• The person responsible for disclosure “should take appropriate measures to ensure that the data [that is shared] remains protected. by the beneficiary organization. This is much easier to do, we offer if the recipient is a regulated professional organization, more difficult in z.B. an M&A scenario if you are the seller. Other instructions for dealing with complaints from concerned subjects are 110 in the ICO code. You can respond to the consultation through the OIC online survey or download the document and contact datasharingcode@ico.org.uk by e-mail. “With regard to mergers and acquisitions, the Code clearly sets out the OIC`s expectations regarding compliance with the governance and accountability requirements of the GDPR. In particular, the code states that once completed, companies must verify the accuracy of the data, conduct an audit follow-up of the use of the data, including updating their records of processing activities, compliance with data retention policies and ensuring adequate security. The security guidelines come after the ICO recently criticized the Marriott hotel group for due diligence in acquiring Starwood`s business, after its investigation found that the personal data of millions of hotel guests had been compromised after a hack into a Starwood database.” she said. • Think about who will have access after release and submit restrictions to the original recipient. On the same day, the OIC also announced its intention to punish Marriott International with a fine of just over £99 million for violating the General Data Protection Regulation (GDPR), underscising the importance of due diligence in data exchange.

. . .