FRANCE. Chapter XX OVERVIEW


Chapter XX

FRANCE

Merav Griguer [1]

I OVERVIEW

France has an omnibus privacy, data protection and cybersecurity framework law. As a member of the European Union, France has implemented the EU Data Protection Directive 95/46/EC (the Data Protection Directive), [2] but almost 10 years late. French Law No of 6 January 1978 on Data Processing, Data Files and Individual Liberties (the Data Protection Law) was amended by the Law of 6 August 2004 on protecting individuals with regard to the processing of personal data by adopting a law that regulates the collection and processing of personal data across all sectors of the economy. The most recent amendment to the Data Protection Law was dated 24 August Decree No of 20 October 2005, enacting the Data Protection Law, was amended by Decree No of 25 March

Offences against the provisions of the French Data Protection Law are qualified and sanctioned by Articles to of the Criminal Code. The Criminal Code also lays down the penalties for privacy and cybersecurity offences. For example, violations of privacy (such as the act of recording the words or image of individuals without their consent) are sanctioned in accordance with Article et seq. of the Code. Article of the Criminal Code, created by a law of 14 March 2011, renders digital identity theft liable to one year in prison and a €15,000 fine. Moreover, Article of the same Code provides for a penalty of two years' imprisonment and a fine of €30,000 in cases of unauthorised access to a computer system.

[1] Merav Griguer is a partner at Dunaud Clarenc Combles & Associés.
[2] European Parliament and Council Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

In France, compliance with the French data protection framework has become a major concern for public and private companies. There are two main reasons for this: to avoid heavy penalties imposed by the French data protection authority (CNIL) [3] and to protect those companies' reputation. On 27 February 2014, the President of the CNIL was elected President of the Article 29 Working Party, the group of European supervisory authorities, for two years.

II THE YEAR IN REVIEW

The CNIL grants endorsements to products or procedures for the protection of individuals with regard to the processing of data, such as training and audits. On 23 January 2014 the CNIL adopted a new standard enabling it to grant endorsements of digital safety deposit box products. [4]

The CNIL imposed, for the second time, a €150,000 fine on Google for lack of information, not defining a period of data holding, absence of a legal basis for the combination of data and lack of the data subject's consent.

The scope of whistle-blowing procedures authorised by the CNIL was extended by Resolution No of 30 January 2014 (AU-004). Henceforth, if a whistle-blowing procedure on finances; accounting; banking and the fight against corruption; anti-competitive practices; the fight against discrimination and harassment in the workplace; or health, hygiene and safety or environmental protection complies with AU-004, CNIL authorisation can be automatically given without delay. If the whistle-blowing procedure is not compliant with the CNIL standard, the authorisation of the CNIL is required, which may take several months because of the large volume of applications to be processed by the CNIL.

III REGULATORY FRAMEWORK

i Privacy and data protection legislation and standards

Privacy and data protection laws and regulations

French Law No of 6 January 1978 on Data Processing, Data Files and Individual Liberties was amended by the Law of 6 August 2004 implementing the Data Protection Directive in national law and entered into force two years later.

Law No of 21 June 2004 on confidence in the digital economy (LCEN), in particular Article 22 which implements the provisions of European Directive 2000/31/EC of 8 June [5] on Electronic Commerce and some of the provisions of Directive 2002/58/EC, [6] regulating direct marketing.

The LCEN [7] and Decree No of 25 February [8] regulate processing of personal identification, location and traffic data of individuals contributing to the creation of online content.

The EU Telecoms Package [9] directives regulating the use of cookies were integrated into the French Data Protection Law by Government Order No of 24 August 2011 on Electronic Communications. A new Article 32-II has, therefore, been integrated into the French Data Protection Law.

Key definitions under French standards

a data controller: unless expressly designated by legislative or regulatory provisions relating to processing, a data controller is a person, public authority, department or any other body that determines the purposes and means of data processing; [10]
b data subject: an individual to whom the data covered by the processing relates; [11]
c data processor: a person who acts under the authority of the data controller or of the processor or any person who processes personal data on behalf of the data controller; [12]
d personal data: any information relating to a natural person who is or can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to them; [13]
e processing of personal data: any operation or set of operations in relation to such data by whatever mechanism, especially obtaining, recording, organising, storing, adapting, altering, retrieving, consulting, using, disclosing via communication, disseminating or any other making available, aligning or combining, blocking, deleting or destroying; [14]
f recipient of processing of personal data: any authorised person to whom the data is disclosed, other than the data subject, data controller, subcontractor and persons who, through their work, are in charge of processing data, except legally entitled authorities that in particular situations ask the data controller to send them the personal data concerned; and
g sensitive personal data: personal data that reveals, directly or indirectly, the racial and ethnic origins, political, philosophical, religious opinions or trade union affiliation of persons, or their health or sexuality. [15]

Data protection authority

The CNIL is the independent administrative authority responsible for ensuring personal data protection. [16] For this purpose, the CNIL has significant powers, including a supervisory power and the power to impose penalties.

CNIL members and accredited officers have access, from 6am to 9pm, for the exercise of their functions, to the places, premises, surroundings, equipment or buildings used for the processing of personal data for professional purposes.

Penalties for non-compliance are as high as €300,000. Penalties are often published by the CNIL, which conducts about 500 checks per year.

As a regulator, the CNIL authorises the processing of information regarding a subject's politics, philosophy, medical state and sexuality, genetics, offences, waiver of rights, combination, social security number, social difficulties and biometric data. The French authority also receives notifications relating to other processing.

ii General obligations for data handlers

Data controllers must comply with the five essential data protection principles set out below. [17]

Collection

Personal data must be collected and processed fairly and lawfully. Data should not be collected without the knowledge of the data subject. The data controller must provide the data subject with the information required by Article 32 of the Data Protection Law.

The data subject's consent must be obtained, except when data processing, for example:
a complies with any legal obligation to which the data controller is subject;
b is necessary to protect the data subject's life;
c is necessary for the execution of either a contract to which the data subject is a party or steps taken at the request of the data subject before entering into a contract; or
d pursues a legitimate interest for the data controller or the data recipient, provided this is not incompatible with the interests or the fundamental rights and liberties of the data subject.

