I see from your free document you make a statment about transfer of personal data outside of the EEA. Should you not warrant that as the data controller you have confirmed the adequacy of the protection to whomsoever you transfer the data, as you are not allowed to send it outside the EEA (unless to a country considered having adequate) unless you as the data controller have confirmed the adequacy of the protection to wherever you may send it?
For a summary of the law, see my note from 2008 here:
For more detail, see:
Should a data controller warrant to data subjects that it has confirmed the adequacy of protection where data is transferred outside the EEA? I'm not sure there is any need, given data subjects' rights under the legislation. As well as regulatory enforcement, a breach of the Data Protection Act can ground a private action for breach of statutory duty - see Section 13 of the Act.