Data Controller To Data Controller Agreement Template for the United States

Generate a bespoke document

Trusted by 200k+ teams

4.7 Capterra
4.8 Product Hunt
4.6 Trustpilot

What is a Data Controller To Data Controller Agreement?

The Data Controller to Data Controller Agreement is essential when two organizations need to share personal data while maintaining independent control over the processing of that data. This agreement type is particularly relevant under U.S. privacy law frameworks, where organizations must establish clear responsibilities and compliance mechanisms for data sharing. The agreement covers crucial aspects such as security measures, breach notification procedures, and compliance with both federal regulations and state privacy laws like CCPA/CPRA. It's particularly important when sharing regulated data types or operating in jurisdictions with specific privacy requirements.

Reviewed by

Swetha Meenal

Legal Engineer, GenieAI

Swetha Meenal profile photo

A lawyer, legal researcher and legal tech founder, Swetha has built AI products deployed inside Tier 1 firms and enterprises. She ensures GenieAI's alignment with the latest regulation and executes testing on the legal robustness of Genie output.

Reviewed by

Imad Mohammed Nazar

Legal Engineer, GenieAI

Imad Mohammed Nazar profile photo

A Skadden-trained M&A lawyer, Imad advised on cross-border transactions and contractual risk before moving into legal AI. He reviews GenieAI's output for compliance and enforceability across our 150+ supported jurisdictions, as well as facilitating external benchmarking.

Jurisdiction

United States

Publisher

GenieAI

Sector

Business

Cost

Free to use

Last updated

About the Data Controller To Data Controller Agreement

When your organization needs to share personal data with another company while both maintain independent control over data processing, you need a Data Controller To Data Controller Agreement. This legal document establishes clear responsibilities, compliance obligations, and data protection requirements under United States privacy law frameworks.

When do you need this document?

You'll need this agreement when partnering with another organization for joint marketing campaigns, sharing customer databases for business analytics, or collaborating on research projects involving personal information. Healthcare providers frequently use these agreements when sharing patient data for treatment coordination while maintaining separate HIPAA compliance obligations. Financial institutions require them when sharing consumer credit information under GLBA requirements, and educational institutions use them when sharing student records under FERPA guidelines. Technology companies often need these agreements when integrating platforms or sharing user data for enhanced service delivery.

Key legal considerations

Your agreement must clearly define each party's role as an independent data controller, specify the types of personal data being shared, and establish the lawful basis for processing under applicable federal and state laws. Include detailed security safeguards that meet or exceed industry standards, particularly for regulated data types like healthcare information or financial records. Address breach notification procedures that comply with both federal requirements and state laws, including specific timelines and notification methods. Establish data retention and deletion schedules, and include provisions for data subject rights requests, ensuring both parties can respond appropriately to individual privacy requests. Consider including indemnification clauses to protect against privacy violations and specify dispute resolution mechanisms.

Legal requirements in United States

Under the FTC Act Section 5, your data sharing practices must not constitute unfair or deceptive acts, requiring transparent disclosure of data sharing purposes and adequate security measures. If handling healthcare data, ensure HIPAA compliance through appropriate Business Associate Agreements or covered entity arrangements. For financial data, comply with GLBA's safeguarding requirements and privacy notice obligations. Educational records require FERPA compliance, including proper consent mechanisms and directory information handling. State privacy laws like the California Consumer Privacy Act (CCPA) and Colorado Privacy Act impose additional obligations, including data minimization requirements, consumer rights provisions, and specific disclosure obligations. Children's data requires COPPA compliance with parental consent mechanisms and enhanced protection measures. Your agreement should address cross-border data transfers if either party operates internationally, ensuring adequate protection levels and compliance with emerging state data localization requirements.

GOVERNING LAW

Applicable law

This Data Controller To Data Controller Agreement is drafted to comply with United States law. Key legislation includes:

FTC Act: Federal Trade Commission Act, particularly Section 5, governing unfair or deceptive practices and establishing FTC's privacy and data security enforcement authority

HIPAA: Health Insurance Portability and Accountability Act - Federal law governing protection of healthcare data and medical information

GLBA: Gramm-Leach-Bliley Act - Federal law governing collection, disclosure, and protection of consumers' personal financial information

FCRA: Fair Credit Reporting Act - Federal law regulating the collection and use of consumer credit information

FERPA: Family Educational Rights and Privacy Act - Federal law protecting the privacy of student education records

COPPA: Children's Online Privacy Protection Act - Federal law imposing requirements on operators of websites or online services directed to children under 13

CCPA/CPRA: California Consumer Privacy Act and California Privacy Rights Act - Comprehensive state privacy laws providing California residents with data privacy rights

CalOPPA: California Online Privacy Protection Act - State law requiring commercial websites to post privacy policies and comply with stated practices

VCDPA: Virginia Consumer Data Protection Act - Comprehensive state privacy law providing Virginia residents with data privacy rights

CPA: Colorado Privacy Act - State law establishing privacy rights for Colorado residents and obligations for data controllers

UCPA: Utah Consumer Privacy Act - State privacy law providing Utah residents with data privacy rights and establishing business obligations

CTDPA: Connecticut Data Privacy Act - State law establishing privacy rights for Connecticut residents and requirements for businesses processing their data

EU-US DPF: EU-US Data Privacy Framework - Framework governing transatlantic data flows between the EU and US

PIPEDA: Personal Information Protection and Electronic Documents Act - Canadian federal privacy law governing private-sector organizations' collection, use, and disclosure of personal information

Genie's Security Promise

Genie is the safest place to draft. Here's how we prioritise your privacy and security.

Your data is private:

We do not train on your data; Genie's AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

We are ISO27001 certified, so your data is secure

Organizational security:

You retain IP ownership of your documents and their information

You have full control over your data and who gets to see it