[3] National Commission on Computers and Civil Liberties.
[4] Resolution No of January 23, 2014 establishing a standard for issuing endorsements of digital safety deposit boxes for secure data storage.
[5] Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services (in particular electronic commerce), in the internal market.
[6] Directive 2002/58/EC of the European Parliament and Council of 12 July 2002 on processing personal data and protecting privacy in electronic communications sector.
[7] Law No of 21 June 2004 on Confidence in the Digital Economy.
[8] Decree No of 25 February 2011 on holding and communicating data to identify any person contributing to creation of online content.
[9] Directive 2009/136/EC and Directive 2009/140/EC of the European Parliament and of the Council of 25 November
[10] Article 3 of the Data Protection Law.
[11] Article 2 of the Data Protection Law.
[12] Article 35 of the Data Protection Law.
[13] Article 35 of the Data Protection Law.
[14] Article 35 of the Data Protection Law.
[15] Article 8 of the Data Protection Law.
[16] Article 11 of the Data Protection Law.
[17] Articles 6, 7, 23, 24 and 32 of the Data Protection Law.

Processing

Data must be processed for specified, explicit and legitimate purposes. The legitimacy of the processing of personal data is assessed in particular in the light of French legislation and the data subject's individual rights. Data cannot subsequently be processed in a manner that is incompatible with such purposes. Nevertheless, further data processing for statistical, scientific and historical purposes may be considered legitimate.

Nature of processed data

Data must be adequate, relevant and not excessive in relation to the purposes for which it is obtained and further processing. Data must be accurate, complete and up to date.

Data storage

Data must be stored for a period no longer than is necessary for the purposes for which the data is collected and processed.

Requirements for processing data

The data controller must complete all necessary formalities before processing data. Data controllers called upon to process personal data must notify the CNIL. Simplified notifications can be communicated if the data processing complies with the relevant standard established and published by the CNIL.

An authorisation application must be submitted to the CNIL in special cases, such as the processing of political, philosophical, medical and sexual information on a subject; genetic data, offences, waivers of a personal right; combinations; social security number; social difficulties; and biometrics. Moreover, data transfers outside the EU are generally subject to the authorisation procedure.

A data controller not established in France, or any other EEA country, but who is using equipment in France to process personal data other than merely for the purposes of transit in France has to appoint a representative in France.

Some data processing is exempt from formalities. This is true for any data processing subject to standards drawn up and published by the CNIL or processing for which the data controller has appointed a personal data protection officer charged with independently ensuring compliance with the obligations of the Data Protection Law, except for data transfer outside the European Union. Currently there are no legal requirements under French law to appoint a data protection officer, even if the CNIL strongly recommends this.

iii Technological innovation and privacy law

Anonymisation

Anonymous data does not fall within the scope of the French Data Protection Law. However, the CNIL considers that perfect anonymisation must be irreversible. This means that all information identifying an individual directly or indirectly is removed so that it will be impossible to re-identify this person. For example, the CNIL recommends generating a secret code that is long enough and difficult to memorise and applying a one-way function to the data. [18] The anonymisation of sensitive data is submitted to the authorisation of the CNIL. [19]

Big data

Although such processing is not prohibited, the CNIL pays particular attention to big data processed for the purpose of marketing or tracking without the knowledge and the consent of the data subject. The CNIL is particularly concerned about connected objects, self-quantified data (data provided by the individuals themselves [20] but hosted by the data controller who has access to sensitive data) and new devices that store a significant amount of data without security and confidentiality guarantees and without transparency for users.

Bring your own devices

The CNIL considers that the use by employees of personal devices at work presents a risk of breach of privacy for the employee and the security of his or her data. The relevant data controller must take technical and practical measures to ensure the protection of employees' privacy and data.

Cloud computing

The CNIL considers that data subjects suffer from a lack of transparency on the part of cloud service providers, particularly in terms of security and transparency. According to the CNIL, data subjects generally do not know whether their data is transferred and to which country.

In June 2012, the CNIL published recommendations for companies planning to use cloud computing services:
a clearly identify the data and processing operations that will be hosted in the cloud;
b define your own requirements for technical and legal security;
c carry out a risk analysis to identify security measures essential for the company;
d identify the relevant type of cloud for the planned processing;
e choose a service provider offering sufficient guarantees (in particular by assessing the level of protection provided by the service provider for data processed);
f review internal security policy; and
g monitor changes over time.

The CNIL also describes the essential items that should appear in a cloud computing service contract.

[18] Personal Data Security Guide.
[19] Article 8-III of the Data Protection Law.
[20] Device enabling measurement and analysis of your own personal data.

Cookies and similar technologies

By Government Order No of 24 August 2011 on Electronic Communications, the Data Protection Law's new Article 32-II, which implements the European Telecoms Package directives regulating the use of cookies, was incorporated into French law.

The CNIL published Resolution No of 5 December 2013 adopting a recommendation on cookies and other trackers referred to in Article 32-II of the Data Protection Law. Accordingly, data subjects must be informed in a clear and comprehensive manner by the data controller. Moreover, data subjects must give their prior consent to the implementation of cookies within their device (computer, smartphone, tablet, etc.). Consent is not required for cookies exclusively intended to enable or facilitate communication by electronic means or for cookies strictly necessary for the provision of an online communication service at the user's express request.

iv Specific regulatory areas

Whistle-blowing - biometric devices

Whistle-blowing procedures are subject to CNIL authorisation. The CNIL has published a standard (AU-004) [21] that allows data controllers to submit a simplified notification if they comply with the framework provided by the CNIL standard. The scope of the standard is limited but has recently been extended by Resolution No of 30 January This standard may encourage whistle-blowing procedures enabling the reporting of violations in the following areas: financial, accounting and banking information; the fight against corruption and anti-competitive practices; the fight against discrimination and harassment in the workplace; and health and safety and environmental protection.

Biometric devices identifying individuals by their behavioural, physical or biological characteristics are subject to special CNIL control and cannot be implemented without its prior authorisation. The French authority has published standards applicable to certain biometric devices that allow data controllers to submit a simplified notification if they comply with the framework provided by the CNIL's standard. The CNIL has, for example, published standards relative to hand contour recognition to control workplace access [22] and fingerprint recognition to control workplace access. [23]

[21] Single Authorisation AU-004 adopted by Resolution No of 8 December 2005 on single authorisation for automated processing of personal data implemented within whistleblowing procedures.
[22] Single Authorisation AU-007 adopted by Resolution No of 20 September
[23] Single Authorisation AU-008 adopted by Resolution No of 27 April

Electronic marketing

Electronic marketing is regulated by the LCEN [24] and Decree No of 25 February [25] on the processing of identification, location and traffic data relative to persons creating online content.

Electronic marketing is possible provided that consumers have given their explicit consent to be contacted at the time their address is collected. Consent is not required if the consumer is already a customer of the company and if the products or services proposed to the consumer are similar to those already provided by the company. The customers concerned must, at the time of collection of their address, be informed that their address will be used for electronic marketing and they must be able, freely and easily, to oppose the use of their address for this purpose.

Two professional electronic marketing ethics codes have been recognised by the CNIL in accordance with the Data Protection Law. [26]

Health

Article L of the Public Health Code provides that personal health data collected or produced during prevention, diagnosis or treatment activities must be hosted by accredited hosting providers. The Ministry of Health publishes the list of accredited hosting service providers. Foreign hosting providers may also be subject to the approval procedure.

IV INTERNATIONAL DATA TRANSFER

Data controllers may not transfer personal data to a country that is not a Member State of the European Union if the country is not considered, by the European Commission, as providing a sufficient level of protection of individuals' privacy, liberties and fundamental rights with regard to European standards. [27]

There are various exemptions including: [28]
a if the data subject has expressly consented to the transfer;
b if the transfer is necessary for the protection of the data subject's life or the protection of the public interest;
c if the transfer is necessary to meet obligations ensuring the establishment, exercise or defence of legal claims;
d if the transfer is necessary for the legal consultation, in accordance with legal conditions, of a public register that, according to legislative and regulatory provisions, is intended for public information and is open for public consultation or by any person demonstrating a legitimate interest;
e if the transfer is necessary for the performance of a contract between the data controller and the data subject, or of pre-contractual measures taken in response to the data subject's request;
f if the transfer is necessary for the conclusion or performance of a contract, either concluded or to be concluded in the interest of the data subject between the data controller and a third party;
g if the EU's standard contractual clauses (Model Contracts) are used for the transfer of personal data;
h if the data controller has entered into binding corporate rules (BCRs); [29] or
i if the recipient of the data transferred is a company in the US self-certified under the US Safe Harbor scheme organised by the US Department of Commerce.

V COMPANY POLICIES AND PRACTICES

The wording and updating of policy and practices is a sign of good management of personal data taken into account by the CNIL in the event of checks or audits, provided they are in full compliance with applicable law and take into account both technological developments and the CNIL's evolving doctrine.

It is particularly recommended that companies have:
a a personal data protection and privacy policy;
b a storage and archive policy;
c a process for the management of access rights;
d a register of personal data processing, including risk assessments;
e notices of information specific to each situation; and
f a code of conduct for good uses of technology resources, internet and social media usage.

VI DISCOVERY AND DISCLOSURE

Any communication of information under Discovery proceedings shall be in accordance with Article 23 of the Hague Convention of 18 March 1970 and Article 1b of Law No of 27 July 1968, [30] (the French blocking statute). The French Data Protection Law applies since the communication involves personal data processing and transfers of personal data outside the European Union.

[24] Law No of 21 June 2004 on confidence in the digital economy.
[25] Decree No of 25 February 2011 on holding and communicating data to identify anyone contributing to the creation of online content.
[26] Resolution No of 30 March 2005 on review of a draft code of conduct introduced by French Union for Direct Marketing on use of electronic contact details for direct marketing and Resolution No of 22 March 2005 on review of a draft code of ethics presented by National Union for Direct Communication on electronic direct communications.
[27] Article 68 of the Data Protection Law.
[28] Article 69 of the Data Protection Law.
[29] BCRs are internal rules developed by the Article 29 Working Party to govern international data transfers within companies or groups of companies.
[30] Created by Law No of 16 July 1980 on disclosure of documents or information on an economic, commercial, industrial and technical matter to individuals or foreign corporations.

As a result, depending on the circumstances, a notification to or a request for authorisation from the CNIL is necessary.

Discovery procedures must meet the following principles:
a legitimacy of processing and maintaining of professional secrecy;
b proportionality and adequacy of data (local data filtering);
c limited period of storage;
d security measures;
e provision of information to data subjects on their rights; and
f compliance with provisions relating to personal data transfers.

The CNIL has published recommendations regulating the e-discovery procedure. [31]

VII PUBLIC AND PRIVATE ENFORCEMENT

i Enforcement agencies

The CNIL is responsible for enforcing the French Data Protection Law. For this purpose, the CNIL may: [32]
a receive claims, petitions and complaints relating to the carrying out of the processing of personal data and inform the initiators of such actions of the decisions taken regarding them;
b respond to requests from public authorities and courts for an opinion and advise individuals and bodies that set up or intend to set up automatic processing of personal data;
c immediately inform the Public Prosecutor of offences of which it has knowledge and present its observations in criminal proceedings; and
d entrust one or several of its members or its general secretary to undertake, or have undertaken by staff members, audits and controls relating to any processing.

In the event of a breach, the Select Committee of the CNIL has the power to pronounce penalties after the due hearing of all parties, [33] such as:
a warning a data controller failing to comply with the obligations required by the Data Protection Law;
b financial penalties; or
c injunctions to cease processing.

If processing or using processed data leads to violation of rights and liberties, the Select Committee may, after hearing both parties, initiate an emergency procedure to decide on suspending processing for a maximum period of three months.

[31] Resolution No of 23 July 2009 on recommendation for transfer of personal data within American discovery judicial procedures.
[32] Article 11 of the Data Protection Law.
[33] Article 45 of the Data Protection Law.

During the hearing of the parties by the Select Committee, data controllers may be represented by their attorney.

ii Recent enforcement cases

Examples of recent enforcement cases by the CNIL:

The search engine Google was fined €150,000 on 3 January 2014 for several breaches of the French Data Protection Law including lack of information, unlimited period of storage and failure to obtain consent. Google has lodged an appeal with the French Council of State, which is the supreme court for administrative matters.

