Free Word download • Edit online • Save & share with Drive • Export to PDF
A Data Sharing Agreement is a legally binding contract between two or more organizations that governs the terms under which specified data — including personal, proprietary, or confidential information — may be accessed, used, stored, and disclosed by a receiving party. It identifies the parties, defines precisely which data is being shared, restricts use to documented permitted purposes, mandates specific security controls, sets breach notification timelines, and establishes what must happen to the data when the arrangement ends. Unlike a general non-disclosure agreement, a data sharing agreement addresses the full lifecycle of data from transfer through deletion and is specifically designed to satisfy the obligations imposed by data protection law on both the disclosing and receiving organization.
Sharing data without a written agreement exposes your organization to regulatory liability, reputational damage, and commercial loss on multiple fronts simultaneously. Under GDPR, HIPAA, CCPA, and equivalent frameworks, regulators can impose substantial fines on the organization that shared data with a party that failed to protect it — regardless of who caused the breach. Without documented permitted purposes, a recipient can use your customer data to train a competing AI model, enrich a third-party database, or sell derived insights without your knowledge. Without a deletion obligation, data you shared for a 12-month analytics project may sit indefinitely on a vendor's servers, available to sub-processors you never approved. This template gives you a structured, enforceable starting point that closes those gaps, satisfies common regulatory audit requirements, and establishes a clear accountability framework between you and every party that touches your data.
| If your situation is… | Use this template |
|---|---|
| Sharing personal data with a vendor who processes it on your behalf | Data Processing Agreement |
| Transferring personal data from the EU to a non-adequate third country | Standard Contractual Clauses (SCCs) |
| Sharing confidential business information without a data-processing element | Non-Disclosure Agreement |
| Exchanging data as part of a broader commercial partnership | Partnership Agreement |
| Providing data access via API under defined commercial terms | API License Agreement |
| Sharing research data between two academic or nonprofit institutions | Research Collaboration Agreement |
| One-way data licensing arrangement with royalties or fees | Data License Agreement |
Why it matters: Data transferred before execution is unprotected by the contractual obligations. If a breach occurs during that window, the discloser has no contractual basis to claim indemnification or require remediation.
Fix: Make execution of the agreement a hard prerequisite for any data transfer. Build this as a checklist step into your vendor onboarding or partnership process.
Why it matters: Broad terms like 'analytics' or 'research' allow recipients to use data for purposes the discloser never intended — including training AI models, building competitive products, or selling insights to third parties.
Fix: Draft the permitted purpose at the level of a specific workflow or output. Include an explicit list of prohibited uses — re-identification, onward sale, profiling for advertising — so the boundaries are unambiguous.
Why it matters: Without a contractual notification window, a recipient may delay disclosing a breach for days or weeks — causing the discloser to miss its own 72-hour regulatory reporting obligation under GDPR and equivalent laws.
Fix: Set a contractual notification window of 72 hours or less, with a defined content checklist for the notification. Align this to the jurisdiction with the shortest regulatory deadline applicable to the arrangement.
Why it matters: A retention clause without a deletion certification is unverifiable. The discloser cannot demonstrate to regulators that data was destroyed, and cannot establish breach of contract if the data surfaces later in an unauthorized context.
Fix: Require the recipient to provide a written certificate of deletion — signed by an authorized officer — within 30 days of the retention period expiry or agreement termination.
Why it matters: Standard commercial liability caps (e.g., fees paid in the prior 12 months) are typically far too low to cover regulatory fines, class-action exposure, or reputational costs arising from a personal data breach.
Fix: Create a tiered liability structure: a standard cap for general commercial breaches and a higher or uncapped exposure for personal data breaches, fraud, and willful misconduct.
Why it matters: If the recipient is permitted to engage sub-processors without prior consent, the discloser loses visibility and control over where the data actually resides and who can access it.
Fix: Require the recipient to obtain written approval before engaging any sub-processor, and mandate that sub-processors are bound by contractual obligations at least as protective as the main agreement.
In plain language: Identifies the data disclosing party and the data receiving party by their full legal names, states the commercial context for the agreement, and defines key terms used throughout.
This Data Sharing Agreement ('Agreement') is entered into on [DATE] between [DISCLOSING PARTY LEGAL NAME], a [ENTITY TYPE] incorporated in [JURISDICTION] ('Discloser'), and [RECEIVING PARTY LEGAL NAME], a [ENTITY TYPE] incorporated in [JURISDICTION] ('Recipient').
