I see from your free document you make a statement about transfer of personal data outside of the EEA. Should you not warrant that as the data controller you have confirmed the adequacy of the protection to whomsoever you transfer the data, as you are not allowed to send it outside the EEA (unless to a country considered having adequate) unless you as the data controller have confirmed the adequacy of the protection to wherever you may send it?
Alasdair Taylor's Answer
As to your first question, the international transfer statement in the privacy policy template is not on its own sufficient to meet the international (extra-EEA) data transfer requirements. One of the permissible ways of transferring data is with data subject consent, but the Information Commissioner’s guidance suggests that consent to international data transfers must be given freely and expressly. A sentence hidden away in a privacy policy just won’t generate a sufficiently free and express consent.
For a summary of the law, see my note from 2008 here:
https://seqlegal.com/blog/international-transfers-personal-data
For more detail, see:
Should a data controller warrant to data subjects that it has confirmed the adequacy of protection where data is transferred outside the EEA? I’m not sure there is any need, given data subjects’ rights under the legislation. As well as regulatory enforcement, a breach of the Data Protection Act can ground a private action for breach of statutory duty – see Section 13 of the Act.