To help Google with its compliance efforts resulting from several sanctions imposed by various European national data protection authorities, including the CNIL's sanction referred to above, the Article 29 Working Party, the group of European data protection authorities, adopted and published a package of dedicated measures to achieve compliance with the applicable legal framework. The purpose of this compliance package is to offer specific and practical measures that could be implemented quickly by Google Inc to meet the requirements of the European data protection framework.

A diet coaching website was sanctioned on 26 June 2014 by the CNIL by a published warning for lack of information, lack of security and confidentiality of data and failure to cooperate with CNIL standards.

The CNIL orders about 500 audits per year and imposes more than 10 penalties per year.

VIII CONSIDERATIONS FOR FOREIGN ORGANISATIONS

The Data Protection Law applies to processing of personal data if the data controller is established on French territory. Data controllers operating within an establishment, whatever its legal form, are considered to be on French territory. [34]

The Data Protection Law applies to processing of personal data if the data controller, even if it is not French or situated in any other Member State of the European Union, uses a means of processing located on French territory, unless the processing is merely for the purposes of transit through this territory or that of any other Member State of the European Union. In such cases, data controllers shall notify the CNIL of the appointment of a representative established on French territory who will represent them for the fulfillment of the duties required by the Data Protection Law.

IX CYBERSECURITY AND DATA BREACHES

Cybersecurity of industrial control systems - vital operators

Law No of 18 December 2013 on military planning for the years 2014 to 2019 and various provisions relating to defence and national security (the 2013 Military Planning Law) [35] provides that it is the responsibility of the state to ensure adequate security of vital operators' critical systems. The state must:
a determine obligations, such as the prohibition of certain systems connected to the internet;
b implement detection systems by providers certified by the state;
c check the security level of critical information systems using an audit system; and
d in the event of a major crisis, it may impose the necessary measures on operators.

Vital operators are required to report incidents to the relevant authorities to give advance warning to companies potentially affected by the same type of attack. [36]

Cyber attacks have been identified as one of the main threats to national territory by the French White Paper on Defence and National Security, published on 17 June

The French Network and Information Security Agency (ANSSI), under the authority of the Prime Minister and the auspices of the Secretary General for National Defence, has published key measures to improve the cybersecurity of industrial control systems. The ANSSI specifies that the two documents [37] will serve as a basis for elaborating the rules required by the 2013 Military Planning Law.

Administrative access to information and data connection for the purpose of investigation

The 2013 Military Planning Law [38] provides that the intelligence services of the Ministries of Defence, the Interior, the Economy and the Ministry for the Budget may access personal information and data connections (including location-based mobile terminals, such as smartphones in real time) stored by electronic communications operators, ISPs and hosts, for the following reasons:
a searching for information relating to national security;
b safeguarding essential elements of France's scientific and economic potential; and
c prevention of terrorism, organised crime and the prevention of rebuilding or maintaining dissolved groups.

Breach of security - public electronic communication services

Article 38 of Government Order No of 24 August 2011 implementing the European Telecom Package directives, [39] provides that security breaches (any breach of security leading accidentally or unlawfully to destruction, loss, alteration, disclosure or unauthorised access to personal data processed in the context of providing electronic communication services to the public) should be immediately notified to the CNIL. Only providers to the public of electronic communication services using electronic communication networks with open public access are concerned by this new requirement. They must establish an inventory of violations and keep it available to the CNIL.

Article 34 b created by Government Order No provides that if a violation is likely to breach personal data security or the privacy of a subscriber or any other individual, the provider shall also immediately notify the party affected.

Criminal penalties for cybersecurity attacks

The Criminal Code lays down penalties for cybersecurity offences. For example, Article of the Criminal Code, created by a law of 14 March 2011, renders digital identity theft liable to one year in prison and a €15,000 fine. Moreover, Article of the Criminal Code penalises unauthorised access to a computer system by two years' imprisonment and a fine of €30,000.

X OUTLOOK

The legislative framework is not sufficient to ensure protection of personal data. New concepts are emerging to strengthen protection of privacy and personal data. Privacy by design, for example, aims to integrate personal data protection from the outset in terms of technology, internal practices and physical infrastructure. Moreover, the main players in areas of new technology are currently working on the development of codes for cloud computing services. It has been observed that protecting personal data and privacy is becoming a competitive issue for companies seeking to differentiate themselves via this guarantee of quality.

[34] Article 5 of the Data Protection Law.
[35] Articles L et seq. of the Defence Code; Articles L et seq. of the Defence Code.
[36] Article L of the Defence Code.
[37] One describes a classification method for industrial control systems and key measures to improve their cybersecurity; the other gives a more in-depth description of applicable cybersecurity measures.
[38] Article L and following of Homeland Security Code.
[39] Directive 2009/136/EC and Directive 2009/140/EC of the European Parliament and of the Council of 25 November

DUNAUD CLARENC COMBLES & ASSOCIÉS
4 avenue Hoche Paris France
Tel: Fax:

MERAV GRIGUER
Dunaud Clarenc Combles & Associés

Merav Griguer is a partner at Dunaud Clarenc Combles & Associés. Ms Griguer's practice includes personal data protection and privacy, audit and compliance, control procedure and litigation before the French data protection authority (CNIL), big data, online reputation, e-commerce, cybersecurity and WIPO arbitration. Further, Ms Griguer has experience in the following sectors: banking and insurance; the pharmaceuticals and cosmetic industry; the medical industry; metallurgy; luxury products; and media, communications and the internet.


More information

Corporate Policy. Data Protection for Data of Customers & Partners.

Corporate Policy. Data Protection for Data of Customers & Partners. Corporate Policy. Data Protection for Data of Customers & Partners. 02 Preamble Ladies and gentlemen, Dear employees, The electronic processing of virtually all sales procedures, globalization and growing

More information

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document Data Protection Processing and Transfer of Personal Data in Kvaerner Binding Corporate Rules Public Document 1 of 19 1 / 19 Table of contents 1 Introduction... 4 1.1 Scope... 4 1.2 Definitions... 4 1.2.1

More information

CROATIAN PARLIAMENT 1364

CROATIAN PARLIAMENT 1364 CROATIAN PARLIAMENT 1364 Pursuant to Article 88 of the Constitution of the Republic of Croatia, I hereby pass the DECISION PROMULGATING THE ACT ON PERSONAL DATA PROTECTION I hereby promulgate the Act on

More information

Data Protection Policy.

Data Protection Policy. Data Protection Policy. Data Protection Policy Foreword 2 Foreword Ladies and Gentlemen, In the information age, we offer customers the means to be always connected, even in their cars. This requires data

More information

PRACTICAL LAW DATA PROTECTION MULTI-JURISDICTIONAL GUIDE 2012/13. The law and leading lawyers worldwide

PRACTICAL LAW DATA PROTECTION MULTI-JURISDICTIONAL GUIDE 2012/13. The law and leading lawyers worldwide PRACTICAL LAW MULTI-JURISDICTIONAL GUIDE 2012/13 The law and leading lawyers worldwide Essential legal questions answered in 30 key jurisdictions Analysis of critical legal issues AVAILABLE ONLINE AT WWW.PRACTICALLAW.COM/DATAPROTECTION-MJG

More information

The potential legal consequences of a personal data breach

The potential legal consequences of a personal data breach The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.

More information

Recommendations for companies planning to use Cloud computing services

Recommendations for companies planning to use Cloud computing services Recommendations for companies planning to use Cloud computing services From a legal standpoint, CNIL finds that Cloud computing raises a number of difficulties with regard to compliance with the legislation

More information

Proposal of regulation Com 2012 11/4 Directive 95/46/EC Conclusion

Proposal of regulation Com 2012 11/4 Directive 95/46/EC Conclusion Page 1 sur 155 Proposal of regulation Com 2012 11/4 Directive 95/46/EC Conclusion Legal nature of the instrument Règlement Directive Directly applicable act in internal law 91 articles 34 articles Art.

More information

THE TRANSFER OF PERSONAL DATA ABROAD

THE TRANSFER OF PERSONAL DATA ABROAD THE TRANSFER OF PERSONAL DATA ABROAD MARCH 2014 THIS NOTE CONSIDERS THE SITUATION OF AN IRISH ORGANISATION OR BUSINESS SEEKING TO TRANSFER PERSONAL DATA ABROAD FOR STORAGE OR PROCESSING, IN LIGHT OF THE

More information

technical factsheet 176

technical factsheet 176 technical factsheet 176 Data Protection CONTENTS 1. Introduction 1 2. Register with the Information Commissioner s Office 1 3. Period protection rights and duties remain effective 2 4. The data protection

More information

GSK Public policy positions

GSK Public policy positions Safeguarding Personally Identifiable Information A Summary of GSK s Binding Corporate Rules The Issue The processing of Personally Identifiable Information (PII) 1 and Sensitive Personally Identifiable

More information

LOI INFORMATIQUE ET LIBERTES ACT N 78-17 OF 6 JANUARY 1978

LOI INFORMATIQUE ET LIBERTES ACT N 78-17 OF 6 JANUARY 1978 LOI INFORMATIQUE ET LIBERTES ACT N 78-17 OF 6 JANUARY 1978 ON INFORMATION TECHNOLOGY, DATA FILES AND CIVIL LIBERTIES AMENDED BY THE FOLLOWING LAWS: ACT OF 6 AUGUST 2004 RELATIVE TO THE PROTECTION OF INDIVIDUALS

More information

PRESIDENT S DECISION No. 40. of 27 August 2013. Regarding Data Protection at the European University Institute. (EUI Data Protection Policy)

PRESIDENT S DECISION No. 40. of 27 August 2013. Regarding Data Protection at the European University Institute. (EUI Data Protection Policy) PRESIDENT S DECISION No. 40 of 27 August 2013 Regarding Data Protection at the European University Institute (EUI Data Protection Policy) THE PRESIDENT OF THE EUROPEAN UNIVERSITY INSTITUTE, Having regard

More information

AIRBUS GROUP BINDING CORPORATE RULES

AIRBUS GROUP BINDING CORPORATE RULES 1 AIRBUS GROUP BINDING CORPORATE RULES 2 Introduction The Binding Corporate Rules (hereinafter BCRs ) of the Airbus Group finalize the Airbus Group s provisions on the protection of Personal Data. These

More information

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved.

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved. Align Technology Data Protection Binding Corporate Rules Controller Policy Contents INTRODUCTION 3 PART I: BACKGROUND AND ACTIONS 4 PART II: CONTROLLER OBLIGATIONS 6 PART III: APPENDICES 13 2 P a g e INTRODUCTION

More information

OBJECTS AND REASONS. (a) the regulation of the collection, keeping, processing, use or dissemination of personal data;

OBJECTS AND REASONS. (a) the regulation of the collection, keeping, processing, use or dissemination of personal data; OBJECTS AND REASONS This Bill would provide for (a) the regulation of the collection, keeping, processing, use or dissemination of personal data; (b) the protection of the privacy of individuals in relation

More information

The Romanian Parliament adopts the present law. Chapter I: General Provisions

The Romanian Parliament adopts the present law. Chapter I: General Provisions Law No. 677/2001 on the Protection of Individuals with Regard to the Processing of Personal Data and the Free Movement of Such Data, amended and completed The Romanian Parliament adopts the present law.

More information

235.1. Federal Act on Data Protection (FADP) Aim, Scope and Definitions

235.1. Federal Act on Data Protection (FADP) Aim, Scope and Definitions English is not an official language of the Swiss Confederation. This translation is provided for information purposes only and has no legal force. Federal Act on Data Protection (FADP) 235.1 of 19 June

More information

Article 29 Working Party Issues Opinion on Cloud Computing

Article 29 Working Party Issues Opinion on Cloud Computing Client Alert Global Regulatory Enforcement If you have questions or would like additional information on the material covered in this Alert, please contact one of the authors: Cynthia O Donoghue Partner,

More information

Binding Corporate Rules ( BCR ) Summary of Third Party Rights

Binding Corporate Rules ( BCR ) Summary of Third Party Rights Binding Corporate Rules ( BCR ) Summary of Third Party Rights This document contains in its Sections 3 9 all provision of the Binding Corporate Rules (BCR) for Siemens Group Companies and Other Adopting

More information

Information Governance Policy

Information Governance Policy Information Governance Policy 1 Introduction Healthwatch Rutland (HWR) needs to collect and use certain types of information about the Data Subjects who come into contact with it in order to carry on its

More information

Appendix 11 - Swiss Data Protection Act

Appendix 11 - Swiss Data Protection Act GLEIF- LOU Restricted Appendix 11 - Swiss Data Protection Act GLEIF Revision Version: 1.0 2015-09-23 Master Copy page 2 of 11 Applicable Provisions of the Swiss Data Protection Act (DPA) including the

More information

1 September /552

1 September /552 Foreword from the Chair of the ICC Commission on the Digital Economy Paris, 1 April 2016 The International Chamber of Commerce (ICC) policy inventory on the European Union (EU) General Data Protection

More information

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS As a world leader in electronic commerce and payment services, First Data Corporation and its subsidiaries ( First Data entity or entities ),

More information

OVERVIEW. stakeholder engagement mechanisms and WP29 consultation mechanisms respectively.

