While many of the data exchange rules are a shift from previous provisions of the Data Protection Directive, I expect that the volume of formal data exchange agreements will increase significantly now that the RGPD is in force. I am writing a paper on data sharing, and it is a very useful summary of all the considerations to consider. (b) ensures that persons authorized to process personal data are committed to confidentiality or are subject to an appropriate legal obligation of confidentiality; The following links contain instructions on what information should be included in a contract or data-sharing agreement. Is common use between unrelated parties or between related companies? Does the transfer involve specific categories of personal data or criminal conviction data? Sharing is an act of treatment and a legal basis is necessary for all acts of transformation. The usual rules apply. In other words, you may need consent, a legitimate interest, a relevant contractual obligation, etc. A key element of the RGPD is the “right to information,” which includes the requirement for organizations to provide “fair processing information,” usually provided by a data protection statement. It also emphasizes transparency in the use of personal data and you should inform people if their information is being passed on to other organizations. The ICO has also published a checklist for organisations that use data exchanges covering both systematic authorizations and one-off requests: the General Data Protection Regulation (GDPR) does not introduce new requirements of the Data Protection Act (DPA). However, the financial and reputational consequences of data non-compliance have increased significantly and the RGPD is firmly responsible for any abuse/loss of data on the university (as data manager). The university also needs a clear record of all data exchange agreements in the event that a person chooses to use some of his new rights under the RGPD, such as the “right to be forgotten.” What about the legal basis for transferring personal data to an independent official? When is that possible? I am thinking, for example, of social networks that share user data with other controllers to increase advertising revenues.