Controller To Controller Agreement GDPR Template for the Netherlands
What is a Controller To Controller Agreement GDPR?
The Controller to Controller Agreement GDPR is essential when two organizations, acting as independent data controllers, need to share personal data while maintaining GDPR compliance. This agreement is particularly relevant under Dutch jurisdiction and EU data protection law when both parties determine their own purposes and means of processing personal data. It should be used whenever there is systematic sharing of personal data between independent controllers, whether for business partnerships, service delivery, or collaborative projects. The agreement ensures clear allocation of responsibilities, establishes procedures for maintaining data subject rights, and includes necessary safeguards for data protection. It is designed to meet requirements of both the GDPR and Dutch national data protection laws, providing a robust framework for lawful data sharing activities.
Frequently Asked Questions
Is a Controller To Controller Agreement legally binding in the Netherlands?
Yes, a Controller To Controller Agreement is legally binding in the Netherlands under both the Dutch GDPR Implementation Act (UAVG) and EU GDPR Article 26. When two organizations act as joint controllers or share personal data as separate controllers, this agreement creates enforceable legal obligations regarding data protection compliance, liability allocation, and data subject rights.
Can Dutch data protection authorities fine my company if I don't have a Controller To Controller Agreement?
Yes, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) can impose substantial fines for operating without a required Controller To Controller Agreement. Under GDPR Article 83, fines can reach €20 million or 4% of annual global turnover, whichever is higher. The agreement is mandatory when organizations share personal data as separate controllers.
How long does it take to create a Controller To Controller Agreement in Netherlands?
Creating a comprehensive Controller To Controller Agreement typically takes 2-4 weeks in the Netherlands. This includes identifying data flows, conducting a joint Data Protection Impact Assessment if required, negotiating liability terms, and ensuring compliance with both GDPR and Dutch UAVG requirements. Complex data sharing arrangements may require additional time for legal review.
How is a Controller To Controller Agreement different from a Data Processing Agreement in Netherlands?
A Controller To Controller Agreement is used when two organizations independently determine purposes and means of processing personal data, while a Data Processing Agreement applies when one organization (processor) processes data on behalf of another (controller). The Controller To Controller Agreement involves shared responsibility and joint liability, whereas a Data Processing Agreement creates a hierarchical relationship with the controller maintaining primary responsibility.
Can I share personal data with other companies in Netherlands without a Controller To Controller Agreement?
No, sharing personal data between organizations in the Netherlands without a proper Controller To Controller Agreement violates both GDPR Article 26 and Dutch UAVG requirements. Each organization must have a valid legal basis for processing, and the agreement must specify respective responsibilities, liability allocation, and procedures for handling data subject requests.
Which Dutch laws must my Controller To Controller Agreement comply with?
Your Controller To Controller Agreement must comply with the EU GDPR (Regulation 2016/679), the Dutch GDPR Implementation Act (UAVG), and relevant provisions of the Dutch Civil Code regarding contract law. The agreement must also consider sector-specific regulations if applicable, such as healthcare data protection laws or financial services regulations.
What are the most common mistakes companies make with Controller To Controller Agreements in Netherlands?
The most common mistakes include failing to clearly define each party's role and responsibilities, inadequate liability allocation clauses, missing procedures for handling data subject requests, and insufficient security measures specifications. Many companies also fail to conduct required Data Protection Impact Assessments or neglect to update agreements when data processing activities change.
About the Controller To Controller Agreement GDPR
When two organizations need to share personal data while maintaining their independence as data controllers, you need a Controller To Controller Agreement GDPR. This legally binding contract ensures compliance with European data protection law while establishing clear responsibilities between parties who each determine their own purposes and means of processing personal data.
When do you need this document?
You require this agreement whenever your organization shares personal data with another independent controller. This includes business partnerships where both companies use shared customer data for their own purposes, joint marketing initiatives involving multiple brands, research collaborations between universities or companies, and service arrangements where both parties process personal data independently. The agreement is also essential when establishing data sharing relationships with international partners, suppliers who maintain their own customer databases, or consortium arrangements involving multiple data controllers. Without this agreement, you risk GDPR violations and potential fines for unlawful data sharing.
Key legal considerations
Your agreement must clearly define each party's role as an independent data controller and specify the categories of personal data being shared. You need to establish the lawful basis for processing under Article 6 GDPR, whether consent, legitimate interests, or contract performance. The agreement should detail how you'll handle data subject requests, including procedures for responding to access, rectification, and deletion requests. You must include provisions for data breach notification, specifying timelines and responsibilities for reporting incidents to supervisory authorities and affected individuals. Security measures and technical safeguards require detailed specification, along with procedures for international data transfers if applicable. The agreement should address liability allocation, indemnification clauses, and termination procedures including data return or destruction requirements.
Legal requirements in Netherlands
Under Dutch law, your Controller To Controller Agreement must comply with both GDPR and the Dutch GDPR Implementation Act (UAVG). You must ensure the agreement satisfies Dutch Civil Code contract law requirements, particularly regarding formation, validity, and enforceability. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) expects clear documentation of your data sharing arrangements, including impact assessments where high-risk processing occurs. You need to consider Dutch sector-specific regulations, such as healthcare privacy laws or financial services requirements, that may impose additional obligations. The agreement should specify Netherlands jurisdiction for dispute resolution and reference applicable Dutch procedural requirements. You must also ensure compliance with Dutch employment law if employee data is involved, and consider telecommunications regulations if processing involves electronic communications data.
GOVERNING LAW
Applicable law
This Controller To Controller Agreement GDPR is drafted to comply with Netherlands law. Key legislation includes: