21. (1) Subject to section 25 of the Act, a data controller or data processor may share or exchange personal data collected, upon request, by another data controller, data processor, third party or a data subject.
(2) A data controller or data processor shall determine the purpose and means of sharing personal data from one data controller or data processor to another.
(3) Data sharing outlined under this regulation may include—
(a) providing personal data to a third party by whatever means by the data controller or data processor;
(b) receiving personal data from a data controller or data processor as joint participant in a data sharing arrangement;
(c) exchanging or transmission of personal data;
(d) providing third party with access to personal data on the data controller’s information systems;
(e) separate or joint initiatives by data controllers or data processors to pool personal data making the data available to each other or a third-party subject to entering into an agreement, as may be applicable; or
(f) routine data sharing between data controllers on a regular or pre-planned basis.
(4) In carrying out any routine data sharing as contemplated under paragraph (3)(f), a data controller shall enter into agreements prior to data sharing.
(5) For the avoidance of doubt, the sharing of data within the organizational structures of a data controller or data processor is not considered as a data sharing.
(6) A request for sharing personal data under this regulation shall be in writing, and shall specify—
(a) the purpose for which personal data is required;
(b) the duration for which personal data shall be retained; and
(c) proof of the safeguards put in place to secure personal data from unlawful disclosure.