The brand, the car manufacturer and the bank are common data controllers. After the event, each organization uses the personal data of the individuals involved who have chosen to obtain more information from that organization within its own organizations. They are not common controllers with respect to this data because they are not treated for common purposes. We did not agree on the exchange of data-sharing models, as there is a wide range of inclusions and possible levels of detail that can be included and not all needs could be met in a user-friendly manner. Personal data processed on behalf of the processing manager Finally, the ICO reminds that organizations must respect the fundamental principles of data protection legislation when transmitted, including accountability (which documents all aspects of data sharing) and data minimisation (to ensure that they are adequate and proportionate to data exchange). With respect to security, the OIC notes that organizations are expected to take appropriate measures, even after the data is released, to ensure that this data remains well protected. If you are proposing to transfer personal data to third parties and these third parties need consent to process it (for example. B they plan to send direct marketing emails to the people concerned), you will also need permission to transmit personal data to these third parties and these third parties should be explicitly mentioned in their consent.