Sharing personal data
The rules about sharing personal data
Q1: When can I share personal data?

Sharing personal data with another business may be a necessary and normal part of your business activities. You are allowed to do so if you have one of a limited number of specific reasons for doing so (known as a lawful basis) and you have been clear and transparent with the individual involved from the outset about any planned sharing of their data. This information will usually be set out in your privacy policy. See Privacy policy for a template you can put on your website for your customers or clients, and Privacy information for more information on how and when to use it. See Q&A 33 for more information on what to include in your privacy policy about sharing personal data.

There are six specific reasons for using (or sharing) personal data. The reasons most likely to apply to your business when sharing are:

  1. you need to share the data in order to fulfil a contract with the individual concerned (eg an order). See Q&A 3;

  2. you have a legitimate reason for sharing the data. See Q&A 5;

  3. the individual has consented to you sharing their data. See Q&A 6; or

  4. you need to share the data because the law requires you to do so (eg sharing the data with a regulatory authority for law enforcement purposes). See Q&A 7.

Before sharing any personal data, you should consider whether there are any other legal constraints on your sharing (eg confidentiality restrictions or industry-specific regulations or guidance, full coverage of which is outside the scope of this service).

Note that the ICO's Code confirms that if you plan on sharing children's personal data you should always consider the best interests of the child, only share their data if you have a compelling reason to do so (eg for safeguarding purposes) and carry out a data protection impact assessment first. See Q&A 37 for guidance about the Code and who it applies to. Remember that if you run an online service which is likely to be used by children, you should also comply with the ICO's guidance for such services to ensure that their personal data is safeguarded. For more information, see Privacy and children.

Bear in mind that if the data that you will be sharing contains both personal and non-personal data, less strict rules may apply to the transfer of the non-personal data. If the two categories of data cannot be separated out (eg because it would be impossible to do so or cost too much), you must apply the rules about transferring personal data, as set out in this section, to all of the data in question (personal and non-personal).


Q2: Can I share someone's personal data if I am a data processor?

If you are a data processor, you are dealing with personal data on behalf of someone else and in accordance with their instructions. In these circumstances, you are only permitted to share data if you are authorised to do so by the data controller. This is likely to be specified in your data processing agreement. See Q&A 38 and following for more information about when you need one.

It is a criminal offence to knowingly or recklessly obtain or disclose personal data without the consent of the data controller (unless you are legally required to do so) and if you are found guilty, you could face an unlimited fine.

See Data protection obligations for guidance on the difference between a data controller and a data processor.


Q3: Can I share someone's personal data to fulfil an order they have placed?

Sharing personal data with another business may be a necessary and normal part of your business activities, and something that you are required to do in order to carry out, or perform, a contract with the individual concerned. For example, if the individual has purchased something from you through your website, you may need to share some of their personal data with a courier in order for the order to be delivered.

See Q&A 1 for other acceptable reasons to share someone's personal data.


Q4: What does a legitimate interest to share someone's personal data mean?

This is the most flexible basis on which you can share an individual's personal data. You can rely on this basis in many different circumstances. The interests or purpose can include your own commercial interests, or those of a third party. Preventing fraud or highlighting a possible criminal act will also be a legitimate interest.

See Q&A 5 for more information.

See Q&A 1 for other acceptable reasons to share someone's personal data.


Q5: Can I share someone's personal data if I have a legitimate interest in doing so?

Yes, you can share someone's personal data if:

  1. you have a legitimate reason or purpose for doing so. This may be the case if your business is part of a group of companies and you have a legitimate interest in sharing personal data within that group for internal administrative purposes (eg you need to share your employees' personal data with your head office for HR purposes); and

  2. it is necessary for you to share the data to achieve your purpose. If there is another reasonable way you can do it without sharing personal data, you cannot rely on having a legitimate interest; and

  3. the individual's interests do not override your reason for sharing. Generally, this will mean that you can use this basis if the individual would reasonably expect you to share their data in the way you want to.

See Q&A 1 for other acceptable reasons to share someone's personal data.


Q8: Do I need to carry out a data protection impact assessment before I share personal data?

Yes, it is recommended that you carry out a data protection impact assessment (DPIA) before sharing any personal data to make sure that you have considered the benefits and risks of doing so. In many circumstances it will be a legal requirement for you to conduct one.

For example, you must carry out a DPIA where:

  1. you are a data controller and you are sharing personal data with another data controller in a way that would not be expected by the individual, eg for marketing purposes. Note that although it will not always be legally required, the ICO's Code specifically recommends that data controllers carry out a DPIA before sharing any personal data with other data controllers. See Q&A 37 for further guidance about the Code;

  2. you are sharing personal data of a sensitive nature, eg health records; or

  3. there is a change in the risk level, eg because you would like to transfer personal data outside of the UK.

See Data protection impact assessments for more information about carrying out a DPIA and Data Protection impact assessment policy for a template you can use.


Sharing personal data outside the UK
Q9: What implications did Brexit have for sharing personal data outside the UK?

There was a Brexit transition period until 31 December 2020 during which there were no changes to data protection law in the UK, including how data could be shared outside the UK, whether to countries within or outside the EEA.

Now that the transition period has ended, the EU GDPR has been retained in domestic law as the UK GDPR. Whilst the key obligations remain the same under the UK GDPR, Brexit does nevertheless have implications for sharing personal data internationally. The effects on your business will depend on how and where you are transferring personal data, including whether you will be sharing with countries inside or outside the EEA; see Q&A 14.

There are also important implications for any personal data that your business acquired from the EEA before the end of the transition period on 31 December 2020; see Q&A 24.


Q10: Can I share personal data outside the UK?

Yes, however there are important restrictions on the transfer of personal data to a separate organisation or individual outside the UK (see Q&A 14). This is because once the personal data has been transferred outside the UK, those whose data it is risk losing the protection offered by the UK GDPR.

