The processing of personal data by registrars
- Sara Conley
- 7 years ago
Introduction

DNS.be registrars collect and process personal data from their customers/registrants as part of the process for registering domain names, either directly via their website or via third parties (e.g. resellers, etc.).

In 1992, a legal framework was created in Belgium for data through the Personal Data Protection Act of 8th December 1992 relative to details (referred to below as the Personal Data Processing Act). This Act was amended in 1998 in response to European Directive 95/46/EC issued by the European Parliament and the Council of Europe on 24th October 1995, relative to the protection of natural persons in connection with the processing of their personal data and regarding the unrestricted traffic of that data.

However, it is not the aim of this document to analyse the legislation mentioned above in any detail, but rather to familiarise registrars with this area and to provide them with a number of practical guidelines for complying with the obligations imposed by this legislation.
When does the Personal Data Processing Act apply?

The Act applies to any fully or partly automated processing of personal data, as well as to any non-automated processing of personal data entered in a file or that is intended to be entered in it.

What is personal data?

The Personal Data Processing Act describes personal data as any information that relates to an identified or identifiable natural person.

This is understood to include: the contact details of a person, such as their name, postal address, e-mail address, telephone number, etc. However, the principle is not limited to data relating to the privacy of individuals. Data that relates to the professional or public life of a person is also considered to be personal data. [2] Less obvious information also comes under this definition, such as cookies [3], IP addresses [4], the click-through behaviour of an individual [5], etc. However, data about legal entities or associations does not come under the protection of the Act.

[1] Article 3 §1 of the Personal
[2] European Court of Justice, Ruling of 6th November 2003, Bodil Linqvist (prejudicial questions), Case C-101/01.
[3] Florence de Villenfagne, Protection of personal data, in X., Electronic Commerce, legal and practical aspects, UGA, 2004, p
[4] L.F. Asscher and S.A. Hoogcarspel, Regulating Spam: A European Perspective after the Adoption of the e-privacy Directive, in Information Technology and Law, Cambridge University Press, 2006, p
[5] Patrick Van Eecke (ed.), Law & Electronic Commerce, Larcier, 2011, p. 236.
What is understood by the processing of data?

Processing means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by means of transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction of personal data. [6]

Examples of processing:
- collecting personal data via a contact form at a website; [7]
- posting personal data on a webpage; [8]
- collecting data in order to process orders;
- collecting data for creating marketing profiles;
- collecting data for sending out electronic advertising;
- collecting data to send out a newsletter;
- etc.

In an online context, most operations performed upon personal data are effective processing in the sense of the Personal Data Processing Act. [9]

[6] Article 1 §4 of the Personal
[7] Florence de Villenfagne, Protection of personal data, in X., Electronic Commerce, legal and practical aspects, UGA, 2004, p
[8] European Court of Justice, Ruling of 6th November 2003, Bodil Linqvist (prejudicial questions), Case C-101/01.
[9] Patrick Van Eecke (ed.), Law & Electronic Commerce, Larcier, 2011, p
Under what conditions may personal data be processed?

A. Quality requirements

Article 4 of the Personal Data Processing Act gives a summary of the requirements that processing personal data must comply with.

1 Honesty requirement
The processing must be transparent for the persons involved and these persons must be informed about the processing of their data.

2 Legality requirement
The processing must take account of all the terms set out in the Personal Data Processing Act and may not be in breach of any other regulations (e.g. regarding spam, cookies, etc.).

3 Purpose requirement
Personal data may only be obtained for one or more clearly defined, specifically described and justified purposes. It is therefore important to think carefully in advance about the various purposes for which the data will be used: customer management, sending out information about products and services, announcing events, complaints management, etc. The purposes established will determine what kind of data may be collected, what may be done with the data, whom that data may be passed on to, how long it may be kept, etc. Indeed, only actions that comply and are compatible with the established purposes may be carried out. The term "compatible" is deemed to be what is defined by law and what the person concerned might reasonably expect. Notification of the purposes is best dealt with in a privacy policy, but it is also advisable to reiterate at relevant locations on the website why certain items of data are retrieved. These purposes must be established from the outset and notified to the parties involved.

