What is data sharing?

Data sharing is when an organisation discloses personal data (like names and addresses) to another organisation (ie a third party). This applies whether you're hiring a payroll provider, using a cloud storage service, or engaging a marketing agency.

This sharing can be a one-off disclosure (eg providing information to a solicitor) or a routine, systematic arrangement (eg using a separate company to manage your payroll). It also includes sharing data between different parts of your own organisation or group.

What are the different types of data sharing?

Under the UK General Data Protection Regulation (UK GDPR), the type of sharing arrangement you have determines your legal responsibilities. It's crucial to understand your role before you share any data. There are three main types of relationships:

Controller to processor

This is the most common business relationship. It involves a data controller and a data processor. The:

  • data controller is the organisation (eg your business) that decides why and how personal data is processed (eg collected and stored)

  • data processor is the third-party organisation processing the data on behalf of the controller (eg your payroll provider)

This relationship must be covered by a Data processing agreement (DPA), which is the main focus of the rest of this guide. A DPA is used alongside a main Services agreement to ensure data protection law is followed.

Controller to controller

This is when you share data with another organisation (ie another data controller) that will use it for its own separate purposes. For example, sharing an employee's details with a pension provider, which then becomes the controller for that data.

Joint controllers

This is where you and another organisation jointly decide the 'why' and 'how' of processing data. For example, two companies co-hosting a marketing event and sharing responsibility for the attendee list.

For more details on controller-to-controller and joint controller relationships, read Data protection. If you need a data sharing agreement for these circumstances, use our Bespoke drafting service. This guide focuses on the rules for the controller-to-processor relationship.

When do I need a DPA?

You must have a written DPA in place whenever you (as a data controller) use a data processor to handle personal data for you. This is a key requirement of the UK GDPR and the Data Protection Act 2018.

Having a DPA isn't just a tick-box exercise. It's crucial for compliance and proves you've done your due diligence. It demonstrates that your chosen processor provides sufficient guarantees to protect the personal data it handles on your behalf. For example, if you hire a marketing company to manage your customer email list, you'll need a DPA with them.

[Infographic: a case study on when data processing agreements are needed]

What should a DPA cover?

A DPA must include specific details to comply with the UK GDPR. While our Data processing agreement covers the full legal requirements, key terms include:

  • details of the processing (eg what data is involved, why, and for how long)

  • the processor's obligation to only act on the controller's written instructions

  • a duty of confidentiality for anyone accessing the data

  • requirements for the processor to implement appropriate security measures (eg encryption)

  • rules on using other processors (known as 'sub-processors')

  • the processor's duty to help the controller with things like data subject access requests and reporting data breaches

  • what happens to the data (eg deletion or return) at the end of the contract

What about sharing data internationally?

Sharing personal data with third parties outside the UK (known as a 'restricted transfer') has extra rules. The UK GDPR prohibits these transfers unless you put specific safeguards in place to ensure the data remains protected to UK standards.

A DPA is still required, but it often needs to be supplemented. One common safeguard is using standard contractual clauses (SCCs). These are model data protection clauses approved for transferring data to 'third countries'. If you're using a service provider based in the US or India, for example, you'll likely need to incorporate SCCs or another safeguard into your DPA.

For more information, read Standard contractual clauses and International transfers of personal data.


If you need to put an agreement in place for sharing data, you can make a Data processing agreement. If you have any questions about your specific data sharing needs, do not hesitate to Ask a lawyer.


Written and reviewed by experts
This guide was created, edited, and reviewed by editorial staff who specialise in translating complex legal topics into plain language.

At Rocket Lawyer, we believe legal information should be both reliable and easy to understand—so you don't need a law degree to feel informed. We follow a rigorous editorial policy to ensure all our content is helpful, clear, and as accurate and up-to-date as possible.

About this page:

  • this guide was written and reviewed by Rocket Lawyer editorial staff
  • this guide was last reviewed or updated on 6 January 2026
