Yes, a data controller to data processor contract would fulfil the
requirement.
The supplier may not wish to sign up to that, nor join up to safe
harbor.
If that is the case, the UK ICO has helpfully produced detailed guidance
suggesting that this type of formal approach is not always necessary -
as long as the exporting data controller properly undertakes a risk
assessment in relation to a particular transfer. (It is covered -
together with background and up other options - in a briefing I put
together with some colleagues:
http://www.dechert.com/library/DataProtectionandPrivacy_Consequences%20i
n%20France_01_07.pdf.
Often, simply putting in place a contract with the supplier which
complies with the seventh principle will do the trick.
You don't in fact need to tell data subjects that the data will be
transferred out of the EU (only need to if you go the "consent" route),
and you certainly don't need to offer them an opt-out (sorry, Tim!)....
Kind regards
Renzo
Renzo Marchini
Dechert LLP
+44 (0) 20 7184 7563 direct
+44 (0) 20 7184 7001 fax
[log in to unmask]
www.dechert.com
-----Original Message-----
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]] On Behalf Of Tim Trent
Sent: 12 June 2007 11:16
To: [log in to unmask]
Subject: Re: [data-protection] US Patriot Act
I think you need to look in a different place.
You need to have a Data Processor Agreement in place with the processor
and
also to notify your data subjects that data is held outside the EEA
prior to
holding their details.
If you are transferring existing data to the new processor it seems to
me
that the data subjects need to be notified and have the opportunity to
opt
out of the transfer.
Safe harbor is not a concern here, nor, I think the Patriot act.
-----Original Message-----
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]] On Behalf Of Lucy Fincham
Sent: 12 June 2007 11:12
To: [log in to unmask]
Subject: [data-protection] US Patriot Act
We are considering buying some software from a company in the States
which
would hold personal data for us.
The company doesn't seem to be registered with the Safe Harbor
Arrangement,
and anyway, even if it was, would the US Patriot Act over-ride this?
If anyone has any knowledge of this Act, and a view on the matter, I
would
be grateful.
Regards
Lucy
Lucy Fincham
Records Manager
Vice Chancellor's Office
University of Greenwich
University of Greenwich, a charity and company limited by guarantee,
registered in England (reg no. 986729). Registered Office: Old Royal
Naval
College, Park Row, Greenwich SE10 9LS.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask] All user
commands
can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list
owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your
needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at
http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list
owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your
needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This e-mail is from Dechert LLP, a law firm, and may contain information that is confidential or privileged. If you are not the intended recipient, please delete the e-mail and any attachments, and notify the sender. Dechert LLP is a limited liability partnership registered in England & Wales (Registered No. OC306029) and is regulated by the Law Society of England & Wales. A list of names of the members of Dechert LLP (who are solicitors or registered foreign lawyers) is available for inspection at its registered office, 160 Queen Victoria Street, London EC4V 4QQ.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|