fradolo, I think you need to re-read that page you linked to, specifically the bit around points 8, 9, and 10.
I see your point..
Please note that mine was a straight answer to the previous post, which speculated that Data Protection Act didn't include anything about processing data outside of EU..
Obviously it is not, there are some requirements and laws to be compliant with.
As well, it is possible to store, process, transfer data outside of EU if appropriate security measures are in place.. these need to be regularly verified, controlled and reviewed.. Data processor and data controller will be defined, each one with its own responsibilities..
I won't bother you with further details..
But I would like to make an example... Sorry if it is a bit of a technicality..
A company put in place a call centre outside of EU and ensures that security measures are in place to be compliant with the standard legislation.
They decide to randomly record phone calls for improving quality of their service.
Therefore, when a user calls, he receives information about information privacy, how the call may be recorded for service quality and for training purposes.
During the call the call centre supervisor states that all calls are recorded for providing evidence, recording complaints and track down information.
This is different from the information privacy message at the beginning of the call. They record all calls for different purposes..
This, for example, is against the 1st principle of Data Protection Act:
1.Data can only be used for the explicit purpose for which it was gathered.
Probably against the 2nd as well:
4.Personal data cannot be kept for longer than is necessary and must be kept up to date.
"call recording undertaken and retained by a contact centre – be it for training purposes or for subsequent data entry – could be construed as data that is being ‘processed’. It is therefore advisable for contact centres to protect call recordings in the same way they would protect any digital or written data where the customer can be identified by that information and so are susceptible to a data breach"
Therefore, this could extend the requirements for point #8 - they might have not security measures in place for protecting sensitive and personal stored infomation...
(I can assure you that there is a very long list when requirements are related to storing sensitive and personal information..)
Sorry for my long winded message... This is all related to my job..