Data exchange agreements are formal contracts detailing the data disclosed and the data used for the data. (a) personal data is only processed on documented instructions from the person in charge of the processing, including the transfer of personal data to a third country or international organisation, unless required by EU law or by the law of the Member States to which the subcontractor is subject; in this case, the subcontractor informs the person in charge of the processing of this legal requirement prior to processing, unless that law prohibits this information for important public interest reasons; Is common use between unrelated parties or between related companies? So when will a contract be required in these other cases? Generally speaking, the more risk an agreement carries, the more reason there is to enter into a contract. From a data protection perspective, the specific risks that are relevant are those that affect the individuals involved and not the organizations that are exchanging. Factors that may be relevant to the risk are: the treatment by a subcontractor is subject to a contract or other legal act under EU or Member State law, which is mandatory for the subcontractor with regard to the person responsible for the treatment and which is concerned with the purpose and duration of the treatment. , the nature and purpose of the treatment, the nature of the personal data and the categories of people involved, as well as the obligations and rights of the person in charge of the treatment. 2 This contract or any other legal act includes the subcontractor: Below is a list of items that are usually found in a data exchange agreement. While this list may cover the databases, additional concerns may be relevant to a data set or supplier agency. (e) taking into account the nature of the treatment, assisting the person in charge of the processing by appropriate technical and organisational measures in accordance with the obligation of the person in charge to respond to requests for the exercise of the rights of the person concerned, in accordance with Chapter III; It is important to recognize that the process of establishing data exchange agreements between countries, as well as the nature of the data that is shared and the agencies that share the data together, are different. Confidentiality and disclaimers: there must be a disclaimer covering the accuracy of the data, as well as a description of the data and the corresponding metadata. In addition, a declaration regarding the disclosure of information to third parties is required. This is necessary because a non-federal authority may not be able to protect USGS information from disclosure, and vice versa, because USGS may be forced to disclose information as part of a foia request if no waiver applies. I am writing a paper on data sharing, and it is a very useful summary of all the considerations to consider.
Before thinking about another aspect of a data exchange agreement, you should define the role of the party making the transfer: is it a manager or a subcontractor with respect to shared personal data? The above categorization is not exhaustive.