Evidence Data treatment often outsourced to third-world countries Data that is shared to third-parties is not easibly controllable Conclusion Personal-sensitive data should by treated internally if possible