Corporate groups usually share data, including personal data. The sharing of personal data is regulated under UK and EU data protection law (ie the GDPR and the Data Protection Act 2018), and in many cases sharing will not be lawful without an appropriate framework in place. For SMEs, that framework will usually take the form of an intra-group data sharing agreement.
In this post, I identify the most important ingredients for those cooking up such an agreement in a small business context.
The contents and structure of an intra-group agreement ("IGA" henceforce) will depend primarily upon:
- the number of parties involved and the nature of their relationships;
- the legal character of the sharing (e.g. controller-to-controller, or controller-to-processor); and
- the extent to which the sharing involves international transfers, especially transfers of personal data from within the EEA to outside the EEA.
These points will affect which ingredients we use, and how we slice and dice those ingredients.
Ingredient 1: agreement and accession
A small and relatively static group of companies might execute an IGA in the normal way, with no special provision for accession. However, groups do change over time, and most groups will want to build in a mechanism to allow new companies that join the group to become parties to the IGA. One way to do this is to provide a form of accession agreement, which a company meeting the qualifying criteria (e.g. being a subsidiary of an existing party) may sign to become a contracting party. The lead party, or in some cases all the other parties, might also sign each accession agreement.
Ingredient 2: personal data identification
Where different categories of personal data may be transferred within the group, and those different categories will be subject to different rules, it will be especially important to identify the data in question. If transfers are made on a controller-to-processor basis, or if extra-EEA transfers are made under the standard contractual clauses, then data identification is mandatory.
Ingredient 3: personal data handling rules
The substantive provisions of an IGA may fall into the following categories.
First, where transfers are taking place on a controller-to-processor basis, clauses complying with Article 28 of the GDPR must be included in the contract. In summary, these give to the controller a wide range of rights with respect to personal data, to the detriment of the processor.
Second, where transfers are taking place on a controller-to-controller basis, the parties may wish to include contractual limits on recipient rights, and also allocate responsibilities for aspects of compliance. Although the GDPR does not require that all controller-to-controller transfers be subject to contractual rules, and does not specify the content of such rules, regulatory guidance suggests that such rules may be necessary in some cases to comply with the general principles of data protection law (e.g. this somewhat dated code of practice from the UK ICO, which us currently under review).
Third, where transfers are made from within the EEA to outside the EEA, then – unless another approved mechanism is available – the standard contractual clauses issued by the European Commission should be applied to the transfers. There are different flavours for controller-to-processor transfers and controller-to-controller transfers. NB The standard contractual clauses are outdated, and are not wholly consistent with new GDPR regime.
Ingredient 4: meta rules
If you are providing different sets of data handling rules, you will need to specify where and when each set applies. If you are or may be applying more than one set of data handling rules to a given category of data, you may also want to specify which rules take precedence.
Ingredient 5: allocation of liability
Consider whether to identify specific situations in which one party will be liable to another, and also restrictions and caps on such liability. Your liability clauses should be consistent with those provisions of the GDPR relating to the allocation of liability.
Ingredient 6: withdrawal and consequences
If a company leaves the group, it may need to withdraw from the IGA. For this reason, some kind of withdrawal mechanism, which does not lead to the termination of the IGA, is often included.
The difficult question here is: what happens to the shared data after termination? The type of sharing will affect the answer. For instance, data shared on a controller-to-processor basis will need to be deleted or returned under Article 28-compliant processing clauses. If data is supplied under the standard contractual clauses then those clauses will continue to apply, notwithstanding the termination of the IGA.
Whatever ingredients you use, the fact remains that most small businesses will find an IGA to be an unappetising, expensive and somewhat indigestible dish.
I suspect that very few SME groups have formal data sharing agreements in place - although I don't have any data to ground this suspicion - for the simple reason that in the past there has been little risk in failing to comply with the rules on the sharing of personal data within groups. Whether that changes under the new data protection regime remains to be seen. Whilst the potential penalties for non-compliance are harsher, the resources of the supervisory authorities are already stretched, and this kind of hidden compliance issue may not come to anyone's notice unless and until there is a serious data breach. Even then, the lack of a data sharing agreement may not be material.
One driver for the adoption of SME IGA's is demands by larger and more sophisticated customers for demonstrable compliance. In the typical situation, this sort of issue arises where a company is acting as a processor on behalf of another group company, particularly where the latter is within the EEA and the former is without.
If you would like help with a data sharing agreement, or indeed any other legal documentation, please do get in touch. We do not currently have a template intra-group data sharing agremeent, although see this two party data sharing agreement which shares some of the characteristics of an intra-group agreement.