Skip to main content
data transfer commissioning

Differences between data transfer and commissioning

In every-day office work, we quite often detect some confusion between data transfer and commissioning of the data, that is, access to data by a third party to provide a service.

Formally, it may seem that there are no difference because, at the end of the day, the personal data that a company or entity “A” has ends up in the hands of a company or entity “B”. However, we will see how the differences are extremely important in terms of their processing under the GDPR:

Data transfer: what is it and how is it regulated?

The transfer of data between two companies or entities is another form of personal data processing. From reading the GDPR, it can be concluded that the possible types of data processing include “communication by transmission”, “dissemination” or “interconnection” of data.

This leads to the case, therefore, in which the company or entity “A” has collected a series of personal data and shares it with a company or entity “B”, with a different legal status.

There are essentially three consequences of the transfer of data:

  1. Both entities or companies process the data as controllers, which means that they are directly responsible for the use that will be made of this data, a use that, by the way, may be different between company A and company B.

As data controller, each of the companies or entities involved in this processing is responsible for its obligations and must apply the criteria that the AEPD has established in its extensive doctrine.

  1. As for data processing, this must be set within one of the lawful bases set out in Article 6 of the GDPR. One of them is the consent of the data subject, but there are others such as the fulfilment of a legal obligation or the execution of a contract.

In each case, what the transfer of personal data allows must be analysed and the corresponding solution applied in each case. If the answer is consent, let us remember that it must always be expressed.

  1. In any case, and regardless of its lawful basis, the transfer of the data must be reported to the data subject (Art. 14.1.e) GDPR).

Data transfer and commissioning: Commissioning or treatment by third parties

This is a very different case with a completely different solution. It occurs when a company or entity “uses” other companies or entities so that they process data in their name and on their behalf.

We are effectively talking about cases in which a specific service is contracted, and the provision of that service means that a third party has access to the personal data that the “client” company has independently collected.

This type of assumption is increasing in companies of all sizes: data hosted in the cloud, CRM, ERP, computer maintenance services, email transmission platforms, etc.

The solution in this case, as we have said, is completely opposite to that of the transfer of data, as the key here is to comply with the GDPR, essentially one:

The relationship between both companies or entities must be established in a contract where the assignment is very clearly established, where the data will only be used by the provider for that purpose, the security measures that will be applied, and what will happen to the data when the service ends.

Unilateral clauses

Sometimes, the supplier is not a company that negotiates contracts or agrees to sign the contract provided by the client. Even so, the obligation of the latter, as the data controller, is to ensure that the conditions of the service, even if they are not negotiated, comply with the GDPR.


Subcontracting services deserve a separate mention, in which the contracted provider initially subcontracts part or all of the service entrusted and, with it, access to the data to a third party.

The GDPR is clear in the sense that the client (controller) must authorise these subcontracts. It goes without saying that, in the case of unilateral clauses, this control is very complicated, and, once again, does not exempt the obligation of the controller from knowing all the companies that participate in the data processing.

Therefore, knowing the difference between the transfer of data and commissioning in data processing is essential for correct application of the GDPR. The legal solutions and consequences are, as we have seen, radically different.

If you have any question about this issue or any other issue, don’t hesitate to contact us!

    Information on data protection

    Company name
    Providing the service.
    Sending the newsletter.
    Legal basis
    Compliance with the service provision.
    Your data will not be shared with any third party, except service providers with which we have signed a valid service agreement.

    You may access, rectify or delete your data and exercise the rights indicated in our Privacy Policy.

    Further information
    See the Privacy Policy.