Corporate boardroom with laptop, legal documents and a GDPR compliance dashboard showing warning indicators — illustration accompanying legal risks of data sharing under GDPR

7 GDPR Risks Every Business Must Know When Sharing Data

Data sharing is the lifeblood of modern commerce. Whether you’re onboarding a new cloud provider, collaborating with a marketing agency, or integrating a third-party HR system, personal data flows between organisations constantly. But here’s the uncomfortable truth: most businesses underestimate the legal minefield that data sharing represents under the General Data Protection Regulation (GDPR).

The stakes are real. Fines can reach €20 million or 4% of global annual turnover—whichever is higher. Beyond financial penalties, you risk reputational damage, regulatory scrutiny, and civil liability claims from affected individuals. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, or AP) has made it clear: ignorance is not a defence.

This article walks you through seven critical GDPR risks that arise when sharing personal data. Each risk is grounded in specific GDPR provisions, illustrated with real-world consequences, and paired with practical guidance to help you stay compliant. Whether you’re a business owner, compliance officer, or legal professional operating in the Netherlands, understanding these pitfalls is essential.

1. Sharing Data Without a Valid Legal Basis (Article 6 GDPR)

The Risk: You cannot share personal data just because it’s convenient or beneficial. Every instance of data sharing requires a valid legal basis under Article 6 GDPR.

Why Companies Get It Wrong: Many organisations assume that having a commercial reason to share data is enough. It’s not. The GDPR provides six lawful bases for processing: consent, contractual necessity, legal obligation, vital interests, public task, and legitimate interests. Each has specific requirements and limitations.

For example, “legitimate interests” is often invoked to justify data sharing with partners or service providers. But this basis has three cumulative conditions: the interest pursued must be legitimate, the sharing must be necessary to pursue it, and that interest must not be overridden by the interests or fundamental rights and freedoms of the individuals concerned (the balancing test). You must document this assessment before the sharing starts.

Legal Grounding: Article 6 GDPR sets out the exhaustive list of lawful bases. Article 5(1)(a) GDPR mandates that all processing be lawful, fair, and transparent.

Real-World Consequence: The AP has issued fines to organisations that shared customer data with third parties for marketing purposes without a proper legal basis. Labelling data as “anonymised” or “aggregated” does not remove this requirement: if re-identification remains reasonably possible, the data is still personal data and needs a lawful basis.

Practical Takeaway: Before sharing any personal data, identify and document which legal basis applies. If relying on legitimate interests, conduct and record a legitimate interests assessment (LIA). If using consent, ensure it’s freely given, specific, informed, and unambiguous.

2. Confusion Over Roles: Controller vs. Processor (Article 4(7)–(8) GDPR)

The Risk: The GDPR distinguishes between controllers (who determine the purposes and means of processing) and processors (who process data on behalf of a controller). Misidentifying your role—or that of your partner—creates serious compliance gaps.

Why Companies Get It Wrong: In practice, roles can be ambiguous. If you share data with a SaaS provider, are they a controller or processor? What if they use your data to improve their algorithms? Many businesses default to calling every vendor a “processor” without properly analysing the relationship.

Misclassification matters because controllers and processors have different obligations. Controllers must ensure processors provide sufficient guarantees of compliance (Article 28 GDPR). Joint controllers must agree on their respective responsibilities (Article 26 GDPR). Get it wrong, and you may be held liable for breaches you didn’t even know were happening.

Legal Grounding: Article 4(7) and (8) GDPR define “controller” and “processor.” Article 24 GDPR outlines the controller’s accountability obligations.

Real-World Consequence: The European Court of Justice ruled in Fashion ID (C-40/17) that a website operator embedding a third party’s social plug-in was a joint controller for the collection and transmission of visitors’ data, because it co-determined the purposes and means of that stage, even though it never had access to the data and did not control what the third party did with it afterwards. Joint controllership is therefore assessed per processing operation, and for the operations it covers each controller can be held liable to data subjects for the entire damage (Article 26(3) and Article 82(4) GDPR), even if another party caused the infringement.

Practical Takeaway: Map out data flows and determine who decides why and how data is processed. Document this in writing and ensure each party understands their role and obligations.

3. Missing or Inadequate Data Processing Agreement (Article 28 GDPR)

The Risk: If you engage a processor to handle personal data on your behalf, you are legally required to have a written data processing agreement (DPA) in place. No exceptions.

Why Companies Get It Wrong: It’s tempting to skip the paperwork, especially with trusted or long-standing partners. But without a compliant DPA, you’re in breach of Article 28 GDPR from day one—even if no actual harm occurs.

A proper DPA must set out the subject matter and duration of the processing, its nature and purpose, the type of personal data, the categories of data subjects, and the obligations and rights of the controller. It must also bind the processor to process only on documented instructions, keep its personnel to confidentiality, implement the security measures required by Article 32, engage sub-processors only under the conditions of Article 28(2) and (4), assist the controller with data subject requests, security, breach notification and DPIAs, delete or return the data at the end of the service, and make available the information needed to demonstrate compliance, including audits.

Legal Grounding: Article 28(3) GDPR lists the mandatory content of a DPA. Article 28(2) GDPR requires the controller’s prior written authorisation (specific or general) before a processor engages a sub-processor, and Article 28(4) GDPR requires the same data protection obligations to be passed down to that sub-processor by contract.

Real-World Consequence: The AP has sanctioned organisations for engaging processors without adequate DPAs. Even if the processor itself is compliant, the controller can still be fined for failing to enter into a proper agreement.

Practical Takeaway: Use a standardised DPA template that covers all Article 28(3) requirements. Review existing agreements to ensure they’re GDPR-compliant. Don’t onboard any new processor without a signed DPA.

4. Unlawful Transfer to Third Countries Outside the EEA (Articles 44–49 GDPR & Schrems II)

The Risk: Transferring personal data outside the European Economic Area (EEA) is heavily restricted. You can only do so if the destination country provides an adequate level of protection—or if you implement appropriate safeguards.

Why Companies Get It Wrong: Many businesses use cloud services, payment processors, or analytics tools hosted in the US or Asia without realising they’re triggering international transfer rules. Even if your contract is with an EU entity, if data is stored or accessed outside the EEA, transfer rules apply.

The Schrems II judgment (Case C-311/18) invalidated the EU-US Privacy Shield and reinforced that standard contractual clauses (SCCs) alone are not enough. You must also conduct a transfer impact assessment (TIA) to evaluate whether the destination country’s laws undermine the protection guaranteed by SCCs.

Legal Grounding: Articles 44–49 GDPR govern international transfers. Chapter V GDPR requires adequacy decisions (Article 45) or appropriate safeguards (Article 46), such as SCCs.

Real-World Consequence: The AP can order you to suspend or ban data transfers to third countries if adequate safeguards are not in place. Companies have faced enforcement action and reputational damage for transferring data to the US without conducting a TIA post-Schrems II.

Practical Takeaway: Identify all third-country transfers in your data flows, including remote access from outside the EEA. Check whether an adequacy decision exists; for the US, the EU-US Data Privacy Framework adequacy decision of July 2023 covers only recipients certified under it, so transfers to any other US recipient still need safeguards. If no adequacy decision applies, implement SCCs and conduct a TIA. Document supplementary measures if needed (e.g., encryption with keys held only inside the EEA, pseudonymisation).

5. Failure to Conduct a Data Protection Impact Assessment (Article 35 GDPR)

The Risk: A Data Protection Impact Assessment (DPIA) is mandatory when data sharing is likely to result in a high risk to individuals’ rights and freedoms. This includes large-scale processing of special categories of data, systematic monitoring, or use of new technologies.

Why Companies Get It Wrong: Many organisations treat DPIAs as optional or only relevant for “big” projects. In reality, sharing health data with a third-party analytics platform, deploying AI-driven profiling tools, or combining datasets from multiple sources can all trigger the DPIA requirement.

A DPIA is not just a box-ticking exercise. It’s a structured process to identify risks, assess their severity, and determine measures to mitigate them. If residual risks remain high, you must consult the AP before proceeding.

Legal Grounding: Article 35 GDPR mandates DPIAs for high-risk processing. The AP has published guidelines on when a DPIA is required.

Real-World Consequence: Failure to conduct a DPIA when required is itself a GDPR breach. The AP has fined organisations for proceeding with high-risk data sharing without completing a DPIA, even when no actual data breach occurred.

Practical Takeaway: Screen all data-sharing activities for DPIA triggers. When in doubt, conduct one. Involve your Data Protection Officer (DPO) and document the assessment process thoroughly.

6. Inadequate Information to Data Subjects (Articles 13 & 14 GDPR)

The Risk: Transparency is a cornerstone of the GDPR. Whenever you collect or share personal data, you must inform data subjects about who will receive their data, for what purpose, and on what legal basis.

Why Companies Get It Wrong: Privacy notices are often vague or outdated. Phrases like “we may share your data with trusted partners” don’t cut it. You must specify the categories of recipients (e.g., “cloud hosting providers,” “marketing agencies”) and, where relevant, name them.

When data is obtained indirectly—for example, from a data broker or another controller—Article 14 GDPR imposes additional information obligations, including the source of the data.

Legal Grounding: Articles 13 and 14 GDPR list the information that must be provided to data subjects. Article 5(1)(a) GDPR requires transparency in all processing activities.

Real-World Consequence: The AP has sanctioned companies for failing to inform individuals that their data was being shared with third parties. Even if the sharing itself was lawful, inadequate transparency is a standalone breach.

Practical Takeaway: Review and update your privacy notices to clearly describe data-sharing practices. Ensure notices are easily accessible and written in plain language. When sharing data with new partners, update your notices before the sharing begins.

7. Pseudonymisation as a False Sense of Security

The Risk: Pseudonymisation—replacing direct identifiers with codes or tokens—is encouraged under the GDPR as a security measure. But it does not render data anonymous. If the data can still be linked back to an individual, it remains personal data and is subject to the full scope of the GDPR.

Why Companies Get It Wrong: Businesses often assume that pseudonymised data is “safe” to share without restrictions. In practice, pseudonymisation only reduces risk; it doesn’t eliminate it. If you share pseudonymised data with a partner who has access to the key or to other datasets that enable re-identification, you’re still processing personal data. A token produced by hashing the identifier without a secret key is no better: anyone holding a list of plausible identifiers (e-mail addresses, customer numbers) can recompute the hashes and match them. And even keyed tokens leave the indirect identifiers (postcode, date of birth, job title) in the data, which a recipient can link against records it already holds.

Legal Grounding: Article 4(5) GDPR defines pseudonymisation. Recital 26 GDPR clarifies that pseudonymised data remains personal data unless it is truly anonymised (i.e., re-identification is no longer possible by any reasonable means).

Real-World Consequence: The AP has clarified in guidance that pseudonymisation is not a “get out of jail free” card. If re-identification is feasible, all GDPR obligations apply, including having a legal basis, conducting DPIAs, and ensuring adequate security.

Practical Takeaway: Treat pseudonymised data as personal data unless you’ve undergone a rigorous anonymisation process validated by experts. Document the technical and organisational measures in place to prevent re-identification.
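The following script is an added example, not code from the article or from the AP, and it makes its own design choices: it tokenises the direct identifier with HMAC-SHA256 (or an unkeyed SHA-256, for comparison), then shows the two ways a recipient gets back to the person described in section 7: by recomputing the tokens (with the key, or without one if the hash is unkeyed) and by joining on the quasi-identifiers that pseudonymisation leaves untouched. The customer records, the auxiliary marketing list, the key and the k-anonymity threshold are all constructed for the demonstration and are not real data.

```python
"""Added example (not from the article): why pseudonymised data stays personal data.

The customer records, the auxiliary list and the key are constructed for the
demo; HMAC-SHA256 tokens and the k-anonymity check are one design choice, not
a prescription the article makes.
"""
import hashlib
import hmac
from collections import Counter

QUASI = ("postcode", "birth_year")  # indirect identifiers that survive pseudonymisation

# Constructed records held by the controller (fictitious people and postcodes).
CUSTOMERS = [
    {"email": "anna@example.nl", "postcode": "1011AB", "birth_year": 1984, "diagnosis": "asthma"},
    {"email": "bram@example.nl", "postcode": "1011AB", "birth_year": 1991, "diagnosis": "diabetes"},
    {"email": "cees@example.nl", "postcode": "3011CD", "birth_year": 1984, "diagnosis": "migraine"},
    {"email": "dirk@example.nl", "postcode": "3011CD", "birth_year": 1984, "diagnosis": "eczema"},
]

# Constructed auxiliary dataset the recipient already holds (e.g. a marketing list).
AUXILIARY = [
    {"name": "Anna de Vries", "postcode": "1011AB", "birth_year": 1984},
    {"name": "Bram Jansen", "postcode": "1011AB", "birth_year": 1991},
    {"name": "Cees Bakker", "postcode": "3011CD", "birth_year": 1984},
    {"name": "Dirk Visser", "postcode": "3011CD", "birth_year": 1984},
]


def token(identifier, key=None):
    """Pseudonym for a direct identifier. Unkeyed SHA-256 can be recomputed by
    anyone who can guess the input; HMAC with a secret key cannot. The hex
    digest is truncated to 64 bits purely to keep the demo output short."""
    data = identifier.strip().lower().encode()
    if key is None:
        return hashlib.sha256(data).hexdigest()[:16]
    return hmac.new(key, data, hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key=None):
    """Replace the e-mail with a token; the quasi-identifiers and payload stay."""
    return [{"token": token(r["email"], key), **{k: v for k, v in r.items() if k != "email"}}
            for r in records]


def reidentify_by_recomputation(pseudo, candidate_emails, key=None):
    """Art. 4(5)'s 'additional information' in practice: whoever can recompute
    the tokens (the key holder, or anyone at all if the hash is unkeyed) maps
    them straight back to the e-mail addresses."""
    lookup = {token(e, key): e for e in candidate_emails}
    return {r["token"]: lookup[r["token"]] for r in pseudo if r["token"] in lookup}


def _quasi_key(record):
    return tuple(record[q] for q in QUASI)


def reidentify_by_linkage(pseudo, auxiliary):
    """No key needed: join on quasi-identifier combinations that are unique in
    both datasets. Each hit ties a token (and its diagnosis) to a name."""
    pseudo_counts = Counter(_quasi_key(r) for r in pseudo)
    aux_counts = Counter(_quasi_key(r) for r in auxiliary)
    names = {_quasi_key(r): r["name"] for r in auxiliary}
    return {r["token"]: names[_quasi_key(r)] for r in pseudo
            if pseudo_counts[_quasi_key(r)] == 1 and aux_counts[_quasi_key(r)] == 1}


def k_anonymity(records):
    """Smallest group sharing one quasi-identifier combination; k == 1 means at
    least one record is singled out by indirect identifiers alone."""
    return min(Counter(_quasi_key(r) for r in records).values())


def generalise(records, postcode_chars=2, year_bucket=10):
    """Supplementary measure: coarsen the quasi-identifiers (postcode area,
    birth-year bucket) before sharing. It works on the auxiliary list too, which
    is exactly what a recipient would do before attempting the join."""
    return [{**r, "postcode": r["postcode"][:postcode_chars],
             "birth_year": r["birth_year"] // year_bucket * year_bucket} for r in records]


if __name__ == "__main__":
    key = b"constructed-demo-key"          # held by the controller only
    emails = [c["email"] for c in CUSTOMERS]
    unkeyed = pseudonymise(CUSTOMERS)
    keyed = pseudonymise(CUSTOMERS, key)
    print("unkeyed hash, recovered:", len(reidentify_by_recomputation(unkeyed, emails)))
    print("keyed, no key, recovered:", len(reidentify_by_recomputation(keyed, emails)))
    print("keyed, with key, recovered:", len(reidentify_by_recomputation(keyed, emails, key)))
    print("linkage on raw quasi-identifiers:", reidentify_by_linkage(keyed, AUXILIARY))
    print("k-anonymity as shared:", k_anonymity(keyed))
    coarse = generalise(keyed, year_bucket=20)
    print("k-anonymity after generalisation:", k_anonymity(coarse))
    print("linkage after generalisation:",
          reidentify_by_linkage(coarse, generalise(AUXILIARY, year_bucket=20)))
```

Run as written, the unkeyed tokens are recovered in full from nothing more than a list of candidate addresses, the keyed tokens fall only to whoever holds the key, and the linkage attack still names two of the four people without any key because their postcode and birth year are unique in both datasets. Only after the quasi-identifiers are coarsened enough that every combination appears at least twice does the join become ambiguous; that kind of check, not the presence of a token column, is what should inform the decision on whether data remains personal data and which GDPR obligations attach to sharing it.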

Frequently Asked Questions

When is data sharing under the GDPR permitted?

Data sharing is only lawful if you have a valid legal basis under Article 6 GDPR. The six legal bases are: consent, contractual necessity, legal obligation, vital interests, public task, and legitimate interests. You must also comply with the principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, and confidentiality (Article 5 GDPR). In practice, this means clearly documenting why you’re sharing data, ensuring the purpose aligns with why you originally collected it, and informing data subjects about the sharing.

What’s the difference between a controller and a processor?

A controller determines the purposes and means of processing personal data. A processor processes data on behalf of the controller under its documented instructions. This distinction matters because controllers carry the primary responsibility for GDPR compliance, while processors have narrower, direct obligations of their own (acting only on documented instructions, ensuring security and confidentiality, keeping a record of processing activities, engaging sub-processors only with authorisation, and notifying the controller of breaches without undue delay). If you’re sharing data with a supplier who processes it on your instructions, for example a payroll provider or cloud storage service, they’re typically a processor. If they also decide how to use the data for their own purposes, they may be a (joint) controller for that use. Misidentifying roles can lead to gaps in accountability and to joint liability for breaches.

When is a data processing agreement (DPA) mandatory?

A DPA is mandatory whenever you engage a processor to handle personal data on your behalf (Article 28 GDPR). This applies regardless of the size of your organisation or the volume of data involved. The DPA must be in writing and include specific mandatory clauses, such as the subject matter and duration of processing, the nature and purpose, the types of data and categories of data subjects, and the obligations of both parties regarding security, breach notification, and sub-processing. Without a compliant DPA, you’re in breach from the moment the processor begins processing, even if no harm occurs.

Can I share customer data with a party outside the EU?

Yes, but only if strict conditions are met. Under Articles 44–49 GDPR, you can transfer data to a third country if: (a) the European Commission has issued an adequacy decision for that country, or (b) you’ve put in place appropriate safeguards, such as standard contractual clauses (SCCs). Following the Schrems II judgment, you must also conduct a transfer impact assessment (TIA) to evaluate whether the destination country’s laws (e.g., government surveillance) undermine the protection guaranteed by the SCCs. If risks remain, you must implement supplementary measures, such as encryption or data minimisation. Transfers without adequate safeguards can result in enforcement action by the AP, including suspension of the transfer.

When is a DPIA required for data sharing?

A DPIA is mandatory under Article 35 GDPR when processing is likely to result in a high risk to individuals’ rights and freedoms. This includes: large-scale processing of special categories of data (e.g., health, biometric, genetic data), systematic monitoring of publicly accessible areas, automated decision-making with legal or similarly significant effects, and use of new technologies. When sharing data, a DPIA is often required if you’re combining datasets, sharing sensitive information, or using the data for profiling or AI-driven analytics. The AP has published a list of processing operations that require a DPIA. If in doubt, conduct one—it’s better to be safe than sorry.

What fines can companies face for breaching the GDPR?

The GDPR provides for two tiers of fines. The lower tier—up to €10 million or 2% of global annual turnover—applies to breaches such as failing to implement appropriate security measures or not conducting a DPIA when required. The higher tier—up to €20 million or 4% of global annual turnover—applies to more serious infringements, including lacking a lawful basis for processing, unlawful international transfers, or violating data subjects’ rights. The AP determines the fine amount based on factors including the nature and severity of the breach, whether it was intentional or negligent, the number of affected individuals, and any mitigating actions taken. Recent enforcement shows the AP is willing to impose substantial fines, particularly for systemic or deliberate violations.

Is pseudonymised data always safe to share?

No. Pseudonymisation reduces risk but does not eliminate it. Under Article 4(5) GDPR, pseudonymisation means replacing direct identifiers (like names) with codes or pseudonyms. However, if the data can still be linked back to an individual—for example, by using additional information held by you or the recipient—it remains personal data and is fully subject to the GDPR. This means you still need a legal basis, must inform data subjects, and must ensure adequate security. Only true anonymisation—where re-identification is no longer possible by any reasonable means—removes data from the scope of the GDPR. In practice, achieving genuine anonymisation is difficult and requires expert validation.

What should I do if my business has a data breach due to unlawful data sharing?

If you discover a personal data breach, including one caused by unlawful data sharing, you must notify the AP without undue delay and, where feasible, within 72 hours of becoming aware of it under Article 33 GDPR (unless the breach is unlikely to result in a risk to individuals’ rights and freedoms). You must also notify affected individuals without undue delay if the breach is likely to result in a high risk to them (Article 34 GDPR). Immediate steps include: containing the breach, assessing its scope and impact, documenting what happened and what you’re doing about it, and notifying the AP via its online breach-notification portal. Whether or not the breach is notifiable, Article 33(5) GDPR requires you to record every breach, its effects and the remedial action taken, so the AP can verify your assessment later. Failure to notify can result in a separate fine. The AP will assess whether enforcement action is warranted based on the severity of the breach and your response.

Protect Your Business—Get Expert Legal Guidance

Data sharing is unavoidable, but GDPR breaches don’t have to be. The seven risks outlined above are not theoretical—they’re drawn from real enforcement cases, court judgments, and regulatory guidance. Every one of them can result in fines, liability claims, and reputational damage.

The good news? With the right legal framework, clear documentation, and proactive compliance measures, you can share data confidently and lawfully. But getting it right requires more than generic advice—it requires tailored legal support that understands your business, your data flows, and the specific risks you face.

Don’t wait for the AP to come knocking. If you’re unsure whether your data-sharing practices are GDPR-compliant, or if you need help drafting DPAs, conducting DPIAs, or managing international transfers, get in touch with a specialist privacy lawyer. Your business—and your customers—deserve nothing less.

Law & More