[10] Patrick Van Eecke (ed.), Law & Electronic Commerce, Larcier, 2011, p
4 Proportionality requirement
The personal data that is processed must be relevant, taking account of the purposes for which it was obtained or for which it will be processed further. When, for example, personal data is processed for the purpose of customer management, no more data than is strictly necessary may be processed, e.g. the name of the person or the organisation, the address, the e-mail address, the company number. For example, it is not relevant to ask for, store and process details regarding the profession of your customers.

5 Accuracy requirement
Data that is processed must be accurate and updated if necessary; all reasonable measures must be taken to delete or amend data that is inaccurate or incomplete. Consequently it is very important for a registrar to ensure that the data of its customers/registrants is up-to-date at all times. This requirement of accuracy is explicitly reiterated in the agreement that DNS.be enters into with registrars.

6 Restriction requirement
Personal data may not be stored for longer than is necessary to carry out the purposes for which it was obtained or further processed. If the personal data is collected and processed for the purpose of customer management, this data must be deleted/destroyed as soon as the person in question is no longer a customer. DNS.be also advises registrars to delete the contact handles of ex-customers/registrants.
B. Justification grounds

The Personal Data Processing Act [11] lists 6 circumstances in which personal data may be processed. These are the grounds that the controller may invoke for processing certain personal details. If the controller is unable to invoke any of these grounds, then the processing is unlawful. Personal data that is collected in an online context usually comes under the first two grounds or the last ground, i.e.

1. The person involved has given his/her unequivocal consent for the processing. This consent is only valid if it is given freely and specifically and is based on information. However, the Act does not stipulate that this consent must be given explicitly and in writing. [12] However, in practice it is advisable to draw up a privacy policy and to request the express acceptance of this policy via a tick-box that it is mandatory to tick.

2. The processing is necessary for the execution of the agreement to which the person involved is a party, or for the implementation of precontractual measures that the person involved has requested. On the basis of this and in the context of the registration of a domain name, a registrar may collect and process the name of the person or the organisation, the address details and the company number of the registrant in order to be able to supply the service ordered and to draft the invoice associated with it.

3. The processing is necessary in order to serve the justified interest of the controller or of a third party, on condition that the interests or rights of the person involved are not impaired. However, this legal ground must be strictly interpreted and may not be seen as a means of circumventing other legal grounds. However, the Commission for the protection of privacy (referred to below as the "Privacy Commission") does accept that this legal ground is used in the case of customer relationship management with regard to one's own customers, such as conducting a satisfaction survey among one's own customers about the services they purchase, an invitation to one's own customers to extend or renew their contract, etc. [13]

[11] Article 5 of the Personal
[12] Patrick Van Eecke (ed.), Law & Electronic Commerce, Larcier, 2011, p
[13] Privacy Commission, Recommendation nº 04/2009 dated 14th October 2009, p. 13.
Obligations of the controller

1. Obligations of the controller

The controller is charged with virtually all of the obligations imposed by the Personal Data Processing Act to ensure the protection of the data processed. Under the Act, the controller is any natural or legal person, un-associated organization or public authority which alone or jointly with others determines the purposes and means of the processing of personal data. [14] As a result, the controller is the company/person which/who has the authority to take decisions in relation to the data processed (which/who defines what data is processed, the purpose for which the data is used, to whom it is passed on etc.).

[14] Article 1 §4 of the Personal
2. Statutory information

The controller is obliged to notify the person involved of the following information [15]:
- the name and address of the controller;
- the purposes of the processing;
- the existence of the person's right, on request and without charge, to object to processing intended for direct marketing;
- other additional information, in particular
  - the recipients or categories of recipients of the data,
  - the categories of data involved [16],
  - whether or not the answer is required and any consequences arising from not answering,
  - the existence of the person's right to access and amend the data relating to him/her.

If the controller collects the personal data itself, it is obliged to provide that information at the latest at the time the data is obtained. [17] A registrar that collects personal data itself via its website can notify registrants of this information in a clause mentioned during the registration procedure. A registrar can also comply with the duty of information by using a link to the privacy policy at its website.

[15] Article 9 of the Personal
[16] If the data is not obtained from the person in question.
[17] Article 9 §1 of the Personal
3. The rights of the person involved

A. Right to access and notification [18]

Each person involved has the right to obtain the following information from the controller:
- whether or not data about that person is being processed;
- the purpose for which this data is being processed;
- the nature of the data;
- the origin of the data;
- the categories of recipients to whom this data is provided;
- the data itself that is processed in an understandable form;
- the information available about the origin of the processed data.

