1 Personal Data Act (1998:204); issued 29 April Be it enacted as follows. General provisions Purpose of this Act Section 1 The purpose of this Act is to protect people against the violation of their personal integrity by processing of personal data. Deviating provisions in another enactment Section 2 If another statute or other enactment contains provisions that deviate from this Act, those provisions shall apply. Definitions Section 3 In this Act the following terms are used with the meaning stated below. Term Processing (of personal data) Blocking (of personal data) Recipient Personal data Meaning Any operation or set of operations which is taken as regards personal data, whether or not it occurs by automatic means, for example collection, recording, organisation, storage, adaptation or alteration, retrieval, gathering, use, disclosure by transmission, dissemination or otherwise making information available, alignment or combination, blocking, erasure or destruction. An operation that is taken in order that personal data shall be linked with information that they are restricted and about the reasons for the restriction and in order that personal data should not be provided to a third party except under the provisions of Chapter 2 of the Freedom of the Press Act. A person to whom personal data is provided. However, when personal data is provided in order that an authority should be able to perform such supervision, control or audit that it is under a duty to attend to, the authority shall not be regarded as a recipient. All kinds of information that directly or indirectly may be referable to a natural person who is alive.
2 2 Controller of personal data Personal data assistant Personal data representative The registered person Consent Supervisory authority Third country Third party A person who alone or together with others decides the purpose and means of processing personal data. A person who processes personal data on behalf of the controller of personal data. A natural person, appointed by the controller of personal data, who shall independently assure that the personal data is processed in a correct and lawful manner. A person to whom the personal data relates. Every kind of voluntary, specific and unambiguous expression of will by which the registered person, after having received information, accepts processing of personal data concerning him or her. The authority appointed by the Government to perform supervision. A state that is not included in the European Union or part of the European Economic Area. A person other than the registered person, the controller of personal data, the personal data representative, the personal data assistant and such persons who under the direct responsibility of the controller of personal data or the personal data assistant is authorised to process personal data. Scope The territorial scope Section 4 This Act applies to those controllers of personal data who are established in Sweden. The Act is also applicable when the controller of personal data is established in a third country but for the processing of the personal data uses equipment that is situated in Sweden. However, this does not apply if the equipment is only used to transfer information between a third country and another such country. In the case referred to in the second paragraph, first sentence, the controller of personal data shall appoint a representative for himself who is established in Sweden. The provisions of this Act concerning the controller of personal data shall also apply to the representative.
3 3 Processing of personal data subject to the Act Section 5 This Act applies to such processing of personal data as is wholly or partly automated. The Act also applies to other processing of personal data, if the data is included in or is intended to form part of a structured collection of personal data that is available for searching or compilation according to specific criteria. Exemption of private processing of personal data Section 6 This Act does not apply to such processing of personal data that a natural person performs in the course of activities of a purely private nature. Relationship to freedom of the press and freedom of expression Section 7 The provisions of this Act are not applied to the extent that they would contravene the provisions concerning the freedom of the press and freedom of expression contained in the Freedom of the Press Act or the Fundamental Law on Freedom of Expression. The provisions of Sections 9 29 and and also Section 45, first paragraph, and Sections shall not be applied to such processing of personal data as occurs exclusively for journalistic purposes or artistic or literary expression. Relationship to the principle of public access to official documents Section 8 The provisions of this Act are not applied to the extent that they would limit an authority s obligation under Chapter 2 of the Freedom of the Press Act to provide personal data. Nor do the provisions prevent an authority from archiving or saving official documents or that archive material is taken care of by an archive authority. The provisions of Section 9, fourth paragraph, do not apply to the use by an authority of personal data in official documents. Fundamental requirements for processing of personal data Section 9 The controller of personal data shall ensure that a) personal data is processed only if it is lawful, b) personal data is always processed in a correct manner and in accordance with good practice, c) personal data is only collected for specific, explicitly stated and justified purposes, d) personal data is not processed for any purpose that is incompatible with that for which the information is collected,
4 4 e) the personal data that is processed is adequate and relevant in relation to the purposes of the processing, f) no more personal data is processed than is necessary having regard to the purposes of the processing, g) the personal data that is processed is correct and, if it is necessary, up to date, h) all reasonable measures are taken to correct, block or erase such personal data as is incorrect or incomplete having regard to the purposes of the processing, and i) personal data is not kept for a longer period than that as is necessary having regard to the purpose of the processing. However, as regards the first paragraph, d), the processing of personal data for historical, statistic or scientific purposes shall not be regarded as incompatible with the purposes for which the information was collected. Personal data may be kept for historical, statistic or scientific purposes for a longer time than that stated in the first paragraph i). However, personal data may not in such cases be kept for a longer period than is necessary for these purposes. Personal data that is processed for historical, statistical or scientific purposes may be used in order to take measures as regards the person registered only if the person registered has given his/her consent or there is extraordinary reason having regard to the vital interests of the registered person. When processing of personal data is permitted Section 10 Personal data may be processed only if the registered person has given his/her consent to the processing or if the processing is necessary in order a) to enable the performance of a contract with the registered person or to enable measures that the registered person has requested to be taken before a contract is entered into, b) that the controller of personal data should be able to comply with a legal obligation, c) that the vital interests of the registered person should be protected, d) that a work task of public interest should be performed, e) that the controller of personal data or a third party to whom the personal data is provided should be able to perform a work task in conjunction with the exercise of official authority, or f) that a purpose that concerns a legitimate interest of the controller of personal data or of such a third party to whom personal data is provided should be able to be satisfied, if this interest is of greater weight than the interest of the registered person in protection against violation of personal integrity.
