Position of the retail and wholesale sector on the Draft Data Protection Regulation in view of the trilogue 2015

2 September 2015

We support the efforts of EU legislators to create a harmonised data protection framework. The draft Data Protection Regulation ("Regulation") will not only set higher standards for the protection of individuals' privacy, it will also establish the same rules for all companies. Eliminating a large number of varying data protection rules will be a major step forward for companies operating cross-border.

The EU institutions aim to achieve a balance between business and consumer interests. This balance should be fair and we therefore support a risk-based approach. A high level of individual protection should be balanced with adequate safeguards for businesses' legitimate commercial use of personal data.

One of our priorities is for a Regulation that will create fair and reasonable rules for all companies processing personal data. The Regulation should therefore be appropriate for all types of business models and avoid imposing disproportionate obligations on companies that process data as a subsidiary activity to their main business.

Below we focus on the most important issues from a retail and wholesale perspective.

Full Harmonisation

We hope that the original aim of creating a fully harmonised data protection framework will not be abandoned. The number of provisions that allow scope for Member States to diverge in their implementation of some of the Regulation undermines true harmonisation (collective redress independent from the data subject's mandate (Art.76.2), employment (Art.82), data protection officer (Art.35), public authorities (Art.1), etc.). If this approach is pursued, companies will still have to deal with a patchwork of rules. The original purpose of the Regulation will erode, which will seriously harm the EU's competitiveness towards third country businesses.

A specific example: Establishing a compliance hotline within a global company

Currently, establishing a compliance hotline across the EU is subject to different rules and requires separate approvals/notifications. For example, while anonymous reporting is prohibited in some countries, in others it is necessary to provide an anonymous reporting channel. It often takes years to have all the group companies integrated in the same system. Even under the draft Regulation these issues would continue. The Regulation leaves it up to the Member States to adopt data protection rules in the employment context. This means that, for example, consulting the works council about the hotline would be subject to different rules across the EU.

Data Protection Officer (DPO)

The experience of our member companies shows that qualified, independent and reasonably resourced DPOs can play a major role in ensuring a company's privacy compliance. An in-house DPO knows the company best. Therefore, their assessment is fundamental for ensuring privacy compliance. At the same time, appointing a DPO is a non-bureaucratic approach and a cost-saving solution for some companies.

The rules for the appointment and the qualifications of a DPO should be the same across the EU. We are concerned that if Member States are free to decide on a mandatory or voluntary DPO appointment, this would lead to divergent standards within the EU and would result in an uneven playing field for companies operating cross-border. This would be against the spirit of the Regulation.

Ideally, the DPO appointment should depend on the risks involved in the company's data processing operations and on the nature of the business (whether it is purely data-driven or whether data processing is a subsidiary activity to the main business). Therefore, SMEs and micro-enterprises which do not process personal data as their core business (for example smaller retailers) should be exempt from appointing a DPO. If thresholds are to be set, they should not depend on the mere number of employees or consumers whose personal data are being processed but on the degree of risk attached to the processing.

We therefore propose to revise Article 35 as follows:

1. The controller and the processor shall designate a data protection officer, where:
(a) the processing is carried out by a public authority or body; or
(c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purpose, the number of the individuals concerned or individuals processing personal data imply regular and systematic monitoring of data subjects or high level of risk.
[The text in 1(c) is based on the Commission's proposal; modifications proposed by EuroCommerce.]

1a (NEW). The obligation referred to in paragraph 1 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a high risk for the rights and freedoms of data subject such as discrimination, identity theft or fraud, unauthorized reversal of pseudonymisation, financial loss, damage to the reputation, loss of confidentiality of data protected by professional secrecy or any other economic or social disadvantage
[The text in 1a(NEW) is new and has been proposed by EuroCommerce.]

We also believe that there should be clearer incentives for appointing a DPO, such as:
- eliminating the need to consult a regulator in case of risky processing; or
- exempting group companies from putting in place data processing and transfer agreements if a DPO is appointed (group privilege).

Many of our members operating internationally have experienced that signing the intra-group agreements has not automatically increased the level of data protection but rather led to more administrative burden. In group companies, any disputes arising from non-compliance are solved internally based on internal data protection policies and practices.

We therefore support revising Article 34 as follows:

2. The controller or processor acting on the controller's behalf shall consult the data protection officer, or in case a data protection officer has not been appointed, the supervisory authority prior to the processing of personal data in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where:
[The text in bold has been already proposed by the EP. We support this proposal.]

We also support revising Article 22 as follows:

3a. The controller that appointed a data protection officer shall have the right to transmit personal data inside the EU within the group of undertakings the controller is part of, where such processing is necessary for legitimate internal administrative purposes between connected business areas of the group of undertakings and an adequate level of data protection as well as the interests of the data subjects are safeguarded by internal data protection provisions or equivalent codes of conduct as referred to in Article 38.
[The text in 3a has been proposed by the EP; we support this proposal and suggest additional changes in bold/italics.]

Fines

We support a dissuasive level of fines for data protection violations. However, we are not in favour of the Regulation's approach of basing those fines on the company's global annual turnover. This approach disconnects the sanction from the actual violation. This may be good in targeting companies that process personal data as their core business. For companies processing personal data as a subsidiary activity to their main business (for example selling goods) this would be disproportionate.

We think that as a rule of law, the calculation of fines should be linked primarily to a combination of: (1) the profit or the generated savings that a company made in relation to the data processing that involved the violation, and (2) the actual risk or violation to the data subjects' fundamental rights, and (3) the nature of the business (purely data-driven or data processing as a subsidiary activity to the main business). In order to achieve fair and appropriate results, a company's annual turnover can only be of minor interest and, if at all, serve as a mere overall cap.