The controller may itself determine the way in which the processed data is provided to the person involved. It is therefore not mandatory, for example, to supply a copy of a printout of the processed data or to allow the person involved to look at the computer screen. Providing that person with the data will suffice.

It must be possible for the person involved to exercise their right to access and notification free of charge. To exercise that right, the person involved must send a signed and dated request to the controller, accompanied by proof of his or her identity. The controller must provide the information mentioned above at the latest 45 days after receiving the request.

[18] Article 10 of the Personal
B. Right to rectification [19]

Any person involved can also, at no charge, ask the controller to rectify any inaccurate data relating to him or her, as well as to delete incomplete, irrelevant or forbidden data, or to forbid the use of this data. To exercise that right, the person involved must send a signed and dated request to the controller. The controller must, at the latest within one month of the request being submitted, give notification of what amendments or deletions have been carried out. The controller must also pass on this information to any third parties to which the incomplete, irrelevant or forbidden data has been supplied, unless this is impossible or would appear to be extremely difficult.

C. Right to object [20]

Any person involved has the right to object to the processing of data relating to him or her. However, this right is not absolute. In this case, the person involved must have significant and justified reasons for objecting. This means that he or she must give a reason for the objection, in the sense that the processing may have detrimental consequences. He or she may also not object to the processing of his or her data if such processing is necessary for the execution of an agreement or to comply with a statutory obligation.

If the data is collected for the purposes of direct marketing, the person involved may object to the processing of his or her data at no cost and without having to divulge the reason.

The right to object must also be exercised via a signed and dated request to the controller. The controller must provide notification of what it has done in response to the request within one month of the request being submitted. If the controller agrees to the request, processing of the data must cease.

[19] Article 12 of the Personal
[20] Article 12 of the Personal
4. General obligation of security

Article 16 §4 of the Personal Data Processing Act states that the controller, in order to guarantee the security of personal data, must take the appropriate technical and organisational measures required to protect that personal data against accidental or unlawful destruction, against accidental loss, and against the alteration of or access to personal data and any other unauthorised processing of personal data. These measures must ensure an appropriate level of security, taking account on the one hand of current technology in the matter and the cost of applying the measures and, on the other, the nature of the data to be protected and the potential risks involved.

The Act therefore provides no concrete measures as such, but leaves interpretation of the obligation to protect data to the controller itself. However, a number of general obligations are imposed on the controller in articles 16 §2 and §3. These are:

1. ensure with due care that the data is kept up-to-date, and that incorrect, incomplete and irrelevant data, as well as data that was obtained or further processed in violation of articles 4 to 8, is rectified or erased;
2. ensure that the number of individuals acting under his authority, as well as access to the data and the possible operations carried out on it, are limited to what is necessary for these individuals to fulfill their obligations or to whatever is necessary for the requirements of the service;
3. inform all individuals acting under his authority of the provisions of this Act and its implementing decrees, and of all relevant provisions in respect to the protection of privacy in relation to data;
4. ensure that the programs used for the automatic processing of personal data correspond to the information provided in the notification and that they are not used unlawfully;
5. ensure that the persons acting under the authority of the controller and who have access to the personal data only process this data on his behalf.

The Privacy Commission has also drawn up a set of "Reference measures for the security of any processing of personal data". This document is a tool that controllers can use in the implementation of a security policy.
In practical terms, this means that the controller must implement firewalls, virus scanners, logging and tracking mechanisms, etc. but must also ensure that the individuals involved in the processing of personal data are informed sufficiently about the applicable legislation and requirements, that there are documented procedures, that there is a management plan for security incidents, etc.

If the processing is entrusted to a processor, the controller must sign a contract with the processor stating what guarantees the processor offers with regard to the technical and organisational security measures that are applied to the processing, what the accountability of the processor is and that the processor and anyone acting under the processor's authority, may only act under the instructions of the controller.

Under the Personal Data Processing Act, the controller bears all liability for breaches of the security obligation. [21] Only contractual arrangements with the processor may transfer this liability to the processor.

[21] Article 15b of the Personal
5. Reporting to the Privacy Commission

Pursuant to article 17 §1 of the Personal Data Processing Act, the controller must report the processing prior to proceeding to process the data. A report is not a request for permission or an authorisation, but is merely intended to inform the Privacy Commission of the fact that the controller will be processing personal data.