5 5 Direct marketing Section 11 Personal data may not be processed for purposes concerning direct marketing, if the registered person gives notice in writing to the controller of personal data that he/she opposes such processing. Revocation of consent Section 12 In those cases where processing of personal data is only permitted when the registered person has provided his/her consent under Section 10, 15 or 34, the registered person is entitled to revoke at any time consent that has been given. Further personal data about the registered person may not subsequently be processed. A registered person is not entitled, beyond that provided by the first paragraph and Section 11, to oppose such processing of personal data as is permitted under this Act. Prohibition against processing of sensitive personal data Section 13 It is prohibited to process personal data that reveals a) race or ethnic origin, b) political opinions, c) religious or philosophical beliefs, or d) membership of a trade union. It is also prohibited to process such personal data as concerns health or sex life. Information of the kind referred to in the first and second paragraphs is designated as sensitive personal data in this Act. Exemptions from the prohibition of processing sensitive personal data Section 14 Despite the prohibition of Section 13 it is permitted to process sensitive personal data in those cases stated in Sections In Section 10 there are provisions concerning the cases in which processing of personal data is not permitted in any case whatsoever. Consent or publicising Section 15 Sensitive personal data may be processed if the registered person has given his/her explicit consent to processing or in a clear manner publicised the information.
6 6 Necessary processing Section 16 Sensitive personal data may be processed if the processing is necessary in order that a) the controller of personal data should be able to comply with his/her duties or exercise his/her rights within employment law, b) the vital interests of the registered person or some other person should be able to be protected and the registered person cannot provide his/her consent, or c) legal claims should be able to be established, exercised or defended. Information that is processed on the basis of the first paragraph a) may be disclosed to a third party only if there is within employment law an obligation for the controller of personal data to do so or the registered person has explicitly consented to the provision. Non-profit organisations Section 17 Non-profit organisations with political, philosophical, religious or trade union objects may within the framework of their operations process sensitive personal data concerning the members of the organisation and such other persons who by reason of the objects of the organisation have regular contact with it. However, sensitive personal data may be provided to a third party only if the registered person explicitly consents to it. Health and hospital care Section 18 Sensitive personal data may be processed for health and hospital care purposes, provided the processing is necessary for a) preventive medicine and health care, b) medical diagnosis, c) health care or treatment, or d) management of health and hospital care services. A person who is professionally operational within the health care sector and is subject to a duty of confidentiality may also process sensitive personal data that is subject to the duty of confidentiality. This also applies to the person who is subject to a similar duty of confidentiality and who has received sensitive personal data from the operation within the health care sector. Research and statistics Section 19 Sensitive personal data may be processed for research and statistics purposes, provided the processing is necessary in the manner stated in Section 10 and provided the interest of society in the research or statistics project within which the processing is included is manifestly
7 7 greater than the risk of improper violation of the personal integrity of the individual that the processing may involve. If the processing has been approved by a research ethics committee, the prerequisites under the first paragraph shall be deemed satisfied. Research ethics committee means such special body for consideration of research ethics issues that has representatives for both the public and the research and that is linked to a university or a university college or to some other instance that to a very substantial extent funds research. Personal data may be provided to be used in such projects referred to in the first paragraph, unless otherwise provided by the rules on secrecy and confidentiality. Authorisation to prescribe further exemptions Section 20 The Government or the authority appointed by the Government may issue regulations on further exemptions from the prohibition in Section 13 if it is necessary having regard to an important public interest. Information concerning legal offences, etc. Section 21 It is prohibited for other parties than public authorities to process personal data concerning legal offences involving crime, judgments in criminal cases, coercive penal procedural measures or administrative deprivation of liberty. The Government or the authority appointed by the Government may issue regulations on exemptions from the prohibition in the first paragraph. The Government may in an individual case decide on an exemption from the prohibition in the first paragraph. The Government may delegate power to the supervisory authority to make such decisions. Processing of personal identity numbers Section 22 Information about personal identity numbers or classification numbers may, in the absence of consent, only be dealt with when it is clearly justified having regard to a) the purpose of the processing, b) the importance of a secure identification, or c) some other noteworthy reason.
