All Countries
Compliance
Controller To Controller Agreement GDPR

Controller To Controller Agreement GDPR Template for Netherlands

Create a bespoke document in minutes,  or upload and review your own.

4.6 / 5
4.8 / 5

Let's create your Controller To Controller Agreement GDPR

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Get your first 2 documents free

Your data doesn't train Genie's AI

You keep IP ownership of your information

Key Requirements PROMPT example:

Controller To Controller Agreement GDPR

"I need a Controller to Controller Agreement GDPR for my Dutch fintech company to share customer financial data with a German credit rating agency, including cross-border transfer provisions and specific security measures for financial data, to be implemented by March 2025."

Celebrated by
Collaborations with
Investors
Document background
The Controller to Controller Agreement GDPR is essential when two organizations, acting as independent data controllers, need to share personal data while maintaining GDPR compliance. This agreement is particularly relevant under Dutch jurisdiction and EU data protection law when both parties determine their own purposes and means of processing personal data. It should be used whenever there is systematic sharing of personal data between independent controllers, whether for business partnerships, service delivery, or collaborative projects. The agreement ensures clear allocation of responsibilities, establishes procedures for maintaining data subject rights, and includes necessary safeguards for data protection. It is designed to meet requirements of both the GDPR and Dutch national data protection laws, providing a robust framework for lawful data sharing activities.
Suggested Sections

1. Parties: Identification of the two data controllers entering into the agreement, including full legal names, registration details, and addresses

2. Background: Context of the agreement, description of data sharing relationship, and purpose of the arrangement between the controllers

3. Definitions: Definitions of key terms used in the agreement, including GDPR-specific terminology and agreement-specific definitions

4. Scope and Purpose: Detailed description of the personal data sharing activities, purposes of processing, and categories of data subjects

5. Roles and Responsibilities: Clear delineation of each controller's roles, responsibilities, and obligations under GDPR

6. Lawful Basis for Processing: Specification of the legal bases relied upon by each controller for processing personal data

7. Data Protection Principles: Commitment to GDPR principles and how they will be upheld by both parties

8. Data Subject Rights: Procedures for handling data subject requests and cooperation between controllers

9. Security Measures: Technical and organizational measures required for data protection and security

10. Data Breach Notification: Procedures for notifying each other and authorities of personal data breaches

11. Confidentiality: Obligations regarding confidentiality of shared personal data

12. Term and Termination: Duration of the agreement and conditions for termination

13. Governing Law and Jurisdiction: Specification of Dutch law as governing law and jurisdiction for disputes

14. General Provisions: Standard contractual provisions including amendments, severability, and entire agreement

Optional Sections

1. International Data Transfers: Required when personal data will be transferred outside the EEA, including transfer mechanisms and safeguards

2. Industry-Specific Requirements: Additional provisions for specific sectors (e.g., healthcare, financial services) with special data protection requirements

3. Joint Processing Activities: Required when certain processing activities are conducted jointly by both controllers

4. Audit Rights: Provisions for mutual auditing of data protection compliance, if agreed between parties

5. Insurance and Liability: Specific provisions on insurance requirements and liability allocation beyond standard provisions

6. Data Protection Impact Assessments: Procedures for conducting DPIAs when required and cooperation between parties

7. Sub-processing: Rules regarding the appointment of processors by either controller, if relevant

Suggested Schedules

1. Schedule 1 - Categories of Personal Data: Detailed list of personal data categories being shared, including special categories if applicable

2. Schedule 2 - Processing Activities: Detailed description of processing activities, purposes, and data flows between controllers

3. Schedule 3 - Technical and Organizational Measures: Specific security measures and controls implemented by each party

4. Schedule 4 - Contact Points: List of key contacts for operational matters, data protection officers, and emergency situations

5. Schedule 5 - Data Subject Rights Procedure: Detailed procedures for handling data subject requests and cooperation between parties

6. Appendix A - Standard Contractual Clauses: If applicable for international transfers, including approved SCCs

7. Appendix B - Data Protection Impact Assessment: Summary or full DPIA if conducted for the shared processing activities

Authors

Alex Denne

Head of Growth (Open Source Law) @ Genie AI | 3 x UCL-Certified in Contract Law & Drafting | 4+ Years Managing 1M+ Legal Documents | Serial Founder & Legal AI Author