Profiling

Data analysis is crucial for the development of the commerce sector to be more effective and innovative. Profiling not only allows customers to receive offers that are relevant to their needs, rather than being bothered by mass mailings covering products they do not want. Profiling is also used to evaluate patterns of consumer behaviour to improve measures needed for fraud detection, credit evaluation, managing product safety, warranties, purchase and transportation management and product and process quality improvement.

We support better privacy safeguards related to profiling. However, we think that rather than creating a right not to be subject to profiling, profiling should be allowed under certain conditions, the main condition being that profiling does not result in harm to individuals. Therefore, we support a risk-based approach and a requirement for explicit consent for profiling likely to cause harm. Profiling that would cause insignificant effects and of which the consumer would need to be properly informed could be possible under other legal bases, such as legitimate interest.

Consent

We support the requirement of unambiguous consent for the processing of non-sensitive data. Calling for explicit consent will increase burdens for businesses and will be annoying for consumers. Obliging consumers to carry out repeated box ticking could mean that they risk ignoring important information about how their personal data are being processed.

We therefore support revising Article 6 as follows:

1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given unambiguous consent to the processing of their personal data for one or more specific purposes;
[The text in 1a has been revised by the Council; we support this proposal.]

Data portability

We are concerned that a provision that was meant to address mainly user-generated data and social media could have unintended consequences for retail if interpreted too broadly. The Regulation should clarify that the right to data portability would not oblige businesses to disclose confidential business information. Any provision that would require a retailer to transfer consumer profile information into a competing retailer's system could have serious competition implications. Therefore, we support including safeguards, such as intellectual property rights. Trade secrets should also be added.

We therefore propose revising Article 18 as follows:

2aa. The right referred to in paragraph 2 shall not apply, if disclosing personal data would infringe intellectual property rights or reveal trade secrets in relation to the processing of those personal data.
[The text in 2aa has been proposed by the Council; we support this proposal and suggest additional changes in bold/italics.]

Data Protection Impact Assessment (PIA) and record keeping

We are in favour of PIA as a mechanism helping companies maintain their corporate data protection responsibility, but combined with a risk-based approach. This means that only certain risky processing operations should require a PIA. The fact that many individuals' personal data are being processed is not risky per se. It is the nature and the consequences of the processing that matter.

We are sceptical about the requirement to consult on the intended risky processing with individuals or their representatives (Art.33.4). It is unclear how this obligation would work in practice, for example whether only notification rather than agreement of the concerned persons was required, what would be the required timeframe, etc. The provision is vague and would lead to uncertainty. There are already sufficient safeguards in the draft Regulation, such as an obligation to consult a regulator (or a DPO) if there are high risks involved in the processing (Art.34).

We therefore propose to delete Article

The controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of the processing operations.
[The deletion of point 4 has been proposed by the Parliament; we support this deletion.]

We also think that requiring data controllers to perform a data protection compliance review (Art. 32a) and to review the PIA every two years (Art.33a) will be extremely burdensome, especially for SMEs. We think that there are already sufficient safeguards in the draft Regulation, as above. We therefore propose to delete Articles 32a and 33a.

In addition, we support that SMEs are exempt from certain compliance obligations, such as record keeping obligations (Art. 28), as long as the processing does not involve high risks for individuals. For many small shops whose core activities do not involve the processing of personal data, the prescriptive record keeping duties would add additional burdens and costs. We support a risk-based approach. This means that there should be varying levels of obligation based on the risk of the data processing undertaken by a particular business.

We therefore support revising Article 28 as follows:

4. The obligations referred to in paragraphs 1 and 2a shall not apply to:
(b) an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a high risk for the rights and freedoms of data subject such as discrimination, identity theft or fraud, unauthorized reversal of pseudonymisation, financial loss, damage to the reputation, loss of confidentiality of data protected by professional secrecy or any other economic or social disadvantage
[The text in 4b has been revised by the Council; we support the Council's proposal.]

Encouraging Corporate Responsibility

We believe that the best data protection standards are set within the companies that build their robust privacy culture. We therefore support the idea that the Regulation encourages companies to do so even more by offering incentives and regulatory reliefs. In particular, the following measures were a big step forward in improving the overall level of data protection amongst our members:
- Appointing an independent and qualified DPO
- Implementing a code of conduct
- Undergoing external audits / certification

We support the approach of promoting these measures by law. The following are particularly suited as possible incentives:
- Facilitating intra-group data transfers for internal or administrative purposes
- Providing regulatory reliefs for companies that have adopted codes of conduct
- Considering mitigating factors when imposing sanctions
- Doing away with registration and reporting requirements

We remain fully at your disposal for any further information we can give you on this topic.

Comparative chart of the draft General Data Protection Regulation with the retail and wholesale sector recommendations

Columns: Article number; Commission's proposal; EP's position; Council's position; Retail/wholesale recommendations

Article 6
Commission's proposal: (a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
EP's position: (a) the data subject has given (explicit) consent to the processing of their personal data for one or more specific purposes;
Council's position: 1. (a) the data subject has given unambiguous consent to the processing of their personal data for one or more specific purposes;
Retail/wholesale recommendations: 1. (a) the data subject has given unambiguous consent to the processing of their personal data for one or more specific purposes;

Article 18
Council's position: 2aa. The right referred to in paragraph 2 shall not apply if disclosing personal data would infringe intellectual property rights in relation to the processing of those personal data.
Retail/wholesale recommendations: 2aa. The right referred to in paragraph 2 shall not apply, if disclosing personal data would infringe intellectual property rights or reveal trade secrets in relation to the processing of those personal data.

