by aries1980 3910 days ago
I'm not sure they still comply with the UK Data Protection Act. According to the Information Commissioner Office https://ico.org.uk/for-organisations/guide-to-data-protectio... :

> A company in the UK uses a centralised human resources system in the United States belonging to its parent company to store information about its employees.

or

> A travel agent sends a customer’s details to a hotel in Australia where they will be staying while on holiday.

> If you intend information on the website to be accessed outside the EEA, then this is a transfer.

This means if your data can be accessed outside the EEA, e.g. you access your on-premise CRM on your African holiday, you are likely to void Principle 8.

1 comments

The ICO is a member of the Article 29 Working Party (the WP is made up of a representative from each of the 28 EU Member States + the European Commission and EU bodies dealing with data protection, as detailed in Article 29 of the Data Protection Directive).

The WP is designed to make sure that Member States' Data Protection Authorities apply the DPD in a roughly uniform manner.

Of course, if the ICO deviates from the DPD then any party is able to appeal to the First-Tier Tribunal, the Upper Tribunal and the Court of Appeal who may then refer any questions of EU law to the ECJ in a similar way to Schrems' case.