Linkedin in social icon imageX social icon image
alex.den.21@genieai.co
Relevant legal definitions
Agreement
Applicable Data Protection Laws
Autoriteit Persoonsgegevens
Business Day
Business Hours
Confidential Information
Controller
Data Protection Impact Assessment
Data Protection Laws
Data Security Breach
Data Subject
Data Subject Rights
EEA
Effective Date
EU
GDPR
Information Security Incident
Law Enforcement Request
Legitimate Interests
Notice
Personal Data
Personal Data Breach
Processing
Processor
Receiving Controller
Regulatory Authority
Representatives
Restricted Transfer
Security Measures
Shared Personal Data
Special Categories of Personal Data
Supervisory Authority
Technical and Organizational Measures
Term
Third Country
Third Party
Transfer Mechanism
UAVG
Working Day
Clauses
Interpretation
Definitions
Scope of Processing
Roles and Responsibilities
Data Protection Compliance
Legal Basis for Processing
Data Sharing
Security Requirements
Confidentiality
Data Subject Rights
Personal Data Breaches
Cross-border Transfers
Audit Rights
Liability and Indemnification
Term and Termination
Force Majeure
Assignment
Notices
Severability
Entire Agreement
Governing Law
Dispute Resolution
Variation
Data Protection Impact Assessment
Sub-processing
Representatives and Notices
Costs and Expenses
Third Party Rights
Waiver
Counterparts
Relevant Industries

Financial Services

Healthcare

Technology

E-commerce

Insurance

Education

Professional Services

Telecommunications

Retail

Marketing and Advertising

Research and Development

Transportation and Logistics

Real Estate

Human Resources Services

Relevant Teams

Legal

Compliance

Data Protection

Information Security

Risk Management

Information Technology

Privacy

Regulatory Affairs

Corporate Governance

Operations

Relevant Roles

Data Protection Officer

Privacy Officer

Legal Counsel

Compliance Manager

Information Security Manager

Risk Manager

Privacy Manager

Chief Privacy Officer

General Counsel

IT Security Manager

Data Protection Manager

Compliance Officer

Chief Legal Officer

Chief Information Security Officer

Privacy Analyst

Data Protection Specialist

Industries
General Data Protection Regulation (GDPR): EU Regulation 2016/679 - The primary legislation governing personal data processing in the EU, defining obligations for data controllers and processors, data subject rights, and compliance requirements
Dutch GDPR Implementation Act (UAVG): Uitvoeringswet Algemene verordening gegevensbescherming - The Dutch national law implementing and supplementing GDPR provisions within the Netherlands
Dutch Civil Code (Burgerlijk Wetboek): Particularly Book 6 on contract law, governing general contractual obligations and requirements under Dutch law
EDPB Guidelines on Data Controllers and Processors: Guidelines 07/2020 on the concepts of controller and processor in the GDPR, providing clarity on roles and responsibilities
Dutch Telecommunications Act: Telecommunicatiewet - Relevant for data processing in electronic communications and requirements regarding electronic consent
ePrivacy Directive: Directive 2002/58/EC - Specific rules for processing personal data in the electronic communications sector, particularly relevant for online data sharing
Teams

Employer, Employee, Start Date, Job Title, Department, Location, Probationary Period, Notice Period, Salary, Overtime, Vacation Pay, Statutory Holidays, Benefits, Bonus, Expenses, Working Hours, Rest Breaks,  Leaves of Absence, Confidentiality, Intellectual Property, Non-Solicitation, Non-Competition, Code of Conduct, Termination,  Severance Pay, Governing Law, Entire Agreemen

Find the exact document you need

Joint Controller Data Processing Agreement

Dutch law-governed Joint Controller Data Processing Agreement establishing GDPR-compliant framework for shared data processing responsibilities.

find out more

Controller To Controller Agreement GDPR

A Dutch law-governed agreement establishing GDPR-compliant data sharing arrangements between two independent data controllers.

find out more

Dpa Data Privacy Agreement

Dutch law-governed Data Processing Agreement establishing GDPR-compliant terms for personal data processing between controller and processor.

find out more

Commissioned Data Processing Agreement

Dutch law-governed Data Processing Agreement establishing GDPR-compliant terms for personal data processing between controller and processor.

find out more

Supplier Data Processing Agreement

A Dutch law-governed data processing agreement establishing GDPR-compliant terms between a company and its supplier for personal data processing activities.

find out more

Data Privacy Addendum

A Dutch law-governed Data Privacy Addendum establishing GDPR-compliant terms for personal data processing between controllers and processors.

find out more

Non Disclosure Agreement Data Protection

Dutch law-governed NDA with enhanced data protection provisions compliant with GDPR and local privacy regulations.

find out more

Download our whitepaper on the future of AI in Legal

By providing your email address you are consenting to our Privacy Notice.
Thank you for downloading our whitepaper. This should arrive in your inbox shortly. In the meantime, why not jump straight to a section that interests you here: https://www.genieai.co/our-research
Oops! Something went wrong while submitting the form.

Genie’s Security Promise

Genie is the safest place to draft. Here’s how we prioritise your privacy and security.

Your documents are private:

We do not train on your data; Genie’s AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

Our bank-grade security infrastructure undergoes regular external audits

We are ISO27001 certified, so your data is secure

Organizational security

You retain IP ownership of your documents

You have full control over your data and who gets to see it

Innovation in privacy:

Genie partnered with the Computational Privacy Department at Imperial College London

Together, we ran a £1 million research project on privacy and anonymity in legal contracts

Want to know more?

Visit our Trust Centre for more details and real-time security updates.

Read our Privacy Policy.