Ms Nicola Coogan:

If it is the same entity, it will depend on the legal personality. It may be a branch of an Irish entity operating in the North but it may not be a legal entity in its own right. That is slightly different from a case involving two or three companies within the same group. In a branch scenario, it might not necessarily constitute a data transfer if data was being processed in the branch in question. Anyway, we would still need to have clear and comprehensive processes for what can happen with the data, restriction of access, ensuring there is a basis for this and that only necessary processing takes place. There may be two entities within the same group. Some of the banks have entities in the North or the UK for example. This may mean there would be a transfer. The adequacy decision will cover this if it is in place. If there is no adequacy decision then the banks or a large entity might have binding corporate rules to allow the data to be transferred within the group. Standard contractual clauses would probably be the first port of call.

On the other point about surveillance and things like that, the UK is slightly different in that it is still under the jurisdiction of and submission to the European Court of Human Rights, which means there are certain processes that would be adhered to as regards oversight of surveillance and so on. That is a positive in the adequacy decision on the UK as well, which will help assuage any worries in that regard.