It will be a legal code as soon as it is adopted (the ICO must prepare it under the 2018 CCA) and, if the treatment managers do not comply, it may be more difficult to prove that their data exchange is fair, lawful and accountable and that it is consistent with the RGPD and the 2018 DPA. This is what the OIC says: “If you deal with personal data in violation of this code and this leads to a violation of the RGPD or the PA, we can act against you.” The Office of the Information Commissioner (ICO) has published an updated draft code of conduct for the common protection of personal data (`draft code of conduct`) for consultation2, which, once completed, must become a legal code within the meaning of Section 121 of the Data Protection Act 2018 (hereafter the law). The draft code is an update to the OIC Code of Conduct (May 2011) and aims to provide organisations with practical guidelines for sharing personal data, in accordance with data protection rules, in particular the Data Protection Act and General Regulation (EU) 2016/679) (hereafter the RGP). The draft code also aims to explain the law and makes good practice recommendations for private organizations, public sector organizations and those subject to the law. In this article, Sarah O`Brien, a partner at Ropes and Gray LLP, takes into account the key elements that private organizations should consider when transmitting personal data, including a series of proposals for appropriate provisions that could be included in a data exchange agreement. You can respond to the consultation through the OIC`s online survey or download the document and email@example.com. The draft code explains the law and provides examples of good practice. Subsequently, organizations can manage risks, clarify misunderstandings and exchange data confidentially. The draft code makes it clear that data sharing is broad and can be extended when an organization allows third parties to access third parties in one way or another. Sharing can be done routinely, depending on the plan or only once. We provided below with a summary of some of the main escape points in the draft code: the guidelines for the use of a contract or data processing contract or data-sharing agreement are not explicit. This is not the purpose of the code, unless these suppliers are controllers.