Key issues in data protection: a pan-european view

Size: px
Start display at page:

Download "Key issues in data protection: a pan-european view"

Transcription

1 Key issues in data protection: a pan-european view 19 th March 2014 Nicola Fulford, Kemp Little LLP, UK Andreas Peschel-Mehner, SKW Schwarz, Germany Marco Bellezza, Portolano Cavallo, Italy Emmanuel Schulte, Bersay & Associes, France

2 Today s Session Transfer of personal data internationally and into the cloud SKW Schwarz Enforcement of data protection laws Kemp Little LLP EU Data Protection Regulation: update on the process / next steps Portolano Cavallo EU Data Protection Regulation: update on some specifics Bersay Associes

3 Berlin Düsseldorf Frankfurt/Main Hamburg München Titel der Präsentation oder Nennung des Fachbereichs Falls nötig Untertitel, Datum oder ähnliches 3 Transfer of personal data internationally and into the cloud -The German perspective Dr. Andreas Peschel-Mehner

4 Berlin Düsseldorf Frankfurt/Main Hamburg München Titel der Präsentation oder Nennung des Fachbereichs Falls nötig Untertitel, Datum oder ähnliches 4 4 International transfer and cloud 01 Warm up: What is personal data? relating to an identified or identifiable natural person IP address: yes Cookies: it depends on nature of cookie Smartphone identifier: presumably yes

5 Berlin Düsseldorf Frankfurt/Main Hamburg München Titel der Präsentation oder Nennung des Fachbereichs Falls nötig Untertitel, Datum oder ähnliches 5 5 International transfer and cloud 01 Warm up: Which law? easy: European principle of origin national law of controller decides also for controllers intending use of data without EEA relevance?

6 Berlin Düsseldorf Frankfurt/Main Hamburg München Titel der Präsentation oder Nennung des Fachbereichs Falls nötig Untertitel, Datum oder ähnliches 6 6 International transfer and cloud 01 Warm up: Which law? Example: UK service or company, data of German subjects involved, transferred to Ireland from a German perspective: UK data protection laws applicable! DE service or company, data of UK subjects involved, transferred to Ireland DE data protection law decides whether transfer legitimate.

7 Berlin Düsseldorf Frankfurt/Main Hamburg München Titel der Präsentation oder Nennung des Fachbereichs Falls nötig Untertitel, Datum oder ähnliches 7 7 International transfer and cloud 01 Warm up: Consent and third party Transfer to a third party any separate legal entity including all affiliates How to avoid transfer to third party? data processing agreement, where appropriate Caution: only viable for EU/EEA without further requirements Consent Always superseding all requirements but not realistic concept to rely on

8 Berlin Düsseldorf Frankfurt/Main Hamburg München Titel der Präsentation oder Nennung des Fachbereichs Falls nötig Untertitel, Datum oder ähnliches 8 8 International transfer and cloud 02 Prerequisites for international transfer: two step test First step: Permission for data use under applicable local law? any authorization under law (fulfillment of contract, mandatory obligations etc.)

9 Berlin Düsseldorf Frankfurt/Main Hamburg München Titel der Präsentation oder Nennung des Fachbereichs Falls nötig Untertitel, Datum oder ähnliches 9 9 International transfer and cloud 02 Prerequisites for international transfer: two step test Second step: equal level of protection? First alternative: EU/EEA-transfer? (+) Second alternative: non-eu/eea transfer non-eu/eea, but comparable level of protection: CH, AUS, CAN, Jersey, Guernsey, Isle of Man, Andorra, ARG, ISR, (scenario 1) USA and its safe harbors (scenario 2) transfer to all other countries (scenario 3)

10 Berlin Düsseldorf Frankfurt/Main Hamburg München Titel der Präsentation oder Nennung des Fachbereichs Falls nötig Untertitel, Datum oder ähnliches International transfer and cloud 03 International transfer: equal level of protection Scenario 2: USA and its safe harbors Requirements for safe harbor self certification adherence to principles declared by company towards US authority ( FAQs & Annexes )

11 Berlin Düsseldorf Frankfurt/Main Hamburg München Titel der Präsentation oder Nennung des Fachbereichs Falls nötig Untertitel, Datum oder ähnliches International transfer and cloud 03 International transfer: equal level of protection Scenario 2: USA and its safe harbors safe harbor really safe? post NSA scandal: authorities may suspend data transfer, if great likelihood that safe harbor principles or EU model clauses violated. DSK press release 24 July 2013: This is now the case. factual consequences?

12 Berlin Düsseldorf Frankfurt/Main Hamburg München Titel der Präsentation oder Nennung des Fachbereichs Falls nötig Untertitel, Datum oder ähnliches International transfer and cloud 03 International transfer: equal level of protection Scenario 3: non-eu/eea transfer transfer to all other countries under EU model clauses works as well for Scenario 2, potential solution for German controller during clarification of safe harbor status

13 Berlin Düsseldorf Frankfurt/Main Hamburg München Titel der Präsentation oder Nennung des Fachbereichs Falls nötig Untertitel, Datum oder ähnliches International transfer and cloud 03 International transfer: Summary For the past, additionally self certification of processor under save harbor required, challenged now How to solve scenario 2: Integration of EU model clauses in any event (as standard practice for scenario 3 in the past) If not possible, only way out is consent (or binding corporate rules )

14 Berlin Düsseldorf Frankfurt/Main Hamburg München Titel der Präsentation oder Nennung des Fachbereichs Falls nötig Untertitel, Datum oder ähnliches International transfer and cloud 04 Cloud based services : Any difference? Very short answer: Same same, almost. Why? Any cloud is based somewhere through its provider through its server infrastructure Cloud services are mostly only processing data on behalf of the controller (with the cloud service operator being the processor) Does this data processing structure work in practice? written agreements, TOMs, factual powers/controls, etc.

