Even if a controller manages to find a legal basis for providing access to the data to a third party, this does not mean that the guarantees and requirements of the GDPR cease to apply to these datasets. Similarly, a researcher who gains access to a database must be aware of the legal implications that their new position (as controller, joint controller or processor) might bring about (see the “Main Actors” section in the General Part of these Guidelines). Furthermore, the fairness and transparency requirements will have to be met again. This means that data subjects must be made aware of their rights regarding this further processing. All the other principles of the GDPR will have to be complied with in relation to this further processing as well.
In order to clarify the roles to be played by the different parties involved in data transfer agreements and to ensure that GDPR provisions are adequately implemented, contracts are necessary and advised. These contracts should encompass all the details of the data processing operations, including the subject matter (data to be processed), the duration of the processing, the purpose of the data processing, the nature of the processing, the nature of the data, the categories of data subjects, etc. They should specify how the rights of data subjects will be protected and by whom. Every party involved must be fully aware of the roles, responsibilities and rights of each of the others. Needless to say, contracts should also include clauses on security measures, data storage, audit rights, notification of breaches and, in general, all sensitive issues covered by the GDPR. These clauses should clarify the different obligations assumed by each signing party.
Standard contracts also exist for the different cases, including, for instance, joint controllership. Researchers providing access to their databases shall include detailed clauses devoted to consent management for further processing, as they are the initial controller who passes on the personal data.
Regardless of whether the project is academic or commercial in nature, the controllers must provide data subjects with the same information that is provided when data are collected directly from data subjects, including but not limited to who the controller is and how to contact them, the purposes of the processing and the legal basis for the processing, as well as the data subject rights. Additionally, data subjects must be informed of the source from which the personal data originate and whether they came from publicly accessible sources. The information obligation must be fulfilled within a reasonable period after obtaining the data, but at the latest within one month. Exceptions to this obligation apply (e.g., where the data subject already has the information). Full details on the scope of this obligation and the applicable exceptions are provided in Article 14 of the GDPR (see the right to information section in the Rights part of these Guidelines).