Sharing an individual’s personal information with a third party is lawful only where you meet strict requirements under UK data protection law, including having a valid legal basis and appropriate safeguards in place. For your business, getting this wrong creates immediate regulatory and financial risk, as improper data sharing can lead to significant fines, contractual breaches and reputational damage. You must assess why you are sharing the data, who you are sharing it with and how it will be protected throughout its lifecycle. This article explains when you can share personal information with third parties, the legal requirements under the UK GDPR and how to manage the risks.
What Is the UK GDPR?
The UK GDPR is a data protection law that governs the processing of personal data within the United Kingdom, complemented by the Data Protection Act 2018. It aims to safeguard individuals’ privacy rights and requires organisations to handle personal data lawfully, fairly, and transparently.
What Are Some Common Data Sharing Scenarios?
Many businesses value information sharing. However, you must do it responsibly to prevent misuse, unauthorised access, or potential harm to individuals’ data.
Here are some common scenarios where you might share personal data with third parties:
- IT Support: If your business experiences technical issues that affect employee IT systems, you might need to share staff data, such as their names and email addresses, with an external IT team to resolve the problems;
- Cloud Services: Many businesses store and manage customer data using cloud services. For example, you might share customer information with a cloud service provider to host your e-commerce platform; and
- Subcontracting: When working with subcontractors on tasks like marketing campaigns or customer support, you may need to share personal data so they can perform their role. For example, a marketing agency may need access to your customer email lists for targeted campaigns.
In these scenarios, third-party businesses typically act as data processors, handling specific personal data on your company’s behalf.
What Are My Responsibilities as a Data Controller When Sharing Data with a Processor?
When sharing personal data with a third-party processor, there are several responsibilities you must comply with under the UK GDPR rules:
How Do I Conduct Due Diligence?
You should conduct thorough due diligence before engaging with a third-party processor to ensure they can securely handle personal data and comply with the UK GDPR.
This includes assessing their security measures, reviewing their data protection policies, and checking their history for data breaches.
You should ensure they follow good data protection practices and have the technical skills to meet UK GDPR obligations.
Your business is responsible for ensuring your processor provides sufficient guarantees of their ability to protect data subjects’ data. You should also ensure that the processor complies with the data protection principles outlined in the UK GDPR.
Why Is a Data Processing Agreement Necessary?
After selecting a suitable processor, you must formalise your relationship with a Data Processing Agreement (DPA).
This legal contract should set out the processor’s responsibilities, including following your instructions when processing the personal data you share.
The DPA should cover matters including the purposes and scope of data processing, security measures, procedures for reporting data breaches, data retention and deletion rules, and rules involving any sub-processors.
A well-drafted agreement will help you and your processor understand your data protection responsibilities and comply with the UK GDPR. This is also a strict legal requirement under Article 28 of the UK GDPR and, therefore, a critical document.
How Do I Monitor Compliance?
Your duties do not end with selecting a processor and entering a contract. Your business should continue to monitor your processor’s activities to ensure ongoing compliance with the UK GDPR.
Additionally, you must keep records of processing activities (including your data sharing) as required by Article 30 of the UK GDPR unless exceptions apply.
Why Is Informing Individuals Important?
Transparency is a vital principle of the UK GDPR. Your privacy notice or policy must inform individuals about data sharing with third-party processors.
You should tell individuals why you share their data, who the processor is, how they will use personal data and why. You can set this out clearly in your privacy policy document.
These are just some of the critical requirements, but the UK GDPR includes a wide range of obligations for businesses. If you need help understanding your full responsibilities when sharing personal data, seek legal advice from a data protection lawyer.
You should also note that not all third parties you share personal data with may be processors. Some may also be data controllers, depending on their level of control over the data you share.
A data controller determines the purposes and means of processing personal data, whereas a processor acts on behalf of the controller. This distinction may require different compliance measures, so you should seek legal advice if you need clarification on the role of the third party you share personal data with and which obligations arise.
Key Takeaways
When sharing personal data with third-party processors, a range of UK GDPR compliance obligations will arise. For instance, your business should conduct a thorough due diligence assessment, enter a comprehensive Data Processing Agreement, and regularly monitor and audit processors to maintain compliance and accountability. You should also inform individuals about data-sharing practices through transparent privacy notices or policies.
If you need advice on UK GDPR compliance and data sharing scenarios, LegalVision provides ongoing legal support for businesses through our fixed-fee legal membership. Our experienced data, privacy and IT lawyers help businesses manage contracts, employment law, disputes, intellectual property, and more, with unlimited access to specialist lawyers for a fixed monthly fee. To learn more about LegalVision’s legal membership, call 0808 196 8584 or visit our membership page.
Frequently Asked Questions
Yes, sharing personal data with third-party processors is permitted under the UK GDPR.
However, you must follow various vital steps, including carrying out due diligence and entering a robust Data Processing Agreement with the processor that sets out their responsibilities and your instructions for handling the data.
Non-compliance with the UK GDPR can result in severe penalties, including fines of up to £17.5 million or 4% of global annual turnover, whichever is higher.
Beyond financial penalties, organisations may suffer reputational damage, legal action, and loss of customer trust.
Yes, you must enter into a Data Processing Agreement if the third party acts as a processor. This contract sets out how they handle and protect the data.
Yes, you must inform individuals about how and why you share their data. This is typically done through a clear and transparent privacy notice or policy.