Can a company share the data obtained in a campaign with third parties?

Many companies collect personal data through forms, sweepstakes, newsletters, or advertising campaigns. But a key question arises: can they share this data with third parties, whether with suppliers, agencies, or even companies within the same group?
The answer is yes, but under very strict conditions set by the General Data Protection Regulation (GDPR) and the LOPDGD.

What is meant by data transfer?

The transfer of personal data is any communication of information to a third party that does not act as a data processor. Some examples include:

• Sharing a leads database with an external agency.

• Selling customer data to another company.

• Providing data to group companies for purposes other than the original ones.

When is it legal to transfer data to third parties?

Data transfer will only be legal if at least one of these bases is met:

• Express, informed, and specific consent of the data subject, without pre-checked boxes or generic clauses.

• Execution of a contract, when the transfer is necessary for its fulfillment.

• Legal obligation, when a rule requires providing the data.

• Vital or public interest, in exceptional cases such as medical or security emergencies.

How should it be done correctly?

To legally share data, the company must:

1. Inform the user when collecting data: what data is collected, purpose, recipients, and data subject's rights.

2. Obtain consent, unless there is another legal basis.

3. Sign a transfer agreement with the receiving third party, detailing purpose, security measures, and responsibilities.

4. Record the transfer in the processing activities register.

5. Ensure the rights of data subjects (access, rectification, erasure, objection, etc.).

What if the third party is outside the EU?

International data transfers are only allowed if the destination country provides adequate protection guarantees, through:

• European Commission adequacy decision.

• Standard contractual clauses.

• Binding corporate rules.

At Valero Tax Legal, we advise companies on regulatory compliance in data protection, ensuring legal security in their acquisition campaigns and relationship with third parties.