andrewducker wrote 2010-04-22 11:07 am

Voting


Help andrewducker and get your own badge!
(The Livejournal Electioniser was made by robhu)


drdoug.livejournal.com 2010-04-23 09:04 am (UTC)
Well, the 8th data protection principle (http://www.ico.gov.uk/for_organisations/data_protection_guide/list_of_the_data_protection_principles.aspx) explicitly says:
"Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data."

There's a list of countries that are officially adequate, and the USA is OK if the company you're using/part of has signed up to Safe Harbor.

You (as the UK data controller) can send data elsewhere, but you have to make sure that it's adequately protected - plenty of guff on how you can legally do this on that last link. Basically, it's hassle, and you can avoid a lot of extra paperwork and effort if you keep it within the EU (strictly, the EEA, which includes a few extra countries).

This is all assuming that you are essentially a UK operation (person, organisation, company), which is the framework I know.

There's two common exceptions I can think of off the top of my head. (Ignoring the easy one of stripping out the personally-identifying bits.)

If you're a large multinational with one small leg in the UK then you're probably much better off biting that bullet and getting the Information Commissioner to formally agree that your internal procedures for data handling meet UK DPA standards, because you'd save significant resource by operating a single data handling regime internally for all your operating arms (which would need to be strictest-common-denominator), rather than N systems for the N different legislative regimes you work in. And AIUI for smaller companies that operate in both the UK and the US, it's way easier to do it that way round (host/process data in and under American regulations, get UK approval for your arrangements) than to try to convince the American authorities that the British DPA fits the American requirements.

The other common situation is the don't know/don't care one. So e.g. if you were a small web company and weren't up to speed on the UK regulatory situation, you might just do what you thought was right; if you came to the attention of the UK Info Commissioner you'd probably be told to shape up and it'd end there so long as you did so in polynomial time. Or if you were a bold company (in the Yes Minister sense of bold) you might try it on by deliberately having all your web services based out of the US and arguing that you weren't processing personal data in the UK, but if it came to the attention of the Information Commissioner that you'd done so deliberately to evade the legislation I wouldn't fancy your chances.

robhu.livejournal.com 2010-04-23 09:08 am (UTC)
I haven't sent the data anywhere, the data was entered by the users onto a server in another country.

When the user enters their data it is not me (legally) who is entering it in a country outside of the UK, it's them.

drdoug.livejournal.com 2010-04-23 09:46 am (UTC)
That's not my understanding of how the legislation works - obviously I don't know the details of how you're operating here (and don't want or need to), but under the DPA the data controller is 'a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.' Which would surely cover the developer of a website with access to the db.

So - again, on my understanding, and I'm not a lawyer and this is not legal advice - if I (a UK citizen) were to set up a website collecting personal data from other UK citizens, I'd be regarded as the data controller for DPA purposes regardless of where the site was hosted.

One last quick point (which was also my first): 'political opinions' is explicitly one of the sorts of data that count as 'sensitive personal data' under the DPA which require extra care.

I'm not trying to argue that you are or aren't covered (obviously, I suspect you probably are) - that has to be for you to decide. I just don't want someone who's spent some genuine effort building an interesting tool for others to enjoy to get into trouble because they didn't know about the legal situation.

Best of luck, anyway - it's a fun service, and people are obviously enjoying it.