A separate report is required for each processing purpose or group of cohesive purposes. [22] Processing for the purposes of customer management and the collection of data for marketing purposes must be reported in different reports to the Privacy Commission.

A report of data may be lodged in hardcopy form or electronically via the Privacy Commission website. A fee must be paid for each report: if the report is lodged electronically, if the report is lodged in hard-copy form.

Each report must contain the following details:
- the identity of the controller;
- the purposes;
- the categories of processed data;
- any statutory or regulatory basis for being able to process the data;
- the possible recipients to whom the data may be distributed;
- the guarantees associated with a notification to third parties;
- the way in which the individuals involved will be notified if their data is passed on to third parties;
- the person to be contacted for individuals to exercise their rights;
- the measures taken to make it easier for the individuals involved to exercise their rights;
- the length of time the data will be kept;
- the security measures;
- any sending of the data to other countries.

[22] Article 17 §5 of the Personal
There are, however, a number of exceptions to this principle of mandatory reporting in the Royal Decree for implementing the Personal Data Processing Act [23]. These exceptions apply only to standard processing and are subject to strict restrictions. For example, customer and supplier management is not subject to a prior report to the Privacy Commission if the following conditions are met:
- only data of potential, existing and past customers and suppliers;
- no sensitive, medical or judicial data is included;
- the data is not kept for longer than required for normal business operations;
- the data has been collected directly from the person involved (no database enrichment or viral marketing, etc.);
- the data is not passed on to third parties.

DNS.be has lodged 2 reports with the Privacy Commission: one for the data that is processed in our registration system, and one for the data that is processed for handling complaints relating to .be domain names.

[23] Article 17 §5 of the Personal
Conclusion

The Personal Data Processing Act states as a general rule that personal data may be processed on condition that a justified reason applies and provided all of the conditions laid down by law are complied with in the processing. [24]

To comply with the conditions set by the Personal Data Processing Act, DNS.be advises its registrars as follows:

1 draw up and apply a privacy policy. This privacy policy can be made known to third parties by way of a privacy statement or declaration. This privacy policy should include the following provisions:
- name and address of the controller;
- indicate that the Personal Data Processing Act will be complied with;
- purpose(s) of the processing;
- what sort of data is being collected;
- who the data will be passed on to;
- mention the existence of a right of access, notification and amendment and the procedure for exercising these rights;
- the option to explain the right to object if the data is being collected for direct marketing purposes;
- the (technical and organisational) measures taken to guarantee the security of the data;
- the use of cookies and the procedure for switching them off.

The best place to put this privacy policy is somewhere where the individuals involved can easily find it, e.g. a link on the homepage and/or (all) other webpages or a pop-up on the first visit to the website. With forms to be completed online, it is also recommended to include a direct link to the full or summarised text of the privacy policy, a clause or a pop-up with the full or summarised text of the privacy policy with a tick-box that must be filled in. DNS.be's privacy policy is at our website:

[24] Privacy Commission, Recommendation nº 04/2009 of 14th October 2009, p. 2
The privacy policy should also be known internally. This can only be done if your own staff who deal with personal data and answer e-mails, letters or phone calls from customers are themselves informed about the Personal Data Processing Act and the way it is applied within the organisation. Clear internal communication of the privacy policy must therefore precede communicating that policy externally.

2 implement technical security measures (firewalls, virus scanners, logging and tracking mechanisms, etc.) to protect the personal data.

3 submit a report to the Privacy Commission about the data being processed in the context of their business as a registrar. Registrars in fact pass this personal data on to the competent registration authorities and in many cases they also do not receive personal data directly from the registrant, but via a third party (e.g. a reseller, etc.).
Executive Editor: DNS.be vzw/asbl
Concept: ABSOLUUT
Photo.be: Jesse Willems

