Guidance on Outsourcing

The UK Information Commissioner has issued some guidance on outsourcing. This is particularly important if companies intend to outsource their operations to countries outside the EEA because Art. 25 of the Data Protection Directive 95/46/EC (DPD) prohibits the transfer of personal data to third countries (outside the EEA) unless it satisfies the adequacy requirement under Art. 25 DPD. This is implemented under the 8th data protection principle of Schedule 1, Data Protection Act 1998. There are exemptions to Art. 25 under Art. 26 including obtaining consent from the data subject (customers/staff etc); transfer is necessary for the conclusion or performance of a contract and so forth. For more details, see:

• UK Information Commissioner: Outsourcing the processing of personal data - how to comply with the law (pdf)
• UK Information Commissioner: Good Practice Notes
• European Commission: Data Protection: Model Contracts for the transfer of personal data to third countries