8 8 Information to the registered person Information should be provided voluntarily Section 23 If data about a person is collected from the person him/herself, the controller of personal data shall in conjunction therewith voluntarily provide the registered person with information about the processing of the data. Section 24 If personal data has been collected from another source than the registered person, the controller of personal data shall voluntarily provide the registered person with information about the processing of the data when it is registered. However, if the data is intended to be disclosed to a third party, the information need not be given before the data has been disclosed for the first time. Information under the first paragraph need not be provided if there are provisions concerning the registration or disclosure of personal data in an act or some other enactment. Nor need information be provided in accordance with the first paragraph, if it proves to be impossible or would involve a disproportionate effort. However, if the data is used to take measures concerning the registered person, the information shall be provided at the latest in conjunction with that happening. The information that must be provided voluntarily Section 25 Information under Section 23 or 24 shall comprise a) information concerning the identity of the controller of personal data, b) information concerning the purpose of the processing, and c) all other information necessary in order for the registered person to be able to exercise his/her rights in connection with the processing, such as information about the recipients of the information, the obligation to provide information and the right to apply for information and obtain rectification. However, information need not be provided regarding such matters as the registered person already knows of. Information shall be provided upon application Section 26 The controller of personal data is liable to provide, to every natural person who requests it, free of charge notification once per annum of whether personal data concerning the applicant is processed or not. If such data is processed, written information shall also be provided about a) which information about the applicant that is processed, b) where this information has been collected,
9 9 c) the purpose of the processing, and d) to which recipients or categories of recipients the information is disclosed. An application under the first paragraph shall be made in writing to the controller of personal data and be signed by the applicant him/herself. Information under the first paragraph shall be provided within one month from when the application was made. However, if there are special reasons for so doing, the information may be provided not later than four months after when the application was made. Information under the first paragraph does not need to be provided about personal data in running text that has not been given its final wording when the application was made or which comprises an aide memoire or the like. However, that stated here does not apply if the data has only been disclosed to a third party or if the data was only processed for historical, statistical or scientific purposes or, as regards running text that has not been given its final wording, if the data has been processed for a longer period than one year. Exemptions from the obligation to provide information in the case of secrecy and duty of confidentiality Section 27 To the extent that it is specifically prescribed by a statute or other enactment or by a decision that has been issued under an enactment that information may not be provided to the registered person, the provisions of Sections do not apply. A controller of personal data who is not an authority may in that connection in a corresponding case as referred to in the Secrecy Act (1980:100) refuse to provide information to the registered person. Rectification Section 28 The controller of personal data is liable at the request of the registered person to immediately rectify, block or erase such personal data that has not been processed in accordance with this Act or regulations that have been made under the Act. The controller of personal data shall also notify a third party to whom the data has been disclosed about the measure, if the registered person requests it or if more substantial damage or inconvenience for the registered person could be avoided by a notification. However, no such notification need be provided if it is shown to be impossible or would involve a disproportionate effort. Automated decisions Section 29 If a decision that has legal effects for a natural person or otherwise has manifest effects for the natural person, is based solely on automated processing of such personal data as is intended to assess the qualities of the person, the person who is affected by the decision shall have an opportunity to have the decision reconsidered by a person upon request. Anybody who has been the subject of such a decision as is referred to in the first paragraph is entitled to on application obtain information from the controller of personal data about what has controlled the automated processing that resulted in the decision. As regards applications and provision of information, the applicable parts of the rules under Section 26 apply.
10 10 Security in processing Persons who process personal data Section 30 A personal data assistant and a person or those persons who work under the assistant s or the controller of personal data s direction may only process personal data in accordance with instructions from the controller of personal data. There shall be a written contract on the processing by the personal data assistant of personal data on behalf of the controller of personal data. It shall be specifically stipulated in the contract that the personal data assistant may only process personal data in accordance with instructions from the controller of personal data and that the personal data assistant is liable to take those measures referred to in Section 31, first paragraph. If there are special provisions in a statute or other enactment concerning processing of personal data in public operations as regards matters referred to in the first paragraph, these shall apply instead of that stated in the first paragraph. Security measures Section 31 The controller of personal data shall implement appropriate technical and organisational measures to protect the personal data that is processed. The measures shall provide a level of security that is appropriate having regard to a) the technical possibilities available, b) what it would cost to implement the measures, c) the special risks that exist with processing of personal data, and d) how sensitive the personal data processed really is. If the controller of personal data engages a personal data assistant, the controller of personal data shall ensure for him/herself that the personal data assistant can implement the security measures that must be taken and ensure that the personal data assistant actually takes the measures. The supervisory authority may decide on security measures Section 32 The supervisory authority may in an individual case decide on which security measures the controller of personal data shall implement in accordance with Section 31. Section 45 contains rules about the powers of the supervisory authority to make the decision subject to a default fine.
11 11 Transfer of personal data to a third country Prohibition of transfer of personal data to a third country Section 33 It is prohibited to transfer to a third country personal data that is undergoing processing unless the third country has an adequate level of protection for personal data. The provision also applies to transfer of personal data for processing in a third country. The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding the transfer. Particular consideration shall be given to the nature of the data, the purpose of the processing, the duration of the processing, the country of origin, the country of final destination and the rules that exist for the processing in the third country. Exemptions from the prohibition of transfer of personal data to a third country Section 34 Notwithstanding the prohibition in Section 33, it is permitted to transfer personal data to a third country if the registered person has given his/her consent to the transfer or if the transfer is necessary for a) the performance of a contract between the registered person and the controller of personal data or the implementation of precontractual measures taken in response to the request of the registered, b) the conclusion or performance of a contract between the controller of personal data and a third party which is in the interest of the registered person, c) the establishment, exercise or defence of legal claims, or d) the protection of vital interests of the registered person. It is also permitted to transfer personal data for use only in a state that has acceded to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. Section 35 The Government may issue regulations about exemptions from the prohibition in Section 33 of the transfer of personal data to certain states. The Government may also as regards automated processing of personal data issue regulations about transfer of personal data to a third country being permitted, provided the transfer is regulated by a contract that provides adequate safeguards to protect the rights of the registered person. Furthermore, the Government or the authority appointed by the Government issue regulations about exemptions from the prohibition in Section 33, if this is necessary having regard to an important public interest or if there are adequate safeguards to protect the rights of the registered person. The Government may, subject to the preconditions mentioned in the second paragraph, decide in individual cases on an exemption from the prohibition in Section 33. The Government may delegate power to the supervisory authority to make such decisions.
12 12 Notification to the supervisory authority Notification duty Section 36 Processing of personal data that is completely or partially automated is subject to a notification duty. The controller of personal data shall provide a written notification to the supervisory authority before such processing or a set of such processing with the same or similar purpose is conducted. If the controller of personal data appoints a personal data representative, this shall be notified to the supervisory authority. Removal from office of a personal data representative shall also be notified to the supervisory authority. The Government or the authority appointed by the Government may issue regulations concerning exemptions to the notification duty under the first paragraph for such kinds of processing as would probably not result in an improper intrusion of personal integrity. Notification need not be made if there is a personal data representative Section 37 Notification under Section 36, first paragraph, need not be made if the controller of personal data has given notice to the supervisory authority that a personal data representative has been appointed and who he/she is. The functions of personal data representatives Section 38 The personal data representative shall have the function of independently ensuring that the controller of personal data processes personal data in a lawful and correct manner and in accordance with good practice and also points out any inadequacies to him or her. If the personal data representative has reason to suspect that the controller of personal data contravenes the provisions applicable for processing personal data and if rectification is not implemented as soon as is practicable after being pointing out, the personal data representative shall notify this situation to the supervisory authority. The personal data representative shall also otherwise consult with the supervisory authority in the event of doubt about how the rules applicable to processing of personal data shall be applied. Section 39 The personal data representative shall maintain a register of the processing that the controller of personal data implements and which would have been subject to the duty of notification if the representative had not existed. The register shall comprise at least the information that a notification under Section 36 would have contained. Section 40 The personal data representative shall assist registered persons to obtain rectification when there is reason to suspect that the personal data processed is incorrect or incomplete.
13 13 Mandatory notification of processing that is particularly sensitive as regards integrity Section 41 The Government may issue regulations providing that such processing of personal data as involves particular risks for improper intrusion of personal integrity shall be notified for preliminary examination, three weeks in advance, to the supervisory authority in accordance with Section 36. If the Government has issued such regulations, the exemption from the obligation to give notification under Section 37 does not apply. Information to the public about processing that has not been notified Section 42 The controller of personal data shall, to everybody who requests it, expeditiously and in an appropriate manner provide information about such automated or other processing of personal data that have not been notified to the supervisory authority. The information shall comprise that which a notification under Section 36, first paragraph, would have comprised. However, the controller of personal data is not responsible to provide information subject to secrecy or information about which security measures have been taken. In that connection, a controller of personal data who is not an authority may, in a case corresponding to those referred to in the Secrecy Act (1980:100), refuse to provide information. The powers of the supervisory authority Section 43 The supervisory authority is entitled for its supervision to obtain on request a) access to the personal data that is processed, b) information about and documentation of the processing of personal data and security of this processing, and c) access to those premises linked to the processing of personal data. Section 44 If the supervisory authority cannot, pursuant to a request under Section 43, obtain sufficient information in order to conclude that the processing of personal data is lawful, the authority may prohibit, subject to a default fine, the controller of personal data to process personal data in any other manner than by storing them. Section 45 If the supervisory authority concludes that personal data is processed or may be processed in an unlawful manner, the authority shall by a reminder or similar procedure endeavour to attain rectification. If it is not possible to obtain rectification in any other manner or if the matter is urgent, the authority may prohibit, subject to a default fine, the controller of personal data to continue processing the personal data in any other manner than by storing them. If the controller of personal data does not voluntary comply with the decision concerning security measures under Section 32 that has entered into final legal force, the supervisory authority may prescribe a default fine.