DNS Belgium vzw/asbl
Ubicenter Philipssite 5 bus Leuven
info@dns.be
Align Technology Data Protection Binding Corporate Rules Processor Policy Confidential Contents INTRODUCTION TO THIS POLICY 3 PART I: BACKGROUND AND ACTIONS 4 PART II: PROCESSOR OBLIGATIONS 6 PART III:
More informationOBJECTS AND REASONS. (a) the regulation of the collection, keeping, processing, use or dissemination of personal data;
OBJECTS AND REASONS This Bill would provide for (a) the regulation of the collection, keeping, processing, use or dissemination of personal data; (b) the protection of the privacy of individuals in relation
More informationLast updated: 30 May 2016. Credit Suisse Privacy Policy
Last updated: 30 May 2016 Credit Suisse Please read this privacy policy (the ) as it describes how we intend to collect, use, store, share, and safeguard your information. By accessing, visiting or using
More informationData Protection Policy.
Data Protection Policy. Data Protection Policy Foreword 2 Foreword Ladies and Gentlemen, In the information age, we offer customers the means to be always connected, even in their cars. This requires data
More informationProcessor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries
Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Sopra HR Software as a Data Processor Sopra HR Software, 2014 / Ref. : 20141120-101114-m 1/32 1.
More informationData Protection Policy
1 Data Protection Policy Version 1: June 2014 1 2 Contents 1. Introduction 3 2. Policy Statement 3 3. Purpose of the Data Protection Act 1998 3 4. The principles of the Data Protection Act 1998 4 5 The
More informationPRACTICAL LAW DATA PROTECTION MULTI-JURISDICTIONAL GUIDE 2012/13. The law and leading lawyers worldwide
PRACTICAL LAW MULTI-JURISDICTIONAL GUIDE 2012/13 The law and leading lawyers worldwide Essential legal questions answered in 30 key jurisdictions Analysis of critical legal issues AVAILABLE ONLINE AT WWW.PRACTICALLAW.COM/DATAPROTECTION-MJG
More informationClause 1. Definitions and Interpretation
[Standard data protection [agreement/clauses] for the transfer of Personal Data from the University of Edinburgh (as Data Controller) to a Data Processor within the European Economic Area ] In this Agreement:-
More informationMIS Privacy Statement. Our Privacy Commitments
MIS Privacy Statement Our Privacy Commitments MIS Training Institute Holdings, Inc. (together "we") respect the privacy of every person who visits or registers with our websites ("you"), and are committed
More informationTNS UK PRIVACY & COOKIE POLICY FOR SURVEYS ( Policy )
TNS UK PRIVACY & COOKIE POLICY FOR SURVEYS ( Policy ) Introduction Market and survey research serves an important function in society. Businesses and governments are able to make informed decisions through
More informationCoffey International Limited Privacy Policy. July 2014
Coffey International Limited Privacy Policy July 2014 Privacy Policy 1. Introduction Coffey International Limited and its related bodies corporate (we, our, us) recognise your rights under the Privacy
More informationData protection policy
Data protection policy Introduction 1 This document is the data protection policy for the Nursing and Midwifery Council (NMC). 2 The Data Protection Act 1998 (DPA) governs the processing of personal data
More informationORGANIC LAW 15/1999 of 13 December on the Protection of Personal Data
THIS IS AN UNOFFICIAL TRANSLATION PLEASE NOTE THAT THE ONLY LEGALLY BINDING TEXT IS THAT PUBLISHED IN THE SPANISH OFFICIAL JOURNAL (BOE 298, 14 DECEMBER 1999) ORGANIC LAW 15/1999 of 13 December on the
More informationGeneral Terms of Public Procurement in Service Contracts JYSE 2014 SERVICES
General Terms of Public Procurement in Service Contracts January 2015 Contents Introduction...3 Issues to be observed in applying...5 General Terms of Public Procurement in Service Contracts ()...9 1 Definitions...9
More informationCode of Conduct For Subscribers
Code of Conduct For Subscribers WHEREAS: A. The Bureau is in the business, amongst others, of producing credit reports B. Subject always to Credit Reporting Agencies Act 2010 and any other applicable legislation,
More informationon the transfer of personal data from the European Union
on the transfer of personal data from the European Union BCRsseptembre 2008.doc 1 TABLE OF CONTENTS I. PRELIMINARY REMARKS 3 II. DEFINITIONS 3 III. DELEGATED DATA PROTECTION MANAGER 4 IV. MICHELIN GROUP
More informationData protection issues on an EU outsourcing
