Most customer or contact lists will contain information about individuals within organisations, even if this is limited to job titles. As such, the information constitutes "personal data" for the purposes of the Data Protection Act 1998 ("DPA"). Under the DPA, you have a number of obligations in respect of personal data. For example, the data must be kept secure and you should not use the data for purposes other than those for which it was collected.
If you are considering allowing your business partner to access customer lists, you need to tell everyone on the list that you will be allowing access to their details in this way. You should also give individuals the opportunity to refuse their consent to their details being passed on to your partner.
There are even more stringent requirements under the DPA if your business partner will be accessing the information from outside the European Union. The DPA requires that personal data is not sent to any country outside the European Union unless that data will be protected in a way that is equivalent to the protections under the DPA. There are very few countries which are considered to offer adequate protection.
If you intend to transfer personal data outside the European Union, ideally you should seek the express consent of every person whose details you hold to such transfer. Obviously, this could be a major task.
An alternative is to enter into an agreement with the overseas partner which obliges it to treat the personal data as if the partner were subject to the requirements of the DPA. Although, in theory, this method is much simpler than requiring the consent of each individual, in order to meet the requirements of the DPA such an agreement needs to be quite onerous and many overseas businesses may be reluctant to sign it.