Article 22
EP's position: 3a. The controller shall have the right to transmit personal data inside the Union within the group of undertakings the controller is part of, where such processing is necessary for legitimate internal administrative purposes between connected business areas of the group of undertakings and an adequate level of data protection as well as the interests of the data subjects are safeguarded by internal data protection provisions or equivalent codes of conduct as referred to in Article 38.
Retail/wholesale recommendations: 3a. The controller that appointed a data protection officer shall have the right to transmit personal data inside the EU within the group of undertakings the controller is part of, where such processing is necessary for legitimate internal administrative purposes between connected business areas of the group of undertakings and an adequate level of data protection as well as the interests of the data subjects are safeguarded by internal data protection provisions or equivalent codes of conduct as referred to in Article 38.

28 4. b) an enterprise or an organisation employing fewer than 250 persons that is processing personal data only as an activity ancillary to its main activities. 32a Deleted 4 (b) an enterprise or an organisation employing fewer than 250 persons that is unless the processing personal data only as an activity ancillary to its main activities it carries out is likely to result in a high risk for the rights and freedoms of data subject such as discrimination, identity theft or fraud, unauthorized reversal of pseudonymisation, financial loss, damage to the reputation, loss of confidentiality of data protected by professional secrecy or any other economic or social disadvantage Respect to Risk 1. The controller, or where applicable the processor, shall carry out a risk analysis of the potential impact of the intended data processing on the rights and freedoms of the data subjects, assessing whether its processing operations are likely to present specific risks 2. The following processing operations are likely to present specific risks: (a) processing of personal data relating to more than 5000 data subjects during any consecutive 12-month period; (b) processing of special categories of personal data as referred to in Article 9(1), location data or data on children or employees in large scale filing systems; (c) profiling on which measures are based that produce legal effects concerning the individual or 4 (b) an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a high risk for the rights and freedoms of data subject such as discrimination, identity theft or fraud, unauthorized reversal of pseudonymisation, financial loss, damage to the reputation, loss of confidentiality of data protected by professional secrecy or any other economic or social disadvantage. Deleted

similarly significantly affect the individual; (d) processing of personal data for the provision of health care, epidemiological researches, or surveys of mental or infectious diseases, where the data are processed for taking measures or decisions regarding specific individuals on a large scale; (e) automated monitoring of publicly accessible areas on a large scale; (f) other processing operations for which the consultation of the data protection officer or supervisory authority is required pursuant to point (b) of Article 34(2); (g) where a personal data breach would likely adversely affect the protection of the personal data, the privacy, the rights or the legitimate interests of the data subject; (h) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects; (i) where personal data are made accessible to a number of persons which cannot reasonably be expected to be limited. 3. According to the result of the risk analysis: (a) where any of the processing operations referred to in points (a) or (b) of paragraph 2 exist, controllers not established in the

33 4. The controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of Union shall designate a representative in the Union in line with the requirements and exemptions laid down in Article 25; (b) where any of the processing operations referred to in points (a), (b) or (h) of paragraph 2 exist, the controller shall designate a data protection officer in line with the requirements and exemptions laid down in Article 35; (c) where any of the processing operations referred to in points (a), (b), (c), (d), (e), (f), (g) or (h) of paragraph 2 exist, the controller or the processor acting on the controller's behalf shall carry out a data protection impact assessment pursuant to Article 33; (d) where processing operations referred to in point (f) of paragraph 2 exist, the controller shall consult the data protection officer, or in case a data protection officer has not been appointed, the supervisory authority pursuant to Article The risk analysis shall be reviewed at the latest after one year, or immediately, if the nature, the scope or the purposes of the data processing operations change significantly. Where pursuant to point (c) of paragraph 3 the controller is not obliged to carry out a data protection impact assessment, the risk analysis shall be documented. Deleted 4. The controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of Deleted

33a the processing operations. Data protection compliance review 1. At the latest two years after the carrying out of an impact assessment pursuant to Article 33(1), the controller or the processor acting on the controller's behalf shall carry out a compliance review. This compliance review shall demonstrate that the processing of personal data is performed in compliance with the data protection impact assessment. 2. The compliance review shall be carried out periodically at least once every two years, or immediately when there is a change in the specific risks presented by the processing operations. 3. Where the compliance review results show compliance inconsistencies, the compliance review shall include recommendations on how to achieve full compliance. 4. The compliance review and its recommendations shall be documented. The controller and the processor and, if any, the controller's representative shall make the compliance review available, on request, to the supervisory authority. 5. If the controller or the processor has designated a data protection officer, he or she shall be involved in the compliance review proceeding. the processing operations. Deleted The controller or processor acting on the controller's behalf 2. The controller or processor acting on the controller's behalf 2. The controller or processor acting on the controller's behalf 2. The controller or processor acting on the controller's behalf

shall consult the supervisory authority prior to the processing of personal data in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where: shall consult the data protection officer, or in case a data protection officer has not been appointed, the supervisory authority prior to the processing of personal data in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where: shall consult the supervisory authority prior to the processing of personal data where a data protection impact assessment as provided for in Article 33 indicates that the in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the would result in a high risks involved for the data subjects where: in the absence of measures to be taken by the controller to mitigate the risk. shall consult the data protection officer, or in case a data protection officer has not been appointed, the supervisory authority prior to the processing of personal data in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where: The controller and the processor shall designate a data protection officer in any case where: (a) the processing is carried out by a public authority or body; or 1. The controller and the processor shall designate a data protection officer in any case where : (a) the processing is carried out by a public authority or body; or 1. The controller and or the processor may, or where required by Union or Member State law shall designate a data protection officer in any case where:. 1. The controller and the processor shall designate a data protection officer in any case where: (a) the processing is carried out by a public authority or body (b) the processing is carried out by an enterprise employing 250 persons or more; or (c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects. (b) the processing is carried out by an enterprise employing 250 persons or more a legal person and relates to more than 5000 data subjects in any consecutive 12-month period; or (c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects; or (d) the core activities of the controller or the processor consist of processing special categories of data pursuant to Article 9(1), location data or (c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purpose, the number of the individuals concerned or individuals processing personal data imply regular and systematic monitoring of data subjects or high level of risk.