Transfers outside the UK are only permitted where individuals' rights in relation to their personal data are protected in an alternative way to the protection offered by the UK GDPR.

Transfers are also permitted if an exception to the restriction on transferring personal data applies.


Q11: Can I share personal data outside the UK on a website?

If you add personal data to a website, this will often result in a transfer that is subject to restrictions (see Q&A 14). You can therefore only share personal data outside the UK on a website where it is permitted under the rules.

This is because it is likely that someone outside the UK will access the information. In this situation, you should make sure that you comply with the rules set out in Q&A 14 and following.


Q12: Can I share anonymised personal data outside the UK?

Yes. Before transferring any personal data outside the UK, you should consider whether the transfer of the data in the form it is in is actually necessary. For example, it may be possible to make the data anonymous. You could then share the anonymous data outside the UK without any restrictions. It is important to remember that to remain anonymous, it should not be possible to identify any individuals from the data, even when combined with other information which is available to the person or business receiving the data.


Q13: Can I share personal data outside the UK to a company that is in the same group as mine?

The restrictions on the transfer of personal data outside the UK (see Q&A 14) can apply to a company that is in the same group as your business. You can therefore only share personal data outside the UK with a group company where it is permitted under the rules.

It is also important to understand that the restrictions apply to the actual transfer of personal data, and not to where it travels en route. If the personal data is routed through a server in Australia, for example, but the actual transfer is made within the UK from one business to another, then the restrictions do not apply.


Q14: What are the restrictions on transferring personal data outside the UK?

Under the UK GDPR, you can only make a transfer of personal data outside the UK where:

  1. the transfer is to or from countries in the EEA (see Q&A 15);

  2. the transfer is covered by adequacy regulations (see Q&A 19);

  3. the transfer is covered by appropriate safeguards (see Q&A 20); or

  4. the transfer is covered by an exception to the restriction on the transfer of personal data outside the UK (see Q&A 23).

If the transfer does not fall within one of the above categories, then you cannot transfer the personal data outside the UK.


Q15: Can I share personal data with countries in the EEA?

Yes, but following Brexit, there are restrictions on you doing so and you will need to comply with the UK GDPR at all times in relation to your data sharing.

The rules applicable to your data sharing will depend on whether your transfer is:

  1. from the UK to an EEA country, see Q&A 16; or

  2. from an EEA country to the UK, see Q&A 17.


Q16: How can I send personal data from the UK to the EEA?

The government has confirmed that transfers of personal data from the UK to countries in the EEA are not restricted following Brexit and no additional steps are required for you to make a transfer.

See Q&A 17 if you will be receiving personal data from the EEA.


Q17: How can I receive personal data from the EEA?

On 28 June 2021, the EU Commission adopted an adequacy decision in respect of the UK. This means that personal data can continue to flow freely from countries in the EEA to the UK without additional safeguards being introduced. Note that there is an exception for personal data processed for immigration control purposes, guidance for which is outside the scope of this service. For access to a specialist lawyer in a few simple steps, you can use our Ask a Lawyer service. See Q&A 18 for further guidance about adequacy decisions.

It is important to bear in mind that the adequacy decision for the UK is time limited and will automatically expire after four years unless it is renewed. The EU Commission will also monitor any developments in the UK and may amend, suspend or repeal its adequacy decision in the future if it determines that the UK no longer provides adequate protection for individuals' rights and freedoms in relation to their personal data. If the adequacy decision is withdrawn, there may be implications for the mechanism you rely on to receive personal data from the EEA, and for personal data you collected on or before 31 December 2020 (see Q&A 24 for further guidance).


Q18: What does an EU Commission adequacy decision mean?

This means that the EU Commission has decided that the legal protection available in the country, territory or sector in which the business receiving the personal data operates provides adequate protection for individuals' rights and freedoms in relation to their personal data. An up-to-date list of the countries for which the EU Commission has made an adequacy finding can be found on the European Commission's data protection website. The EU Commission made an adequacy determination in respect of the UK on 28 June 2021 (see Q&A 17).

Now that the UK has left the EU, organisations are still able to rely on adequacy decisions to make international data transfers from the UK, as adequacy regulations have been made in respect of all countries covered by an EU adequacy decision as at 31 December 2020 (see Q&A 19). If you will be receiving personal data from a country outside the EEA, the rules will be different; see Q&A 19 for further guidance.

Note that on 16 July 2020, the European Court of Justice issued a judgment invalidating the US Privacy Shield. This means that the Privacy Shield can no longer be relied on to transfer personal data outside the EEA (including by businesses in the UK). Businesses should instead put in place other appropriate safeguards (see Q&A 20). Full guidance on transfers of personal data to the US is outside the scope of this service and you should speak to a lawyer if you have any concerns. For access to a specialist lawyer in a few simple steps, you can use our Ask a Lawyer service.


Q19: What are UK adequacy regulations?

Prior to Brexit, businesses in the UK could transfer personal data to countries outside the EEA if an EU adequacy decision had been made in respect of that country (see Q&A 18 for information about adequacy decisions).

Now that the transition period is over, you will be able to make a transfer of personal data from the UK to countries outside the UK if the transfer is covered by adequacy regulations. A full list of the countries and territories currently covered by adequacy regulations can be found on the ICO's website. It includes all countries covered by adequacy decisions in force at the end of the Brexit transition period on 31 December 2020. If there is no adequacy regulation in place, you will need to consider how else you can make a permitted transfer of personal data outside the UK (see Q&A 14).

If you will be receiving personal data from countries outside the EEA, you and the sender will need to consider local law requirements. The Government is currently working with those countries covered by adequacy decisions to make arrangements for the continued flow of personal data to the UK. You should seek legal advice from a lawyer if you are unsure whether your data transfer is permitted. For access to a specialist lawyer in a few simple steps, you can use our Ask a Lawyer service.


