There are two key things to consider: first, the rules that apply when a bureau is used to process personal data on your behalf; and second, the rules that apply when personal data is transferred outside Europe.
Using a bureau to process information about individuals is regulated in the UK by the Data Protection Act 1998. Under the Act, someone who uses a bureau is a 'data controller' and the bureau that processes personal data on their behalf is a 'data processor'.
Regardless of location, your processor must be chosen on the basis of its security provision. If the processor is outside Europe, transfers of personal data are not allowed unless the destination country provides adequate protection. Certain preconditions must be met. These include cases where the transfer is:
- to a country outside the European Economic Area identified by the European Commission as providing 'adequate protection';
- to a US company certified under 'safe harbour principles' administered by the US Department of Commerce;
- done with the consent of the customers whose data is transferred; and
- with a contract using the European Commission's 'model terms' between the business and the overseas processor.
Additional rules apply to transfers of sensitive personal data (such as race, political opinions or religious beliefs) and more stringent security measures may also be needed to protect transfers of this data.