data on children or employees in large scale filing systems (a) (NEW). The obligation referred to in paragraph 1 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a high risk for the rights and freedoms of data subject such as discrimination, identity theft or fraud, unauthorized reversal of pseudonymisation, financial loss, damage to the reputation, loss of confidentiality of data protected by professional secrecy or any other economic or social disadvantage.


More information

The potential legal consequences of a personal data breach

The potential legal consequences of a personal data breach The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.

More information

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS As a world leader in electronic commerce and payment services, First Data Corporation and its subsidiaries ( First Data entity or entities ),

More information

Corporate Policy. Data Protection for Data of Customers & Partners.

Corporate Policy. Data Protection for Data of Customers & Partners. Corporate Policy. Data Protection for Data of Customers & Partners. 02 Preamble Ladies and gentlemen, Dear employees, The electronic processing of virtually all sales procedures, globalization and growing

More information

1 Data Protection Principles

1 Data Protection Principles Today, our personal information is being collected, shared, stored and analysed everywhere. Whether you are browsing the internet, talking to a friend or making an online purchase, personal data collection

More information

Council of the European Union Brussels, 8 July 2015 (OR. en)

Council of the European Union Brussels, 8 July 2015 (OR. en) Council of the European Union Brussels, 8 July 2015 (OR. en) Interinstitutional File: 2012/0011 (COD) 10391/15 LIMITE DATAPROTECT 111 JAI 513 MI 425 DIGIT 54 DAPIX 117 FREMP 146 COMIX 304 CODEC 958 NOTE

More information

***I DRAFT REPORT. EN United in diversity EN 2012/0011(COD) 17.12.2012

***I DRAFT REPORT. EN United in diversity EN 2012/0011(COD) 17.12.2012 EUROPEAN PARLIAMT 2009-2014 Committee on Civil Liberties, Justice and Home Affairs 17.12.2012 2012/0011(COD) ***I DRAFT REPORT on the proposal for a regulation of the European Parliament and of the Council

More information

AIRBUS GROUP BINDING CORPORATE RULES

AIRBUS GROUP BINDING CORPORATE RULES 1 AIRBUS GROUP BINDING CORPORATE RULES 2 Introduction The Binding Corporate Rules (hereinafter BCRs ) of the Airbus Group finalize the Airbus Group s provisions on the protection of Personal Data. These

More information

Analysis. The Proposed Data Protection Regulation: What has the Council agreed so far?

Analysis. The Proposed Data Protection Regulation: What has the Council agreed so far? Analysis The Proposed Data Protection Regulation: What has the Council agreed so far? Steve Peers, Professor of Law, University of Essex Twitter: @StevePeers 8 December 2014 Introduction Back in January

More information

Explanatory notes VAT invoicing rules

Explanatory notes VAT invoicing rules Explanatory notes VAT invoicing rules (Council Directive 2010/45/EU) Why explanatory notes? Explanatory notes aim at providing a better understanding of legislation adopted at EU level and in this case

More information

The reform of the EU Data Protection framework - Building trust in a digital and global world. 9/10 October 2012

The reform of the EU Data Protection framework - Building trust in a digital and global world. 9/10 October 2012 The reform of the EU Data Protection framework - Building trust in a digital and global world 9/10 October 2012 Questionnaire addressed to national Parliaments Please, find attached a number of questions

More information

New EU Data Protection legislation comes into force today. What does this mean for your business?

New EU Data Protection legislation comes into force today. What does this mean for your business? 24 th May 2016 New EU Data Protection legislation comes into force today. What does this mean for your business? After years of discussion and proposals, the General Data Protection Regulation ( GDPR )

More information

Data and Cyber Laws Up-date 9 July 2015

Data and Cyber Laws Up-date 9 July 2015 Data and Cyber Laws Up-date 9 July 2015 Janine Regan Alexia Zuber Viktoria Protokova Simon Holdsworth charlesrussellspeechlys.com Topics Updates on the key aspects of, and commentary on, the proposed GDPR

More information

ECB-PUBLIC OPINION OF THE EUROPEAN CENTRAL BANK. of 12 November 2015. on the regulation of companies acquiring credit (CON/2015/45)

ECB-PUBLIC OPINION OF THE EUROPEAN CENTRAL BANK. of 12 November 2015. on the regulation of companies acquiring credit (CON/2015/45) EN ECB-PUBLIC OPINION OF THE EUROPEAN CENTRAL BANK of 12 November 2015 on the regulation of companies acquiring credit (CON/2015/45) Introduction and legal basis On 5 November 2015 the European Central

More information

13772/14 GS/np 1 DG D 2C

13772/14 GS/np 1 DG D 2C Council of the European Union Brussels, 3 October 2014 (OR. en) Interinstitutional File: 2012/0011 (COD) 13772/14 DATAPROTECT 129 JAI 730 MI 726 DRS 120 DAPIX 137 FREMP 164 COMIX 503 CODEC 1926 NOTE From:

More information

Draft GDPR and health-related scientific research: Where do we stand with the EU Council?