14 Section 46 Before the supervisory authority decides a default fine in accordance with Section 44 or 45, the controller of personal data shall have been given an opportunity to express him/herself. However, if the matter is urgent the authority, pending the expression of views, may issue a temporary decision on a default fine. The temporary decision shall be reconsidered when the period for expressing views has expired. An order for a default fine shall be served on the controller of personal data. Service under Section 12 of the Service Act (1970:428) may only be used if there is reason to assume that the controller of personal data has absconded or concealing him/herself in some other way. Section 47 The supervisory authority may at the County Administrative Court in the county where the authority is situated apply for the erasure of such personal data as has been processed in an unlawful manner. Decision on erasure may not be issued if it is unreasonable. Damages Section 48 The controller of personal data shall compensate the registered person for damages and the violation of personal integrity that the processing of personal data in contravention of this Act has caused. The liability to pay compensation may, to the extent that it is reasonable, be adjusted if the person providing personal data proves that the error was not caused by him or her. Penalties Section 49 A person who intentionally or by carelessness a) provides untrue information in such information to registered persons as is prescribed by this Act, or in the notification to the supervisory authority under Section 36 or to the supervisory authority when the authority requests information in accordance with Section 43, b) processes personal data in contravention of Sections 13 21, c) transfers personal data to a third country in contravention of Sections 33 35, or d) omits to give notification under Section 36, first paragraph, or in accordance with regulations issued under Section 41, shall be sentenced to a fine or imprisonment of at most six months or, if the offence is grave, to imprisonment of at most two years. A sentence shall not be imposed in petty cases. 14
15 A person who has contravened an order subject to a default fine in accordance with Section 44 or 45, first paragraph, shall not be sentenced for liability for an act that is subject to the default fine order. Detailed regulations Section 50 The Government or the authority appointed by the Government may issue more detailed regulations concerning a) the cases in which processing of personal data is permitted, b) the requirements which are imposed on the controller of personal data when processing personal data, c) the cases in which use of personal identity number is permitted, d) what a notification or application to a controller of personal data should contain, e) which information shall be provided to the registered person and how information shall be provided, and f) notification to the supervisory authority and procedure when information notified has been altered. Appeals Section 51 The supervisory authority s decision in accordance with this Act, except as regards regulations, may be appealed against to a general administrative court. Leave to appeal is required to appeal to the Administrative Court of Appeal. The supervisory authority may decide that its decision should apply even if it has been appealed against. Entry into force and transitional provisions 1. This Act enters into force on 24 October 1998, upon which the Data Act (1973:289) shall cease to apply. However, the old act still applies to issues concerning appeals of decisions that have been issued before 24 October As regards processing of personal data that commenced before the entry into force, or processing conducted for a particular decided purpose if processing for the purpose was commenced before the entry into force, the old act shall apply instead of the new act up to and including 30 September This also applies to the rules in the old act on appeals. 3. The rules of Sections 9, 10, 13 and 21 in the new act shall not start to be applied before 1 October 2007 as regards such manual processing of personal data as was commenced before the entry into force, or as regards manual processing that is conducted for a 15
16 16 particular decided purpose if manual processing for the purpose was commenced before the entry into force. 4. As regards personal data that at entry into force are stored for historical research, the provisions of Sections 9, 10, 13 and 21 of the new act shall first begin to be applied when the information is processed in some other way. The corresponding rules in the old act shall be applied until then. However, the said rules in the new act shall not be applied before the time prescribed by 2 or 3 by reason of that stated here. 5. Notification under Section 36 of the new act may be made before the new act has entered into force for the processing in question. 6. Consent that has been provided before the new act has entered into force for the processing in question shall also apply after the entry into force provided the consent fulfils the requirements in the new act. 7. If a request for registration under Section 10 of the old act was received before the new act entered into force for the processing in question but has drawn out or not been carried out before entry into force, the request shall be considered to be an application under Section 26 of the new act. 8. The rules of the new act on damages shall only be applied if the circumstances to which the application relates have occurred before the new act has entered into force for the processing in question. In other cases the old rules apply.
OBJECTS AND REASONS This Bill would provide for (a) the regulation of the collection, keeping, processing, use or dissemination of personal data; (b) the protection of the privacy of individuals in relation
LEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT 2300 Pursuant to its authority from Article 59 of the Rules of Procedure of the Croatian Parliament, the Legislation Committee determined the revised text
Page 1 sur 155 Proposal of regulation Com 2012 11/4 Directive 95/46/EC Conclusion Legal nature of the instrument Règlement Directive Directly applicable act in internal law 91 articles 34 articles Art.
CROATIAN PARLIAMENT 1364 Pursuant to Article 88 of the Constitution of the Republic of Croatia, I hereby pass the DECISION PROMULGATING THE ACT ON PERSONAL DATA PROTECTION I hereby promulgate the Act on
Guidelines on Data Protection Draft Version 3.1 Published by National Information Technology Development Agency (NITDA) September 2013 Table of Contents Section One... 2 1.1 Preamble... 2 1.2 Authority...
Data Protection Processing and Transfer of Personal Data in Kvaerner Binding Corporate Rules Public Document 1 of 19 1 / 19 Table of contents 1 Introduction... 4 1.1 Scope... 4 1.2 Definitions... 4 1.2.1
1 NB: Unofficial translation Personal Data Act (523/1999) Chapter 1 General provisions Section 1 Objectives The objectives of this Act are to implement, in the processing of personal data, the protection
Law No. 677/2001 on the Protection of Individuals with Regard to the Processing of Personal Data and the Free Movement of Such Data, amended and completed The Romanian Parliament adopts the present law.
