Clarification on Privacy Policy - Data outside EEA


#1

I’ve just been reading through the Privacy Policy, and just wanted a little clarification on the following:

5.2.1. in relation to a very small number of our suppliers, the data that we collect from you may be transferred to, and stored at, a destination outside the EEA as well as processed by staff operating outside the EEA who work for them. However, by submitting your personal data, you consent to this transfer, storing or processing.

What sort of data is being transferred to, and stored by, these suppliers?


#2

Good spot @dave. Normally in small print like this it would go on to say that suppliers would abide by the same rules and restrictions as if the data was processed by a supplier within the EEA itself. That caveat is conspicuous by its absence here :worried:


#3

Hi @JamesPratley

Interesting point. Has Dave picked up on a real issue here?

Can you seek some clarity on this please?


#4

It does go on to say:

We will ensure that suitable safeguards are in place before personal information is transferred outside the EEA and we will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy;

So it does mention suitable safeguards, but perhaps this needs expanding upon?


#5

Despite their Privacy Policy stating that they may transfer outside of the EEA…

Their ICO declaration states that all data will remain within the EEA…

Some clarification from Starling might be needed here.

"Transfers
It may sometimes be necessary to transfer personal information overseas. When this is needed information is only shared within the European Economic Area (EEA). Any transfers made will be in full compliance with all aspects of the Data Protection Act (DPA)."

https://ico.org.uk/ESDWebPages/Entry/ZA087619


#6

@JamesPratley are you able to shed the light on this?


#7

Just bumping this thread @JamesPratley


#8

Hi everyone.

Sorry for the delay, but I’ve chased an update for you! :slightly_smiling_face:

Here’s what our legal team have said…

"In the vast majority of cases, we process data within the EEA; however, this is not always possible. In the interests of security and confidentiality, we do not disclose the specific types of data that we transfer outside the EEA, the specific recipients of transfers or the locations of recipients. However, we can confirm that we comply with UK law, including the Data Protection Act 1998, and ensure that third parties to whom we transfer personal data demonstrate that they have appropriate safeguards in place for the protection of the privacy of this personal data.

We are in the process of amending the details of our registration with the Information Commissioner’s Office to ensure that these continue to reflect the practices of our growing business, and this may include revising information regarding the transfer of personal data outside the EEA.

For more information about the Data Protection Act 1998, you can visit https://ico.org.uk/. If you have questions relating to us, including any of our policies or terms and conditions, you may contact us at help@starlingbank.com."

Thought it was best to repeat what they said, rather than edit it for the community. Hope it answers the questions you’ve had! :slight_smile:


#9

I imagine this has something to do with Starling’s use of AWS* and there being a chance of instances spinning up on clusters that are not in the EU.

Could be wrong obviously!

*Source(s): Starling Podcast, AWS Blog