for a number of years when working in the UK and it's a mind field to read. Here are a few key principles:
Data may only be used for the specific purposes for which it was collected.
Personal information may not be transmitted outside the EEA unless the individual whom it is about has consented or adequate protection is in place, for example by the use of a prescribed form of contract to govern the transmission of the data.
Data must not be disclosed to other parties without the consent of the individual whom it is about, unless there is legislation or other overriding legitimate reason to share the information (for example, the prevention or detection of crime). It is an offence for Other Parties to obtain this personal data without authorisation
So even though it should not go outside of the EEA and data must not be disclosed without a person consent, there would be I think, legislation brought forward to allow this.
for a number of years when working in the UK and it's a mind field to read. Here are a few key principles:
Data may only be used for the specific purposes for which it was collected.
Personal information may not be transmitted outside the EEA unless the individual whom it is about has consented or adequate protection is in place, for example by the use of a prescribed form of contract to govern the transmission of the data.
Data must not be disclosed to other parties without the consent of the individual whom it is about, unless there is legislation or other overriding legitimate reason to share the information (for example, the prevention or detection of crime). It is an offence for Other Parties to obtain this personal data without authorisation
So even though it should not go outside of the EEA and data must not be disclosed without a person consent, there would be I think, legislation brought forward to allow this.