The University as data controller
When the University decides that it wishes to share the personal data it holds with another organisation we are acting as a data controller, as we have the authority to take this decision.
Receiving organisation as data controller
The receiving organisation may also become a data controller. This will depend on whether it will have the authority to decide how and why the data will be stored, used and deleted. If the receiving organisation has considerable discretion in this area, it is probably a data controller.
Example
Passing information, such as the destinations of leavers, to HESA for analysis is done as a data controller-to-data controller transfer. This is because HESA is a separate organisation and will be using the data for their own purposes, which the University will not be involved in or have control over.
If the University were to retain control, this would be a data controller-to-data processor transfer.