Following up on an article we published this week about the importance of data processor contracts, what should you do if you are exchanging personal information with another company that is not a data processor? This situation, known as a ‘data controller to data controller’ relationship, is very common and is a question that we get asked all the time. There are many situations that require you to pass information on to another company that is not ‘processing information on your behalf’. Similarly, you could be receiving information from a company and not be processing this on behalf of the company. For example, you could be acquiring information from Facebook by allowing users to log on to your site with their Facebook account, or passing someone’s details on to a hotel because they won a competition for a free midweek break.
So what should you be considering here from a data protection perspective? In short, each data controller is responsible for compliance with the data protection acts. However, there are some areas that should be considered and understood.
Passing information to another data controller
Once we send the information to another data controller, we have very little say as to what they do with the data; however, we must consider reputational risk in this situation. While we can’t regulate data controllers ourselves, we can stipulate terms and conditions for providing the information in the first place. This would be considered best practice and is strongly recommended. Even if we have a legitimate reason for providing the information to another commercial data controller, we should look to put in place some general guidelines. Consider what would happen if the data was lost or misused by the other data controller: how would this affect your brand?
Receiving information from another data controller
In conclusion, while ‘data controller to data controller’ relationships do not require data processor contracts to be in place, there are several issues, some of which are covered here, that must be considered in order to protect your customers and your company’s reputation.