OVERVIEW. stakeholder engagement mechanisms and WP29 consultation mechanisms respectively. Joint work between experts from the Article 29 Working Party and from APEC Economies, on a referential for requirements for Binding Corporate Rules submitted to national Data Protection Authorities in

More information

Align Technology. Data Protection Binding Corporate Rules Processor Policy. 2014 Align Technology, Inc. All rights reserved.

Align Technology. Data Protection Binding Corporate Rules Processor Policy. 2014 Align Technology, Inc. All rights reserved. Align Technology Data Protection Binding Corporate Rules Processor Policy Confidential Contents INTRODUCTION TO THIS POLICY 3 PART I: BACKGROUND AND ACTIONS 4 PART II: PROCESSOR OBLIGATIONS 6 PART III:

More information

Dublin City University

Dublin City University Dublin City University Data Protection Policy Data Protection Policy Contents Purpose... 1 Scope... 1 Data Protection Principles... 1 Disclosure of Personal Data... 2 Summary of Responsibilities... 3 Rights

More information

Data Protection in Ireland

Data Protection in Ireland Data Protection in Ireland 0 Contents Data Protection in Ireland Introduction Page 2 Appointment of a Data Processor Page 2 Security Measures (onus on a data controller) Page 3 8 Principles Page 3 Fair

More information

DATA PROTECTION LAWS OF THE WORLD. India

DATA PROTECTION LAWS OF THE WORLD. India DATA PROTECTION LAWS OF THE WORLD India Date of Download: 6 February 2016 INDIA Last modified 27 January 2016 LAW IN INDIA There is no specific legislation on privacy and data protection in India. However,

More information

Multi-Jurisdictional Study: Cloud Computing Legal Requirements. Julien Debussche Associate January 2015

Multi-Jurisdictional Study: Cloud Computing Legal Requirements. Julien Debussche Associate January 2015 Multi-Jurisdictional Study: Cloud Computing Legal Requirements Julien Debussche Associate January 2015 Content 1. General Legal Framework 2. Data Protection Legal Framework 3. Security Requirements 4.

More information

7.08.2 Privacy Rules for Customer, Supplier and Business Partner Data. Directive 7.08 Protection of Personal Data

7.08.2 Privacy Rules for Customer, Supplier and Business Partner Data. Directive 7.08 Protection of Personal Data Akzo Nobel N.V. Executive Committee Rules 7.08.2 Privacy Rules for Customer, Supplier and Business Partner Data Source Directive Content Owner Directive 7.08 Protection of Personal Data AkzoNobel Legal

More information

GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT. CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4

GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT. CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4 GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4 PREFACE The following provides general guidance on data protection

More information

Data protection issues on an EU outsourcing

Data protection issues on an EU outsourcing Data protection issues on an EU outsourcing Saam Golshani, Alastair Gorrie and Diego Rigatti, Orrick Herrington & Sutcliffe www.practicallaw.com/8-380-8496 Outsourcing can mean subcontracting a process

More information

ECSA EuroCloud Star Audit Data Privacy Audit Guide

ECSA EuroCloud Star Audit Data Privacy Audit Guide ECSA EuroCloud Star Audit Data Privacy Audit Guide Page 1 of 15 Table of contents Introduction... 3 ECSA Data Privacy Rules... 4 Governing Law... 6 Sub processing... 6 A. TOMs: Cloud Service... 7 TOMs:

More information

ON MUTUAL COOPERATION AND THE EXCHANGE OF INFORMATION RELATED TO THE OVERSIGHT OF AUDITORS

ON MUTUAL COOPERATION AND THE EXCHANGE OF INFORMATION RELATED TO THE OVERSIGHT OF AUDITORS Mr. Ryutaro Hatanaka Commissioner Financial Services Agency Government of Japan 3-2-1 Kasumigaseki Chiyoda-ku, Tokyo Japan 100-8967 Dr. Kunio Chiyoda Chairman Certified Public Accountants and Auditing

More information

STATUTORY INSTRUMENTS. S.I. No. 336 of 2011

STATUTORY INSTRUMENTS. S.I. No. 336 of 2011 STATUTORY INSTRUMENTS. S.I. No. 336 of 2011 EUROPEAN COMMUNITIES (ELECTRONIC COMMUNICATIONS NETWORKS AND SERVICES) (PRIVACY AND ELECTRONIC COMMUNICATIONS) REGULATIONS 2011 (Prn. A11/1165) 2 [336] S.I.

More information

Pursuant to Convention No. 108 of the Council of Europe for the protection of persons with regard to the automated processing of personal data;

Pursuant to Convention No. 108 of the Council of Europe for the protection of persons with regard to the automated processing of personal data; Decision No. 2011-316 dated 6 October 2011 adopting a standard for delivering privacy seals in audit procedures covering the protection of persons with regard to the processing of personal data The French

More information

Privacy in the cloud. DNB has indicated that it considers cloud computing a form of outsourcing.