Draft GDPR and health-related scientific research: Where do we stand with the EU Council? Draft GDPR and health-related scientific research: Where do we stand with the EU Council? Gauthier Chassang, Lawyer BIOBANQUES Infrastructure, INSERM US013, France Data Protection for health: Enabling

More information

Accountability: Data Governance for the Evolving Digital Marketplace 1

Accountability: Data Governance for the Evolving Digital Marketplace 1 Accountability: Data Governance for the Evolving Digital Marketplace 1 1 For the past three years, the Centre for Information Policy Leadership at Hunton & Williams LLP has served as secretariat for the

More information

Consultation document on the Review of the Insurance Mediation Directive (IMD) Commission Staff Working Paper

Consultation document on the Review of the Insurance Mediation Directive (IMD) Commission Staff Working Paper Consultation document on the Review of the Insurance Mediation Directive (IMD) Commission Staff Working Paper This document is a working document of the Internal Market and Services Directorate General

More information

Option Table - Directive on Statutory Audits of Annual and Consolidated Accounts

Option Table - Directive on Statutory Audits of Annual and Consolidated Accounts Option Table - Directive on Statutory Audits of Annual and Consolidated Accounts The purpose of this document is to highlight the changes in the options available to Member States and Competent Authorities

More information

Data Protection Ensuring high level of privacy while promoting business innovation and competition

Data Protection Ensuring high level of privacy while promoting business innovation and competition Data Protection Ensuring high level of privacy while promoting business innovation and competition Tele2 AB, Skeppsbron 18 P.O Box 2094, SE-103 13 STOCKHOLM, SWEDEN Tel +46 8 5620 0000, Fax +46 8 5620

More information

EU Data Protection Reform. Interpretations at GP level

EU Data Protection Reform. Interpretations at GP level EU Data Protection Reform Interpretations at GP level EU Data Protection Reform Why GDPR BREXIT implications EU GDP Reform key aspects GPs getting ready Further resources, help and advice Why the DP reform?

More information

Registration must be carried out by a top executive or a number of executives having the power to commit the whole company in the EU.

Registration must be carried out by a top executive or a number of executives having the power to commit the whole company in the EU. Questions and answers 1- What is the purpose of The Initiative? Why are we doing this? The purpose of the Supply Chain Initiative is to promote fair business practices in the food supply chain as a basis

More information

technical factsheet 176

technical factsheet 176 technical factsheet 176 Data Protection CONTENTS 1. Introduction 1 2. Register with the Information Commissioner s Office 1 3. Period protection rights and duties remain effective 2 4. The data protection

More information

CHAPTER 14 ELECTRONIC COMMERCE

CHAPTER 14 ELECTRONIC COMMERCE CHAPTER 14 ELECTRONIC COMMERCE Article 14.1: Definitions For the purposes of this Chapter: computing facilities means computer servers and storage devices for processing or storing information for commercial

More information

Clause 1. Definitions and Interpretation

Clause 1. Definitions and Interpretation [Standard data protection [agreement/clauses] for the transfer of Personal Data from the University of Edinburgh (as Data Controller) to a Data Processor within the European Economic Area ] In this Agreement:-

More information

SUPPLEMENTARY INTERNAL RULES IMPLEMENTING REGULATION (EC) N 45/2001 IN RELATION TO THE DATA PROTECTION OFFICER

SUPPLEMENTARY INTERNAL RULES IMPLEMENTING REGULATION (EC) N 45/2001 IN RELATION TO THE DATA PROTECTION OFFICER SUPPLEMENTARY INTERNAL RULES IMPLEMENTING REGULATION (EC) N 45/2001 IN RELATION TO THE DATA PROTECTION OFFICER 10 September 2009 page 1 / 8 SUPPLEMENTARY INTERNAL RULES IMPLEMENTING REGULATION (EC) N 45/2001

More information

Improving self-regulation through (law-based) Corporate Data Protection Officials *

Improving self-regulation through (law-based) Corporate Data Protection Officials * Improving self-regulation through (law-based) Corporate Data Protection Officials * Article by Christoph Klug ** The rise of globalization and multinational corporations is creating a pressing need for

More information

I. EBF KEY PRIORITIES. A. Data breach notification

I. EBF KEY PRIORITIES. A. Data breach notification D1391E-2012 29.10.2012 EUROPEAN BANKING FEDERATION PROPOSED AMENDMENTS TO THE EUROPEAN COMMISSION PROPOSAL FOR A REGULATION ON THE PROTECTION OF INDIVIDUALS WITH REGARD TO THE PROCESSING OF PERSONAL DATA

More information

Comparison of the Parliament and Council text on the General Data Protection Regulation

Comparison of the Parliament and Council text on the General Data Protection Regulation Comparison of the Parliament and Council text on the General Data Protection Regulation General comments The Council text and the Parliament text are both based on the Commission's proposal and as such

More information

European Privacy Reporter

European Privacy Reporter Is this email not displaying correctly? Try the web version or print version. ISSUE 02 European Privacy Reporter An Update on Legal Developments in European Privacy and Data Protection November 2012 In

More information

OVERVIEW. stakeholder engagement mechanisms and WP29 consultation mechanisms respectively.

OVERVIEW. stakeholder engagement mechanisms and WP29 consultation mechanisms respectively. Joint work between experts from the Article 29 Working Party and from APEC Economies, on a referential for requirements for Binding Corporate Rules submitted to national Data Protection Authorities in

More information

COMMISSION REGULATION (EU) No /.. of XXX

COMMISSION REGULATION (EU) No /.. of XXX EUROPEAN COMMISSION Brussels, XXX [ ](2013) XXX draft COMMISSION REGULATION (EU) No /.. of XXX on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC on privacy

More information

1 September /552

1 September /552 Foreword from the Chair of the ICC Commission on the Digital Economy Paris, 1 April 2016 The International Chamber of Commerce (ICC) policy inventory on the European Union (EU) General Data Protection

More information

International Data Transfer Agreement

International Data Transfer Agreement International Data Transfer Agreement Standard Contractual Clauses (processors) For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third

More information

The EBF would like to take the opportunity to note few general remarks on key issues as follows:

The EBF would like to take the opportunity to note few general remarks on key issues as follows: Ref.:EBF_001314 Brussels, 17 June 2013 Launched in 1960, the European Banking Federation is the voice of the European banking sector from the European Union and European Free Trade Association countries.

More information

Data protection compliance checklist

Data protection compliance checklist Data protection compliance checklist What is this checklist for? This checklist is drawn up on the basis of analysis of the relevant provisions of European law. Although European law aims at harmonizing

More information

Linde Integrity Line. Process and Data Protection Policy. 1 July 2007

Linde Integrity Line. Process and Data Protection Policy. 1 July 2007 Linde Integrity Line Process and Data Protection Policy 1 July 2007 Page 2 of 10 Table of Contents Preamble 3 1 Scope of application 3 2 Definitions 3 3 Submitting Reports Regular Channels 3 4 Submitting

More information

Recommendation Recipients are invited: To consider the report. To discuss the points raised, and determine a response for action.

Recommendation Recipients are invited: To consider the report. To discuss the points raised, and determine a response for action. ISC15D032 Title: Data protection briefing - GDPR Author: Raymond Scott (ISD) Date: 5 May 2016 Circulation: ISSC 14 June 2016 Agenda: ISC15A003 Version: Draft v0.1 Status: Open Issue On 14 April 2016, the

More information

Microsoft response to the Ministry of Justice Call for Evidence on EU Data Protection Proposal - Regulation COM(2012)11.

Microsoft response to the Ministry of Justice Call for Evidence on EU Data Protection Proposal - Regulation COM(2012)11. Microsoft response to the Ministry of Justice Call for Evidence on EU Data Protection Proposal - Regulation COM(2012)11 6 th March 2012 Executive Summary Microsoft welcomes the very idea of a Regulation

More information

ADLS GUIDANCE NOTE. Therefore, in order to process sensitive personal data fairly and lawfully specifically for research purposes:

ADLS GUIDANCE NOTE. Therefore, in order to process sensitive personal data fairly and lawfully specifically for research purposes: ADLS GUIDANCE NOTE Can a researcher legitimately process sensitive personal data for research purposes? This guidance note provides information on processing sensitive personal data for research purposes.

More information

CISCO MERAKI EU DATA PROCESSING ADDENDUM

CISCO MERAKI EU DATA PROCESSING ADDENDUM Meraki LLC 500 Terry Francois Blvd. San Francisco, CA 94158 T 415.432.1000 CISCO MERAKI EU DATA PROCESSING ADDENDUM This EU Data Processing Addendum ( DPA ) forms part of the End Customer Agreement (the

More information

Personal Data Act (1998:204);

Personal Data Act (1998:204); Personal Data Act (1998:204); issued 29 April 1998. Be it enacted as follows. General provisions Purpose of this Act Section 1 The purpose of this Act is to protect people against the violation of their

More information

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES TECHNICAL COMMITTEE OF THE INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS FEBRUARY 2005 Preamble The IOSCO Technical Committee

More information

10227/13 GS/np 1 DG D 2B

10227/13 GS/np 1 DG D 2B COUNCIL OF THE EUROPEAN UNION Brussels, 31 May 2013 10227/13 Interinstitutional File: 2012/0011 (COD) DATAPROTECT 72 JAI 438 MI 469 DRS 104 DAPIX 86 FREMP 77 COMIX 339 CODEC 1257 NOTE from: Presidency

More information

Privacy and Transparency for Consumer Trust and Consumer Centrality

Privacy and Transparency for Consumer Trust and Consumer Centrality 1 1 2 2 Ecommerce Europe is the association representing around 5000+ companies selling products and/or services online to consumers in Europe. Ecommerce Europe is a major stakeholder in policy issues

More information

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed

More information

Privacy and Electronic Communications Regulations

Privacy and Electronic Communications Regulations ICO lo Notification of PECR security breaches Privacy and Electronic Communications Regulations Contents Introduction... 2 Overview... 2 Relevant security breaches... 3 What is a service provider?... 3

More information

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3 OPERATIONAL RISK Contents 1. Operational Risk... 3 1.1 Legislation... 3 1.2 Guidance... 3 1.3 Risk management process... 4 1.4 Risk register... 7 1.5 EBA Guidelines on the Security of Internet Payments...

More information

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Sopra HR Software as a Data Processor Sopra HR Software, 2014 / Ref. : 20141120-101114-m 1/32 1.

More information

002264/EU XXV.GP Eingelangt am 15/11/13

002264/EU XXV.GP Eingelangt am 15/11/13 002264/EU XXV.GP Eingelangt am 15/11/13 COUNCIL OF THE EUROPEAN UNION Brussels, 15 November 2013 Interinstitutional File: 2011/0196 (COD) 11532/4/13 REV 4 ADD 1 TRANS 354 CODEC 1599 PARLNAT 282 STATEMT

More information

Council of the European Union Brussels, 26 June 2015 (OR. en)

Council of the European Union Brussels, 26 June 2015 (OR. en) Council of the European Union Brussels, 26 June 2015 (OR. en) Interinstitutional File: 2012/0011 (COD) 9985/1/15 REV 1 LIMITE DATAPROTECT 103 JAI 465 MI 402 DIGIT 52 DAPIX 100 FREMP 138 COMIX 281 CODEC

More information

12555/15 CHS/KR/np 1 DGD 2C

12555/15 CHS/KR/np 1 DGD 2C Council of the European Union Brussels, 2 October 2015 (OR. en) Interinstitutional File: 2012/0010 (COD) 12555/15 NOTE From: To: Presidency Council No. prev. doc.: 12266/15 No. Cion doc.: 5833/12 Subject:

More information

Big Data for Mutuals. Marc Dautlich 25 November 2013

Big Data for Mutuals. Marc Dautlich 25 November 2013 Big Data for Mutuals Marc Dautlich 25 November 2013 Agenda BIG DATA What is it? OPPORTUNITIES What are they? LEGAL CHALLENGES How do we overcome them? LEGAL REFORM What can we do now to minimise impact?

