Exchanging information with a company that is not a data processor? Posted by John on 03 September 2015

Following up on an article we published this week about the importance of data processor contracts, what should you do if you are exchanging personal information with another company that is not a data processor? This situation, known as a ‘data controller to data controller’ relationship, is very common, and it is a question we get asked all the time. There are many situations that require you to pass information on to another company that is not ‘processing information on your behalf’. Similarly, you could be receiving information from a company without processing it on that company’s behalf. For example, you could be acquiring information from Facebook by allowing users to log on to your site with their Facebook account, or passing someone’s details on to a hotel because they won a competition for a free midweek break.

So what should you be considering here from a data protection perspective? In short, each data controller is responsible for compliance with the data protection acts. However, there are some areas that should be considered and understood.

Passing information to another data controller

If you are passing information on to another data controller, then this processing should be covered in your privacy policy. Depending on what the processing is and who you are sending the information to, you would likely need to provide fair notice to the data subject and be satisfied that you have a legitimate reason for providing this information in the first place.
Once we send the information to another data controller, we have very little say over what they do with the data; however, we must consider the reputational risk in this situation. While we cannot regulate other data controllers ourselves, we can stipulate terms and conditions for providing the information in the first place. This would be considered best practice and is strongly recommended. Even if we have a legitimate reason for providing the information to another commercial data controller, we should look to put some general guidelines in place. Consider what would happen if the data were lost or misused by the other data controller: how would this affect your brand?

Receiving information from another data controller

Similar to the above, the data controller providing you with the information will likely stipulate some conditions themselves. This should be expected; however, the onus is on you to comply with the data protection acts yourself. Fair notice should be provided to data subjects so that they fully understand what information you hold about them and where you obtained it. Furthermore, if you are merging this data with other sources of data, then this processing should also be covered in your privacy policy.
In conclusion, while ‘data controller to data controller’ relationships do not require a data processor contract to be in place, there are several issues, some of which are covered here, that must be considered in order to protect your customers and your company’s reputation.