Common mistake: Using trade names instead of registered legal entity names. If an enforcement action becomes necessary, proceedings against the wrong entity name create jurisdictional problems that delay or defeat the claim.
In plain language: Specifies exactly which data sets, categories, fields, or data types are covered — including format, volume, and the technical method of transfer.
The Discloser shall provide the Recipient with access to the following data: [DATA CATEGORIES / FIELDS] in [FORMAT], transferred via [METHOD — secure SFTP / API / encrypted email] on a [FREQUENCY — daily / monthly / one-time] basis.
Common mistake: Describing data too broadly with phrases like 'all customer data.' Overly broad scope exposes the discloser to liability for data the recipient never needed and creates disproportionate security obligations on both sides.
In plain language: States the specific purposes for which the recipient may use the data and explicitly prohibits all other uses, including sale, re-identification, and profiling.
Recipient shall use the Shared Data solely for [SPECIFIC PURPOSE] and shall not use the Shared Data for any other purpose, including but not limited to re-identification of individuals, sale or licensing to third parties, or training machine learning models, without the Discloser's prior written consent.
Common mistake: Listing permitted purposes at a high level of abstraction — e.g., 'research and analytics' — without defining what falls inside or outside those categories. Disputes almost always arise at the boundary of a vaguely drafted purpose clause.
In plain language: Requires the recipient to implement and maintain specific security controls proportionate to the sensitivity of the data, and to document those controls on request.
Recipient shall implement and maintain technical and organizational measures including, at minimum: [AES-256 encryption at rest and in transit], [role-based access controls limited to authorized personnel], [annual penetration testing], and [multi-factor authentication on all systems holding Shared Data].
Common mistake: Requiring 'industry-standard security' without specifying what that means. Vague security obligations are unenforceable and leave the discloser unable to audit compliance or establish a breach of contract.
In plain language: Prohibits the recipient from passing the data to any third party without written consent, and — if sub-processors are permitted — requires them to be bound by equivalent obligations.
Recipient shall not transfer, disclose, or make available any Shared Data to any third party without the prior written consent of the Discloser. Any approved sub-processor must execute a written agreement imposing obligations no less protective than those in this Agreement.
Common mistake: Allowing onward transfer to 'affiliates' without defining the term or requiring the affiliate to be bound by equivalent data obligations — creating an uncontrolled chain of data access.
In plain language: Sets the maximum timeframe within which the recipient must notify the discloser of a suspected or confirmed breach, the content of that notification, and the required containment and remediation steps.
Recipient shall notify Discloser of any actual or suspected Data Breach within [72] hours of becoming aware, providing: (a) description of the nature of the breach; (b) categories and approximate volume of affected data; (c) contact details of the Recipient's data protection officer or privacy lead; and (d) immediate remediation steps taken.
Common mistake: Setting a breach notification window longer than 72 hours. Under GDPR and many other frameworks, the data controller is required to notify its supervisory authority within 72 hours — a longer contractual window puts the discloser in breach of its own regulatory obligations.
In plain language: Requires the recipient to cooperate with the discloser in responding to data subject access requests, deletion requests, and other rights exercised under applicable privacy law within specified timeframes.
Recipient shall, within [5] business days of receiving a data subject request relating to Shared Data, notify Discloser and provide all reasonable cooperation and information necessary to enable Discloser to fulfill its obligations under applicable Data Protection Law.
Common mistake: Omitting this clause entirely on the assumption that data subject rights are the discloser's problem. Recipients holding personal data have independent obligations in many jurisdictions and can be subject to regulatory action regardless of the discloser's role.
In plain language: Specifies how long the recipient may hold the data, what happens to it at contract expiry or termination, and requires written certification of deletion.
Recipient shall retain Shared Data for no longer than [RETENTION PERIOD] from the date of receipt. Upon expiry or termination of this Agreement, Recipient shall, within [30] days, either return all Shared Data to Discloser in [FORMAT] or permanently delete it and provide written certification of deletion.
Common mistake: No deletion certification requirement. Without it, the discloser has no evidence that data was destroyed and cannot demonstrate compliance to regulators or demonstrate breach of contract if data is later misused.