More information

Policy Statement. Employee privacy, data protection and human resources. Prepared by the Commission on E-Business, IT and Telecoms. I.

Policy Statement. Employee privacy, data protection and human resources. Prepared by the Commission on E-Business, IT and Telecoms. I. International Chamber of Commerce The world business organization Policy Statement Employee privacy, data protection and human resources Prepared by the Commission on E-Business, IT and Telecoms I. Introduction

More information

Binding Corporate Rules ( BCR ) Summary of Third Party Rights

Binding Corporate Rules ( BCR ) Summary of Third Party Rights Binding Corporate Rules ( BCR ) Summary of Third Party Rights This document contains in its Sections 3 9 all provision of the Binding Corporate Rules (BCR) for Siemens Group Companies and Other Adopting

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY Reference number Approved by Information Management and Technology Board Date approved 14 th May 2012 Version 1.1 Last revised N/A Review date May 2015 Category Information Assurance Owner Data Protection

More information

Annex 1: Detailed outline

Annex 1: Detailed outline Annex 1: Detailed outline Key issues Possible text for proposal for a directive/regulation Comments/Explanations on ongoing and periodic transparency requirements for issuers, and holders, of securities

More information

235.1. Federal Act on Data Protection (FADP) Aim, Scope and Definitions

235.1. Federal Act on Data Protection (FADP) Aim, Scope and Definitions English is not an official language of the Swiss Confederation. This translation is provided for information purposes only and has no legal force. Federal Act on Data Protection (FADP) 235.1 of 19 June

More information

TEXTUAL PROPOSAL EXCLUSIVE RIGHTS OR PRIVILEGES. Chapter on Initial Provisions and Definitions

TEXTUAL PROPOSAL EXCLUSIVE RIGHTS OR PRIVILEGES. Chapter on Initial Provisions and Definitions TEXTUAL PROPOSAL POSSIBLE PROVISIONS ON STATE ENTERPRISES AND ENTERPRISES GRANTED SPECIAL OR EXCLUSIVE RIGHTS OR PRIVILEGES In line with the proposed content developed in the Initial Position Paper proposed

More information

Financial Services Regulatory Commission Antigua and Barbuda Division of Gaming Customer Due Diligence Guidelines for

Financial Services Regulatory Commission Antigua and Barbuda Division of Gaming Customer Due Diligence Guidelines for Division of Gaming Customer Due Diligence Guidelines for Interactive Gaming & Interactive Wagering Companies November 2005 Customer Due Diligence for Interactive Gaming & Interactive Wagering Companies

More information

16140/14 GS/tt 1 DG D 2C

16140/14 GS/tt 1 DG D 2C Council of the European Union Brussels, 1 December 2014 (OR. en) Interinstitutional File: 2012/0011 (COD) 16140/14 DATAPROTECT 181 JAI 961 MI 950 DRS 163 DAPIX 183 FREMP 220 COMIX 645 CODEC 2375 NOTE From:

More information

Guidelines on operational functioning of colleges

Guidelines on operational functioning of colleges EIOPA-BoS-14/146 EN Guidelines on operational functioning of colleges EIOPA Westhafen Tower, Westhafenplatz 1-60327 Frankfurt Germany - Tel. + 49 69-951119-20; Fax. + 49 69-951119-19; email: info@eiopa.europa.eu

More information

Do you have a private life at your workplace?

Do you have a private life at your workplace? Do you have a private life at your workplace? Privacy in the workplace in EC institutions and bodies Giovanni Buttarelli In the course of his supervisory activities, the EDPS has published positions on

More information

DATA PROCESSING AGREEMENT

DATA PROCESSING AGREEMENT DATA PROCESSING AGREEMENT This Data Processing Agreement ( DPA ) forms part of the master agreement between Customer and CA (the Agreement ) to reflect the parties agreement with regard to the Processing

More information

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document Data Protection Processing and Transfer of Personal Data in Kvaerner Binding Corporate Rules Public Document 1 of 19 1 / 19 Table of contents 1 Introduction... 4 1.1 Scope... 4 1.2 Definitions... 4 1.2.1

More information

UK Data Protection Newsletter June 2015

UK Data Protection Newsletter June 2015 UK Data Protection Newsletter June 2015 Headlines this month: n Data Protection reform update n New regulation must not lower data protection standards n Raid on Manchester Call Centre n Recent data breaches

More information

DATA PROTECTION: THE EU REFORM PROPOSALS Timothy Pitt-Payne QC

DATA PROTECTION: THE EU REFORM PROPOSALS Timothy Pitt-Payne QC DATA PROTECTION: THE EU REFORM PROPOSALS Timothy Pitt-Payne QC INTRODUCTION 1. The Commission s reform proposals are set out in detail at: http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm

More information

Council of the European Union Brussels, 5 March 2015 (OR. en)

