Law Society of Scotland

Sharing data with third parties

Sharing and transferring personal data to third parties


It is useful to list all the organisations that you share data with on a regular basis. You will have already identified these organisations in your record of processing. Below are some examples.

It is important to distinguish between a processor and a controller, as the obligations differ. Other controllers have the same obligations as you, but processors do not; you must therefore have a written contract in place to limit what they can do with your data. There is an obligation to have a legally binding agreement in place between a controller and a processor. Sometimes this can be found in standard terms and conditions; in the case of software providers, the data processing agreement can sometimes be found on their website.

| Data controller | Data subject | Share with - 3rd party controllers | Share with - 3rd party processors |
|---|---|---|---|
| law firm | potential clients | courts | case management database if not stored on your server |
| | clients | solicitors 'on the other side' | your cloud-based server provider if not in-house |
| | other relevant individuals: witnesses, beneficiaries, executors | expert witnesses | supplier of confidential waste shredding |
| | employees | Registers of Scotland | document storage company |
| | partners | Scottish Legal Aid Board | outsourced payroll |
| | | HMRC | supplier who photocopies large amounts of productions for court |
| | | financial advisers | |
| | | Law Society of Scotland | |

Sharing data with processors

Your obligations

  • Carry out due diligence on the processor
  • Monitor compliance with data protection laws and your contract
  • Have an appropriate written contract in place with any processor 

The level of due diligence and monitoring compliance carried out depends on the risks inherent in the processing. A greater level of due diligence is expected if special category data is being processed on an ongoing basis.

Written contract

There is an obligation to have a legally binding contract between the controller and the processor.

The contract must set out the following:

  • The subject matter of the processing
  • The duration of processing
  • The nature of processing
  • The purpose of processing
  • The type of personal data to be processed
  • The categories of data subjects whose data is to be processed
  • The rights and obligations of the data controller

The contract must include the following instructions to the processor:

  • The processor must only process the data on the instructions of the controller
  • Any individual processing data for the processor must have a commitment to confidentiality
  • The processor must take appropriate security measures
  • The processor must assist the controller to comply with data subjects’ rights, including reporting any personal data breaches to the controller immediately
  • The controller identifies whether the personal data should be deleted or returned to the controller at the end of the provision of services
  • The processor must assist the controller with the provision of information for audit or inspection purposes

Sub-processors

If the processor wishes to sub-contract any processing, they must obtain written authorisation from the controller. This can be provided in general terms in advance, but the processor must tell the controller the identity of any new sub-processor and any other changes.

This allows the law firm as a controller to ensure control over the data you hold and to advise the data subjects where their data is and what is happening to it. This helps to ensure fair and transparent processing.

The processor should have a similar contract in place with any sub-processor to ensure. Any personal data breaches suffered by the sub-processor should be reported to the processor immediately.

 

Sharing data with other controllers


There must always be a lawful basis for sharing any personal data. Recipients (or categories of recipients) of the data must be identified in your fair processing/privacy notice.

Law firms should consider whether they require a written agreement to be in place with any organisation they pass data to. For example, you may wish to point out why the data is being shared and what should happen to it once there is no requirement for it to be processed by that party any longer. You should also consider security of processing and make attempts to ensure that the data will be held securely by the controller you are passing your data to.

The extent of this requirement will depend on the organisation. It is unlikely to be required when personal data is shared with the court, but perhaps should be considered when special category data is passed to an expert or other individual that the data controller has little knowledge of. Although these organisations or individuals have their own obligations as data controllers, you may decide to set out your expectations in your letter of instruction, particularly in relation to security and retention of personal data.

Case study

Through the record of data processing, our high street law firm has pulled together a list of all the data processors and data controllers that it deals with. Against each, it is recording what arrangements are in place to ensure compliance.

| Name | Status | Contract with new T&C's | Due diligence | Monitor |
|---|---|---|---|---|
| Case management system | processor | yes, processor contract | statement from supplier | at time of contract renewal |
| Expert witness | controller | data sharing provisions in letter of engagement | known to us and registered | |