If you share personal data with a jointly responsible company, Article 26 of the GDPR states that an „agreement“ must be concluded between the data controllers. A data sharing agreement through data sharing is different from a data sharing agreement between the responsible data. If you need these documents, these are two of the many documents in my GDPR compliance package that makes you very cheap at //www.suzannedibble.com/gdprpack Suzanne Dibble is a multi-award-winning business lawyer with 23 years of experience and author of the bestseller GDPR for Dummies. Suzanne advises multinationals on data protection and has created the largest social media group under the GDPR, in which she has helped 40,000 organizations around the world comply with the GDPR. If you transmit personal data to third parties, whether as a jointly responsible company or to an independent controller, you must have a legal reason to process the personal data in this way. It is possible to share data on the basis of the legitimate interests of the processing, but you must carry out a very careful assessment of the legitimate interests in order to guarantee legality – and of course to keep them if you are ever challenged. Article 26 also provides that the core of the agreement must be made available to data subjects (probably in data protection notices) and that a contact point may be designated for data subjects. Regardless of the nature of the agreement and the division of responsibilities between the joint controllers, a data subject may exercise his or her rights vis-à-vis each of the joint controllers. .