Privacy in the cloud. DNB has indicated that it considers cloud computing a form of outsourcing. Privacy in the cloud computing, and the company concerned is required to submit a risk analysis to DNB. 3 Cloud computing entails the saving, processing and using of company data on the servers of a cloud

More information

Data protection policy

Data protection policy Data protection policy Introduction 1 This document is the data protection policy for the Nursing and Midwifery Council (NMC). 2 The Data Protection Act 1998 (DPA) governs the processing of personal data

More information

Personal Data Act (523/1999)

Personal Data Act (523/1999) 1 NB: Unofficial translation Personal Data Act (523/1999) Chapter 1 General provisions Section 1 Objectives The objectives of this Act are to implement, in the processing of personal data, the protection

More information

Act CLXV of 2013. on Complaints and Public Interest Disclosures. 1. Complaint and public interest disclosure

Act CLXV of 2013. on Complaints and Public Interest Disclosures. 1. Complaint and public interest disclosure Act CLXV of 2013 on Complaints and Public Interest Disclosures The National Assembly, committed to increasing public confidence in the functioning of public bodies, recognising the importance of complaints

More information

Corporate ICT & Data Management. Data Protection Policy

Corporate ICT & Data Management. Data Protection Policy 90 Corporate ICT & Data Management Data Protection Policy Classification: Unclassified Date Created: January 2012 Date Reviewed January Version: 2.0 Author: Owner: Data Protection Policy V2 1 Version Control

More information

LAW FOR PROTECTION OF PERSONAL DATA

LAW FOR PROTECTION OF PERSONAL DATA LAW FOR PROTECTION OF PERSONAL DATA Prom. SG. 1/4 Jan 2002, amend. SG. 70/10 Aug 2004, amend. SG. 93/19 Oct 2004, amend. SG. 43/20 May 2005, amend. SG. 103/23 Dec 2005, amend. SG. 30/11 Apr 2006, amend.

More information

QUEENSLAND COUNTRY HEALTH FUND. privacy policy. Queensland Country Health Fund Ltd ABN 18 085 048 237. better health cover shouldn t hurt

QUEENSLAND COUNTRY HEALTH FUND. privacy policy. Queensland Country Health Fund Ltd ABN 18 085 048 237. better health cover shouldn t hurt QUEENSLAND COUNTRY HEALTH FUND privacy policy Queensland Country Health Fund Ltd ABN 18 085 048 237 better health cover shouldn t hurt 1 2 contents 1. Introduction 4 2. National Privacy Principles 5 3.

More information

Data Processing Agreement for Oracle Cloud Services

Data Processing Agreement for Oracle Cloud Services Data Processing Agreement for Oracle Cloud Services Version December 1, 2013 1. Scope and order of precedence This is an agreement concerning the Processing of Personal Data as part of Oracle s Cloud Services

More information

ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY

ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY Originated by: Data Protection Working Group: November 2008 Impact Assessment: (to be confirmed) Recommended by Senate: 28 January 2009 Approved by Council:

More information

Office of the Data Protection Commissioner of The Bahamas. Data Protection (Privacy of Personal Information) Act, 2003. A Guide for Data Controllers

Office of the Data Protection Commissioner of The Bahamas. Data Protection (Privacy of Personal Information) Act, 2003. A Guide for Data Controllers Office of the Data Protection Commissioner of The Bahamas Data Protection (Privacy of Personal Information) Act, 2003 A Guide for Data Controllers 1 Acknowledgement Some of the information contained in

More information

Clause 1. Definitions and Interpretation

Clause 1. Definitions and Interpretation [Standard data protection [agreement/clauses] for the transfer of Personal Data from the University of Edinburgh (as Data Controller) to a Data Processor within the European Economic Area ] In this Agreement:-

More information

Data Protection Policy

Data Protection Policy 1 Data Protection Policy Version 1: June 2014 1 2 Contents 1. Introduction 3 2. Policy Statement 3 3. Purpose of the Data Protection Act 1998 3 4. The principles of the Data Protection Act 1998 4 5 The

More information

Merthyr Tydfil County Borough Council. Data Protection Policy

Merthyr Tydfil County Borough Council. Data Protection Policy Merthyr Tydfil County Borough Council Data Protection Policy 2014 Cyfarthfa High School is a Rights Respecting School, we recognise the importance of ensuring that the United Nations Convention of the

More information

Scottish Rowing Data Protection Policy

Scottish Rowing Data Protection Policy Revision Approved by the Board August 2010 1. Introduction As individuals, we want to know that personal information about ourselves is handled properly, and we and others have specific rights in this

More information

Overview of Employment and Employee Privacy Laws and Key Trends in Austria

Overview of Employment and Employee Privacy Laws and Key Trends in Austria P a g e 1 Privacy Interviews with Experts August 2011 Toronto / Washington DC / Brussels www.nymity.com Rainer Knyrim Attorney and Partner Preslmayr Attorneys at Law Vienna, Austria Overview of Employment

More information

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1 Protection of Personal Data RPC001147_EN_WB_L_1 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Responsibility of Employees

More information

Welcome to our job search and application platform (the Platform ). Please read our Legal Terms (which includes our Privacy Policy) carefully.

Welcome to our job search and application platform (the Platform ). Please read our Legal Terms (which includes our Privacy Policy) carefully. LEGAL TERMS AND PRIVACY POLICY Welcome to our job search and application platform (the Platform ). Please read our Legal Terms (which includes our Privacy Policy) carefully. The Platform is accessible

More information

Merchants and Trade - Act No 28/2001 on electronic signatures

Merchants and Trade - Act No 28/2001 on electronic signatures This is an official translation. The original Icelandic text published in the Law Gazette is the authoritative text. Merchants and Trade - Act No 28/2001 on electronic signatures Chapter I Objectives and

More information

Data Protection A Guide for Users

Data Protection A Guide for Users Data Protection A Guide for Users EUROPEAN PARLIAMENT Contents Contents 3 Introduction 4 Data protection standards making a difference in the European Parliament 5 Data protection the actors 6 Data protection

More information

DIFC LAW NO. 1 OF 2007

DIFC LAW NO. 1 OF 2007 DATA PROTECTION LAW DIFC LAW NO. 1 OF 2007 Consolidated Version (December 2012) Amended by Data Protection Law Amendment Law DIFC Law No. 5 of 2012 CONTENTS PART 1: GENERAL... 4 1. Title... 4 2. Legislative

More information

Data Protection Act. Privacy & Security in the Information Age. April 26, 2013. Ministry of Communications, Ghana

Data Protection Act. Privacy & Security in the Information Age. April 26, 2013. Ministry of Communications, Ghana Data Protection Act Privacy & Security in the Information Age April 26, 2013 Agenda Privacy in The Information Age The right to privacy Why We Need Legislation Purpose of the Act The Data Protection Act

