Is the international transfer statement adequate?

I see from your free document you make a statment about transfer of personal data outside of the EEA. Should you not warrant that as the data controller you have confirmed the adequacy of the protection to whomsoever you transfer the data, as you are not allowed to send it outside the EEA (unless to a country considered having adequate) unless you as the data controller have confirmed the adequacy of the protection to wherever you may send it?

As to your first question, the international transfer statement in the privacy policy template is not on its own sufficient to meet the international (extra-EEA) data transfer requirements.  One of the permissible ways of transferring data is with data subject consent, but the Information Commissioner's guidance suggests that consent to international data transfers must be given freely and expressly.  A sentence hidden away in a privacy policy just won't generate a sufficiently free and express consent.

For a summary of the law, see my note from 2008 here:

For more detail, see:

Should a data controller warrant to data subjects that it has confirmed the adequacy of protection where data is transferred outside the EEA?  I'm not sure there is any need, given data subjects' rights under the legislation.  As well as regulatory enforcement, a breach of the Data Protection Act can ground a private action for breach of statutory duty - see Section 13 of the Act.

PS A privacy policy is not a contractual document, and therefore not the right place for giving warranties - even were a warranty warranted.

Contact details

Howbery Park, Wallingford
Oxfordshire OX10 8BA, UK
Tel: +44(0)1491 821123

English law

Unless otherwise stated, the information and resources on this website relate to English law.

Web cookies

By using our website, you agree to our use of web cookies. See our privacy policy for details.

Our ecommerce websites

Copyright © 2007-2013 SEQ Legal LLP.