Q20: What are appropriate safeguards that will allow me to make a transfer of personal data outside the UK?

Appropriate safeguards are certain agreements that allow you to make a transfer of personal data outside the UK.

If the other country is not within the EEA and neither falls within the adequacy regulations (Q&A 19) nor is subject to an exception (Q&A 23), you will need to put appropriate safeguards in place to be able to transfer personal data. Those most likely to be relevant to your business are:

  1. where both your business and the entity receiving the personal data outside the UK are part of a multinational group (including franchises or joint ventures) and have signed up to an internal code of conduct, also referred to as UK Binding Corporate Rules (UK BCRs) (see Q&A 21); or

  2. where both your business and the entity receiving the personal data outside the UK have signed a contract which contains standard clauses, 'Standard Contractual Clauses' (SCCs) or model clauses (see Q&A 22).

Importantly, the ICO recommends that businesses carry out an assessment before relying on appropriate safeguards for their international data transfers. This will enable you to consider whether the appropriate safeguard you intend to use will provide an adequate level of protection in the country to which data is being transferred, or whether you need to take further steps. If you are concerned about your use of appropriate safeguards for international data transfers, you should consider speaking to a lawyer. For access to a specialist lawyer in a few simple steps, you can use our Ask a Lawyer service.

If the transfer is not covered by appropriate safeguards, you should consider whether it is covered by an exception to the restrictions. See Q&A 23 below.


Q21: What are UK Binding Corporate Rules?

UK Binding Corporate Rules (UK BCRs) are internal codes of conduct signed up to by businesses which are part of a multinational group (including franchises or joint ventures). They permit a business in the UK to share personal data with a group company outside of the UK. UK BCRs must be approved by the ICO, which began accepting applications for UK BCRs from 1 January 2021. Guidance on how to apply for a UK BCR is outside the scope of this service. For access to a specialist lawyer in a few simple steps, you can use our Ask a Lawyer service.

Note that if your business had an EU BCR prior to the end of the Brexit transition period (ie 31 December 2020) for which the ICO issued an authorisation, you were automatically eligible for a UK BCR provided you made the necessary changes to produce a UK version by 1 January 2021. EU BCRs that were not authorised by the ICO were also required to meet other conditions to be automatically eligible for a UK BCR after the Brexit transition period, full coverage of which is outside the scope of this service.

Importantly, the European Commission has indicated that old BCRs approved by the ICO on or before 31 December 2020 no longer provide appropriate safeguards for businesses in the EEA who are transferring data to the UK unless they were also approved by an EEA supervisory authority before 1 January 2021. If you are unsure about the status of your BCRs following Brexit, consider getting some legal advice. For access to a specialist lawyer in a few simple steps, you can use our Ask a Lawyer service.


Q22: What are Standard Contractual Clauses?

'Standard Contractual Clauses' (SCCs) or model clauses are standard clauses that are included in a signed contract between your business and the organisation you are sharing personal data with. They set out contractual obligations between the organisations sharing personal data. See Q&A 20 for when you might need to use them.

Prior to Brexit, SCCs were issued by the European Commission under the EU GDPR (EU SCCs). Following Brexit, the UK is able to issue its own SCCs. New UK SCCs (the International Data Transfer Agreement (IDTA) and the International Data Transfer Addendum (UK Addendum)) came into force on 21 March 2022 and can now be used for transfers of personal data outside the UK. You can find the IDTA and Addendum on the ICO's website.

Note that if you are using older contracts containing EU SCCs, these are no longer valid for sharing personal data outside the UK. Since 21 March 2024, you are required to enter into a new contract on the basis of the IDTA and Addendum, or rely on alternative safeguards to make your restricted transfer.


Q23: What are the exceptions to the restriction on the transfer of personal data outside the UK?

There are several exceptions to the restriction on the transfer of personal data outside the UK (see Q&A 14), and the ones that are most likely to be relevant to your business are set out below.

If the transfer is not covered by the adequacy regulations, or is not covered by appropriate safeguards, you can still make the transfer if one of the following exceptions applies (and you comply with the rest of your obligations):

  1. the individual has given their specific, explicit consent to the restricted transfer. You cannot obtain a general consent for restricted transfers. The threshold for obtaining consent is high. You must provide the individual with details about the transfer, including who the data will be sent to, what data will be sent, and the risks involved in making the transfer to a place which provides neither adequate protection nor appropriate safeguards for personal data. See Consent to use personal data for more information on obtaining consent, including the right to withdraw such consent;

  2. you have or are about to enter into a contract with the individual, and you need to make the restricted transfer in order to fulfil your obligations under the contract. This exception can only be used for occasional restricted transfers. In addition, the transfer must be necessary to either perform the contract or take the steps needed to enter into the contract. It does not cover a transfer to use an IT cloud-based system;

  3. you have or are entering into a contract with an individual which benefits another individual whose personal data is being transferred, and you need to make the transfer to fulfil your obligations under the contract. This exception can only be used for occasional restricted transfers, and the transfer must be necessary in order for you to be able to enter into or perform the contract. There must be a close and substantial link between the transfer and the contract;

  4. you need to make the transfer to establish if you have a legal claim, to make a legal claim or to defend a legal claim. This exception can only be used for occasional transfers, and there must be a direct link between the legal claim and the transfer, which makes it necessary. This exception covers contract claims, criminal cases, pre-trial discovery procedures, and out-of-court procedures. The claim must have a legal basis; this exception cannot be relied upon where there is only the possibility of a claim being brought in the future;

  5. you are making a one-off transfer and it is in your compelling legitimate interests. Note that the threshold for this exception is very high, and it is for truly exceptional circumstances, to be used only as a last resort. In order to rely on it, you must first have given serious consideration to other appropriate safeguards and exceptions (eg you may be able to obtain consent, even if this involves some work on your part). The personal data must only relate to a limited number of individuals, and the transfer must be necessary for your compelling legitimate interests (eg to protect your computer systems from serious immediate harm). You must document a full assessment of the circumstances and put in place suitable safeguards to protect the personal data (eg strict confidentiality agreements or data retention policies). You must inform the ICO of the transfer. You must also inform the individual concerned, and set out your compelling legitimate interest to them.