In plain language: Allocates financial responsibility for losses arising from breach of the agreement, caps aggregate liability, and indemnifies the discloser against third-party claims caused by the recipient's misuse of data.
Recipient shall indemnify and hold harmless Discloser against any third-party claims, regulatory fines, or losses arising from Recipient's breach of this Agreement. Each party's aggregate liability shall not exceed [AMOUNT / the fees paid in the preceding 12 months], except in cases of willful misconduct or fraud.
Common mistake: Applying the same liability cap to data breach claims as to general commercial breaches. Regulatory fines under GDPR can reach €20M or 4% of global turnover — a cap equal to one year's contract fees provides no meaningful protection against catastrophic breach events.
In plain language: States which jurisdiction's law governs the contract, the notice period and grounds for termination, and confirms that the written agreement supersedes all prior discussions and representations.
This Agreement is governed by the laws of [JURISDICTION]. Either party may terminate on [30] days' written notice. Termination for material breach is effective immediately upon written notice if the breach is not remedied within [14] days. This Agreement constitutes the entire agreement between the parties regarding the Shared Data.
Common mistake: Choosing a governing law that differs from the jurisdiction where the data subjects reside. Privacy regulators apply the law of the data subjects' location regardless of the governing-law clause — creating a conflict between contractual rights and regulatory obligations.
Enter the registered legal name, entity type, and jurisdiction of incorporation for both the disclosing and receiving party. Include registered addresses and, where relevant, data protection officer contact details.
💡 Check the company registry of each party's jurisdiction to confirm the exact legal name — a mismatch between the contract and corporate records can create enforcement gaps.
List the specific data categories, fields, file formats, transfer method, and frequency. If personal data is included, identify whether it includes special-category data such as health, financial, or biometric information.
💡 Attach a data inventory table as Schedule A rather than embedding it in the body — this makes future amendments cleaner and avoids reopening the main agreement.
Write a purpose clause that is specific enough to exclude adjacent uses — for example, 'to perform fraud screening on transactions processed through [PLATFORM NAME]' rather than 'fraud prevention.' List all prohibited uses explicitly.
💡 For each permitted purpose, ask whether the data subject would reasonably expect their data to be used that way — if not, that purpose may require additional legal basis under GDPR or similar frameworks.
List the specific technical and organizational measures required — encryption standards, access control protocols, audit log retention periods, and penetration testing frequency. Avoid generic language like 'reasonable security.'
💡 Align security requirements to the sensitivity of the data: financial or health data typically warrants ISO 27001 compliance or SOC 2 Type II attestation as a contractual minimum.
Enter a notification window no longer than 72 hours for personal data breaches to align with GDPR and equivalent frameworks. Include the required content of the notification — nature of breach, data affected, and steps taken.
💡 Consider adding an obligation to provide a preliminary notification within 24 hours followed by a detailed report within 72 hours — this mirrors best practice under most supervisory authority guidance.
Enter the maximum duration the recipient may hold the data after the final transfer date. Specify the deletion standard (e.g., NIST 800-88 media sanitization) and require written certification within 30 days of deletion.
💡 Mirror the retention period to your own internal data retention schedule — inconsistent retention periods between discloser and recipient create regulatory exposure if the same data is held for different durations.
Agree on an aggregate liability cap that reflects the commercial value of the arrangement and the risk profile of the data. Carve out personal data breach and regulatory fine scenarios from the general cap if the data is high-sensitivity.
💡 For arrangements involving personal data, consider requiring the recipient to maintain cyber liability insurance at a specified minimum coverage level as an additional protection.
Both authorized signatories must sign the agreement — including any data processing addenda or schedules — before the first data transfer occurs. Retroactive agreements are difficult to enforce and signal poor data governance to regulators.
💡 Use a versioned amendment process for schedule updates rather than re-executing the full agreement each time the data set or purpose changes.
A data sharing agreement is a legally binding contract between two or more parties that sets out the terms under which specified data — often including personal, proprietary, or confidential information — may be accessed, used, stored, and disclosed. It defines the permitted purposes for the data, the security obligations each party must meet, restrictions on further sharing, breach notification requirements, and what happens to the data when the arrangement ends. Organizations use it to protect themselves legally, demonstrate regulatory compliance, and establish clear accountability between data partners.