15 International Data Protection Seminar Enforcement of Data Protection Laws NICOLA FULFORD Kemp Little Privacy & DP Partner 19 / 03 / 2014

16 Agenda Means of Enforcement? Role of the ICO The ICO s enforcement toolkit Changes / trends Rights of individuals Cookies enforcement International comparison and comments _16

17 Means of Enforcement in the UK? The Information Commissioner s Office ICO UK data protection regulator Mission to uphold information rights in the public interest Corporate objective enforcement powers are used proportionately to ensure improved information rights compliance issue penalties as appropriate Individuals have rights to bring action under the DPA (more limited in practice) _17

18 The ICO s enforcement toolkit Criminal Prosecution Monetary Penalty Notice Enforcement Notice Application for an Enforcement Order Audit Factors for enforcement action: Consistently failed to comply; or Significant detriment to individuals Undertaking Information Notice Publicity around bad practice / complaints outcomes (to promote good practice?) _18

19 Enforcement outcomes (from the ICO s website) Investigated; remedial action identified 1252 Investigated; insufficient evidence to prosecute 123 Undertaking obtained 22 Monetary Penalty Notice served 15 Enforcement notice served 8 Prosecuted _19

20 Monetary Penalties Maximum 500,000 S.55A-E DPA serious contravention, of a kind likely to cause substantial damage or substantial distress; deliberate or [reckless] ICO 2013 framework: relevant issues for the ICO to determine the appropriate amount CLCH v. ICO [2013] UKUT 551 (AAC) fine valid despite co-operation early payment discount scheme is lawful Scottish Borders v. ICO EA/2012/0212 what is the actual contravention of the DPA and was that contravention likely to directly cause substantial damage or distress? _20

21 Possible changes / trends in the ICO s approach? Indications: Public Private? Security Fairness / other principles? Advice Penalties? New approach for complaints and concerns (more proactive?) More co-ordinated enforcement with other regulators? Increased publicity? Changes to the law so imprisonment for unauthorised obtaining of personal data this year? _21

22 Rights of individuals to enforce the DPA Individuals rights under the DPA Section 13 of DPA (1) compensation for damage (2) compensation for distress if (a) damage is suffered or (b) contravention relates to processing for special purposes Vidal-Hall and Others v. Google Inc [2014] EWHC 13 (QB) _22

23 Final thoughts Cookies enforcement The first fine! International comparison and comments? Thank you _23

24 Coffee Break

25 EU Data Protection Regulation: update on the process / next steps LONDON, MARCH 19, 2014

26 MAIN TOPICS What happened till now? Update on current status One Stop Shop Is it really a big change? Next steps portolano.it 26

27 PREVIOUSLY ON THE GDP REGULATION Commission Proposal on January 2012 EU Parliament Compromise Amendments on October 2013 Text under discussion before the EU Council portolano.it 27

28 CURRENT STATUS (1/4) The Regulation is currently under 1 st reading at EU Council New timeline: end of 2014? portolano.it 28

29 CURRENT STATUS (2/4) One Stop Shop: lead supervisory authority in the State where controller/processor has "main establishment" - What is main establishment? - What are the roles of the leading authorities and other authorities? - Risk of forum shopping portolano.it 29

30 CURRENT STATUS (3/4) EU Parliament: - The lead authority supervises the processing activities of controller/processor in all Member States - It shall consult with authorities of the other Member States before taking measures EU Council: - Debate in the Eu Council - Legal service for the Eu Council: one-stop shop undermines EU citizens human rights - Criticism from Germany, Denmark, Hungary and Czech Republic portolano.it 30

31 CURRENT STATUS (4/4) Is it really a big change? - Yes, as to the scope of application (single law for Europe) - No (at least in Italy) as to the approach Risk assessment Accountability Documentation to demonstrate compliance with GDP Direct obligations on Processors - Yes, as to how the approach should be translated in practice Not a formalistic approach to compliance portolano.it 31

32 NEXT STEPS Priority for EU institutions Approval: end of 2014? portolano.it 32

33 EU DATA PROTECTION REGULATION Update on some specifics 33

34 1. T E R R I TO R I A L S COPE One Continent One Law Harmonization of all national legislations 1 Regulation instead of 28 Broad Territorial Scope Processing of personal data in the context of the activities of an establishment of a controller or processor in the EU, even if processing outside the EU Extraterritorial Effect When offering services to European consumers, non-european companies, will have to apply the same rules and adhere to the same levels of protection of personal data if: Offer goods or services in the EU (even for free) Monitor data subjects in the EU 34

35 2. R I G H T TO E R A S U R E From Controller Erasure and abstention of further dissemination if no longer needed for any legitimate purpose Take all reasonable steps to have the data erased (including by third parties) where it has made the personal data public without justification From Third Parties Erasure of any links to, copy or replication of personal data Exceptions Historical, statistical and scientific research, freedom of expression and press, public health, legal obligation of retention 35

36 3. P RO F I L I N G Profiling leading to measures producing legal effects or significantly affect the interests, rights or freedoms of individuals Allowed only if: - Necessary to conclude or perform a contract - Based on individual s consent - Expressly authorized by European or national law Shall include human assessment and not be based solely or predominantly on automated processing Profiling leading to discrimination is prohibited Profiling based solely on the processing of pseudonymous data is presumed not to significantly affect the interests, rights or freedoms Right to object and related information 36

37 4. OT H E R ITEMS DPOs DPOs required where the processing relates to more than 5000 data subjects in any consecutive 12-month period or the core activities consist of processing special categories of data, location data or data on children or employees in large filing system Sanctions 100M or up to 5% of the annual worldwide turnover Cookies and IP Addresses constitute personal data 37

38 Questions?

39 Contact Us Nicola Fulford Privacy & DP Partner, Kemp Little LLP Andreas Peschel-Mehner Partner, SKW Schwarz ddi +44 (0) ddi Emmanuel Schulte Partner, Bersay Associes Marco Bellezza Associate, Portolano Cavallo ddi + 33 (0) ddi

