually afterward?

  • Then each party remains an independent data controller individually responsible for its share in the processing.
  • Although the GDPR does not explicitly impose an obligation for an agreement in this case, it is preferable to make certain agreements regarding GDPR compliance in a ‘Data Sharing Agreement.

Data Processing Agreement en Data Sharing Agreement: What should be included?

Download the handy checklist to ensure your agreement is complete.

Checklist Data Processing Agreement

Checklist Data Sharing Agreement

What can we do?

Our Privacy experts provide tailored assistance and advice on agreements, the role and status of all parties. We can negotiate, draft, and review the right contracts for you.

In a more complex organization or collaboration structure, we map out the roles of all parties, highlight potential implications, and work with you to develop a strategy to make this ecosystem GDPR compliant.

Variable price More info about our prices

Ensure the correct approach for sharing and processing personal data?

Contact our Privacy & IT experts. They will be happy to assist you with concrete and hands-on advice.

Contact team Privacy & IT