Thanks, Claire. Circulating your comment below to the wider list. In the absence of having to avoid the need to get consent, I am happy to add necessary for performance of a contract to my defence to a regulator investigation! R From: Claire E Miller [mailto:[log in to unmask]] Sent: 04 April 2016 15:50 To: Marchini, Renzo <[log in to unmask]<mailto:[log in to unmask]>> Subject: RE: email address as personal data Renzo, Could you not argue that the processing is necessary for the performance of a contract (employment contract), insofar as the contract of employment could not be performed adequately if the email was not sent because the employee would not be following reasonable instructions required in return for their salary and the employment relationship would break down? A very tenuous argument, admittedly, but the situation you describe below can't be the intended outcome, even if it's only arrived at when sticking to the strict letter of the law. Regards, Claire Claire Miller Information Governance Officer Legal Services University of Central Lancashire From: Marchini, Renzo [mailto:[log in to unmask]] Sent: 04 April 2016 15:32 To: Claire E Miller <[log in to unmask]<mailto:[log in to unmask]>>; [log in to unmask]<mailto:[log in to unmask]> Subject: RE: email address as personal data Thank you, Claire. I agree with your answers. Or at least agree that that is a "purist" approach to the issue. But was hoping for a contrary view to avoid the following: A consequence then is that any EU company needs to put in place "model clauses" with all non-EU companies with whom it deals (except those in "white listed" adequate countries). I accept that regulators would take a "pragmatic" view of this, but was hoping that there was a clear way out of that conclusion ... but I can't see it. Best Renzo Renzo Marchini Special Counsel Dechert LLP +44 20 7184 7563 Direct From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Claire E Miller Sent: 04 April 2016 15:25 To: [log in to unmask]<mailto:[log in to unmask]> Subject: Re: [data-protection] email address as personal data An employee of an EU company sends an email (on behalf of the employer) to an address of an individual at a US company. 1. Is this a transfer of "personal data" for the purposes of the eight principle? (The content of email is not personal data. But the email heading will contain, as usual, the email address "From: [log in to unmask]<mailto:[log in to unmask]>".) I think it must be - it identifies the individual and tells you that they work for the organisation. 2. If so, can the EU company rely on "consent" of the employee to avoid having to comply with the eighth principle? Is the employee really consenting if they are told by their employer to email someone and it is part of their role? Is it a request or an order? Is it reasonable/acceptable for them to say no? If not, it's not really consent. 3. If so, does it make any difference if the employee does not know that the nationality of the recipient entity (ie does not know that the company at which the recipient works is a US company)? If the employee can consent freely to sending the email, it must make a difference whether or not they know that the recipient works for a US company, otherwise it's not informed consent - they can't consent to sending the email (and their personal data) to the US if they don't know that that's what they're doing. Claire Miller Information Governance Officer Legal Services University of Central Lancashire ________________________________ ********************************************************************** This e-mail is from Dechert LLP, a law firm, and may contain information that is confidential or privileged. If you are not the intended recipient, please delete the e-mail and any attachments, and notify the sender. Dechert LLP is a limited liability partnership registered in England & Wales (Registered No. OC306029) and is authorised and regulated by the Solicitors Regulation Authority. A list of names of the members of Dechert LLP (who are solicitors or registered foreign lawyers) is available for inspection at its registered office, 160 Queen Victoria Street, London EC4V 4QQ. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html If you wish to leave this list please send the command leave data-protection to [log in to unmask] All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm Any queries about sending or receiving messages please send to the list owner [log in to unmask] Full help Desk - please email [log in to unmask] describing your needs To receive these emails in HTML format send the command: SET data-protection HTML to [log in to unmask] (all commands go to [log in to unmask] not the list please) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^