Q24: How did Brexit affect personal data transferred to me from an EEA country before the end of the transition period?

Prior to the EU Commission adopting an adequacy decision in respect of the UK on 28 June 2021, your business must have ensured that it continued to comply with EU law (as it stood on 31 December 2020; known as 'Frozen GDPR') in respect of all personal data that was transferred to you from an EEA country prior to 1 January 2021 (referred to as 'legacy data'). This was in addition to complying with UK law in respect of your processing activities. Now that the adequacy decision has been adopted, you no longer need to process legacy data in accordance with the Frozen GDPR. However, if the EU Commission repeals or suspends its adequacy decision in respect of the UK, you will need to revert to applying the Frozen GDPR to any legacy data that you hold at that time. It is therefore important that you are able to identify any personal data that your business processes that was collected from the EEA prior to 1 January 2021.


Key obligations when sharing personal data
Q25: What are my obligations when sharing personal data?

Before sharing any personal data, you should consider whether your objective could be achieved without the need for you to share any personal data. If you do need to share data, whether you are disclosing or receiving personal data, you must be clear and transparent with the individual (eg in your privacy policy; see Q&A 33 for more information). You will also be under the following key obligations:

  1. compatibility of data sharing. See Q&A 26;

  2. necessity of data. See Q&A 27;

  3. accuracy of data. See Q&A 28;

  4. retention periods. See Q&A 29;

  5. security measures. See Q&A 30;

  6. systems and procedures. See Q&A 31; and

  7. contractual safeguards. See Q&A 32.

Bear in mind that if your business is a data controller and you are sharing personal data with another data controller, you should also consider whether you are doing so in accordance with the ICO's Code. For further guidance, see Q&A 37.


Q26: What does compatibility of data sharing when I share personal data mean?

This means that personal data must only be shared where sharing it is compatible with the purpose for which you originally collected it. If your data sharing will be for a different purpose, and you are not required to share the data by law, you will need to obtain the individual's consent. For example, if you hold customers' email address details for the purposes of orders they have placed with you, you cannot share (or sell) these details with a third party, or with other companies in your group, for marketing purposes, unless you have your customers' specific consent to do so.

Bear in mind that if you are a data controller and you are receiving personal data from another business (eg because you have acquired that business) you must only process that data in line with the reasonable expectations of the individual involved. For example, if the individual has previously opted out of marketing communications, you must respect this choice when carrying out your own marketing. See Obtaining consent for direct marketing for more information. If you want to process the data in another way, you will need to obtain the individual's consent to this.

See Q&A 25 for other key obligations when sharing personal data.


Q27: What does only sharing necessary personal data mean?

You must ensure that you only share personal data that is necessary for the purpose for which you are sharing it. For example, if you need to share personal data with a courier to deliver orders for you, you should share name and address information and not other unnecessary information, such as credit card details.

See Q&A 25 for other key obligations when sharing personal data.


Q28: Do I have to make sure the personal data I share is accurate?

Yes. You must ensure that the personal data you share is accurate and kept up to date where necessary (see The rules about storing data for more information about how to ensure the personal data you are storing is kept accurate and up to date). If you receive a request for personal data that you are storing to be rectified, you must also (where possible) inform any third parties to whom you have disclosed that data. See Q&A 50 for more information about who is responsible for responding to requests such as this when data has been shared.

It will also be important that the format in which you share personal data is compatible with the systems of the organisation with which you are sharing it. This is to ensure that the information remains accurate and reliable at all times. For example, you must ensure that your IT systems are aligned so that data is not corrupted when it is transferred. These issues should be considered before any data sharing takes place.

See Q&A 25 for other key obligations when sharing personal data.


Q29: How long can I keep the personal data that someone has shared with me for?

You must make sure that you do not keep the personal data you receive from another party for any longer than is necessary for the purpose for which it was shared with you. You should establish time limits for deleting data or reviewing whether it needs to be deleted and agree these in your data sharing agreement or data processing agreement. See Q&A 38 and following for more information about data sharing agreements and data processing agreements, and The rules about storing data for more information on keeping data.

Bear in mind that you may also be under a legal obligation to keep records of any processing activities you undertake (see Record-keeping for guidance). Importantly however, the ICO's Code recommends that data controllers keep a regularly reviewed record of their data sharing, even if they are not legally required to keep records of their processing activities. These records should include documents demonstrating how you have complied with your other obligations under the UK GDPR when sharing personal data (eg in relation to your lawful basis for the sharing). See Q&A 37 for further information about the Code.

See Q&A 25 for other key obligations when sharing personal data.


Q30: What security measures must I have in place when sharing personal data?

You must put in place appropriate technical and organisational measures to make sure that personal data is shared, and subsequently stored by each business, securely. These measures should be set out in your data sharing agreement or data processing agreement (see Q&A 38 and following for more information about what information should be included in your data sharing agreement or data processing agreement, and Template data processing agreement for a template you can tailor to your circumstances).

If you are a data controller, you must ensure that the personal data that you are sharing is protected against unauthorised access, use, loss, destruction or damage while in transit, and any business involved in data sharing must at all times ensure a level of security appropriate to the risks posed. You could consider anonymising the data before sharing it (eg where you are sharing data for statistical purposes only), which may take the data outside of the scope of regulation (see The rules about storing data for more information about anonymisation).