Data protection issues on an EU outsourcing Saam Golshani, Alastair Gorrie and Diego Rigatti, Orrick Herrington & Sutcliffe www.practicallaw.com/8-380-8496 Outsourcing can mean subcontracting a process
More informationGRTGAZ NETWORK TRANSMISSION CONTRACT
Page 1 of 9 GRTGAZ NETWORK TRANSMISSION CONTRACT APPENDIX A3 STANDARD EVIDENCE AGREEMENT English translation for information. Disclaimer The present translation is not binding and is provided by GRTgaz
More informationPRIVACY POLICY USER INFORMATION. Information you provide to us
PRIVACY POLICY Food Marshal Tech Services Private Limited, ("Food Marshal", the Company, we, us and our ) is a company incorporated under the provisions of the Companies Act, 2013 and powers / manages
More informationProtection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1
Protection of Personal Data RPC001147_EN_WB_L_1 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Responsibility of Employees
More informationData Protection A Guide for Users
Data Protection A Guide for Users EUROPEAN PARLIAMENT Contents Contents 3 Introduction 4 Data protection standards making a difference in the European Parliament 5 Data protection the actors 6 Data protection
More informationAlixPartners, LLP. General Data Protection Statement
AlixPartners, LLP General Data Protection Statement GENERAL DATA PROTECTION STATEMENT 1. INTRODUCTION 1.1 AlixPartners, LLP ( AlixPartners ) is committed to fulfilling its obligations under the data protection
More informationComments and proposals on the Chapter II of the General Data Protection Regulation
Comments and proposals on the Chapter II of the General Data Protection Regulation Ahead of the trialogue negotiations in September, EDRi, Access, Panoptykon Bits of Freedom, FIPR and Privacy International
More informationSubject Access Request, Procedure, Guidance and Information
Subject Access Request, Procedure, Guidance and Information Updated: July 2015 Page 1 of 61 CONTENTS 1. Introduction 5 2. Legal Context 5 3. Subject Access Request to Personal Records Guidance 6 Guidance
More informationPRIVACY POLICY. Any form of reproduction in whole or in part of the content of this document is prohibited.
Deck S.r.l. Via Cesareo Console 3 80132 Napoli (NA) P. iva: 04846431213 Cf: 04846431213 Rea 717835 Reg. Imp. di Napoli Cap. Soc. 15.000 PRIVACY POLICY Protecting and defending your privacy is important
More informationROYAL AUSTRALASIAN COLLEGE OF SURGEONS
1. SCOPE This policy details the College s privacy policy and related information handling practices and gives guidelines for access to any personal information retained by the College. This includes personal
More informationAIRBUS GROUP BINDING CORPORATE RULES
1 AIRBUS GROUP BINDING CORPORATE RULES 2 Introduction The Binding Corporate Rules (hereinafter BCRs ) of the Airbus Group finalize the Airbus Group s provisions on the protection of Personal Data. These
More informationData Processing Agreement for Oracle Cloud Services
Data Processing Agreement for Oracle Cloud Services Version December 1, 2013 1. Scope and order of precedence This is an agreement concerning the Processing of Personal Data as part of Oracle s Cloud Services
More informationINERTIA ETHICS MANUAL
SEVENTH FRAMEWORK PROGRAMME Smart Energy Grids Project Title: Integrating Active, Flexible and Responsive Tertiary INERTIA Grant Agreement No: 318216 Collaborative Project INERTIA ETHICS MANUAL Responsible
More informationOSRAM BCR Binding Corporate Rules ( BCR ) for OSRAM Group Companies and Adopting Companies for the protection of personal data
OSRAM BCR Binding Corporate Rules ( BCR ) for OSRAM Group Companies and Adopting Companies for the protection of personal data Terms Adopting company an OSRAM associated company in Germany or overseas
More information1. Introduction. 2. Sectoral Areas Affected. 3. Data Security. 4. Data Breach Requirements. 5. Traffic Data
1. Introduction Special data protection rules apply to the protection of Personal Data by Data Controllers in the electronic communications sector. These are in addition to the general obligations that
More informationOVERVIEW. stakeholder engagement mechanisms and WP29 consultation mechanisms respectively.
Joint work between experts from the Article 29 Working Party and from APEC Economies, on a referential for requirements for Binding Corporate Rules submitted to national Data Protection Authorities in
More informationThe supplier shall have appropriate policies and procedures in place to ensure compliance with
