I don't see why they would need to disclose the actual data to a prospective 
buyer.  I assume that the supplier is a Data Processor.  If the business is 
transferred you would need a new contract with the new supplier, at which 
point you would presumably transfer the data to them.  I don't see how they 
could sell the business as a going concern without at least giving you the 
option to exercise your responsibilities as a Data Controller - see Schedule 
1, Part II, s.11 & s.12, which say:

"11. Where processing of personal data is carried out by a data processor on 
behalf of a data controller, the data controller must in order to comply 
with the seventh principle-
(a) choose a data processor providing sufficient guarantees in respect of 
the technical and organisational security measures governing the processing 
to be carried out, and
(b) take reasonable steps to ensure compliance with those measures.

12. Where processing of personal data is carried out by a data processor on 
behalf of a data controller, the data controller is not to be regarded as 
complying with the seventh principle unless-
(a) the processing is carried out under a contract-
(i) which is made or evidenced in writing, and
(ii) under which the data processor is to act only on instructions from the 
data controller, and
(b) the contract requires the data processor to comply with obligations 
equivalent to those imposed on a data controller by the seventh principle."

The implication of s.11 is that you would have an obligation to satisfy 
yourself that anyone taking over the business was competent - and it would 
therefore be inappropriate for the personal data to be transferred to them 
without your say-so.

You don't have to tell people their data is being handled by a Data 
Processor (unless they are abroad) - because you (the Data Controller, not 
you personally) are wholly responsible for any breach of data protection 
they cause.

Paul Ticher
0116 273 8191
22 Stoughton Drive North, Leicester LE5 5UB

I hereby require any recipient of this message not to use my personal data
for direct marketing purposes.


----- Original Message ----- 
From: "Julie Gibbs" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Monday, January 22, 2007 11:12 AM
Subject: DP Clause in Contract Agreement


A bit of Monday morning advice please.

We are entering into an agreement with a supplier of personal security
devices for lone workers.  One of the Data Protection clauses in the
agreement states that ".... will carry out the processing (as defined by
the Act) of personal data transmitted by or on behalf of the client only
to the extent necessary for the provision of the services and will not
divulge the whole or any part of the personal data to any person
except:...If ...... sells or buys any business or assets, in which case it
may disclose personal data to the prospective seller or buyer of such
business or assets."

Should we allow this clause?  My own view is that it is ok provided the
data subjects are made aware of what might happen to their personal data
and that it will be used for the same purpose.

Thanks in advance.

Julie

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
     If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
All user commands can be found at 
http://www.jiscmail.ac.uk/help/commandref.htm
 Any queries about sending or receiving messages please send to the list 
owner
              [log in to unmask]
  Full help Desk - please email [log in to unmask] describing your 
needs
        To receive these emails in HTML format send the command:
         SET data-protection HTML to [log in to unmask]
   (all commands go to [log in to unmask] not the list please)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
     If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
 Any queries about sending or receiving messages please send to the list owner
              [log in to unmask]
  Full help Desk - please email [log in to unmask] describing your needs
        To receive these emails in HTML format send the command:
         SET data-protection HTML to [log in to unmask]
   (all commands go to [log in to unmask] not the list please)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^