The specific measures that you need to put into place will depend on the context of your data sharing (eg are you sharing it internally within your group (see Q&A 45) or externally with a business outside of the UK (see Q&A 9)), as well as the particular risks posed by that context. When determining what measures to implement you should also bear in mind existing technology and the associated costs of any measures. Examples of the measures that you should consider implementing include:

  1. ensuring you have clear instructions in place about the measures to be taken in relation to each type of file transfer (eg physical and electronic);

  2. encrypting files that are transferred electronically;

  3. applying pseudonyms; and

  4. ensuring you have adequate access controls so that only those people who require access to personal data are able to gain access.

See Secure data storage for more detailed information about the measures that you should put in place to ensure that the personal data you share is kept secure at all times.

See Q&A 25 for other key obligations when sharing personal data.


Q31: What systems and procedures will I need to put in place when sharing personal data?

You will need to ensure that you have measures in place to comply with your obligations, alongside appropriate policies and training for your staff. This includes making sure that someone within your organisation has the skills and knowledge to ensure that you comply with your obligations. You may be legally required to appoint a data protection officer, but if not you should make sure that you have staff within your business who have a reasonable level of knowledge about data protection matters and can make sure you comply with your obligations. See Data protection officers and staff training for more information about who that person should be and what policies and procedures you should put into place to ensure that you fulfil your obligations.

See Q&A 25 for other key obligations when sharing personal data.


Q32:What contractual safeguards will I need to put in place when sharing personal data?

It is crucial when sharing that you make sure that the recipient of the data has in place adequate safeguards and measures as you may both be liable if either party its obligations. See Q&A 47 for more information about what happens if a party you have shared with its obligations. In practice, you can ensure adequate safeguards are in place by entering into a or a which sets out the various obligations and responsibilities of both parties. In some circumstances, you are legally required to have such an agreement in place – see Q&A 38 and following and Template data processing agreement for a template you can tailor to your circumstances.

See Q&A 25 for other key obligations when sharing personal data.


Q33:What should my privacy policy say about sharing personal data?

If you are a data controller and you are sharing personal data, you must be clear and transparent with the person whose data you are sharing from the outset about why you are sharing the data and who you will be sharing it with. You must also provide details about how individuals can exercise their rights in relation to their personal data (see Q&A 50). It is common to set this information out in your privacy policy, provided to the data subject when you first collect the data. For example, if you rely on external couriers to make deliveries for you, you should explain in your privacy policy that you share personal data with couriers for this purpose. If you may be required to share personal data with regulatory authorities for law enforcement purposes, you should explain this in general terms in your privacy policy. Note that the ICO's Data Sharing Code of Practice recommends that if your business is a data controller and you are sharing data with several different data controllers, you should ensure your privacy policy makes it clear which organisation individuals should contact if they want to make a data subject request (see Q&A 50 for more information about data subject requests when sharing personal data).

Most businesses will publish a link to their privacy policy on their website, and you may also consider using other methods to effectively deliver privacy information, particularly if information is provided at different times. See When to use personal data and Privacy information for more information about what other information must be included in your privacy policy, How to tell people about a privacy policy and a cookie policy for how you should communicate your notice to individuals, and Privacy policy for a template document you can tailor to your circumstances.

You must ensure that your privacy policy is reviewed on a regular basis and updated where necessary to correctly reflect your data sharing activities. A review will also help you analyse any complaints from the public about how you use their personal data, including how you explain that use. Bear in mind that if you want to share personal data in a new way, you will need to ensure that the relevant individuals are informed about this before you do so. You can do this by updating your privacy policy and ensuring that you bring this change to users' attention before you change your sharing activities.


Q34:How does Brexit affect what my privacy policy should say about sharing personal data?

You should review any provisions about sharing personal data outside the UK (either to the EEA or to countries outside the EEA) in your privacy documentation. These will need to be updated to reflect the basis under which you are making those transfers and to reflect the fact that the UK is no longer a member of the EU. See Q&A 9 and following for more detail on sharing personal data outside the UK.

See Q&A 35 for guidance on what your privacy policy should say if the data you are sharing has been provided by a third party.


Q35:What should my privacy policy say if the data I share comes from a third party?

As a data controller, you may receive shared personal data from a third party, rather than from the relevant individual themselves. You still need to ensure that the individual whose data has been shared has received all the relevant privacy information about how you will be using their data, particularly if you are planning to share the personal data with another business. See When to use personal data and Privacy information for more details on the data privacy information you must give people about using their personal data, and Privacy policy for a template privacy policy, which you can tailor, depending on how you will use the data.

In these circumstances, you must provide your privacy policy to the relevant individual:

  1. within a month of you obtaining the personal data;

  2. if you are using the personal data to communicate with the individual concerned, at the point you first communicate with them, at the latest; or

  3. if you are planning to disclose the personal data to someone else, at the point at which you disclose the personal data.

See Q&A 36 for a list of exceptions to the above rule that you need to provide privacy information if the data has come from a third party.

Bear in mind that your business remains responsible for ensuring the integrity of any personal data that it receives from a third party, and for complying with its data protection obligations in respect of that data (see Q&A 25). If your business will be using marketing lists bought, rented or otherwise obtained from a third party, see Direct marketing for further guidance.


Q36:Do I always need to provide privacy information if the data I share comes from a third party?

No. There are some limited exceptions to the requirement to provide the individual concerned with your privacy information if you obtain it from a third-party source (see Q&A 35), including those set out below.

  1. The individual already has your privacy information

    To rely on this exception, you must be able to demonstrate that the individual in question already has your privacy information (eg because the organisation you obtained the data from already provided it to them). If you are unsure what information has been passed on, you should make sure you provide it yourself.

  2. Providing the information to the individual would be impossible

    In some circumstances it may be impossible for you to provide your privacy information to the data subject. For example, you may not have their contact details or any reasonable way to get hold of them.

    If you are going to rely on this exception, you must carry out a data protection impact assessment (DPIA) before doing so and publish your privacy information (eg by including a privacy policy on your website). See Data protection impact assessments for more information on DPIAs, and Data Protection impact assessment policy for a template internal policy that will assist you in fulfilling your obligations.