PRESIDENT S DECISION No. 40 of 27 August 2013 Regarding Data Protection at the European University Institute (EUI Data Protection Policy) THE PRESIDENT OF THE EUROPEAN UNIVERSITY INSTITUTE, Having regard
DATA PROTECTION LAW DIFC LAW NO. 1 OF 2007 Consolidated Version (December 2012) Amended by Data Protection Law Amendment Law DIFC Law No. 5 of 2012 CONTENTS PART 1: GENERAL... 4 1. Title... 4 2. Legislative
PROVIDER NAME: POLICY AREA: College of Computing Technology (CCT) Standard 10: Information Management, Student Information System & Data Protection Policy and Procedure Title: Maintaining Secure Learner
Corporate Guidelines for Subsidiaries (in Third Countries ) *) for the Protection of Personal Data *) For the purposes of these Corporate Guidelines, Third Countries are all those countries, which do not
Reference number Approved by Information Management and Technology Board Date approved 14 th May 2012 Version 1.1 Last revised N/A Review date May 2015 Category Information Assurance Owner Data Protection
Data protection compliance checklist What is this checklist for? This checklist is drawn up on the basis of analysis of the relevant provisions of European law. Although European law aims at harmonizing
Corporate Data Protection Code of Conduct for the Protection of the Individual s Right to Privacy in the Handling of Personal Data within the Deutsche Telekom Group 2010 / 04 We make ICT strategies work
1 LAWS OF MALAYSIA Act 709 PERSONAL DATA PROTECTION ACT 2010 2 Laws of Malaysia ACT 709 Date of Royal Assent...... 2 June 2010 Date of publication in the Gazette......... 10 June 2010 Publisher s Copyright
Information Governance Policy 1 Introduction Healthwatch Rutland (HWR) needs to collect and use certain types of information about the Data Subjects who come into contact with it in order to carry on its
1 AIRBUS GROUP BINDING CORPORATE RULES 2 Introduction The Binding Corporate Rules (hereinafter BCRs ) of the Airbus Group finalize the Airbus Group s provisions on the protection of Personal Data. These
Office of the Data Protection Commissioner of The Bahamas Data Protection (Privacy of Personal Information) Act, 2003 A Guide for Data Controllers 1 Acknowledgement Some of the information contained in
English is not an official language of the Swiss Confederation. This translation is provided for information purposes only and has no legal force. Federal Act on Data Protection (FADP) 235.1 of 19 June
TRANSLATION OF THE OFFICIAL PUBLICATION OF SINT MAARTEN (AB 2010, GT no. 2) National ordinance personal data protection 1 CHAPTER 1. GENERAL PROVISIONS Article 1 The following definitions apply for the
Data Protection in Ireland 0 Contents Data Protection in Ireland Introduction Page 2 Appointment of a Data Processor Page 2 Security Measures (onus on a data controller) Page 3 8 Principles Page 3 Fair
Data Protection Policy September 2015 Contents 1. Scope 2. Purpose 3. Data protection roles 4. Staff training and guidance 5. About the Data Protection Act 1998 6. Policy 7. The Information Commissioner's
Table of contents: *** In Europe the issue of personal data protection is settled by European Parliament s and European Council s Directive 95/46/WE of October 24, 1995 (which is basis of Polish regulations)
PRACTICAL LAW MULTI-JURISDICTIONAL GUIDE 2012/13 The law and leading lawyers worldwide Essential legal questions answered in 30 key jurisdictions Analysis of critical legal issues AVAILABLE ONLINE AT WWW.PRACTICALLAW.COM/DATAPROTECTION-MJG
Act of 20 March 1998 No. 10 relating to Protective Security Services (the Security Act) Chapter 1. General provisions Section 1. The purpose of the Act The purpose of this Act is to: a) take steps enabling
COMPUTER MISUSE AND CYBERSECURITY ACT (CHAPTER 50A) (Original Enactment: Act 19 of 1993) REVISED EDITION 2007 (31st July 2007) An Act to make provision for securing computer material against unauthorised
Data Protection Standard Processing and Transfer of Personal Data in Aker Solutions (Binding Corporate Rules) Aker Solutions www.akersolutions.com Table of contents 1 Introduction... 3 1.1 Scope... 3 1.2
NB: Unofficial translation, legally binding only in Finnish and Swedish Ministry of Employment and the Economy, Finland Act on Authorised Industrial Property Attorneys (22/2014) In accordance with a decision
Corporate Policy. Data Protection for Data of Customers & Partners. 02 Preamble Ladies and gentlemen, Dear employees, The electronic processing of virtually all sales procedures, globalization and growing
1(10) Auditors Act SFS 2001:883 Revisorslag (2001:883) issued on 29 November 2001. By order of the Riksdag 1 the following is prescribed. General provisions Section 1. This Act regulates 1. The Supervisory
C1193 Electronic Health Record Sharing System Bill Contents Clause Page Part 1 Preliminary 1. Short title and commencement... C1203 2. Interpretation... C1203 3. Substitute decision maker... C1213 4. Ordinance
---------------------------------------------------------------------------------------------- COLLECTIVE INVESTMENT LAW DIFC LAW No. 2 of 2010 ----------------------------------------------------------------------------------------------
DATA PROTECTION POLICY The information and guidelines within this Policy are important and apply to all members, Fellows and staff of the College 1. INTRODUCTION Like all educational establishments, the
LAW FOR PROTECTION OF PERSONAL DATA Prom. SG. 1/4 Jan 2002, amend. SG. 70/10 Aug 2004, amend. SG. 93/19 Oct 2004, amend. SG. 43/20 May 2005, amend. SG. 103/23 Dec 2005, amend. SG. 30/11 Apr 2006, amend.
