The global nature of virtually all supply chains mean that manufactures will encounter the same challenges that all multinational organisations face in relation to ensuring that data can flow legally between jurisdictions and affiliates.

Data will inevitably need to be collected about the company’s employees, customers and suppliers. This data clearly has the potential to constitute personal data for the purposes of the EU Directive and also comparable legislation in other jurisdictions.

Broadly speaking the obligations under data protection legislation will affect:

  • how that data is gathered;
  • how it is stored, processed and what security measures are put in place to protect the individual;
  • how long data is stored before being deleted; and
  • where it is stored and processed, where it can be transmitted and what safeguards need to be in place.

Unfortunately, these detailed requirements can vary quite substantially between jurisdictions and deciding on a compliance strategy often requires a “risk based” approach to be taken having understood what full compliance would look like.


For any business, its customer and supplier contact lists have a huge value and the creation of a large central customer or supplier relationship management database can seem a sensible way to fully extract the value from this information.

Often data protection compliance is seen as a restriction on the ability to create such databases. However, the following three examples demonstrate that taking some small steps can not only assist with data protection compliance but can also, at the same time, improve the content of, and the ability to use, the database:

  • implement arrangements in place to archive/cleanse records after appropriate periods of time;
  • inform data subjects of their right to have their data corrected or removed from the database; and
  • manage the access points and put in place appropriate access control.


Under the EU Directive personal data is not permitted to be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of the data subjects in relation to the processing of personal data.

It is likely that multinational operators will want to transfer some forms of personal data of EEA based employees to third parties including outsourced service providers or to entities/subsidiaries outside of the EEA.

Ensuring that these transfers are legally compliant can broadly be achieved by adopting one of the following methods:

  • the transfer is to a country deemed to have adequate data protection laws in place;
  • the transfer is made to a US Safe Harbor Certified Entity;
  • the transfer is made under pre-approved EU standard contractual clauses;
  • the individual whose personal data is being transferred has consented to the transfer; or
  • the transfer is necessary to perform or conclude a contract with the individual, in some jurisdictions this can include employment contracts.

In addition, under the EU Directive it is likely to be necessary to ensure that each entity in the group has a direct contractual relationship with any entity processing data outside of the EEA (including other group entities of affiliates) to ensure that the personal data is processed securely.


Operators should not treat these obligations lightly. The penalties for breach can be significant with the UK Data Commissioner now able to levy fines of up to £500,000.