When a processing manager shares personal data with another organization, there may be three relationships: in other situations where the recipient of the data is another person in charge of processing and not a common person in charge of processing, it is up to the person in charge of the processing to share the data in order to determine what is necessary to comply with the provisions of the RGPD and protect the privacy of individuals. The RGPD`s NICVA data protection toolkit was designed to help voluntary organizations prepare for the biggest data protection change in 20 years under the RGPD. You are not obliged to accept the agreement offered to you and you can propose changes that must be verified and accepted by the subcontractor. EZTicket is a data processor that processes personal data on behalf of the charity. The RGPD provides for joint treatment managers to enter into an agreement clearly stating their respective responsibilities for compliance with the RGPD, including the rights of those affected. While there is no mention of a written agreement between the co-leaders, it is worth reaching an agreement, as it helps to meet the essential requirements for transparency and accountability. The written contract must define the purpose, duration, nature and purpose of the treatment, as well as the types (categories) of personal data and the persons concerned. In situations where a charity shares data on a single, discrete basis with a limited impact on the privacy of the individuals involved, it is unlikely that a signed agreement will be necessary. However, it is interesting to verify that the recipient clearly understands their responsibility for the safe and consistent management of information. You need to think carefully about where this applies, as it may not be obvious that you have data on a processor as a controller. For example, storing certain personal data on a cloud storage service would likely fit this definition, since personal data is processed by an external third party (processor) (stored on servers), even if that company does not have direct interaction with the data.