You need one any time your organization shares structured data with an external party — including vendors, research partners, government agencies, affiliates, or joint-venture partners. It is especially important when the data includes personal information, proprietary business data, or commercially sensitive records. If you are subject to GDPR, HIPAA, CCPA, or similar frameworks, a written data sharing agreement is typically a regulatory requirement rather than merely a best practice.
A data sharing agreement governs an arrangement where one party provides data to another who will use it for their own purposes — both parties may act as independent data controllers. A data processing agreement (DPA) is used when a processor handles personal data strictly on behalf of and under the instructions of a controller — the processor has no independent right to use the data. Under GDPR, a DPA is mandatory for all controller-processor relationships; a data sharing agreement is used for controller-to-controller sharing.
Yes, if any of the shared data relates to individuals located in the European Economic Area, GDPR compliance is required regardless of where the parties are based. The agreement must identify the lawful basis for sharing, specify the purposes, include data subject rights procedures, address international transfer mechanisms if data leaves the EEA, and align retention periods to the principles of data minimization and storage limitation. Non-compliance can result in fines of up to €20M or 4% of global annual turnover.
At minimum, the agreement should specify encryption standards for data at rest and in transit, access control requirements limiting data to authorized personnel, audit logging obligations, incident response procedures, and any required certifications such as ISO 27001 or SOC 2 Type II. For highly sensitive data — health records, financial data, biometrics — consider requiring penetration testing on a defined schedule and mandatory breach insurance coverage. Vague requirements like "industry-standard security" are difficult to audit and harder to enforce.
Retention periods should be set to the minimum duration necessary for the permitted purpose — no longer. Typical ranges are 12–36 months for marketing or analytics data, aligned to regulatory minimums for financial records (typically 5–7 years), or aligned to research data management plans for academic datasets. The agreement should require deletion or return within 30 days of expiry and mandate written certification of deletion so the discloser can demonstrate compliance to regulators.
Yes. Most data sharing agreements include provisions for termination for convenience with a defined notice period — typically 30 to 90 days — and immediate termination for material breach, insolvency, or regulatory action. Upon termination, the agreement should trigger an obligation to return or delete data within a specified period. Allowing data to remain with the recipient after termination without a clear mechanism to retrieve or destroy it is one of the most common and consequential drafting gaps.
For straightforward arrangements between domestic parties involving non-sensitive data, a well-structured template reviewed by a privacy professional is often sufficient. Engage a lawyer when the arrangement involves personal data subject to GDPR, HIPAA, or CCPA; when data is being transferred internationally; when the data is commercially valuable or competitively sensitive; or when the counterparty is a large organization with significant negotiating leverage. A 2–3 hour privacy counsel review typically costs $500–$1,500 and is worthwhile for any arrangement involving personal data at scale.
The non-breaching party may terminate the agreement, demand return or deletion of all shared data, and pursue damages or indemnification for losses arising from the breach. If personal data was involved, the discloser may also face regulatory scrutiny for having shared data with a party that failed to protect it adequately — making the recipient's indemnification obligation a critical commercial protection. In serious cases involving unauthorized disclosure of personal data, regulatory fines and class-action exposure can far exceed the direct commercial value of the arrangement.
An NDA protects confidential information from unauthorized disclosure but does not govern how data is processed, stored, secured, or deleted. A data sharing agreement builds on confidentiality obligations and adds data-specific protections — permitted purpose, security controls, breach notification, and retention limits. Organizations sharing personal data need a data sharing agreement; an NDA alone does not satisfy regulatory requirements under GDPR or HIPAA.
A data processing agreement is used when one party processes personal data solely on the instructions of another — the processor has no independent right to use the data. A data sharing agreement is used when both parties use the data for their own purposes as independent controllers. Choosing the wrong instrument mischaracterizes the relationship and can result in regulatory non-compliance under GDPR Article 28.
A master service agreement governs the overall commercial relationship between a service provider and client, including payment, warranties, and liability. A data sharing agreement is a focused instrument addressing only data governance obligations. Where data sharing is one component of a broader commercial arrangement, a data sharing agreement or addendum should sit alongside — not be replaced by — the MSA.
A partnership agreement defines the business and financial terms of a joint venture or collaboration, including profit sharing, decision-making, and exit rights. It does not address the specific data governance obligations that arise when partners exchange personal or proprietary data. Organizations running data-intensive partnerships need both a partnership agreement and a standalone data sharing agreement.