Data Protection Act, 2012 Data Protection Act, 2012 Section ARRANGEMENT OF SECTIONS Data Protection Commission 1. Establishment of Data Protection Commission 2. Object of the Commission 3. Functions of
Opinion on a Notification for Prior Checking received from the Data Protection Officer of the European Training Foundation Regarding the Processing Operations to Manage Calls for Tenders Brussels, 22 April
ATMD Bird & Bird Singapore Personal Data Protection Policy Contents 1. PURPOSE 1 2. SCOPE 1 3. COMMITMENT TO COMPLY WITH DATA PROTECTION LAWS 1 4. PERSONAL DATA PROTECTION SAFEGUARDS 3 5. ATMDBB EXCEPTIONS:
GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4 PREFACE The following provides general guidance on data protection
Comments and proposals on the Chapter II of the General Data Protection Regulation Ahead of the trialogue negotiations in September, EDRi, Access, Panoptykon Bits of Freedom, FIPR and Privacy International
Binding Corporate Rules Privacy (BCRP) Binding Corporate corporate Rules rules Privacy for (BCRP) the protection of personal Telekom Group rights in the handling of personal data within the Deutsche Telekom
Binding Corporate Rules ( BCR ) Summary of Third Party Rights This document contains in its Sections 3 9 all provision of the Binding Corporate Rules (BCR) for Siemens Group Companies and Other Adopting
Align Technology Data Protection Binding Corporate Rules Controller Policy Contents INTRODUCTION 3 PART I: BACKGROUND AND ACTIONS 4 PART II: CONTROLLER OBLIGATIONS 6 PART III: APPENDICES 13 2 P a g e INTRODUCTION
CORK INSTITUTE OF TECHNOLOGY DATA PROTECTION POLICY APPROVED BY GOVERNING BODY ON 30 APRIL 2009 INTRODUCTION Cork Institute of Technology is committed to a policy of protecting the rights and privacy of
Dublin City University Data Protection Policy Data Protection Policy Contents Purpose... 1 Scope... 1 Data Protection Principles... 1 Disclosure of Personal Data... 2 Summary of Responsibilities... 3 Rights
English is not an official language of the Swiss Confederation. This translation is provided for information purposes only and has no legal force. Federal Act on the Implementation of International Sanctions
on the transfer of personal data from the European Union BCRsseptembre 2008.doc 1 TABLE OF CONTENTS I. PRELIMINARY REMARKS 3 II. DEFINITIONS 3 III. DELEGATED DATA PROTECTION MANAGER 4 IV. MICHELIN GROUP
REPUBLIC OF SOUTH AFRICA PROTECTION OF PERSONAL INFORMATION BILL (As amended by the Portfolio Committee on Justice and Constitutional Development (National Assembly) after consideration of proposed National
Ministry of Labour and Social Policy LAW ON VOLUNTARY FULLY FUNDED PENSION INSURANCE 1 Table of Contents CHAPTER 1 GENERAL PROVISIONS... 3 CHAPTER 2 VOLUNTARY PENSION FUNDS... 7 CHAPTER 3 PENSION COMPANIES
Data Protection Act a more detailed guide What does the Act do? The Data Protection Act 1998 places considerable duties on organisations which process personal data; increases the rights of access by data
90 Corporate ICT & Data Management Data Protection Policy Classification: Unclassified Date Created: January 2012 Date Reviewed January Version: 2.0 Author: Owner: Data Protection Policy V2 1 Version Control
Data Protection A Guide for Users EUROPEAN PARLIAMENT Contents Contents 3 Introduction 4 Data protection standards making a difference in the European Parliament 5 Data protection the actors 6 Data protection
DATA PROTECTION MANUAL VERSION TABLE Version Date Published CO Circular 1 September 2008 3 July 2015 July 2015 2 CONTENTS Part A: General Guidance 1 Introduction to the Data Protection Act 1998 5 2 The
Human Resources and Data Protection Contents 1. Policy Statement... 1 2. Scope... 2 3. What is personal data?... 2 4. Processing data... 3 5. The eight principles of the Data Protection Act... 4 6. Council
Data Protection Policy. Data Protection Policy Foreword 2 Foreword Ladies and Gentlemen, In the information age, we offer customers the means to be always connected, even in their cars. This requires data
LAWS OF MALAYSIA ACT 180 MEDICAL ASSISTANTS (REGISTRATION) ACT 1977 Incorporating latest amendment - P.U.(A) 342/2002 Date of Royal Assent : 2 March 1977 Date of publication in the Gazette : 10 March 1977
Data Protection Act Privacy & Security in the Information Age April 26, 2013 Agenda Privacy in The Information Age The right to privacy Why We Need Legislation Purpose of the Act The Data Protection Act
PERSONAL INJURIES ASSESSMENT BOARD DATA PROTECTION CODE OF PRACTICE ADOPTED ON 9 th January 2008 TABLE OF CONTENTS Page No. 1 Introduction...3 2 Glossary...3 3 Types of Personal Data held by Us...3 4 Obligations
Qualified Electronic Signatures Act (SFS 2000:832) The following is hereby enacted 1 Introductory provision 1 The purpose of this Act is to facilitate the use of electronic signatures, through provisions
This is an official translation. The original Icelandic text published in the Law Gazette is the authoritative text. Merchants and Trade - Act No 28/2001 on electronic signatures Chapter I Objectives and