  3. Providing the information to the individual would involve a disproportionate effort

    If the effort it will take you to provide the individual in question with your privacy information would be disproportionate as against the effect that your use of the data will have on them, you may be able to rely on this exception. To do so, you should make a written record of your assessment of the proportionality and conduct a data protection impact assessment (DPIA) before processing the data. See Data protection impact assessments for more information on DPIAs, and Data Protection impact assessment policy for a template internal policy that will assist you in fulfilling your obligations.

    Considerations you can bear in mind when making your assessment of proportionality include:

    1. the number of individuals involved;

    2. how old the personal data is; and

    3. what safeguards you have put in place.

    In any event, if you are relying on this exception you must still publish your privacy information (eg by including a privacy policy on your website).

  4. You are required by law to obtain or disclose the personal data

    In some instances, you will be required by law to obtain or disclose personal data which you have obtained from a third-party source.


Q37:What is the Data Sharing Code of Practice?

It's a statutory code of practice published by the ICO, which aims to provide practical guidance to businesses about how to comply with their data protection obligations when sharing personal data. It came into force on 5 October 2021 and applies to the sharing of personal data between data controllers. It does not apply to data sharing with data processors.

Although the Code is not technically law, the Information Commissioner must take compliance with the Code into account when considering whether a business has breached its obligations. If you do not comply with the Code, you may find it more difficult to demonstrate that you have complied with data protection law. Failure to comply with data protection law can have serious financial and reputational consequences for your business, including in the most serious cases fines of up to £17.5 million or 4% of your global annual turnover, whichever is higher.

Recommendations contained within the Code include:

  1. carrying out a data protection impact assessment (DPIA) before sharing any personal data between data controllers (see Q&A 8);

  2. entering into a data sharing agreement (see Q&A 43); and

  3. making it easy for individuals to assert their information rights (see Q&A 50).

Relevant guidance for data controllers about how to comply with the Code when sharing personal data with other data controllers is set out in this section where applicable.


Data processing agreements and data sharing agreements
Q38:What is a data processing agreement?

A data processing agreement is an agreement between a data controller and a data processor, which sets out each party's rights and responsibilities in relation to the personal data that has been shared between them.

If you are a data controller and you are sharing personal data with a data processor, or you are a data processor receiving data from a data controller, you must have a written data processing agreement in place. For more information about how to tell the difference between a data controller and a data processor, see Data protection obligations.

The data processor must provide the data controller with sufficient guarantees that the data processor will put in place proper technical and organisational measures to ensure that the data controller's obligations will at all times be complied with and that the rights of the individual concerned will be protected. If you are a data controller, it is vital that you have satisfied yourself that the data processor has provided you with these guarantees in relation to the data sharing.

A data processing agreement will often be provided as an addendum to an agreement already in place between a data controller and a data processor (eg as an annex to the main contract). You can find a template data processing agreement between a data controller and a data processor, which has been produced on that basis, here: Template data processing agreement.

Note that if you want to transfer personal data to a business that is outside of the UK, there are additional issues to consider and safeguards that you must put into place. See Q&A 9 and Q&A 14 for further information.


Q39:What is a data sub-processor?

You are a data sub-processor if you are dealing with personal data on behalf of a data processor and in accordance with their instructions. See Q&A 40 for information on sharing data with a data sub-processor.


Q40:Can I share personal data with a data sub-processor?

Yes, if you are a data processor, you can share personal data with a data sub-processor. It is important to remember that you may only process personal data that has been shared with you on the written instructions of the data controller (or the data processor if you are a sub-processor), unless you are required to do so by law. These instructions will usually be contained in your data processing agreement (see Q&A 38). This means that you can only share personal data with a sub-processor if you have prior authorisation from the data controller. This authorisation can be general or specific (ie in relation to a particular sub-processor). If you have a general authorisation, you must inform the data controller if you are going to add or replace any sub-processors.


Q41:Do I need a contract to share personal data with a data sub-processor?

Yes. Before sharing any personal data with a sub-processor, you should check your data processing agreement with the data controller to find out what you are permitted to do and when you are permitted to do it.

If you do have the data controller's authorisation to share personal data with a sub-processor, you must put in place a sub-processor agreement with the sub-processor and ensure that its terms reflect your own contractual obligations with the data controller. It is particularly important that the sub-processor provides you with sufficient guarantees that it will put in place appropriate technical and organisational measures to ensure that all the relevant obligations in respect of that personal data are complied with.

It is important to bear in mind that if the sub-processor fails to comply with its obligations, you will remain fully liable to the data controller for the performance of the sub-processor's obligations. You may therefore wish to ensure that your agreement with the sub-processor contains appropriate indemnities. See Q&A 47 for more information about who is liable when a party you have shared personal data with breaches its obligations.

Further information on sub-processor agreements is currently outside the scope of this service.


Q42:Can I share personal data with another data controller?

Yes. If you are a data controller, you can share personal data with another data controller provided you have a lawful basis for doing so (see Q&A 1) and you comply with your data protection obligations at all times (see Q&A 25 and following).

Note that if you are sharing personal data with another data controller, you should also comply with the provisions of the ICO's Data Sharing Code of Practice (see Q&A 37).


Q43:Do I need a contract to share personal data with another data controller?

When data controllers are sharing personal data, there is not the same legal requirement to have an agreement in place as between a data controller and a data processor (see Q&A 38). However, it is best practice to enter into a data sharing agreement with the other data controller, and this is also recommended by the ICO's Data Sharing Code of Practice. See Q&A 37 for further information about the Code.

