The GDPR does not prevent organisations from sharing personal data. There may be good reasons to share, including in emergencies and for law enforcement purposes, and the draft code recognises that data sharing can help organisations deliver modern, effective services that make people's lives easier. The ICO has also published a checklist for organisations that share data, covering both systematic sharing and one-off requests. In accordance with Articles 13 and 14 of the GDPR, you must tell the individuals concerned with whom you share their personal data (the recipients or categories of recipients). On 9 July 2019 the UK data protection authority, the Information Commissioner's Office (ICO), published an updated draft of its data sharing code of practice (first published in 2011) (the code). On the same day the ICO also announced its intention to fine Marriott International for infringing the General Data Protection Regulation (GDPR), underlining the importance of due diligence in data sharing. If you have already set your privacy settings to "high privacy" by default, the amount of data sharing that takes place should already be limited; in many circumstances children will need to actively change the default settings before their personal data is shared. A data sharing agreement is not in itself a defence against action under the GDPR or other laws, but the ICO will take it into account when it receives a complaint about data sharing. Consent may be necessary if the impact on individuals outweighs your own interests in sharing; if you have a good reason to share (and have properly balanced the competing interests), you can usually share without consent.
Sensitive (special category) data needs extra care, so explicit consent may be needed. On this point, it is good practice to have a data sharing agreement that defines (and limits as far as possible) the purpose of the sharing, i.e. restricts what the recipient may use the data for, clearly defines (and limits) the roles of the parties (independent controllers or recipients, or both), and sets out what will happen to the data at each stage. We (Eversheds Sutherland) would suggest being particularly clear about what happens to the data once the purpose has been achieved: should the recipient return a copy of the data, or is it simply deleted or destroyed? All of this contributes to accountability. The disclosing controller should take appropriate steps to ensure that the data is properly looked after … by the recipient organisation. This is much easier to do, in our experience, where the recipient is a professionally regulated organisation, and more difficult in, for example, an M&A scenario if you are the seller. This information is for guidance only and should not be treated as a substitute for legal advice.
The code also builds on the framework introduced by the Digital Economy Act 2017, which deals with data sharing in the public sector. Any default settings relating to data disclosure should state the purpose of the disclosure and with whom the data will be shared; settings that allow general or unlimited sharing are not compliant. It will be a statutory code once adopted (the ICO is required to prepare it under the Data Protection Act 2018), and if controllers do not comply with it they may find it harder to demonstrate that their data sharing is fair, lawful and accountable and that it complies with the GDPR and the DPA 2018. As the ICO puts it: "If you process personal data in breach of this code and this leads to a breach of the GDPR or the DPA, we can take action against you." Do not forget the role of the DPO (if you have one) in data sharing; the DPO should be closely involved. Examples of processing activities that require a DPIA and may be relevant to organisations sharing data