The Data Protection Landscape. Before and after GDPR: General Data Protection Regulation

The Data Protection Landscape. Before and after GDPR: General Data Protection Regulation The Data Protection Landscape Before and after GDPR: General Data Protection Regulation Data Protection regulations across Europe Current regulations & guidance European Directives 95/46/EC (Data Protection)

More information

OUTSOURCING, HOSTING AND DATA PRIVACY ISSUES

OUTSOURCING, HOSTING AND DATA PRIVACY ISSUES OUTSOURCING, HOSTING AND DATA PRIVACY ISSUES 4 April 2013 James Castro-Edwards Solicitor Monica Salgado Advogada / Portuguese Lawyer OUR TEAM Speechly Bircham is an ambitious, full-service law firm with

More information

technical factsheet 176

technical factsheet 176 technical factsheet 176 Data Protection CONTENTS 1. Introduction 1 2. Register with the Information Commissioner s Office 1 3. Period protection rights and duties remain effective 2 4. The data protection

More information

Personal information, for purposes of this Policy, includes any information which relates to an identified or an identifiable person.

Personal information, for purposes of this Policy, includes any information which relates to an identified or an identifiable person. PART I: INTRODUCTION AND BACKGROUND Purpose This Data Protection Binding Corporate Rules Policy ( Policy ) establishes the approach of Fluor to compliance with European data protection law and specifically

More information

Into the Cloud: How will the Draft EU Data Protection Regulation affect cloud computing service providers and users?

Into the Cloud: How will the Draft EU Data Protection Regulation affect cloud computing service providers and users? 10 Juni 2013 Taylor Wessing - Essay Competition 2013 Into the Cloud: How will the Draft EU Data Protection Regulation affect cloud computing service providers and users? by Katarina Kesselová, LLM. Introduction

More information

Privacy & Data Security: The Future of the US-EU Safe Harbor

Privacy & Data Security: The Future of the US-EU Safe Harbor Privacy & Data Security: The Future of the US-EU Safe Harbor NAOMI MCBRIDE, LISA J. SOTTO AND BRIDGET TREACY, HUNTON & WILLIAMS LLP, WITH PRACTICAL LAW US INTELLECTUAL PROPERTY & TECHNOLOGY AND UK IP&IT

More information

PRACTICAL LAW DATA PROTECTION MULTI-JURISDICTIONAL GUIDE 2012/13. The law and leading lawyers worldwide

PRACTICAL LAW DATA PROTECTION MULTI-JURISDICTIONAL GUIDE 2012/13. The law and leading lawyers worldwide PRACTICAL LAW MULTI-JURISDICTIONAL GUIDE 2012/13 The law and leading lawyers worldwide Essential legal questions answered in 30 key jurisdictions Analysis of critical legal issues AVAILABLE ONLINE AT WWW.PRACTICALLAW.COM/DATAPROTECTION-MJG

More information

Data and Cyber Laws Up-date 9 July 2015

Data and Cyber Laws Up-date 9 July 2015 Data and Cyber Laws Up-date 9 July 2015 Janine Regan Alexia Zuber Viktoria Protokova Simon Holdsworth charlesrussellspeechlys.com Topics Updates on the key aspects of, and commentary on, the proposed GDPR

More information

Data Protection Avoiding Information Commissioner Fines. Caroline Egan 5 June 2014

Data Protection Avoiding Information Commissioner Fines. Caroline Egan 5 June 2014 Data Protection Avoiding Information Commissioner Fines Caroline Egan 5 June 2014 Why is data protection a hot topic in pensions? Pension schemes hold large amounts of personal data Individuals more aware

More information

User tracking: Scope and Implementation eprivacy Directive Article 5(3)

User tracking: Scope and Implementation eprivacy Directive Article 5(3) User tracking: Scope and Implementation eprivacy Directive Article 5(3) Email Sender & Provider Coalition April 3, 2012 Presented By Karin Retzer 2012 Morrison & Foerster LLP All Rights Reserved mofo.com

More information

Data Protection Policy

Data Protection Policy Data Protection Policy September 2015 Contents 1. Scope 2. Purpose 3. Data protection roles 4. Staff training and guidance 5. About the Data Protection Act 1998 6. Policy 7. The Information Commissioner's

More information

AIRBUS GROUP BINDING CORPORATE RULES

AIRBUS GROUP BINDING CORPORATE RULES 1 AIRBUS GROUP BINDING CORPORATE RULES 2 Introduction The Binding Corporate Rules (hereinafter BCRs ) of the Airbus Group finalize the Airbus Group s provisions on the protection of Personal Data. These

More information

Corporate Policy. Data Protection for Data of Customers & Partners.

Corporate Policy. Data Protection for Data of Customers & Partners. Corporate Policy. Data Protection for Data of Customers & Partners. 02 Preamble Ladies and gentlemen, Dear employees, The electronic processing of virtually all sales procedures, globalization and growing

More information

Data Protection in Clinical Studies Implications of the New EU General Data Protection Regulation

Data Protection in Clinical Studies Implications of the New EU General Data Protection Regulation June 19, 2012 Practice Group(s): Health Care Life Sciences Data Protection in Clinical Studies Implications of the New EU General Data Protection Regulation By Mathias Schulze Steinen and Daniela Bohn

More information

Factsheet on the Right to be

Factsheet on the Right to be 101010 100101 1010 101 Factsheet on the Right to be 100 Forgotten ruling (C-131/12) 101 101 1) What is the case about and what did 100 the Court rule? 10 In 2010 a Spanish citizen lodged a complaint against

More information

Inhouse Masterclass: Data Developments - Cyber Security & the Right to be Forgotten. MHC.ie

Inhouse Masterclass: Data Developments - Cyber Security & the Right to be Forgotten. MHC.ie Inhouse Masterclass: Data Developments - Cyber Security & the Right to be Forgotten MHC.ie Rewriting the Past Oisin Tobin otobin@mhc.ie Agenda 1. Background 2. Findings and impact: a) Jurisdiction b) A

More information

Corporate Guidelines for Subsidiaries (in Third Countries ) *) for the Protection of Personal Data

Corporate Guidelines for Subsidiaries (in Third Countries ) *) for the Protection of Personal Data Corporate Guidelines for Subsidiaries (in Third Countries ) *) for the Protection of Personal Data *) For the purposes of these Corporate Guidelines, Third Countries are all those countries, which do not

More information

Corporate Compliance: A Global Perspective

Corporate Compliance: A Global Perspective Corporate Compliance: A Global Perspective 6/27/2012 37 Offices in 18 Countries Current Compliance Environment Ever-intensifying regulatory burden new areas of regulation existing regulations becoming

More information

The eighth data protection principle and international data transfers

The eighth data protection principle and international data transfers Data Protection Act 1998 The eighth data protection principle and international data transfers The Information Commissioner s recommended approach to assessing adequacy including consideration of the issue

More information

Watch Special. Making sense of European Data Protection Regulations as they relate to the storage and management of content in the Cloud

Watch Special. Making sense of European Data Protection Regulations as they relate to the storage and management of content in the Cloud AIIM Market Intelligence Delivering the priorities and opinions of AIIM s 80,000 community Making sense of European Data Protection Regulations as they relate to the storage and management of content in

More information

EU Data Protection Directive and U.S. Safe Harbor Framework: An Employer Update. By Stephen H. LaCount, Esq.

EU Data Protection Directive and U.S. Safe Harbor Framework: An Employer Update. By Stephen H. LaCount, Esq. EU Data Protection Directive and U.S. Safe Harbor Framework: An Employer Update By Stephen H. LaCount, Esq. Overview The European Union Data Protection Directive 95/46/EC ( Directive ) went effective in

More information

Corporate ICT & Data Management. Data Protection Policy

Corporate ICT & Data Management. Data Protection Policy 90 Corporate ICT & Data Management Data Protection Policy Classification: Unclassified Date Created: January 2012 Date Reviewed January Version: 2.0 Author: Owner: Data Protection Policy V2 1 Version Control

More information

Binding Corporate Rules ( BCR ) Summary of Third Party Rights

Binding Corporate Rules ( BCR ) Summary of Third Party Rights Binding Corporate Rules ( BCR ) Summary of Third Party Rights This document contains in its Sections 3 9 all provision of the Binding Corporate Rules (BCR) for Siemens Group Companies and Other Adopting

More information

BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS

BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS Mat Wright www.britishcouncil.org CONTENTS Purpose of the code 1 Scope of the code 1 The British Council s data protection commitment and

More information

Data Transfer Policy London Borough of Barnet

Data Transfer Policy London Borough of Barnet London Borough of Barnet DATA PROTECTION 11 Document Control Document Description Data Transfer Policy Version v.2 Date Created December 2010 Status Authorisation Name Signature Date Prepared By: IS Checked

More information

Data Protection, Software Licenses and other Legal Issues in the Cloud

Data Protection, Software Licenses and other Legal Issues in the Cloud Data Protection, Software Licenses and other Legal Issues in the Cloud Dr. Hendrik Schöttle Rechtsanwalt, Fachanwalt für IT-Recht OSDC 2012, Nuremberg 26. April 2012 Overview Introduction Data Protection

More information

Overview. Data protection in a swirl of change 28.03.2014. Cloud computing. Software as a service. Infrastructure as a service. Platform as a service

Overview. Data protection in a swirl of change 28.03.2014. Cloud computing. Software as a service. Infrastructure as a service. Platform as a service Data protection in a swirl of change Overview 1 Data protection issues in cloud computing 2 Consent for mobile applications Security Seminar 2014: Privacy Radboud University Nijmegen 3 The WhatsApp case

More information

South East Asia: Data Protection Update

South East Asia: Data Protection Update Data Privacy and Security Team To: Our Clients and Friends September 2013 South East Asia: Data Protection Update Europe has had data protection laws in place for over a decade. Such laws regulate how

More information

Data Protection Act. Privacy & Security in the Information Age. April 26, 2013. Ministry of Communications, Ghana

Data Protection Act. Privacy & Security in the Information Age. April 26, 2013. Ministry of Communications, Ghana Data Protection Act Privacy & Security in the Information Age April 26, 2013 Agenda Privacy in The Information Age The right to privacy Why We Need Legislation Purpose of the Act The Data Protection Act

More information

OVERVIEW. stakeholder engagement mechanisms and WP29 consultation mechanisms respectively.

OVERVIEW. stakeholder engagement mechanisms and WP29 consultation mechanisms respectively. Joint work between experts from the Article 29 Working Party and from APEC Economies, on a referential for requirements for Binding Corporate Rules submitted to national Data Protection Authorities in

More information

Summary of Data Protection Requirements When transferring Data Outside the UK End Users

Summary of Data Protection Requirements When transferring Data Outside the UK End Users Summary of Data Protection Requirements When transferring Data Outside the UK End Users 14 May 2010 Background to transfers of the Data outside the UK Data can be transferred in a couple of ways in relation

More information

Privacy in the cloud. DNB has indicated that it considers cloud computing a form of outsourcing.

Privacy in the cloud. DNB has indicated that it considers cloud computing a form of outsourcing. Privacy in the cloud computing, and the company concerned is required to submit a risk analysis to DNB. 3 Cloud computing entails the saving, processing and using of company data on the servers of a cloud

More information

An overview of UK data protection law

An overview of UK data protection law An overview of UK data protection law Our team Vinod Bange Partner +44 (0)20 7300 4600 v.bange@taylorwessing.com Graham Hann Partner +44 (0)20 7300 4839 g.hann@taylorwessing.com Chris Jeffery Partner +44

More information

Navigating the Privacy Law Landscape - US and Europe

Navigating the Privacy Law Landscape - US and Europe 21 January, 2015 Navigating the Privacy Law Landscape - US and Europe Roberta Anderson, Partner, K&L Gates, Pittsburgh Friederike Gräfin von Brühl, Senior Associate, K&L Gates, Berlin Etienne Drouard,

More information

A guide for in-house lawyers

A guide for in-house lawyers A guide for in-house lawyers June 2015 The Proposed EU General Data Protection Regulation Index Introduction to the Regulation - 3 Progress of the Regulation - 4 Using this Guide - 5 Conceptual Overview

More information

Data Protection Policy.

Data Protection Policy. Data Protection Policy. Data Protection Policy Foreword 2 Foreword Ladies and Gentlemen, In the information age, we offer customers the means to be always connected, even in their cars. This requires data

More information

UK Data Protection Newsletter June 2015

UK Data Protection Newsletter June 2015 UK Data Protection Newsletter June 2015 Headlines this month: n Data Protection reform update n New regulation must not lower data protection standards n Raid on Manchester Call Centre n Recent data breaches

More information

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Sopra HR Software as a Data Processor Sopra HR Software, 2014 / Ref. : 20141120-101114-m 1/32 1.

More information

Article 29 Working Party Issues Opinion on Cloud Computing

Article 29 Working Party Issues Opinion on Cloud Computing Client Alert Global Regulatory Enforcement If you have questions or would like additional information on the material covered in this Alert, please contact one of the authors: Cynthia O Donoghue Partner,

More information

The prospects for data breach laws in 22 European countries

The prospects for data breach laws in 22 European countries The prospects for data breach laws in 22 European countries Stewart Dresner, Chief Executive Privacy Laws & Business Wednesday, 4 November 2009 16 30-17 45: PARALLEL SESSION A: Ooopsss!!!!! Where did I

More information

The reform of the EU Data Protection framework - Building trust in a digital and global world. 9/10 October 2012

The reform of the EU Data Protection framework - Building trust in a digital and global world. 9/10 October 2012 The reform of the EU Data Protection framework - Building trust in a digital and global world 9/10 October 2012 Questionnaire addressed to national Parliaments Please, find attached a number of questions

More information

Code of Conduct. Corporate Data Protection. We make ICT strategies work

Code of Conduct. Corporate Data Protection. We make ICT strategies work Corporate Data Protection Code of Conduct for the Protection of the Individual s Right to Privacy in the Handling of Personal Data within the Deutsche Telekom Group 2010 / 04 We make ICT strategies work

More information

Multi-Jurisdictional Study: Cloud Computing Legal Requirements. Julien Debussche Associate January 2015

Multi-Jurisdictional Study: Cloud Computing Legal Requirements. Julien Debussche Associate January 2015 Multi-Jurisdictional Study: Cloud Computing Legal Requirements Julien Debussche Associate January 2015 Content 1. General Legal Framework 2. Data Protection Legal Framework 3. Security Requirements 4.

More information

Cloud Software Services for Schools

Cloud Software Services for Schools Cloud Software Services for Schools Supplier self-certification statements with service and support commitments Supplier name Address Contact name Contact email Contact telephone Parent Teacher Online

More information

Data protection compliance checklist

Data protection compliance checklist Data protection compliance checklist What is this checklist for? This checklist is drawn up on the basis of analysis of the relevant provisions of European law. Although European law aims at harmonizing

More information

INTERNATIONAL SOS. Data Protection Policy. Version 1.05

INTERNATIONAL SOS. Data Protection Policy. Version 1.05 INTERNATIONAL SOS Data Protection Policy Document Owner: LCIS Division Document Manager: Group General Counsel Effective: December 2008 Revised: 2015 All copyright in these materials are reserved to AEA

More information

Council of the European Union Brussels, 26 June 2015 (OR. en)

Council of the European Union Brussels, 26 June 2015 (OR. en) Council of the European Union Brussels, 26 June 2015 (OR. en) Interinstitutional File: 2012/0011 (COD) 9985/1/15 REV 1 LIMITE DATAPROTECT 103 JAI 465 MI 402 DIGIT 52 DAPIX 100 FREMP 138 COMIX 281 CODEC

More information

EU Data Protection Reforms Challenges for Business

EU Data Protection Reforms Challenges for Business www.pwc.com Contents EU Data Protection Reforms Challenges for Business July 2014 1. Introduction 2. The need for change 3. Changes and challenges 4. Recommendations 5. Conclusion 6. For a deeper conversation

More information

Data Protection and Cloud Computing: an Overview of the Legal Issues

Data Protection and Cloud Computing: an Overview of the Legal Issues Data Protection and Cloud Computing: an Overview of the Legal Issues Christopher Kuner Partner, Hunton & Williams, Brussels Research Assistant, University of Copenhagen Nordic IT Law Conference Copenhagen,

More information

International Privacy and Data Security Requirements. Benedict Stanberry, LLB LLM MRIN Director, Centre for Law Ethics and Risk in Telemedicine

International Privacy and Data Security Requirements. Benedict Stanberry, LLB LLM MRIN Director, Centre for Law Ethics and Risk in Telemedicine International Privacy and Data Security Requirements Benedict Stanberry, LLB LLM MRIN Director, Centre for Law Ethics and Risk in Telemedicine Aims of this Presentation. To provide a brief overview of

More information

Recruitment Sector. Consultation on prohibiting employment agencies and employment businesses from advertising jobs exclusively in other EEA countries

Recruitment Sector. Consultation on prohibiting employment agencies and employment businesses from advertising jobs exclusively in other EEA countries Recruitment Sector Consultation on prohibiting employment agencies and employment businesses from advertising jobs exclusively in other EEA countries JULY 2014 Contents Contents... 2 Prohibiting employment

More information

Data Protection HEADLINE PART Developments: Implications HEADLINE for the PART Insurance 2 Sector Strategies for Compliance

Data Protection HEADLINE PART Developments: Implications HEADLINE for the PART Insurance 2 Sector Strategies for Compliance Data Protection HEADLINE PART Developments: 1 Implications HEADLINE for the PART Insurance 2 Sector Strategies for Compliance Sub-headline Arial 18pt dark gray Optional Name Arial 13pt italic white Venue

More information

OSRAM BCR Binding Corporate Rules ( BCR ) for OSRAM Group Companies and Adopting Companies for the protection of personal data

OSRAM BCR Binding Corporate Rules ( BCR ) for OSRAM Group Companies and Adopting Companies for the protection of personal data OSRAM BCR Binding Corporate Rules ( BCR ) for OSRAM Group Companies and Adopting Companies for the protection of personal data Terms Adopting company an OSRAM associated company in Germany or overseas

More information

Information Commissioner s Office. ICO response to the discussion paper on the Rehabilitation of Offenders Act 1974

Information Commissioner s Office. ICO response to the discussion paper on the Rehabilitation of Offenders Act 1974 Information Commissioner s Office ICO response to the discussion paper on the Rehabilitation of Offenders Act 1974 14 November 2013 1 Contents Introduction Response Further issues About the ICO The ICO

More information

235.1. Federal Act on Data Protection (FADP) Aim, Scope and Definitions

235.1. Federal Act on Data Protection (FADP) Aim, Scope and Definitions English is not an official language of the Swiss Confederation. This translation is provided for information purposes only and has no legal force. Federal Act on Data Protection (FADP) 235.1 of 19 June

More information

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved.

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved. Align Technology Data Protection Binding Corporate Rules Controller Policy Contents INTRODUCTION 3 PART I: BACKGROUND AND ACTIONS 4 PART II: CONTROLLER OBLIGATIONS 6 PART III: APPENDICES 13 2 P a g e INTRODUCTION

More information

on the transfer of personal data from the European Union

on the transfer of personal data from the European Union on the transfer of personal data from the European Union BCRsseptembre 2008.doc 1 TABLE OF CONTENTS I. PRELIMINARY REMARKS 3 II. DEFINITIONS 3 III. DELEGATED DATA PROTECTION MANAGER 4 IV. MICHELIN GROUP

More information

Auditing data protection a guide to ICO data protection audits

Auditing data protection a guide to ICO data protection audits Auditing data protection a guide to ICO data protection audits Contents Executive summary 3 1. Audit programme development 5 Audit planning and risk assessment 2. Audit approach 6 Gathering evidence Audit

More information

New EU Data Protection legislation comes into force today. What does this mean for your business?

New EU Data Protection legislation comes into force today. What does this mean for your business? 24 th May 2016 New EU Data Protection legislation comes into force today. What does this mean for your business? After years of discussion and proposals, the General Data Protection Regulation ( GDPR )

More information

Align Technology. Data Protection Binding Corporate Rules Processor Policy. 2014 Align Technology, Inc. All rights reserved.

Align Technology. Data Protection Binding Corporate Rules Processor Policy. 2014 Align Technology, Inc. All rights reserved. Align Technology Data Protection Binding Corporate Rules Processor Policy Confidential Contents INTRODUCTION TO THIS POLICY 3 PART I: BACKGROUND AND ACTIONS 4 PART II: PROCESSOR OBLIGATIONS 6 PART III:

More information

How we deal with complaints and concerns

How we deal with complaints and concerns I Data Protection Act How we deal with complaints and concerns A guide for data controllers 1 Data Protection Act How we deal with complaints and concerns The ICO is the UK s independent public authority

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Document Ref: DPA20100608-001 Version: 1.3 Classification: UNCLASSIFIED (IL 0) Status: ISSUED Prepared By: Ian Mason Effective From: 4 th January 2011 Contact: Governance Team ICT

More information

DATA PROTECTION ACT 2002 The Basics

DATA PROTECTION ACT 2002 The Basics DATA PROTECTION ACT 2002 The Basics Purpose of the Act Balance the rights of an individual with an organisation s legitimate need to process personal data Promote openness and transparency Establish and

More information

Safe Harbour Agreement no longer a valid basis for EEA to US transfers of personal data

Safe Harbour Agreement no longer a valid basis for EEA to US transfers of personal data Jisc Safe Harbour NOTE ON THE COURT OF JUSTICE OF THE EUROPEAN UNION'S JUDGMENT ON 'SAFE HARBOUR' ARRANGEMENTS FOR THE TRANSFER OF PERSONAL DATA FROM THE EEA TO THE USA KEY POINTS Safe Harbour Agreement

More information

What's Up with Apps in Hong Kong July 2013

What's Up with Apps in Hong Kong July 2013 What's Up with Apps in Hong Kong July 2013 In May this year, the Hong Kong Privacy Commissioner for Personal Data ("Privacy Commissioner") joined the Global Privacy Enforcement Network ("GPEN") to conduct

More information

AlixPartners, LLP. General Data Protection Statement

AlixPartners, LLP. General Data Protection Statement AlixPartners, LLP General Data Protection Statement GENERAL DATA PROTECTION STATEMENT 1. INTRODUCTION 1.1 AlixPartners, LLP ( AlixPartners ) is committed to fulfilling its obligations under the data protection

More information

MONMOUTHSHIRE COUNTY COUNCIL DATA PROTECTION POLICY

MONMOUTHSHIRE COUNTY COUNCIL DATA PROTECTION POLICY MONMOUTHSHIRE COUNTY COUNCIL DATA PROTECTION POLICY Page 1 of 16 Contents Policy Information 3 Introduction 4 Responsibilities 7 Confidentiality 9 Data recording and storage 11 Subject Access 12 Transparency

More information

Briefly summarised, SURFmarket has submitted the following questions to the Dutch DPA:

Briefly summarised, SURFmarket has submitted the following questions to the Dutch DPA: UNOFFICIAL TRANSLATION Written opinion on the application of the Wet bescherming persoonsgegevens [Dutch Data Protection Act] in the case of a contract for cloud computing services from an American provider

More information

Big Data for Mutuals. Marc Dautlich 25 November 2013

Big Data for Mutuals. Marc Dautlich 25 November 2013 Big Data for Mutuals Marc Dautlich 25 November 2013 Agenda BIG DATA What is it? OPPORTUNITIES What are they? LEGAL CHALLENGES How do we overcome them? LEGAL REFORM What can we do now to minimise impact?

More information

Privacy Level Agreement Outline for the Sale of Cloud Services in the European Union

Privacy Level Agreement Outline for the Sale of Cloud Services in the European Union Privacy Level Agreement Working Group Privacy Level Agreement Outline for the Sale of Cloud Services in the European Union February 2013 The PLA Outline has been developed within CSA by an expert working

More information

Comments and proposals on the Chapter IV of the General Data Protection Regulation

Comments and proposals on the Chapter IV of the General Data Protection Regulation Comments and proposals on the Chapter IV of the General Data Protection Regulation Ahead of the trialogue negotiations later this month, EDRi, Access, Panoptykon Bits of Freedom, FIPR and Privacy International

More information

The Impact of EU Data Protection Legislation. Thomas Rivera Hitachi Data Systems

The Impact of EU Data Protection Legislation. Thomas Rivera Hitachi Data Systems Privacy PRESENTATION vs Data TITLE Protection: GOES HERE The Impact of EU Data Protection Legislation Thomas Rivera Hitachi Data Systems SNIA Legal Notice The material contained in this tutorial is copyrighted

More information

12 January 2011. Register of Interest Representatives Identification number in the register: 52646912360-95

12 January 2011. Register of Interest Representatives Identification number in the register: 52646912360-95 Z E N T R A L E R K R E D I T A U S S C H U S S MITGLIEDER: BUNDESVERBAND DER DEUTSCHEN VOLKSBANKEN UND RAIFFEISENBANKEN E.V. BERLIN BUNDESVERBAND DEUTSCHER BANKEN E.V. BERLIN BUNDESVERBAND ÖFFENTLICHER

More information

Binding Corporate Rules Privacy (BCRP) personal Telekom Group rights in the handling of personal data within the Deutsche Telekom Group

Binding Corporate Rules Privacy (BCRP) personal Telekom Group rights in the handling of personal data within the Deutsche Telekom Group Binding Corporate Rules Privacy (BCRP) Binding Corporate corporate Rules rules Privacy for (BCRP) the protection of personal Telekom Group rights in the handling of personal data within the Deutsche Telekom

More information

A list of CIArb subsidiaries relevant to this notice and their activities is set out below.

A list of CIArb subsidiaries relevant to this notice and their activities is set out below. CHARTERED INSTITUTE OF ARBITRATORS DATA PRIVACY NOTICE INTRODUCTION This data protection notice explains what personal data will be collected by the Chartered Institute of Arbitrators and its subsidiary

More information

EU Regulatory Trends in Data Protection & Cybersecurity What should be on the industry s agenda?

EU Regulatory Trends in Data Protection & Cybersecurity What should be on the industry s agenda? EU Regulatory Trends in Data Protection & Cybersecurity What should be on the industry s agenda? Dr. Jörg Hladjk Counsel European Data Protection & Privacy Practice Hunton & Williams, Brussels Cyber Security

More information

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS As a world leader in electronic commerce and payment services, First Data Corporation and its subsidiaries ( First Data entity or entities ),

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Version 1.3 April 2014 Contents 1 POLICY STATEMENT...2 2 PURPOSE....2 3 LEGAL CONTEXT AND DEFINITIONS...2 3.1 Data Protection Act 1998...2 3.2 Other related legislation.....4 3.3

More information

E-COMMERCE GOES MOBILE: SEEKING COMPETITIVENESS THROUGH PRIVACY

E-COMMERCE GOES MOBILE: SEEKING COMPETITIVENESS THROUGH PRIVACY E-COMMERCE GOES MOBILE: SEEKING COMPETITIVENESS THROUGH PRIVACY Oana Dolea 7 th Annual Leg@l.IT Conference March 26th, 2013 Montreal, Canada INTRODUCTION Mobile e-commerce vs. E-commerce Mobile e-commerce:

More information

1 Data Protection Principles

1 Data Protection Principles Today, our personal information is being collected, shared, stored and analysed everywhere. Whether you are browsing the internet, talking to a friend or making an online purchase, personal data collection

More information

Context. To cloud or not to cloud, that is a very serious question. Legal challenges in a post Safe Harbour and pre GDPR cloud world

Context. To cloud or not to cloud, that is a very serious question. Legal challenges in a post Safe Harbour and pre GDPR cloud world To cloud or not to cloud, that is a very serious question EEMA / TrustCore Legal challenges in a post Safe Harbour and pre GDPR cloud world 18 November 2015 hans.graux@timelex.eu Context Major cloud providers

More information

Directive. for the transfer of personal data. to third countries outside the EEA

Directive. for the transfer of personal data. to third countries outside the EEA Directive for the transfer of personal data to third countries outside the EEA (Munich Re reinsurance group directive on third-country data transfer) Information correct at 1 July 2013 - 2 - Contents 1

More information

Merthyr Tydfil County Borough Council. Data Protection Policy

Merthyr Tydfil County Borough Council. Data Protection Policy Merthyr Tydfil County Borough Council Data Protection Policy 2014 Cyfarthfa High School is a Rights Respecting School, we recognise the importance of ensuring that the United Nations Convention of the

More information

PRINCIPLES OF THE TRANSFER OF PERSONAL DATA TO A THIRD COUNTRY. Introduction

PRINCIPLES OF THE TRANSFER OF PERSONAL DATA TO A THIRD COUNTRY. Introduction PRINCIPLES OF THE TRANSFER OF PERSONAL DATA TO A THIRD COUNTRY Introduction The continuous globalization of the world economy influences the international transfer of personal data. The transfer of personal

More information

CABINET OFFICE THE CIVIL SERVICE NATIONALITY RULES

CABINET OFFICE THE CIVIL SERVICE NATIONALITY RULES ANNEX A CABINET OFFICE THE CIVIL SERVICE NATIONALITY RULES Introduction The Civil Service Nationality Rules concern eligibility for employment in the Civil Service on the grounds of nationality and must

More information

STUDENT AWARDS AGENCY FOR SCOTLAND (SAAS) NOT FIT FOR SUPPORT POLICY

STUDENT AWARDS AGENCY FOR SCOTLAND (SAAS) NOT FIT FOR SUPPORT POLICY INTRODUCTION STUDENT AWARDS AGENCY FOR SCOTLAND (SAAS) NOT FIT FOR SUPPORT POLICY SAAS is an executive agency of the Scottish Government with responsibility for the assessment of entitlement to and payment

More information

Appendix 11 - Swiss Data Protection Act

Appendix 11 - Swiss Data Protection Act GLEIF- LOU Restricted Appendix 11 - Swiss Data Protection Act GLEIF Revision Version: 1.0 2015-09-23 Master Copy page 2 of 11 Applicable Provisions of the Swiss Data Protection Act (DPA) including the

More information

THE TRANSFER OF PERSONAL DATA ABROAD

THE TRANSFER OF PERSONAL DATA ABROAD THE TRANSFER OF PERSONAL DATA ABROAD MARCH 2014 THIS NOTE CONSIDERS THE SITUATION OF AN IRISH ORGANISATION OR BUSINESS SEEKING TO TRANSFER PERSONAL DATA ABROAD FOR STORAGE OR PROCESSING, IN LIGHT OF THE

More information

Guidelines on Data Protection. Draft. Version 3.1. Published by

Guidelines on Data Protection. Draft. Version 3.1. Published by Guidelines on Data Protection Draft Version 3.1 Published by National Information Technology Development Agency (NITDA) September 2013 Table of Contents Section One... 2 1.1 Preamble... 2 1.2 Authority...

More information

International E-Discovery E-Discovery vs. German Data Protection

International E-Discovery E-Discovery vs. German Data Protection International E-Discovery E-Discovery vs. German Data Protection ABA Tech Committee April 28 30, 2010 New York, LL.M. CMS Hasche Sigle Kranhaus 1 / Im Zollhafen 18 50678 Cologne Germany Tel: +49 221 7716-140

More information

EU Competition Law. Article 101 and Article 102. January 2010. Contents

EU Competition Law. Article 101 and Article 102. January 2010. Contents EU Competition Law January 2010 Contents Article 101 The requirements of Article 101(1) Exemptions under Article 101(3) Article 102 Dominant position Abuse of a dominant position Procedural issues Competition

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Prepared By: Malkiat Thiarai Head of Corporate Information Management Date of Publication: 23/01/2013 Version: 5.0 Classification: Not Protectively Marked Page 1 Table of Contents

More information

Cloud Software Services for Schools

Cloud Software Services for Schools Cloud Software Services for Schools Supplier self-certification statements with service and support commitments Please insert supplier details below Supplier name Address Contact name Contact email Contact

More information

Cloud computing and the legal framework

Cloud computing and the legal framework Cloud computing and the legal framework - Guidance on legislative requirement and the contractual environment related to cloud computing Content 1. Introduction 3 2. The Danish Act on Processing of Personal

More information

Application of Data Protection Concepts to Cloud Computing

Application of Data Protection Concepts to Cloud Computing Application of Data Protection Concepts to Cloud Computing By Denitza Toptchiyska Abstract: The fast technological development and growing use of cloud computing services require implementation of effective

More information

Information Security Risks when going cloud. How to deal with data security: an EU perspective.

Information Security Risks when going cloud. How to deal with data security: an EU perspective. Separating fact from fiction about new software licensing /SaaS/ cloud computing models: advantages, disadvantages and ethical implications. Information Security Risks when going cloud. How to deal with

More information

Launching a Whistleblower Hotline Across Europe

Launching a Whistleblower Hotline Across Europe WhitePaper Launching a Whistleblower Hotline Across Europe 10/15/12 Table of Contents Abstract. 2 Issues Faced by Multinationals When Launching a European Hotline..2 Three-Step Process for Developing a

More information

Cloud Computing and Privacy Laws! 17.7. 22.7. 2011 Prof. Dr. Thomas Fetzer, LL.M. Technische Universität Dresden Law School

Cloud Computing and Privacy Laws! 17.7. 22.7. 2011 Prof. Dr. Thomas Fetzer, LL.M. Technische Universität Dresden Law School DEUTSCH-FRANZÖSISCHE SOMMERUNIVERSITÄT! FÜR NACHWUCHSWISSENSCHAFTLER 2011! CLOUD COMPUTING : HERAUSFORDERUNGEN UND MÖGLICHKEITEN UNIVERSITÉ DʼÉTÉ FRANCO-ALLEMANDE POUR JEUNES CHERCHEURS 2011! CLOUD COMPUTING

More information

THE INTERNATIONAL CHAMBER OF COMMERCE PROPOSES AN ALTERNATIVE FOR LEGITIMIZING INTERNATIONAL TRANSFERS OF PERSONAL DATA FROM THE EUROPEAN UNION

THE INTERNATIONAL CHAMBER OF COMMERCE PROPOSES AN ALTERNATIVE FOR LEGITIMIZING INTERNATIONAL TRANSFERS OF PERSONAL DATA FROM THE EUROPEAN UNION CLIENT MEMORANDUM THE INTERNATIONAL CHAMBER OF COMMERCE PROPOSES AN ALTERNATIVE FOR LEGITIMIZING INTERNATIONAL TRANSFERS OF PERSONAL DATA FROM THE EUROPEAN UNION The ICC Report analyzes the use of binding

More information