Note that if you and the other data controller will be acting as joint controllers in respect of the personal data (rather than independent controllers, separately processing the shared personal data for your own purposes) then you are required to put in place a joint control arrangement and be transparent about the way in which you and the other joint controller have apportioned compliance with your respective obligations. Whilst you are not required to put in place a data sharing agreement if you are acting as joint controllers, the ICO's Code advises that entering into such an agreement can help you to put in place your joint control arrangement (see Q&A 44).

See Q&A 44 for more information on data sharing agreements, including what they should say.


Q44:What is a data sharing agreement?

This is an agreement entered into between two data controllers which sets out the purpose of the data sharing and each party's rights and obligations when they share data with each other. It might also be called an information sharing agreement or a data sharing protocol.

If you are a data controller and you are sharing personal data with another data controller, there is not the same legal requirement to have a data sharing agreement in place as between a data controller and a data processor (see Q&A 38). However, it is best practice to enter into a data sharing agreement with the other data controller as it can help you to demonstrate that you are complying with your obligations, and it is recommended by the ICO's Data Sharing Code of Practice (see Q&A 43). Your agreement should make it very clear whether you will be processing the shared data as joint controllers, or as separate and independent controllers (see Q&A 43).

If you are entering into a data sharing agreement, the ICO recommends that you include the following information:

  1. the purpose of your data sharing (eg your specific aims and why sharing the data is necessary for those to be achieved);

  2. your lawful basis for sharing (see Q&A 1 for guidance about the lawful bases available to you). Note that the ICO's Code advises that if consent is being relied upon for your data sharing, then your agreement should provide a model consent form used to obtain that consent;

  3. who will be involved in the data sharing (including contact details for each organisation's DPO or other individual responsible for data protection);

  4. the types of data being shared, including whether any special category data will be shared;

  5. how requests from individuals in relation to their data will be dealt with, including a confirmation that all controllers remain responsible for compliance with their duties under data protection law at all times (note that if you will be acting as joint controllers rather than separate and independent controllers, the situation may be different; see below); and

  6. provisions about information governance (eg for ensuring the accuracy of shared data and rules about how long the data will be kept for and what security measures will be put in place).

It might also be appropriate for you to consider including indemnities whereby parties in breach of their contractual obligations compensate the other party for any losses it suffers as a result of the breach (see Q&A 48 for more information).

Remember that if you and the other data controller will be acting as joint controllers in respect of the personal data, then you are required to put in place a joint control arrangement (see Q&A 43). The ICO's Code suggests that entering into a data sharing agreement can help you to put in place your joint control arrangement. Your joint control arrangement should clearly set out that both parties are acting as joint data controllers in relation to the data that is being shared, and what your respective responsibilities are; for example, which party will be responsible for responding to data subject requests (see Q&A 50 for more information) and how liability will be divided between you in the event of a data breach (see Q&A 48). You may want to consider including in your data sharing agreement a mechanism for resolving disputes in relation to liability. A summary of your joint control arrangement must be made available to the individual whose data has been shared (eg through a joint privacy policy or joint terms and conditions – see Q&A 33 for more information about what should be included in your privacy policy).

You should review your data sharing agreements on a regular basis to ensure that they continue to properly reflect your data sharing activities.


Q45:What type of agreement do I need for data sharing within my group?

If you are a data controller that is part of a group, then you will generally be able to share personal data within your group as you will have a proper reason for doing so (see Q&A 5). This will be for internal administrative purposes, including the processing of clients' or employees' personal data. However, data protection laws still apply to intra-group transfers of personal data such as these and you will still need to fulfil your obligations, including the requirement to put in place written agreements where appropriate. Remember that if you are a data processor, you must only process personal data (which includes sharing with other organisations within your group) on the written instructions of the data controller unless you are required to do so by law (see Q&A 38 for more information).

Bear in mind that, prior to the end of the Brexit transition period, businesses sharing data with others in the EEA were able to identify a lead supervisory authority for that data processing, to avoid dealing with more than one supervisory authority. Now that the UK has left the EU, your business will need to deal with both the ICO and the local supervisory authority in the relevant country if your data processing affects individuals there. See Q&A 46 for more information. If you want to transfer personal data to a group company that is outside of the UK, there are additional issues to consider and safeguards that you must put into place. See Q&A 9 for further information.


Q46:How does Brexit affect which authority I deal with when sharing personal data within the EEA?

Prior to the end of the Brexit transition period, businesses carrying out cross-border data processing within the EEA were able to identify a lead supervisory authority for that data processing, to avoid dealing with more than one supervisory authority. Now that the UK has left the EU, your business will need to deal with both the ICO and the local supervisory authority in the relevant country if your data processing affects individuals there. However, if you will be carrying out cross-border data processing with more than one EEA country, you should review your business's structure and consider whether you will be able to have an alternative lead supervisory body in the EEA, which you need to deal with alongside the ICO from 1 January 2021. This will be the case if you have offices, branches or other establishments in the EEA. Alternatively, if you do not have an EEA establishment, you will now need to deal with both the ICO and the supervisory bodies for each EEA country in which you deal with personal data.

If your business is based in the UK and you have no branch, office or establishment in any EEA country, but you offer goods or services to individuals in the EEA, or monitor their behaviour, now that the Brexit transition period has ended, you will need to comply with the EU regime as well as the UK regime in relation to your use of that data. This means that unless your use of data is low risk (eg it is occasional or doesn't involve your business using or sharing any special category data), you will need to appoint a representative in the relevant EEA country. This representative will need to be authorised in writing to act on your behalf in relation to your compliance with the EU regime in the EEA, including dealing with any supervisory bodies or individuals. As most businesses are unlikely to require an EEA representative, detailed guidance is outside the scope of this service.


Q47:What happens if another business that I have shared data with breaches its data protection obligations?

If a business breaches its data protection obligations, there are several penalties that it could potentially face, including fines from the ICO, and paying compensation to the individual whose data the breach involved.

