Step 4 of 11

Data Sharing & Third Parties

Document who you share data with and why.

Types of Third Parties

Identify all parties who receive personal data from you:

Service Providers (Processors)

Companies that process data on your behalf under your instructions.

Hosting providersPayment processorsEmail servicesAnalytics toolsCRM systems

Business Partners

Partners with whom you share data for joint services or marketing.

Integration partnersResellersAffiliate networksCo-branded services

Professional Advisors

Experts who need access to data for professional services.

Legal counselAccountantsAuditorsConsultants

Authorities

Government bodies and regulators when legally required.

Tax authoritiesLaw enforcementRegulatorsCourts

International Data Transfers

If you transfer data outside your region (e.g., EU to US), specify:

Transfer Destinations

Countries where data is sent

Transfer Mechanisms

Legal basis for transfers (e.g., SCCs, adequacy decisions)

Safeguards

Protections for transferred data

Recipients

Categories of recipients in each location

💡 Common Transfer Mechanisms

  • • Adequacy Decisions: Countries the EU considers "adequate"
  • • Standard Contractual Clauses (SCCs): EU-approved contract terms
  • • Binding Corporate Rules: For intra-group transfers

Documenting Third Parties

For each third party, document:

Name/category of recipient
Purpose of sharing
Types of data shared
Location (country)
Transfer safeguards (if outside region)
Data Processing Agreement status

Data Processing Agreements

Ensure you have Data Processing Agreements (DPAs) with all processors. These contracts are legally required under DPDPA and establish the processor's obligations regarding your data.

Previous
Legal Basis
Next
User Rights