---
name: dpa-en-controller-tmpl
description: "English language Controller-to-Controller data sharing agreement template used between two independent controllers exchanging personal data under the GDPR. Used when neither Article 26 nor Article 28 GDPR applies but the parties want a contractual data sharing framework. Output: complete English..."
---

# Data Sharing Agreement – English Template Controller / Controller

## Purpose

Template for a controller-to-controller (C2C) data sharing agreement where two independent controllers exchange personal data without becoming joint controllers under Article 26 GDPR.

Purpose (DE): Model template for an English-language data transfer agreement between two separate controllers without joint controllership.

## When this module helps

- Two organisations transfer personal data and each pursues its own purpose with its own lawful basis.
- The relationship is neither processing on behalf (Article 28 GDPR) nor joint controllership (Article 26 GDPR).
- A robust written framework is required for transparency, security and breach notification.
- Where data flows out of the EEA, the C2C module of the EU SCC (Decision (EU) 2021/914, Module One) must be paired with this agreement.

## Legal framework

- Article 4 (7) GDPR – Controller definition.
- Article 6 GDPR – Lawful bases.
- Articles 13/14 GDPR – Information duties.
- Article 32 GDPR – Security.
- Articles 33-34 GDPR – Breach notification.
- Articles 44-49 GDPR – International transfers.
- Decision (EU) 2021/914, Module One (Controller-to-Controller) for transfers outside the EEA.
- CJEU C-25/17 (Jehovah's Witnesses), C-498/16 (Wirtschaftsakademie / Fanpages), C-40/17 (Fashion ID) – verified case numbers for boundary lines with joint controllership.

## Procedure / Checklist

1. Confirm that each party processes for an independent purpose with an independent lawful basis – otherwise Article 26 GDPR applies.
2. Map data flows and document categories of data and data subjects.
3. Allocate Article 13/14 GDPR information duties (each party for its own data subjects).
4. Define security baseline (independent TOM per party).
5. Define breach notification flow between the parties (which party informs the supervisory authority).
6. Address transfers outside the EEA via Module One SCC (Decision (EU) 2021/914).
7. Sign in two counterparts.

## Template

```
CONTROLLER-TO-CONTROLLER DATA SHARING AGREEMENT

This Controller-to-Controller Data Sharing Agreement ("Agreement") is
entered into between:

(1) [Party A Legal Name], a company organised under the laws of
    [jurisdiction], ("Party A"); and

(2) [Party B Legal Name], a company organised under the laws of
    [jurisdiction], ("Party B").

Recital A. The Parties wish to share personal data within the meaning of
Article 4 (1) GDPR for the purposes described in Annex I.

Recital B. Each Party determines independently the purposes and means of
its own processing and acts as a separate controller within the meaning
of Article 4 (7) GDPR. This Agreement does not establish joint
controllership under Article 26 GDPR.

1. SCOPE

1.1 The Parties shall share the categories of personal data described in
Annex I for the purposes and on the lawful bases set out therein.

2. INDEPENDENT CONTROLLERSHIP

2.1 Each Party shall act as an independent controller and shall comply
with the GDPR in its own right.

2.2 Each Party is solely responsible for identifying and documenting the
lawful basis under Article 6 GDPR and, where applicable, Article 9 GDPR.

3. INFORMATION DUTIES (Art. 13 / 14 GDPR)

3.1 Each Party shall provide its own data subjects with the information
required under Articles 13 and 14 GDPR, including the disclosure of
personal data to the other Party as a recipient.

4. SECURITY (Art. 32 GDPR)

4.1 Each Party shall implement appropriate technical and organisational
measures in accordance with Article 32 GDPR. The minimum baseline is set
out in Annex II.

5. PERSONAL DATA BREACH (Art. 33 / 34 GDPR)

5.1 The Party that becomes aware of a personal data breach affecting the
shared data shall notify the other Party without undue delay and in any
event within twenty-four (24) hours after becoming aware of the breach.

5.2 Each Party shall be responsible for its own notification to the
competent supervisory authority under Article 33 GDPR and to data
subjects under Article 34 GDPR.

6. DATA SUBJECT REQUESTS

6.1 Each Party shall handle requests from its own data subjects under
Articles 15 to 22 GDPR. The Parties shall cooperate where a request
relates to shared data.

7. INTERNATIONAL TRANSFERS

7.1 Where personal data is transferred outside the EEA, the Parties shall
execute Module One (Controller-to-Controller) of the EU Standard
Contractual Clauses adopted by Decision (EU) 2021/914 of 04 June 2021,
and conduct a transfer impact assessment in accordance with EDPB
Recommendations 01/2020.

8. SUBSEQUENT TRANSFERS

8.1 A Party shall not transfer the shared personal data onward to any
third party other than its own processors (Article 28 GDPR) without the
prior written consent of the other Party, except where such transfer is
required by law.

9. AUDIT

9.1 Each Party may, on reasonable prior notice, request evidence of the
other Party's compliance with this Agreement.

10. LIABILITY

10.1 Each Party shall be liable for its own infringements of the GDPR in
accordance with Article 82 GDPR.

11. TERM AND TERMINATION

11.1 This Agreement enters into force on the date of last signature and
remains in force until terminated by either Party with [number] months'
written notice or where required by applicable data protection law.

12. GOVERNING LAW AND JURISDICTION

12.1 This Agreement shall be governed by the laws of [jurisdiction]. The
courts of [court venue] shall have exclusive jurisdiction.

Annex I    Description of Data Sharing (purposes, lawful basis,
           categories, retention)
Annex II   Minimum Security Baseline

Signed on behalf of Party A:          Signed on behalf of Party B:

__________________________________    __________________________________
Name:                                 Name:
Title:                                Title:
Date:                                 Date:
```

## Typical drafting errors

- C2C agreement used where the reality is joint controllership (Article 26 GDPR) – the legal label does not change the underlying assessment.
- No documentation of each party's independent lawful basis.
- Information duties (Article 13/14 GDPR) not allocated.
- Cross-border transfers without Module One SCC.
- Breach notification only one-way.
- Onward transfer not addressed.

## Sources

As of 06/2026

- GDPR Articles 4, 6, 13, 14, 26, 28, 32, 33, 34, 44 to 49, 82.
- Decision (EU) 2021/914 of 04 June 2021, OJ L 199/31, Module One.
- EDPB Recommendations 01/2020 on transfer impact assessment (Version 2.0, June 2021).
- CJEU C-25/17, C-498/16, C-40/17 – verified case numbers; check full text via curia.europa.eu before citation.
- Citation rules: `../../../references/zitierweise.md`.