Patient data sharing requires HIPAA Business Associate Agreement integration, de-identification standards under Safe Harbor or Expert Determination, and IRB approval references for research datasets.
Open banking and credit data sharing require alignment with PSD2 in Europe, GLBA in the US, and OSFI guidelines in Canada, with enhanced security controls for transaction-level data.
API-based data sharing arrangements require rate limits, data schema versioning, and sub-processor disclosure schedules that update dynamically as cloud infrastructure changes.
Inter-agency data sharing requires alignment with freedom of information legislation, public sector data governance frameworks, and — in the EU — the Data Governance Act requirements for re-use of public sector data.
Research data sharing agreements must address IRB and ethics board conditions, data management plan obligations under funder requirements (NIH, UKRI, Horizon Europe), and embargo periods before public release.
Customer behavioral data sharing with ad tech partners, loyalty program data exchanges, and supply-chain analytics integrations each require purpose limitation clauses tailored to CCPA opt-out and GDPR consent requirements.
The US has no single federal data privacy law equivalent to GDPR. Sector-specific laws apply: HIPAA for health data, GLBA for financial data, FERPA for education records, and COPPA for children's data. State-level privacy laws — including CCPA/CPRA in California, VCDPA in Virginia, and CPA in Colorado — impose additional obligations on data sharing arrangements involving residents of those states. Security breach notification laws exist in all 50 states with varying notification timelines, typically ranging from 30 to 90 days.
Canada's federal private sector privacy law, PIPEDA, is being replaced by Bill C-27 (Consumer Privacy Protection Act) as of the date of this review — organizations should monitor the legislative timeline. Quebec's Law 25 (Bill 64) imposes GDPR-like obligations including privacy impact assessments, 72-hour breach notification, and explicit data transfer agreements for cross-border sharing. Provincially regulated sectors in Alberta, British Columbia, and Quebec are subject to separate provincial privacy legislation.
Following Brexit, the UK operates under its own UK GDPR and Data Protection Act 2018, which are substantively similar to EU GDPR but enforced by the Information Commissioner's Office (ICO). The UK has issued its own adequacy decisions for a limited set of countries. Transfers from the UK to the EU remain lawful under a UK adequacy decision, but transfers from the EU to the UK require a separate legal basis. The ICO has published a specific Data Sharing Code of Practice that sets best-practice expectations for data sharing agreements.
GDPR is the primary framework governing data sharing in the EU, imposing obligations on any organization processing personal data of EU residents regardless of where the organization is based. Controller-to-controller sharing requires a documented lawful basis, a data sharing agreement addressing Articles 26 or 28 as applicable, and — for transfers outside the EEA — an approved transfer mechanism such as Standard Contractual Clauses or Binding Corporate Rules. The EU Data Governance Act (effective September 2023) introduces additional obligations for sharing non-personal public sector data and for data intermediaries.
| Path | Best for | Cost | Time |
|---|---|---|---|
| Use the template | Domestic data sharing arrangements between businesses involving non-sensitive proprietary data with a trusted partner | Free | 1–2 hours |
| Template + legal review | Arrangements involving personal data, cross-border transfers, or regulated industries such as healthcare and financial services | $500–$1,500 (privacy counsel review) | 3–5 business days |
| Custom drafted | High-volume or high-sensitivity data exchanges, international transfers requiring SCCs or BCRs, or arrangements with material commercial liability exposure | $2,000–$8,000+ | 2–4 weeks |
This document is one of 3,000+ business & legal templates included in Business in a Box.
Access over 3,000+ business and legal templates for any business task, project or initiative.
Customize your ready-made business document template and save it in the cloud.
Share your files and folders with your team. Create a space of seamless collaboration.
"Fantastic value! I'm not sure how I'd do without it. It's worth its weight in gold and paid back for itself many times."
"I have been using Business in a Box for years. It has been the most useful source of templates I have encountered. I recommend it to anyone."
"It has been a life saver so many times I have lost count. Business in a Box has saved me so much time and as you know, time is money."
Stop downloading documents. Start operating with clarity. Business in a Box gives you the Business Operating System used by over 250,000 companies worldwide to structure, run, and grow their business.
Start free · No credit card required
