Giuseppe Busia, Secretary General, Garante per la protezione dei dati personali


1 mHealth enablers panel
The Health & Mobile World Congress 2015
Giuseppe Busia, Secretary General, Garante per la protezione dei dati personali

2 mHealth main concern
Mobile Health (mHealth) raises many concerns about the appropriate processing of the data collected through apps or solutions by individuals, developers, health professionals, advertising companies and public authorities. Any personal data can become health data (if it is collected for the purpose of inferring health status). Therefore mHealth apps require a baseline of privacy and security protections appropriate to sensitive data.

3 EU data protection legal framework applicable to lifestyle and wellbeing apps
The relevant legal framework applicable:
- Data Protection Directive (Directive 95/46/EC)
- ePrivacy Directive (Directive 2002/58/EC)
These rules apply to any apps installed/used by users in the EU, regardless of the location of the app developer or the app store.

4 Data Protection Directive
The legal ground for processing personal data varies according to the nature of the data processed. Article 8 of the Data Protection Directive (95/46/EC) qualifies health data as a special category of data to which a higher level of data protection applies. The processing of special categories of data is prohibited, unless an exception applies, such as:
- the explicit consent of the data subject, except where in accordance with national law the prohibition to process such personal data cannot be lifted by the consent of the data subject (art. 8, 2 (a))
- the vital interest of the data subject or of another person where the data subject is physically or legally incapable of giving his consent (art. 8, 2 (c))
- where processing of the data is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of healthcare services, and where those data are processed by a health professional or any professional bound by the obligation of secrecy (art. 8, 3)

5 Article 29 Working Party Opinions (1)
WP29 Advice Paper on special categories of data (April 2011): the rationale behind the stricter legal regime of Article 8.
- Lifestyle and wellbeing apps can indiscriminately collect personal data of a general nature (e.g. information on the data subject's hobbies) and health data (e.g. heartbeat or oxygenation of the blood)
- The data subject's explicit consent to the processing of his health data must be freely given, informed and specific
- The other principles relating to data quality (including data minimisation, data retention limitation and the adoption of appropriate safeguards in this regard) are applicable too (Article 6 of the Directive)

6 Article 29 Working Party Opinions (2)
WP29 Opinion 02/2013 "on apps on smart devices" seeks to clarify the legal obligations of each of the parties involved in the development and distribution of apps (February 2013):
- guidance to all the players, in particular the need to provide clear and unambiguous information about data processing to users
- the need for explicit consent of the user, as the processing will be done for a purpose distinct from that of the app developer
- the level of complexity of identifying the role of a third party can be well illustrated by the case of cloud computing providers (see also WP29 Opinion 05/2012 on Cloud Computing, July 2012)

7 Article 29 Working Party Opinions (3)
WP29 Opinion 08/2014 on the Internet of Things (IoT)
eHealth and Quantified-self: devices such as body trackers are always carried by users who want to record information about their own habits and lifestyles.
- WP29 adopted on 16 September 2014 Opinion 8/2014 on the Internet of Things (IoT), which highlights the privacy and data protection challenges posed by the IoT and puts forward recommendations to help stakeholders comply with current EU data protection legislation for the development of a sustainable IoT
- WP29 stated that the quantified self focuses on motivating users to closely monitor their biological rhythms; it has many connections with eHealth
- WP29 stressed that the application of Article 8 to sensitive data in the IoT requires that data controllers obtain the user's explicit consent, unless the data subject has himself made the data public

8 ePrivacy Directive
The ePrivacy Directive 2002/58/EC, as revised by Directive 2009/136/EC, sets a specific standard for any entity worldwide that wishes to store or access information stored in devices of users located in the EEA.
Cookies: the storing of information, or the access to information already stored, in the terminal equipment of a user is only allowed on condition that he has given his consent, having been provided with clear and comprehensive information about the purposes of the processing (Article 5(3) of this Directive).
This consent requirement applies to any information (i.e. it is not limited to personal data, as information can be any type of data stored on the device). This means that when installing an app, users should be given the choice to accept or refuse cookies or similar tracking technologies to be placed on their device.
In this regard, on 17 February 2015, WP29 issued a press release on the joint survey made by European regulators on website cookie usage.

9 WP29 recent letter to European Commission (1)
WP29 recent letter to the European Commission, clarifying the Scope of Health Data Processed by Lifestyle and Wellbeing Apps (February 2015). In the Annex to this letter, the Working Party identifies criteria to determine when personal data qualifies as health data, a special category of data receiving enhanced protection under the EU Data Protection Directive 95/46/EC.
Scope of Health Data: WP29 identifies three main scenarios:
1) data processed by the app or device is inherently/clearly medical data (i.e. data provides information about an individual's physical or mental health status generated in a professional medical context (e.g., healthcare providers));
2) raw sensor data processed by the app or device can be used, independently or in combination with other data, to draw conclusions about an individual's actual health status or health risks;
3) data allows for conclusions to be drawn about an individual's health status or health risks (irrespective of whether these conclusions are accurate or inaccurate, legitimate or illegitimate or otherwise adequate or inadequate).

10 WP29 recent letter to European Commission (2)
Legal Requirements for Processing Health Data:
- users of lifestyle and wellbeing apps do not have to comply with the Directive when the data is not transmitted outside their device, as this qualifies as purely personal use of personal data
- the WP29 letter also underlines the importance of providing clear and easily accessible information to the users before they install the app or buy the device, and the need to implement proper anonymization techniques and other security measures, such as privacy by design and data minimization
Further Processing of Health Data for Historical, Statistical and Scientific Purposes:
- WP29 would like the EC to make a clear statement that, under the Directive, further processing of health data for historical, statistical and scientific purposes requires explicit consent, unless specific exceptions provided in national law apply

11 EC mHealth public consultation results
The recently published results of the EC public consultation on mHealth show clearly that WP29's concerns are shared by different stakeholders (January 2015).
From the analysis of comments from the 211 respondents (71% were from organizations and 29% were from individuals): there is a great interest in strong privacy and security tools, and in strengthened enforcement of data protection rules, not only among data protection stakeholders but also among European citizens.
The success of an mHealth concept is based on its capacity to generate TRUST from a wide range of users.

12 2014 GPEN PRIVACY SWEEP
On 10 September 2014, the Global Privacy Enforcement Network (GPEN) published the results of its privacy enforcement survey, or "sweep", carried out earlier in 2014 with respect to popular mobile apps. Many raised concerns about mobile apps.

13 About GPEN
The Global Privacy Enforcement Network (GPEN) was established in 2008 upon recommendation by the OECD to foster cross-border cooperation among privacy regulators in an increasingly global market. The informal network is comprised of 47 privacy enforcement authorities in 37 jurisdictions around the world.

14 2014 App Sweep purpose
Over the course of a week in May 2014, GPEN's sweepers (made up of 26 data protection authorities, including the Italian DPA, across 19 jurisdictions) participated in the survey by downloading and briefly interacting with the most popular apps released by developers in their respective jurisdictions, in an attempt to recreate a typical consumer's experience.
The purpose of the GPEN 2014 App Sweep was to increase public and commercial awareness of data protection rights and responsibilities, as well as to identify specific high-level issues which may become the focus of future enforcement actions and initiatives.
The results of the sweep suggest that a high proportion of the apps downloaded did not sufficiently explain how consumers' personal information would be collected and used.

15 2014 App Sweep highlights
- 3/4 of all apps examined requested one or more permissions, the most common of which included location, device ID, access to other accounts, camera and contacts
- Some 59% of apps left sweepers scrambling to find pre-installation privacy communications
- For nearly one-third of the apps (31%), sweepers expressed concern about the nature of the permissions being sought
- Some 43% of apps did not tailor privacy communications to the small screen
- Just a fraction of apps examined, 15%, provided a clear explanation of how they would collect, use and disclose personal information

16 Italian DPA medical App Sweep
The Italian DPA (Garante), as part of the "2014 GPEN Privacy Sweep", chose to sweep medical applications.
WHY medical apps? Because it was not possible to postpone the evaluation of medical apps in terms of usefulness/data protection requirements, and our decision was in line with the concerns that were voiced recently at European level in this regard (EC Green Paper on mHealth and public consultation on mHealth).
The results of the Italian sweeping activity show that the degree of transparency on the processing of user data and the permissions required of them to download the selected medical apps are, in some cases, not in line with the Italian data protection legislation.

17 Italian DPA medical App Sweep highlights
- 50% of the medical apps surveyed by the Italian DPA's "sweepers", out of a sample including those with the highest number of downloads on the various platforms, do not provide information on data use prior to installation (or else provide very general information or request excessive data compared to their features)
- In many cases the privacy notice is not tailored to the small screen size and is thus hard to decipher; in yet other cases the privacy notice is found, for instance, in the technical credits area of the given device

18 Italian DPA further steps
The Italian medical App Sweep was not an investigation, nor was it intended to conclusively identify compliance issues or possible violations of privacy legislation. Nevertheless:
- any profiles of privacy violation detected will be evaluated by the Garante
- at the national level, we are planning an assessment in terms of needed inspections and any possible prescriptive measures/sanctions

19 2014 GPEN Sweep follow-up letter
On December 9, 2014, 23 privacy authorities from around the world signed an open letter to the operators of seven app marketplaces (Apple, Google, Samsung, Microsoft, Nokia, BlackBerry and Amazon.com), urging them to make links to privacy policies mandatory for apps that collect personal information.
The Italian DPA, as well as all the other undersigned privacy enforcement authorities, strongly believes that an app marketplace operator should, acting as a responsible corporate citizen, make the basic commitment to require each app that can access or collect personal information to provide users with timely access to the app's privacy policy.

20 Which future for mHealth?
mHealth apps will surely be a large part of the future of health care, but there are still too many unresolved questions about what to do with mHealth. Those issues of mHealth regulation and standardisation must become surmountable... thanks to our common efforts.


Corporate Policy. Data Protection for Data of Customers & Partners. Corporate Policy. Data Protection for Data of Customers & Partners. 02 Preamble Ladies and gentlemen, Dear employees, The electronic processing of virtually all sales procedures, globalization and growing

More information

Briefly summarised, SURFmarket has submitted the following questions to the Dutch DPA:

Briefly summarised, SURFmarket has submitted the following questions to the Dutch DPA: UNOFFICIAL TRANSLATION Written opinion on the application of the Wet bescherming persoonsgegevens [Dutch Data Protection Act] in the case of a contract for cloud computing services from an American provider

More information

Privacy Challenges in the Internet of Things (IoT) a European Perspective

Privacy Challenges in the Internet of Things (IoT) a European Perspective Privacy Challenges in the Internet of Things (IoT) a European Perspective Alicja Gniewek, PhD Student Interdisciplinary Centre for Security, Reliability and Trust Weicker Building, Université du Luxembourg

More information

PRESIDENT S DECISION No. 40. of 27 August 2013. Regarding Data Protection at the European University Institute. (EUI Data Protection Policy)

PRESIDENT S DECISION No. 40. of 27 August 2013. Regarding Data Protection at the European University Institute. (EUI Data Protection Policy) PRESIDENT S DECISION No. 40 of 27 August 2013 Regarding Data Protection at the European University Institute (EUI Data Protection Policy) THE PRESIDENT OF THE EUROPEAN UNIVERSITY INSTITUTE, Having regard

More information

IAPP PRIVACY ACADEMY

IAPP PRIVACY ACADEMY IAPP PRIVACY ACADEMY KEEPING UP WITH EMERGING STANDARDS FOR MOBILE PRIVACY Joanne McNabb Julie Mayer Tim Tobin Director of Privacy Staff Attorney Partner Education & Policy Northwest Regional Office Hogan

More information

Big Data for Mutuals. Marc Dautlich 25 November 2013

Big Data for Mutuals. Marc Dautlich 25 November 2013 Big Data for Mutuals Marc Dautlich 25 November 2013 Agenda BIG DATA What is it? OPPORTUNITIES What are they? LEGAL CHALLENGES How do we overcome them? LEGAL REFORM What can we do now to minimise impact?

More information

Work programme 2016 2018

Work programme 2016 2018 ARTICLE 29 Data Protection Working Party 417/16/EN WP235 Work programme 2016 2018 Adopted on 2 February 2016 This Working Party was set up under Article 29 of Directive 95/46/EC. It is an independent European

More information

Data privacy guidelines for using Wellnomics Risk Management. Wellnomics White Paper

Data privacy guidelines for using Wellnomics Risk Management. Wellnomics White Paper Data privacy guidelines for using Wellnomics Risk Management Wellnomics White Paper Wellnomics Limited www.wellnomics.com 2008-2010 Wellnomics Limited Ref 062010 Data Privacy Guidelines using Wellnomics

More information

S Z E C S K A Y Ü g y v é d i

S Z E C S K A Y Ü g y v é d i EMPLOYEE MONITORING FROM THE PERSPECTIVE OF HUNGARIAN DATA PROTECTION LAWS While employers oftentimes wish to monitor the behavior of their employees, which generally is a rightful intention, it is also

More information

CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES:

CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES: CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES: Privacy Responsibilities and Considerations Cloud computing is the delivery of computing services over the Internet, and it offers many potential

More information

Declaration of Internet Rights Preamble

Declaration of Internet Rights Preamble Declaration of Internet Rights Preamble The Internet has played a decisive role in redefining public and private space, structuring relationships between people and between people and institutions. It

More information

Data Protection Act. Conducting privacy impact assessments code of practice

Data Protection Act. Conducting privacy impact assessments code of practice Data Protection Act Conducting privacy impact assessments code of practice 1 Conducting privacy impact assessments code of practice Data Protection Act Contents Information Commissioner s foreword... 3

More information

The reform of the EU Data Protection framework - Building trust in a digital and global world. 9/10 October 2012

The reform of the EU Data Protection framework - Building trust in a digital and global world. 9/10 October 2012 The reform of the EU Data Protection framework - Building trust in a digital and global world 9/10 October 2012 Questionnaire addressed to national Parliaments Please, find attached a number of questions

More information

Unless otherwise stated, our SaaS Products and our Downloadable Products are treated the same for the purposes of this document.

Unless otherwise stated, our SaaS Products and our Downloadable Products are treated the same for the purposes of this document. Privacy Policy This Privacy Policy explains what information Fundwave Pte Ltd and its related entities ("Fundwave") collect about you and why, what we do with that information, how we share it, and how

More information

PRIVACY POLICY. 1. Definitions and Interpretation In this Policy the following terms shall have the following meanings:

PRIVACY POLICY. 1. Definitions and Interpretation In this Policy the following terms shall have the following meanings: PRIVACY POLICY BACKGROUND: This Policy applies as between you, the User of this Website and DisplayNote Technologies Limited the owner and provider of this Website. This Policy applies to our use of any

More information

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document Data Protection Processing and Transfer of Personal Data in Kvaerner Binding Corporate Rules Public Document 1 of 19 1 / 19 Table of contents 1 Introduction... 4 1.1 Scope... 4 1.2 Definitions... 4 1.2.1

More information

BRING YOUR OWN DEVICE

BRING YOUR OWN DEVICE BRING YOUR OWN DEVICE Legal Analysis & Practical TIPs for an effective BYOD corporate Policy CONTENTS 1. What is BYOD? 2. Benefits and risks of BYOD in Europe 3. BYOD and existing Policies 4. Legal issues

More information

Data Protection Standard

Data Protection Standard Data Protection Standard Processing and Transfer of Personal Data in Aker Solutions (Binding Corporate Rules) Aker Solutions www.akersolutions.com Table of contents 1 Introduction... 3 1.1 Scope... 3 1.2

More information

Cloud Security under the EU Data Protection Directive and draft General Data Protection Regulation

Cloud Security under the EU Data Protection Directive and draft General Data Protection Regulation ENISA EU28 Cloud Security Conference 16 June 2015 Cloud Security under the EU Data Protection Directive and draft General Data Protection Regulation Kuan Hon Senior Researcher, Cloud Legal Project & Microsoft

More information

The Netherlands response to the public consultation on the revision of the European Commission s Impact Assessment guidelines

The Netherlands response to the public consultation on the revision of the European Commission s Impact Assessment guidelines The Netherlands response to the public consultation on the revision of the European Commission s Impact Assessment guidelines Introduction Robust impact assessment is a vital element of both the Dutch

More information

7.0 Information Security Protections The aggregation and analysis of large collections of data and the development

7.0 Information Security Protections The aggregation and analysis of large collections of data and the development 7.0 Information Security Protections The aggregation and analysis of large collections of data and the development of interconnected information systems designed to facilitate information sharing is revolutionizing

More information

OPINION MAY 2012 ON CLOUD COMPUTING Article 29 Data Protection Working Party (July 1, 2012)

OPINION MAY 2012 ON CLOUD COMPUTING Article 29 Data Protection Working Party (July 1, 2012) OPINION MAY 2012 ON CLOUD COMPUTING Article 29 Data Protection Working Party (July 1, 2012) ARTICLE 29 DATA PROTECTION WORKING PARTY 01037/12/EN WP 196 Opinion 05/2012 on Cloud Computing Adopted July 1

More information

Online and Mobile Privacy Notice ( Privacy Notice )

Online and Mobile Privacy Notice ( Privacy Notice ) Online and Mobile Privacy Notice ( Privacy Notice ) Introduction This Privacy Notice applies to the operations of Cigna Global Health Benefits and its affiliated companies listed at the end of this Privacy

More information

7 August 2015. I. Introduction

7 August 2015. I. Introduction Suggestions for privacy-related questions to be included in the list of issues on Hungary, Human Rights Committee, 115th session, October-November 2015 I. Introduction 7 August 2015 Article 17 of the International

More information

Policy Statement. Employee privacy, data protection and human resources. Prepared by the Commission on E-Business, IT and Telecoms. I.

Policy Statement. Employee privacy, data protection and human resources. Prepared by the Commission on E-Business, IT and Telecoms. I. International Chamber of Commerce The world business organization Policy Statement Employee privacy, data protection and human resources Prepared by the Commission on E-Business, IT and Telecoms I. Introduction

More information

FISHER & PAYKEL PRIVACY POLICY

FISHER & PAYKEL PRIVACY POLICY FISHER & PAYKEL PRIVACY POLICY 1. About this Policy Fisher & Paykel Australia Pty Limited (ABN 71 000 042 080) and its related companies ('we', 'us', 'our') understands the importance of, and is committed

More information

The Manitowoc Company, Inc.

The Manitowoc Company, Inc. The Manitowoc Company, Inc. DATA PROTECTION POLICY 11FitzPatrick & Associates 4/5/04 1 Proprietary Material Version 4.0 CONTENTS PART 1 - Policy Statement PART 2 - Processing Personal Data PART 3 - Organisational

More information

The Digital Marketing Ecosystem: Trends, Risks and Obligations

The Digital Marketing Ecosystem: Trends, Risks and Obligations The Digital Marketing Ecosystem: Trends, Risks and Obligations Teena H. Lee, Vice President, Privacy and E-commerce Counsel The Estée Lauder Companies Inc. Bridget C. Treacy, Partner, Hunton & Williams

More information

PIPEDA and Online Backup White Paper

PIPEDA and Online Backup White Paper PIPEDA and Online Backup White Paper The cloud computing era has seen a phenomenal growth of the data backup service industry. Backup service providers, by nature of their business, are compelled to collect

More information

Simplified Arrangements to Provide Information and Obtain Consent Regarding Cookies - 8 may 2014 THE ITALIAN DATA PROTECTION AUTHORITY

Simplified Arrangements to Provide Information and Obtain Consent Regarding Cookies - 8 may 2014 THE ITALIAN DATA PROTECTION AUTHORITY [versione italiana] Simplified Arrangements to Provide Information and Obtain Consent Regarding Cookies - 8 may 2014 THE ITALIAN DATA PROTECTION AUTHORITY Having convened today, in the presence of Mr.

More information

The EFPIA Disclosure Code: Your Questions Answered

The EFPIA Disclosure Code: Your Questions Answered The EFPIA Disclosure Code: Your Questions Answered Working together: why do the pharmaceutical industry and healthcare professionals work together? 1 Why does industry pay health professionals to provide

More information

Lots of clouds: a stormy weather for information privacy?

Lots of clouds: a stormy weather for information privacy? Lots of clouds: a stormy weather for information privacy? Michel Jaccard Sylvain Métille Web idest.pro Twitter @idestavocats Introduction Purpose: know what you do, why you do it, the risks and the best

More information

Online Security, Traffic Data and IP Addresses. Review of the Regulatory Framework for Electronic Communications

Online Security, Traffic Data and IP Addresses. Review of the Regulatory Framework for Electronic Communications Brussels, October 8 th 2008 Online Security, Traffic Data and IP Addresses Review of the Regulatory Framework for Electronic Communications Francisco Mingorance Senior Director Government Affairs franciscom@bsa.org

More information

eprivacy GmbH Criteria Catalogue "eprivacyapp" June 2015

eprivacy GmbH Criteria Catalogue eprivacyapp June 2015 eprivacy GmbH Criteria Catalogue "eprivacyapp" June 2015 The eprivacyapp seal for data security and data protection from eprivacy GmbH certifies the respective requester that his/her offer is compliant

More information

1. Introduction. 2. Sectoral Areas Affected. 3. Data Security. 4. Data Breach Requirements. 5. Traffic Data

1. Introduction. 2. Sectoral Areas Affected. 3. Data Security. 4. Data Breach Requirements. 5. Traffic Data 1. Introduction Special data protection rules apply to the protection of Personal Data by Data Controllers in the electronic communications sector. These are in addition to the general obligations that

More information

Corporate Compliance: A Global Perspective

Corporate Compliance: A Global Perspective Corporate Compliance: A Global Perspective 6/27/2012 37 Offices in 18 Countries Current Compliance Environment Ever-intensifying regulatory burden new areas of regulation existing regulations becoming

More information

Contracting with a Cloud Service Provider DATA PROTECTION WORKSHOP NJERI OLWENY, MICROSOFT

Contracting with a Cloud Service Provider DATA PROTECTION WORKSHOP NJERI OLWENY, MICROSOFT Contracting with a Cloud Service Provider DATA PROTECTION WORKSHOP NJERI OLWENY, MICROSOFT Overview Cloud computing offers great opportunities for organizations, including schools, hospitals and businesses

More information

ARTICLE 29 DATA PROTECTION WORKING PARTY

ARTICLE 29 DATA PROTECTION WORKING PARTY ARTICLE 29 DATA PROTECTION WORKING PARTY 01037/12/EN WP 196 Opinion 05/2012 on Cloud Computing Adopted July 1 st 2012 This Working Party was set up under Article 29 of Directive 95/46/EC. It is an independent

More information

EU Policy on RFID & Privacy

EU Policy on RFID & Privacy EU Policy on RFID & Privacy Developments 2007, Outlook 2008 Andreas Krisch http://www.edri.org/ http://www.unwatched.org/ 24C3, 30.12.2007 European Digital Rights (EDRi) Umbrella

More information

Opinion 02/2013 on apps on smart devices

Opinion 02/2013 on apps on smart devices ARTICLE 29 DATA PROTECTION WORKING PARTY 00461/13/EN WP 202 Opinion 02/2013 on apps on smart devices Adopted on 27 February 2013 This Working Party was set up under Article 29 of Directive 95/46/EC. It

More information

MEMBI PRIVACY POLICY

MEMBI PRIVACY POLICY MEMBI 1 PURPOSE OF OUR POLICY 1.1 Membi Limited (Company Number 09775238) of 396a Kingston Road, Kingston Road, London SW20 8LL, United Kingdom (Membi, we, us or our) provides the services offered on the

More information