Supplier Instructions for Processing of Personal Data 1 PURPOSE SOS International has legal and contractual obligations on the matters of data protection and IT security. As a part of these obligations
More informationInvestigation Report: HKA Holidays Limited Leaked Customers Personal Data through the Mobile Application TravelBud
Published under Section 48(2) of the Personal Data (Privacy) Ordinance (Cap. 486) Investigation Report: HKA Holidays Limited Leaked Customers Personal Data through the Mobile Application TravelBud Report
More informationThe primary responsibility for the data processing lies within the Administration Department, which the FINCOP Unit is part of.
Opinion on a Notification for Prior Checking received from the Data Protection Officer of the European Training Foundation Regarding the Processing Operations to Manage Calls for Tenders Brussels, 22 April
More informationESTRO PRIVACY AND DATA SECURITY NOTICE
ESTRO PRIVACY AND DATA SECURITY NOTICE This Data Privacy and Security Policy is a dynamic document, which will reflect our continuing vigilance to properly handle and secure information that we are trusted
More informationON MUTUAL COOPERATION AND THE EXCHANGE OF INFORMATION RELATED TO THE OVERSIGHT OF AUDITORS
Mr. Ryutaro Hatanaka Commissioner Financial Services Agency Government of Japan 3-2-1 Kasumigaseki Chiyoda-ku, Tokyo Japan 100-8967 Dr. Kunio Chiyoda Chairman Certified Public Accountants and Auditing
More informationFirm Registration Form
Firm Registration Form Firm Registration Form This registration form should be completed by firms who are authorised and regulated by the Financial Conduct Authority. All sections of this form are mandatory.
More informationHow To Protect Your Data In European Law
Corporate Data Protection Code of Conduct for the Protection of the Individual s Right to Privacy in the Handling of Personal Data within the Deutsche Telekom Group 2010 / 04 We make ICT strategies work
More informationTerms of Use 1. [Preliminary provision] 1. All capitalized expressions and other terms contained and used in the Terms are primarily meanings assigned to them below: 1) Application - Software made available
More informationAMENDMENTS TO THE DRAFT DATA PROTECTION REGULATION PROPOSED BY BITS OF FREEDOM
AMENDMENTS TO THE DRAFT DATA PROTECTION REGULATION PROPOSED BY BITS OF FREEDOM On 25 January 2012, the European Commission published a proposal to reform the European data protection legal regime. One
More informationCHAPTER I GENERAL PROVISIONS
Proposal for a regulation of the European Parliament and of the Council on the protection of individual with regard to the processing of personal data and on the free movement of such data (General Data
More informationService Description for the Registration and Administration of Domain Names by Swisscom
Service Description for the Registration and Administration of Domain Names by Swisscom 1 Area of application This Service Description govern the conditions for the registration, administration, and use
More informationPrinciples Concerning the Protection of Personal Data in the Workplace: Guidelines for Employee Monitoring *
1 Unofficial Translation Principles Concerning the Protection of Personal Data in the Workplace: Guidelines for Employee Monitoring * The Office for Personal Data Protection, September 2007 In accordance
More information.eu Domain Name Registration. Terms and Conditions
.eu Domain Name Registration Terms and Conditions 1/15 TABLE OF CONTENTS Table of Contents... 2 Definitions...... 3 Object and Scope... 5 Section 1. Eligibility Requirements... 5 Section 2. First Come,
More informationWelcome to our job search and application platform (the Platform ). Please read our Legal Terms (which includes our Privacy Policy) carefully.
LEGAL TERMS AND PRIVACY POLICY Welcome to our job search and application platform (the Platform ). Please read our Legal Terms (which includes our Privacy Policy) carefully. The Platform is accessible
More informationTerms and Conditions of Use and Sale as at 1 st January 2009
Terms and Conditions of Use and Sale as at 1 st January 2009 The present standard terms and conditions of use and sale, also called the Contract, are concluded between the following parties: - with capital
More informationOUTSOURCING, HOSTING AND DATA PRIVACY ISSUES
OUTSOURCING, HOSTING AND DATA PRIVACY ISSUES 4 April 2013 James Castro-Edwards Solicitor Monica Salgado Advogada / Portuguese Lawyer OUR TEAM Speechly Bircham is an ambitious, full-service law firm with
More informationOn Data Protection and the Detailed and Uniform Data Management Regulation
Rector s Directive No. 1/2013 On Data Protection and the Detailed and Uniform Data Management Regulation Budapest, 2013 Version effective as of 31 January 2013 Directives on Data Protection and the Uniform
More informationHow To Settle A Cross Border Dispute With Ancien De L'Ormonde (Cep)
DRAFT DECISION Settlement of a crossborder dispute between EDA and ZON concerning telephone lists I FACTS 1. The application of EDA 1.1. On 07.12.2010, an application was filed at ICP-ANACOM for the settlement
More informationGeneral Terms and Conditions of Trade for the use of the Bitplaces management platform and the Bitplaces software
General Terms and Conditions of Trade for the use of the Bitplaces management platform and the Bitplaces software I. Definitions, application area / conclusion of contract 1. Definitions 1.1 "App" in the
More informationDirect Language Hub - www.dlhub.eu
Terms and conditions of providing services by electronic means page 1 TERMS AND CONDITIONS OF PROVIDING SERVICES BY ELECTRONIC MEANS 1 The present terms and conditions (hereinafter referred to as Terms
More informationBRING YOUR OWN DEVICE
BRING YOUR OWN DEVICE Legal Analysis & Practical TIPs for an effective BYOD corporate Policy CONTENTS 1. What is BYOD? 2. Benefits and risks of BYOD in Europe 3. BYOD and existing Policies 4. Legal issues
More informationThe potential legal consequences of a personal data breach
The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.
More informationArticle 29 Working Party Issues Opinion on Cloud Computing
Client Alert Global Regulatory Enforcement If you have questions or would like additional information on the material covered in this Alert, please contact one of the authors: Cynthia O Donoghue Partner,
More informationDATA PROTECTION POLICY. Examples of personal data which TWM may require from clients include the following and for the reasons ascribed to each;
DATA PROTECTION POLICY Introduction TWM Solicitors maintain certain personal data about individuals for the purposes of satisfying operational and legal obligations. The Data Protection Act sets rules
More informationGARANTE PER LA PROTEZIONE DEI DATI PERSONALI WHEREAS
[doc. web n. 1589969] Spamming: How to Lawfully Email Advertising Messages GARANTE PER LA PROTEZIONE DEI DATI PERSONALI Prof. Stefano Rodotà, President, Prof. Giuseppe Santaniello, Vice-President, Prof.
More informationIf you are unclear about the implications of Auto Enrolment you will find our Guide to Auto Enrolment a good starting point.
The Pay Check Auto Enrolment Service A service designed for Pay Check clients who are looking for a first class pension solution that is simple to administer, cost effective and guarantees full compliance
More informationData controllers and data processors: what the difference is and what the governance implications are
ICO lo : what the difference is and what the governance implications are Data Protection Act Contents Introduction... 3 Overview... 3 Section 1 - What is the difference between a data controller and a
More information4. LIMITATION OF LIABILITY
LEGAL NOTICE Terms and conditions of use The website icem.it ( Website ) is the exclusive property of ICEM srl, with headquarters in Via Corriera, 40 48010 Barbiano di Cotignola (RA) Italy (hereinafter
More informationMerthyr Tydfil County Borough Council. Data Protection Policy
Merthyr Tydfil County Borough Council Data Protection Policy 2014 Cyfarthfa High School is a Rights Respecting School, we recognise the importance of ensuring that the United Nations Convention of the
More information1.1 Legal Notice (LSSI) 1.2 Privacy Policy (LOPD) 1.3 Cookies Policy. 1.1 Legal notice (LSSI)
1.1 Legal Notice (LSSI) 1.2 Privacy Policy (LOPD) 1.3 Cookies Policy 1.1 Legal notice (LSSI) According to article 10 of Law 34/2002, 11th July, Society Services of Information and Electronic Commerce (LSSI),
More informationPRIVACY POLICY. Introduction
PRIVACY POLICY Introduction Thomas & Darden Inc. ( Company or We ) respects your privacy and is committed to protecting it through our compliance with this policy. This policy describes the types of information
More informationCredit Reporting Privacy Policy of Baybrick Pty Ltd
Credit Reporting Privacy Policy of Baybrick Pty Ltd Introduction 1. This Credit Reporting Privacy Policy is the official privacy policy of Baybrick Pty Ltd and its subsidiaries which includes JBS Australia
More information