Council of the European Union Brussels, 5 March 2015 (OR. en) Council of the European Union Brussels, 5 March 2015 (OR. en) Interinstitutional File: 2013/0027 (COD) 6788/15 LIMITE TELECOM 59 DATAPROTECT 23 CYBER 13 MI 139 CSC 55 CODEC 279 NOTE From: Presidency To:

More information

COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS

COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS EUROPEAN COMMISSION Brussels, XXX [ ](2011) XXX draft COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS

More information

An overview of UK data protection law

An overview of UK data protection law An overview of UK data protection law Our team Vinod Bange Partner +44 (0)20 7300 4600 v.bange@taylorwessing.com Graham Hann Partner +44 (0)20 7300 4839 g.hann@taylorwessing.com Chris Jeffery Partner +44

More information

COUNCIL OF THE EUROPEAN UNION. Brussels, 31 May 2013 10227/13 ADD 1. Interinstitutional File: 2012/0011 (COD)

COUNCIL OF THE EUROPEAN UNION. Brussels, 31 May 2013 10227/13 ADD 1. Interinstitutional File: 2012/0011 (COD) COUNCIL OF THE EUROPEAN UNION Brussels, 31 May 2013 Interinstitutional File: 2012/0011 (COD) 10227/13 ADD 1 DATAPROTECT 72 JAI 438 MI 469 DRS 104 DAPIX 86 FREMP 77 COMIX 339 CODEC 1257 ADDENDUM TO NOTE

More information

9565/15 CHS/VH/np 1 DGD2C

9565/15 CHS/VH/np 1 DGD2C Council of the European Union Brussels, 11 June 2015 (OR. en) Interinstitutional File: 2012/0011 (COD) 9565/15 NOTE From: To: Presidency Council No. prev. doc.: 9398/15 Subject: DATAPROTECT 97 JAI 420

More information

Appendix 11 - Swiss Data Protection Act

Appendix 11 - Swiss Data Protection Act GLEIF- LOU Restricted Appendix 11 - Swiss Data Protection Act GLEIF Revision Version: 1.0 2015-09-23 Master Copy page 2 of 11 Applicable Provisions of the Swiss Data Protection Act (DPA) including the

More information

LEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT

LEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT LEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT 2300 Pursuant to its authority from Article 59 of the Rules of Procedure of the Croatian Parliament, the Legislation Committee determined the revised text

More information

DRAFT DATA PROTECTION REGULATION BRIEFING BY RSA INSURANCE GROUP (RSA) 17 July 2012

DRAFT DATA PROTECTION REGULATION BRIEFING BY RSA INSURANCE GROUP (RSA) 17 July 2012 DRAFT DATA PROTECTION REGULATION BRIEFING BY RSA INSURANCE GROUP (RSA) 17 July 2012 Introduction This paper outlines the views of RSA Insurance Group on the draft Regulation on the protection of individuals

More information

Salesforce s Processor Binding Corporate Rules. for the. Processing of Personal Data

Salesforce s Processor Binding Corporate Rules. for the. Processing of Personal Data Salesforce s Processor Binding Corporate Rules for the Processing of Personal Data Table of Contents 1. Introduction 3 2. Definitions 3 3. Scope and Application 4 4. Responsibilities Towards Customers

More information

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER 3 APPLIES TO: ALL STAFF 4 COMMITTEE & DATE APPROVED: AUDIT COMMITTEE

More information

Act CLXV of 2013. on Complaints and Public Interest Disclosures. 1. Complaint and public interest disclosure

Act CLXV of 2013. on Complaints and Public Interest Disclosures. 1. Complaint and public interest disclosure Act CLXV of 2013 on Complaints and Public Interest Disclosures The National Assembly, committed to increasing public confidence in the functioning of public bodies, recognising the importance of complaints

More information

BCS, The Chartered Institute for IT Consultation Response to:

BCS, The Chartered Institute for IT Consultation Response to: BCS, The Chartered Institute for IT Consultation Response to: A Comprehensive Approach to Personal Data Protection in the European Union Dated: 15 January 2011 BCS The Chartered Institute for IT First

More information

CESR Consultation Paper on UCITS Management Company Passport

CESR Consultation Paper on UCITS Management Company Passport News Bulletin October 24, 2008 CESR Consultation Paper on UCITS Management Company Passport Background On 30 th September 2008, the Committee of European Securities Regulators ( CESR ) issued a consultation

More information

Basel Committee on Banking Supervision. Consolidated KYC Risk Management

Basel Committee on Banking Supervision. Consolidated KYC Risk Management Basel Committee on Banking Supervision Consolidated KYC Risk Management October 2004 Table of contents Introduction...4 Global process for managing KYC risks...5 Risk management...5 Customer acceptance

More information

EU DATA PROTECTION REFORM The implications for Lend.io (a fin-tech start-up invented by Coadec and techuk)

EU DATA PROTECTION REFORM The implications for Lend.io (a fin-tech start-up invented by Coadec and techuk) EU DATA PROTECTION REFORM The implications for Lend.io (a fin-tech start-up invented by Coadec and techuk) In order to better understand the implications of proposed EU data protection regulations on European

More information

Standard conditions of the Electricity Distribution Licence

Standard conditions of the Electricity Distribution Licence Gas and Electricity Markets Authority ELECTRICITY ACT 1989 Standard conditions of the Electricity Distribution Licence Statutory Consultation: 29 April 2008 SECTION A: STANDARD CONDITIONS FOR ALL ELECTRICITY

More information

Group insurance arrangements

Group insurance arrangements CONSULTATION PAPER 80 Group insurance arrangements May 2007 What this paper is about 1 It is common for a variety of organisations, such as sporting and community associations (e.g. football clubs or surf

More information