New South Wales Small Business Grants (Employment Incentive) Act 2015 No 14 Contents Page Part 1 Part 2 Preliminary 1 Name of Act 2 2 Commencement 2 3 Object of Act 2 4 Definitions 2 Grant scheme 5 Grant
101010 100101 1010 101 Factsheet on the Right to be 100 Forgotten ruling (C-131/12) 101 101 1) What is the case about and what did 100 the Court rule? 10 In 2010 a Spanish citizen lodged a complaint against
UNIVERSITY OF ABERDEEN POLICY ON DATA PROTECTION The Data Protection Act 1998 (DPA) was passed in order to implement the EU Data Protection Directive (95/46/EC) and applies to all data relating to, and
THE REGULATION OF INTERCEPTION OF COMMUNICATIONS BILL, 2007 ARRANGEMENT OF CLAUSES. PART I - PRELIMINARY Clause. 1. Interpretation. PART II - CONTROL OF INTERCEPTION AND ESTABLISHMENT OF A MONITORING CENTRE
227/2000 Coll. ACT of 29 th June 2000 on Electronic Signature and change to some other laws (Electronic Signature Act) Amendment: 226/2002 Coll. Amendment: 517/2002 Coll. Amendment :440/2004 Coll. Amendment:
LAW ON THE PROTECTOR OF HUMAN RIGHTS AND FREEDOMS Podgorica, July 2003 LAW ON THE PROTECTOR OF HUMAN RIGHTS AND FREEDOMS I BASIC PROVISIONS Article 1 Establishing the Protector of Human Rights and Freedoms
(As it has effect at 1st June 1999) Copyright Treasury of the Isle of Man Crown Copyright reserved The text of this legislation is subject to Crown Copyright protection. It may be copied free of charge
technical factsheet 176 Data Protection CONTENTS 1. Introduction 1 2. Register with the Information Commissioner s Office 1 3. Period protection rights and duties remain effective 2 4. The data protection
Data protection policy Introduction 1 This document is the data protection policy for the Nursing and Midwifery Council (NMC). 2 The Data Protection Act 1998 (DPA) governs the processing of personal data
LAW ON ELECTRONIC SIGNATURE (Official Gazette of the Republic of Montenegro 55/03 and 31/05) I GENERAL PROVISIONS Article 1 This Law shall regulate the use of electronic signature in legal transactions,
27 July 2006 No.152-FZ RUSSIAN FEDERATION FEDERAL LAW PERSONAL DATA (as amended by Federal Law of 25.11.2009 No.266-FZ) Article 1. Scope of This Federal Law Chapter 1. GENERAL Adopted by The State Duma
CONSULTATION PAPER NO 2. 2004 REGULATION OF GENERAL INSURANCE MEDIATION BUSINESS This consultation paper explains the need for the Island to regulate general insurance mediation business and examines the
ELECTRONIC COMMERCE AND ELECTRONIC SIGNATURE ACT (ZEPEP-UPB1) (Official consolidated text) On basis of article 153 of the National Assembly of Slovenia Rules of Procedure the National Assembly of the Republic
DATA PROTECTION ACT 2002 The Basics Purpose of the Act Balance the rights of an individual with an organisation s legitimate need to process personal data Promote openness and transparency Establish and
Linde Integrity Line Process and Data Protection Policy 1 July 2007 Page 2 of 10 Table of Contents Preamble 3 1 Scope of application 3 2 Definitions 3 3 Submitting Reports Regular Channels 3 4 Submitting
Draft Regulations to illustrate the Treasury s current intention as to the exercise of powers under clause 4 of the the Small Business, Enterprise and Employment Bill. D R A F T S T A T U T O R Y I N S
Version: 21.11.2015 South Australia Building Work Contractors Act 1995 An Act to regulate building work contractors and the supervision of building work; and for other purposes. Contents Part 1 Preliminary
1 AS INTRODUCED IN THE RAJYA SABHA ON THE 28TH NOVEMBER, 2014 Bill No. XXIII of 2014 THE PERSONAL DATA PROTECTION BILL, 2014 A BILL to provide for protection of personal data and information of an individual
LAWS OF MALAYSIA ONLINE VERSION OF UPDATED TEXT OF REPRINT Act 628 NATIONAL SERVICE TRAINING ACT 2003 As at 1 December 2011 2 NATIONAL SERVICE TRAINING ACT 2003 Date of Royal Assent 29 July 2003 Date of
NB: Unofficial translation Ministry of Labour, Finland Chapter 1 - General provisions Section 1 Purpose of the act Act on the Protection of Privacy in Working Life (759/2004) The purpose of this Act is
1 ANNEXURE B BILL An Act to promote the protection of personal information processed by public and private bodies; to provide for the establishment of an Information Protection Commission; and to provide
THIRD SUPPLEMENT TO THE GIBRALTAR GAZETTE No. 4,167 of 7th May, 2015 B. 13/15 Clause PRIVATE TRUST COMPANIES BILL 2015 1. Short title and commencement. 2. Interpretation. 3. Registration of Private Trust
CREDIT REPORTING BILL EXPLANATORY NOTES INTRODUCTION These explanatory notes are intended as a guide to the proposed new Act. They are not meant as a substitute for a careful reading of the Bill itself.
Chapter XX FRANCE Merav Griguer 1 I OVERVIEW France has an omnibus privacy, data protection and cybersecurity framework law. As a member of the European Union, France has implemented the EU Data Protection