More information

Table of contents: ***

Table of contents: *** Table of contents: *** In Europe the issue of personal data protection is settled by European Parliament s and European Council s Directive 95/46/WE of October 24, 1995 (which is basis of Polish regulations)

More information

DATA PROTECTION AND DATA STORAGE POLICY

DATA PROTECTION AND DATA STORAGE POLICY DATA PROTECTION AND DATA STORAGE POLICY 1. Purpose and Scope 1.1 This Data Protection and Data Storage Policy (the Policy ) applies to all personal data collected and dealt with by Centre 404, whether

More information

Linde Integrity Line. Process and Data Protection Policy. 1 July 2007

Linde Integrity Line. Process and Data Protection Policy. 1 July 2007 Linde Integrity Line Process and Data Protection Policy 1 July 2007 Page 2 of 10 Table of Contents Preamble 3 1 Scope of application 3 2 Definitions 3 3 Submitting Reports Regular Channels 3 4 Submitting

More information

INERTIA ETHICS MANUAL

INERTIA ETHICS MANUAL SEVENTH FRAMEWORK PROGRAMME Smart Energy Grids Project Title: Integrating Active, Flexible and Responsive Tertiary INERTIA Grant Agreement No: 318216 Collaborative Project INERTIA ETHICS MANUAL Responsible

More information

Declaration of Internet Rights Preamble

Declaration of Internet Rights Preamble Declaration of Internet Rights Preamble The Internet has played a decisive role in redefining public and private space, structuring relationships between people and between people and institutions. It

More information

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19 Protection of Personal Data RPC001147_EN_D_19 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Rules Responsibility

More information

CCBE RECOMMENDATIONS FOR THE IMPLEMENTATION OF THE DATA RETENTION DIRECTIVE

CCBE RECOMMENDATIONS FOR THE IMPLEMENTATION OF THE DATA RETENTION DIRECTIVE Représentant les avocats d Europe Representing Europe s lawyers CCBE RECOMMENDATIONS FOR THE IMPLEMENTATION OF THE DATA RETENTION DIRECTIVE CCBE RECOMMENDATIONS FOR THE IMPLEMENTATION OF THE DATA RETENTION

More information

Addendum Windows Azure Data Processing Agreement Amendment ID M129

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129 Addendum Amendment ID Proposal ID Enrollment number Microsoft to complete This addendum ( Windows Azure Addendum ) is entered into between the parties identified on the signature form for the

More information

Standard conditions of purchase

Standard conditions of purchase Standard conditions of purchase 1 OFFER AND ACCEPTANCE 2 PROPERTY, RISK & DELIVERY 3 PRICES & RATES The Supplier shall provide all Goods and Services in accordance with the terms and conditions set out

More information

Data protection compliance checklist

Data protection compliance checklist Data protection compliance checklist What is this checklist for? This checklist is drawn up on the basis of analysis of the relevant provisions of European law. Although European law aims at harmonizing

More information

University of Limerick Data Protection Compliance Regulations June 2015

University of Limerick Data Protection Compliance Regulations June 2015 University of Limerick Data Protection Compliance Regulations June 2015 1. Purpose of Data Protection Compliance Regulations 1.1 The purpose of these Compliance Regulations is to assist University of Limerick

More information

Data Protection Standard

Data Protection Standard Data Protection Standard Processing and Transfer of Personal Data in Aker Solutions (Binding Corporate Rules) Aker Solutions www.akersolutions.com Table of contents 1 Introduction... 3 1.1 Scope... 3 1.2

More information

OSRAM BCR Binding Corporate Rules ( BCR ) for OSRAM Group Companies and Adopting Companies for the protection of personal data

OSRAM BCR Binding Corporate Rules ( BCR ) for OSRAM Group Companies and Adopting Companies for the protection of personal data OSRAM BCR Binding Corporate Rules ( BCR ) for OSRAM Group Companies and Adopting Companies for the protection of personal data Terms Adopting company an OSRAM associated company in Germany or overseas

More information

WEST LOTHIAN COUNCIL DATA PROTECTION ACT 1998 POLICY

WEST LOTHIAN COUNCIL DATA PROTECTION ACT 1998 POLICY WEST LOTHIAN COUNCIL DATA PROTECTION ACT 1998 POLICY Version 3.0 DATA PROTECTION ACT 1998 POLICY CONTENTS 1. INTRODUCTION... 3 2. PROVISIONS OF THE ACT... 4 3. SCOPE... 4 4. GENERAL POLICY STATEMENT...

More information

Act on Background Checks

Act on Background Checks NB: Unofficial translation Ministry of Justice, Finland Act on Background Checks (177/2002) Chapter 1 General provisions Section 1 Scope of application (1) This Act applies to background checks, which

More information

BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS

BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS Mat Wright www.britishcouncil.org CONTENTS Purpose of the code 1 Scope of the code 1 The British Council s data protection commitment and

More information

BILL. To be introduced by the Minister for Justice and Constitutional Development

BILL. To be introduced by the Minister for Justice and Constitutional Development 1 ANNEXURE B BILL An Act to promote the protection of personal information processed by public and private bodies; to provide for the establishment of an Information Protection Commission; and to provide

More information

Coordinated Text of the Law of 2 August 2002 on the Protection of Persons with regard to the Processing of Personal Data modified by

Coordinated Text of the Law of 2 August 2002 on the Protection of Persons with regard to the Processing of Personal Data modified by Coordinated Text of the Law of 2 August 2002 on the Protection of Persons with regard to the Processing of Personal Data modified by the Law of 31 July 2006 the Law of 22 December 2006 the Law of 27 July

More information

Code of Conduct. Corporate Data Protection. We make ICT strategies work

Code of Conduct. Corporate Data Protection. We make ICT strategies work Corporate Data Protection Code of Conduct for the Protection of the Individual s Right to Privacy in the Handling of Personal Data within the Deutsche Telekom Group 2010 / 04 We make ICT strategies work

More information

Mitigating and managing cyber risk: ten issues to consider

Mitigating and managing cyber risk: ten issues to consider Mitigating and managing cyber risk: ten issues to consider The board of directors is responsible for managing and mitigating risk exposure. A recent study conducted by the Ponemon Institute 1 revealed

More information

Comments and proposals on the Chapter II of the General Data Protection Regulation
