Is the international transfer statement adequate?

I see from your free document you make a statement about transfer of personal data outside of the EEA. Should you not warrant that as the data controller you have confirmed the adequacy of the protection to whomsoever you transfer the data, as you are not allowed to send it outside the EEA (unless to a country considered having adequate) unless you as the data controller have confirmed the adequacy of the protection to wherever you may send it?


Alasdair Taylor's Answer

As to your first question, the international transfer statement in the privacy policy template is not on its own sufficient to meet the international (extra-EEA) data transfer requirements.  One of the permissible ways of transferring data is with data subject consent, but the Information Commissioner’s guidance suggests that consent to international data transfers must be given freely and expressly.  A sentence hidden away in a privacy policy just won’t generate a sufficiently free and express consent.

For a summary of the law, see my note from 2008 here:

For more detail, see:

Should a data controller warrant to data subjects that it has confirmed the adequacy of protection where data is transferred outside the EEA?  I’m not sure there is any need, given data subjects’ rights under the legislation.  As well as regulatory enforcement, a breach of the Data Protection Act can ground a private action for breach of statutory duty – see Section 13 of the Act.



Using this legal Q&A, users can get guidance on business-related legal questions from our legal experts.

The guidance is not legal advice; no lawyer-client or similar relationship is created by the Q&A.

By using the Q&A, you agree to the limitations and exclusions of liability set out in our terms and conditions.

SEQ Legal
Copyright © 2021 Docular Limited | All rights reserved