A data subject has rights against any business involved in processing their personal data if they suffer damage because that business has breached its obligations. The extent to which either business involved in sharing personal data will be liable to pay compensation to any individual involved will depend on whether they are a data controller or a data processor, what the cause of the breach was and what the provisions of the data processing or sharing agreement (if an agreement is in place) said.

If you are a data controller and a data breach has occurred, you may need to notify the ICO, and if you are a data processor you may have notification obligations to the data controller and/or the ICO.

Failure to notify either the ICO or the data subject(s) if required to do so can result in a significant fine of up to £8.7 million or 2% of your global turnover (whichever is higher). For more information about how to respond to data breaches see Obligations when a data breach occurs and Checklist for responding to a data breach for a summary of the steps you should take.

Note that now the Brexit transition period is over, you may need to inform both the ICO and the relevant supervisory bodies in the EEA (or the lead supervisory body in the EEA if you have one) if the data breach affects individuals in the EEA.

See Q&A 48 for liability of data controllers, and see Q&A 49 for liability of data processors.


Q48:Am I liable as a data controller if data has been shared and there has been a data breach?

If you are a data controller, you will be liable for all damage caused by data processing which breaks data protection law (even if you are acting as a joint controller in respect of that data, in which case you and the other data controller will both be jointly liable for the damage). This means that unless you can show that you are not in any way responsible for the breach, you will be fully liable for compensating the data subject(s) for any damage caused.

If the data controller or data processor with whom you have shared personal data is also responsible for the breach, you will both be liable, although the amount you are ordered to pay in compensation may be apportioned according to your level of responsibility. If one of you ends up fully compensating the data subject, that business can claim back relevant amounts from the other business involved.

As the data subject can apply for compensation from any party involved in the data sharing, for practical purposes you should ensure that your data processing or sharing agreement contains appropriate indemnities to contractually entitle you to claim back any compensation you have paid as a result of another party's breach (see Q&A 38 and following for more information).

See Q&A 49 for information on liability of data processors.


Q49:Am I liable as a data processor if data has been shared and there has been a data breach?

If you are a data processor, your liability will largely be set out in your data processing agreement with the data controller, and therefore you will be directly liable to the data controller for data breaches where you have breached the terms of that agreement. However, you also have some direct obligations to the individual involved (eg to ensure that any personal data you are processing is secure and to notify breaches to the data controller (see Obligations when a data breach occurs for more information and Checklist for responding to a data breach for a summary of steps you should take)). You will be liable to compensate the individual involved directly for any damage caused as a result of you breaching one of those obligations. It is also a criminal offence to knowingly or recklessly obtain or disclose personal data without the consent of the data controller (unless you are legally required to do so) and if you are found guilty, you could face an unlimited fine.

Importantly, if you have shared personal data with a sub-processor, and that sub-processor has breached its obligations (either by breaching its agreement with you or its own legal requirements), you will still remain directly liable to the data controller for any damage caused by that breach.

Where you and the data controller and/or the sub-processor (if applicable) are all responsible for the breach, you will all be liable to fully compensate the data subject unless you can show that you are not in any way responsible for the breach. If you are all liable, the amounts that you are each obliged to pay in compensation can be apportioned according to your respective responsibilities. If one of you ends up fully compensating the data subject, that business can claim back relevant amounts (proportionate to the levels of responsibility) from the other businesses.

As the data subject can apply for compensation from any party involved in the data sharing, for practical purposes, you should ensure that your data processing agreement and sub-processor agreement contain appropriate indemnities to contractually entitle you to claim back any damages you have paid as a result of another party's breach.

See Q&A 48 for liability of data controllers.


Q50:Who is responsible for responding to data subject requests when personal data has been shared?

If you are a data controller, individuals have numerous rights in relation to the personal data you hold about them (which remain whether or not you have shared that data), and they may make requests about the data at any time. Examples of such requests include that you provide them with copies of the personal data or that you rectify or delete data that you hold about them. If you are sharing personal data with other data controllers, to make it straightforward for individuals to exercise their rights, the ICO's Data Sharing Code of Practice recommends that you provide (in your privacy policy) a single point of contact for requests. However, bear in mind that individuals can still make their requests to whichever data controller they want to. See Data subject requests in general for more information about how to respond to such requests and Data subject request policy for a template policy you can use to prepare your staff for dealing with them.

If you are acting as a joint controller in respect of the personal data in question, you must ensure that your data sharing agreement sets out which business will be responsible for responding to data subject requests and ensure that this information is communicated to the data subject (see Q&A 44 for more information about how to do this).

A data controller must generally respond to such requests within one month; simply ignoring a request and failing to adequately reply can be an offence and lead to sanctions, penalties and significant fines. You must also take reasonable steps to inform any third parties with whom you have shared the personal data in question if the data has been either rectified or deleted in response to a data subject request. If you have shared the data widely, you will need to be satisfied that you have done all you reasonably can to inform others of the deletion of the personal data in question. This does not mean you have to incur disproportionate costs, but at the very least you should ensure you have taken steps to contact other organisations you have shared the data with. See Data subject requests in general for more information about this requirement, and Letter to party who has been supplied data to confirm its deletion and Letter to party who has been supplied with data to confirm its correction for template letters to notify another organisation about the rectification or deletion.

If you are a data processor, your legal obligations will be set out in your data processing agreement with the data controller, and you must assist the data controller insofar as possible, by using appropriate technical and organisational measures, to respond to any data subject requests. You must also respond to any requests from the data controller to rectify or delete personal data, ensuring that any such requests are communicated to your sub-processors where applicable. See Template data processing agreement for example data processing terms.

Bear in mind that following Brexit and now that the transition period is over, you may need to appoint a representative within the EEA to deal with data subject requests on your behalf. See Q&A 46 for further guidance.

Finally, the ICO's Data Sharing Code of Practice recommends that data controllers put in place procedures to deal with any complaints or queries about their data sharing practices, and that they use such feedback to inform their ongoing data sharing.