A method is provided for controlling exchange of privacy sensitive data between a first certified party server (A) associated with a first party and at least a second certified party server (B) associated with a second party using a certified intermediate server (Y) subject to authorizations (XAB) imposed by an authorizing party (X), using a public network. Therein the first certified party server (A) transmits (S2) to the certified intermediate server (Y) a primary request (ARQ(IxA,ΓxA)) that includes a digitally signed primary request indication (IXA,ΓXA) comprising a primary request indication (IXA) specifying a set of privacy sensitive data units (XA) for which a copy (CXA) is requested and a digital signature (ΓXA) of said first party, associated with said primary request indication (IXA). The certified intermediate server (Y) determines (S3) which authorizations are provided by the authorizing party (X) for transmission of information concerning privacy sensitive data from the second certified second party server (B) to the first certified party server (A). The certified intermediate server (Y) executes (S4) a query procedure (QP) in which at least includes transmitting the digitally signed primary request (IXA,ΓXA) by the certified intermediate server (Y) to the second certified party server (B). The second certified party server (B) inspects (S5) the digital signature (ΓXA) to verify authenticity of said the primary request. Subject to confirmation of its authenticity it makes available a provider copy (CXAMB) including at least a censored copy, being a copy of a censored subset of privacy sensitive data units, the censored subset comprising the privacy sensitive data units as specified by the primary request indication (IXA) subject at least to said authorizations (XAB) and subject to availability thereof with the at least a second certified party server. It also provides a second party digital signature, i.e. a digital signature (ΓB) of the second certified party, associated with the censored subset. Upon completion of the query procedure, the censored copy and the second party digital signature are made available to the first certified party server as a digitally signed authorized copy.