
Data Controller To Data Controller Agreement Template for England and Wales


What is a Data Controller To Data Controller Agreement?

The Data Controller to Data Controller Agreement is essential when two organizations need to share personal data while maintaining independent control over their respective data processing activities. This agreement, governed by English and Welsh law, establishes clear protocols for data sharing, ensuring compliance with UK data protection legislation. It should be used whenever organizations plan to regularly share personal data, defining each party's obligations, security requirements, and procedures for handling data subject requests and breaches. The agreement is particularly crucial following Brexit, as it incorporates UK GDPR requirements and ICO guidance.

Frequently Asked Questions

Is a Data Controller To Data Controller Agreement legally binding in England and Wales?

Yes, a properly executed Data Controller To Data Controller Agreement is legally binding in England and Wales under contract law. The agreement creates enforceable obligations between parties and demonstrates compliance with UK GDPR Article 26 requirements for joint processing arrangements. Courts will enforce the terms provided the agreement meets basic contract formation requirements including offer, acceptance, and consideration.

Can I share personal data without a Data Controller To Data Controller Agreement?

Sharing personal data without a proper agreement risks serious UK GDPR violations and ICO enforcement action. While not every data sharing scenario requires a formal written agreement, Article 26 mandates clear arrangements between controllers that define responsibilities and ensure data subject rights protection. Missing or inadequate agreements can result in regulatory fines and legal liability for data breaches.

How does this differ from a Data Processor Agreement under UK law?

A Data Controller Agreement governs relationships between independent controllers who determine their own processing purposes, while a Data Processor Agreement covers situations where one party processes data solely on behalf of another controller. Under UK GDPR, controllers maintain separate legal responsibilities and liability, whereas processors act under the controller's instructions and have more limited obligations.

How long does it typically take to negotiate a Data Controller To Data Controller Agreement?

Simple agreements using standard templates can be completed within 1-2 weeks, while complex multi-party arrangements may take 2-3 months to negotiate. Timeline depends on factors including data sensitivity, international transfers, technical security requirements, and each organization's legal review processes. Early engagement between legal and data protection teams accelerates the process.

Must Data Controller Agreements specify retention periods under England and Wales law?

Yes, UK GDPR requires controllers to establish clear data retention schedules that comply with the storage limitation principle. The agreement must specify how long each party will retain shared personal data and deletion procedures. This ensures compliance with Article 5(1)(e) and helps demonstrate accountability to the ICO during audits or investigations.

Can Data Controller Agreements cover international data transfers from the UK?

Yes, but additional UK GDPR Chapter V safeguards are required for transfers outside the UK to ensure adequate protection. The agreement must include appropriate transfer mechanisms such as adequacy decisions, Standard Contractual Clauses, or approved certification schemes. Post-Brexit UK data transfer rules differ from EU requirements and must be carefully considered.

Which common mistakes invalidate Data Controller To Data Controller Agreements?

Frequent errors include failing to identify a lawful basis for processing, unclear allocation of data subject rights responsibilities, and inadequate security measures. Other mistakes include missing breach notification procedures, failing to conduct Data Protection Impact Assessments where required, and not updating agreements when processing purposes change. These oversights can lead to ICO enforcement action and contract disputes.

Reviewed by

Legal Engineer, GenieAI

A lawyer, legal researcher and legal tech founder, Swetha has built AI products deployed inside Tier 1 firms and enterprises. She ensures GenieAI's alignment with the latest regulation and executes testing on the legal robustness of Genie output.

Reviewed by

Legal Engineer, GenieAI

A Skadden-trained M&A lawyer, Imad advised on cross-border transactions and contractual risk before moving into legal AI. He reviews GenieAI's output for compliance and enforceability across our 150+ supported jurisdictions, as well as facilitating external benchmarking.

Jurisdiction

England and Wales

Publisher

GenieAI

Sector

Business

Cost

Free to use

Last updated

About the Data Controller To Data Controller Agreement

When your organization needs to share personal data with another company while both parties maintain independent control over their data processing activities, you need a Data Controller To Data Controller Agreement. This specialized contract ensures compliance with UK data protection laws while establishing clear boundaries and responsibilities for each organization involved in the data sharing arrangement.

When do you need this document?

You should use this agreement whenever your organization plans to regularly share personal data with another independent data controller. This includes situations such as joint marketing initiatives between companies, sharing customer information for enhanced services, business partnerships requiring customer data exchange, or collaborative research projects involving personal information. The agreement is also essential when outsourcing specific functions while retaining joint control over certain data processing activities, or when establishing data sharing relationships with suppliers, distributors, or other business partners who will process shared data for their own purposes.

Key legal considerations

The agreement must clearly define the purpose and scope of data sharing, ensuring both parties have a lawful basis for processing under UK GDPR. You need to specify which data protection principles apply, including data minimization, accuracy, storage limitation, and accountability requirements. Security measures are crucial – the document should outline technical and organizational safeguards that both parties must implement to protect shared personal data. The agreement must address how data subject rights will be handled, including access requests, rectification, erasure, and portability rights. Breach notification procedures are essential, defining how quickly and through what channels each party must inform the other of security incidents. You should also include clear data retention periods, deletion procedures, and termination clauses that specify what happens to shared data when the agreement ends.

Legal requirements in England and Wales

Under English and Welsh law, this agreement must comply with UK GDPR requirements, which diverged from EU GDPR following Brexit. The Data Protection Act 2018 provides additional context for UK-specific obligations that may not be covered in the EU framework. Both parties must ensure they have appropriate lawful bases for processing, which may include legitimate interests, contract performance, or consent depending on the data sharing purpose. The agreement should reference ICO guidance and codes of practice, particularly those relating to data sharing and joint controllers. You must consider the territorial scope of UK GDPR and ensure appropriate safeguards are in place if data will be transferred outside the UK. The document should also address compliance with PECR 2003 if electronic communications or marketing activities are involved. Regular reviews and updates may be necessary to maintain compliance with evolving UK data protection requirements and ICO guidance.

GOVERNING LAW

Applicable law

This Data Controller To Data Controller Agreement is drafted to comply with England and Wales law. Key legislation includes:
