OUTSOURCING, HOSTING AND DATA PRIVACY ISSUES


1 OUTSOURCING, HOSTING AND DATA PRIVACY ISSUES
4 April 2013
James Castro-Edwards, Solicitor
Monica Salgado, Advogada / Portuguese Lawyer

2 OUR TEAM
- Speechly Bircham is an ambitious, full-service law firm with over 250 lawyers, headquartered in London.
- We work with business and private clients across the UK and internationally and focus on the financial services, private wealth, technology, real estate and construction sectors.
- We have offices in Luxembourg and Zurich.
- Our Data Protection & Information Law team provide a range of expertise on data privacy audit, compliance, risk management, information security and data breaches.
- We are listed in Chambers 2013 as a leading law firm for Data Protection and have advised on this area of law since 1983.

Robert Bond and his team have always provided comprehensive, practical advice on a timely basis. Their knowledge of the EU regulatory scene, including experience with specific agencies, as well as privacy issues globally has been instrumental in establishing our privacy policies and procedures.

3 James Castro-Edwards
+44 (0)

James is a senior commercial solicitor in the IP, Technology & Data Group with extensive experience in data protection. James' recent work includes ownership of global data protection compliance projects for multinationals, including implementation of Sarbanes-Oxley driven whistleblower hotlines. He frequently works with senior in-house counsel, finding solutions to complex cross-border data issues and 'has a pan-european perspective on data protection compliance' according to clients.

James has significant experience of the differing requirements of the many European data protection authorities, particularly in relation to data transfers. He has advised clients in relation to subject access requests, acting for both data controllers and data subjects, and enabled database owners to optimise their personal data for marketing purposes while remaining in compliance with the law.

James also advises online and innovative businesses looking to exploit new intellectual property. In doing so he has advised in relation to distribution, supply and licensing agreements, and regularly advises clients in relation to new online business models. James provides practical advice and commercial solutions to data hosting businesses.

James frequently speaks on data protection and has been published in World Data Protection Report, Data Protection Law & Policy, Journal of Database Marketing & Customer Strategy Management, the Marketer and Journal of Intellectual Property Law & Practice. He also contributed to the Fifth Edition of Butterworths' Encyclopaedia of Forms and Precedents Volume 19(1).

4 Monica Salgado
Advogada registered with the Ordem dos Advogados
Registered European Lawyer
+44(0)

Monica has experience assisting clients with the most varied data protection issues, both in Portugal and the UK. Monica has advised on filings with relevant data protection authorities, processor / controller agreements, trans-border flows of personal data, data protection compliance measures and tools, compliance assessments and training. Monica has also provided legal advice on how to comply with the E-Privacy rules, notably by conducting cookies audits, drafting cookies policies and implementing cookies consent tools.

Monica has been referred by clients in Legal 500, 2011 edition, as providing top-notch client service.

5 WHAT WE WILL COVER
1. Global Data Protection / Privacy Landscape
2. The Data Protection Principles
3. Key Data Protection Principles relevant to Outsourcing
4. Outsourcing: DPA Registration Requirements
5. Outsourcing: Practical Considerations
6. The Data Protection Regulation

6 Global Data Protection / Privacy Landscape
Legislation Landscape
- Data Protection Directive 95/46/EC applies throughout Europe
- Takes effect in European Member States through implementing legislation, e.g. Data Protection Act 1998 (UK)
- EU rules are the longest established and strictest
- Data protection laws are not confined to Europe:
  - Approved countries: Canada / Argentina / Switzerland / Israel
  - US takes a sector-based approach, e.g. COPPA / HIPAA
  - Emerging laws: Singapore, Hong Kong, Malaysia, South Korea, the Philippines
- Many similarities between laws because of OECD guidelines (1980)

7 The Data Protection Principles
European Data Protection Principles:
- Fair and lawful processing;
- Specified purposes;
- Adequate, relevant, not excessive;
- Accurate and up-to-date;
- Not held longer than is necessary;
- Held in accordance with the data subjects' rights;
- Technical and organisational security measures;
- Not transferred to a country outside the EEA.

Organisations must comply with the principles AND register with the relevant Data Protection Authority (DPA).

These are the EU principles, but a similar approach has been adopted outside the EU following the OECD guidelines.

8 Key Data Protection Principles relevant to Outsourcing
1. Fair & Lawful Processing
   Legitimate ground for processing + notice to data subjects
2. Security
   Outsourcing provider must ensure personal data is protected, but data controller remains liable for compliance with the law
3. Data Transfers
   Outsourcing arrangements frequently result in transfers of personal data out of the EEA
4. Registration / Notification with DPA
   DPA should be informed of outsourcing arrangements and transfers of personal data out of the EEA

9 Key Data Protection Principles relevant to Outsourcing
Fair and Lawful Processing: the Fundamental Data Protection Principle
Requirements:
- Legitimate Ground: establishing a legitimate ground (consent / contract performance / legal obligation / vital interests / legitimate interests)
+
- Fair processing information: provision of fair processing information when data is first processed; telling individuals who you are and what will be done with their personal data (e.g. privacy policy)

Relevant each time data is collected, shared or used for a new purpose, e.g. implementation of outsourced solution

10 Key Data Protection Principles relevant to Outsourcing
Appropriate Technical Organisational and Physical Security Measures
Legal Requirements
- EU data protection law requires data controllers to implement appropriate technical and security measures to protect personal data against:
  - Accidental or unlawful destruction or loss;
  - Unauthorised alteration, disclosure or access (in particular where the processing involves the transmission of data over a network); and
  - All other unlawful forms of processing.
- Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.
- The Member States shall provide that the controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures.

11 Key Data Protection Principles relevant to Outsourcing
Appropriate Technical Organisational and Physical Security Measures
Practical Considerations
- Physical: measures (physical locks to building; secure physical storage)
- Organisational: access to data on need to know basis / appointment of third party processors
- Technical: IT security / encryption, destruction of data
- Contractual: binding third party processors to comply
  - The law currently does not apply to processors
  - The data controller remains liable for breaches of the law

12 Key Data Protection Principles relevant to Outsourcing
Data Transfers
- Personal data must not be transferred to a country which does not provide adequate protection.
  - European Member States all provide adequate protection
  - Approved countries (Argentina, Canada, Switzerland, New Zealand)
  - US Safe Harbor
  - Binding Corporate Rules
  - EU Approved Model Clauses
  - Data controller to data controller
  - Data controller to data processor
- Even between members of the same group of companies
- Non-EU jurisdictions have similar provisions
- Transfers may require notification with DPA

13 Outsourcing: DPA Registration Requirements
Overview
- Most European DPAs require registration / notification of processing operations
  - Specific requirements vary
  - Notification may be filed online
  - Register is usually public
- The use of outsourcers and data transfers should generally be notified; some DPAs must grant prior authorisation
- Generally one registration per individual company
- Exemptions exist
- Some require Data Protection Officer instead
- Some DPAs require additional documentation or steps
- More and more DPAs outside Europe are adopting similar positions

14 Outsourcing: DPA Registration Requirements
More than a tick the box exercise
- More than a bureaucratic formality
- Purpose: to assist the DPA enforcing the data protection law
- You must be fully informed to present a registration / notification
- Types of notifications:
  - Prior registration of processing operations
  - Prior checking of processing operations
  - Notification of breaches to the DPA
  - Notification of breaches to the data subjects
  - Other types of notifications / requests for authorisation

15 Outsourcing: DPA Registration Requirements
Current EU framework - prior registration of processing operations
- Obligation set out in the 1995 EU Data Protection Directive
  - Member States shall provide that the controller or his representative, if any, must notify the supervisory authority ( ) before carrying out any wholly or partly automated processing operations or set of processing operations intended to serve a single purpose or several related purposes (article 18 no. 1 of the Directive)
- Member States have transposed the Directive, adapting how in practice controllers should register processing operations
- Common issues:
  - The main criterion is the purpose of the processing
  - The registration is either previous or contemporary with the beginning of the processing operations
  - Registration can be exempted or simplified in specific circumstances
  - The main content of the registration is predefined in the Directive:
    - Details of the controller
    - Description of the processing operation, including its purpose, categories of data and data subjects
    - Recipients
    - Transfers
    - Security measures

16 Outsourcing: DPA Registration Requirements
Current EU framework - prior checking of processing operations
- Obligation set out in the 1995 EU Data Protection Directive
  - Member States shall determine the processing operations likely to present specific risks to the rights and freedoms of data subjects and shall check that these processing operations are examined prior to the start thereof (article 19 no. 1 of the Directive)
- Relevant issues
  - More freedom for Member States to transpose this obligation
  - Checking is also prior to the beginning of the processing operation
  - Prior checking is also required before legislative initiatives with data protection impact
- Usually covers:
  - Transfers of personal data to non adequate countries
  - Processing of sensitive personal data
  - CCTV or other forms of surveillance
  - Combination of data

17 Outsourcing: DPA Registration Requirements - main differences between prior registration and prior checking

Prior registration
- Aims at understanding what will take place and including it in a public register
- Controller may usually begin the processing as soon as the form is presented
  - There are exceptions
- A lot of processing operations have been exempt from prior registration; however, usually once they include a prior checking aspect the exemption will fall

Prior checking
- Aims at checking whether the processing operation is compliant with applicable data protection and privacy laws
- Controller will have to wait for the DPA to issue its approval of the processing operation before commencing processing
- There are no exemptions from the prior checking obligation, as they cover very specifically defined situations where the rights of the individuals are considered more at stake

18 Outsourcing: DPA Registration Requirements
Current EU framework: what have Member States implemented re registrations and prior checking?
Types of obligation
- Generally exemption except in specific circumstances
  - Estonia
  - Italy
  - Germany
- Not too detailed general obligation to register and no general prior checking obligation
  - UK
  - Sweden
  - Slovenia
- Very detailed obligations re registration and prior checking
  - Spain
  - Portugal
  - France
  - Greece

19 Outsourcing: DPA Registration Requirements
Current EU framework: what have Member States implemented re registrations and prior checking?
- Duration of registration
  - Renewable: UK, Ireland
  - Non renewable: Portugal
- Cost of registration
  - No cost: Bulgaria, Cyprus, Czech Republic, Iceland
  - Fees payable: Austria, Belgium, Ireland, UK
- Sanctions for not complying
  - Administrative offences
  - Criminal offences

20 Outsourcing: Practical Considerations
Key issues
1. Privacy Impact Assessment
2. Security measures
3. Due diligence
4. Employee considerations
5. Customer considerations

21 Outsourcing: Practical Considerations
Privacy Impact Assessments
- What? An assessment of the impact of the proposed processing upon individuals' personal data
- Why? A pre-emptive exercise, which seeks to avoid problems arising from new processes
- When? At the earliest stage, when a new system / activity is first proposed. Not an afterthought a few weeks prior to roll out!!
- E.g.
  - Centralised HR system hosted outside the EU
  - Social media marketing providers
  - Use of third party software to provide targeted advertising
  - Cloud hosted solutions
  - Third party hosted CRM system
  - Third party fulfilment services provider

22 Outsourcing: Practical Considerations
Privacy Impact Assessments
- What personal data is being processed
- Which entities are legally responsible
- Which parties will determine purposes and means of data processing
- What are the data processing purposes
- What is the basis for data transfer to the service provider
- Is consent or notice required prior to transfer
- In which jurisdiction(s) does the data reside
- Is authorisation by the national DPA required for transfers
- What is the transfer solution (i.e. Model Clauses, Safe Harbor)

23 Outsourcing: Practical Considerations
Security Measures
- IT infrastructure components (e.g. servers) physical location
- System and security administrator location
- Client-specific security processes
- Client-specific access controls by employee
- Data Protection security policies and processes in place (against access, loss and destruction)
- Employee contracts, non-disclosure agreements and checks
- External certification covering data protection and/or security
- Data breach incident response plan (roles, responsibilities and escalation paths)
- Business continuity planning / Disaster Recovery System
- Physical security and access
- Measures against third party access to sensitive data
- Network security, firewalls and perimeter defences
- Access-restricted client work locations

24 Outsourcing: Practical Considerations
Due Diligence
Ensure provider has in place:
  - Appropriate security measures
  - Adequate policies, procedures and processes
  - Data transfer solutions
  - Appropriate contractual provisions
  - Proper understanding of legal obligations

25 Outsourcing: Practical Considerations
Employee Considerations
- Fair processing information
  - employee announcement
  - staff handbook
  - Works councils
- Subject access requests: will outsourcing provider assist?

26 Outsourcing: Practical Considerations
Customer Considerations
- Fair processing information
  - website privacy statement
  - Clear, plain English
  - Subject access requests
  - But consider offline alternatives (and disability discrimination legislation)
  - DPO to deal with issues

27 The Data Protection Regulation
Controllers, processors and producers
- Redefinitions of the obligations for the data controller, joint data controllers and the data processor.
- The data processor now has a direct liability for compliance which does not exist in the current regime.
- Introduction of "producer": creates automated data processing or filing systems for use by data controllers or processors.
- Producers must ensure compliance with principles in design, set-up and operation of automatic processing or filing systems.
- The Regulation applies to both data controllers and data processors who either have legal entities in the EU, or process personal data of EU data subjects, irrespective of the location of the controller or processor (subject to household exemption).

28 The Data Protection Regulation
Privacy Impact Assessments
- What? An assessment of the impact of the proposed processing upon individuals' personal data
- Why? A pre-emptive exercise, which seeks to avoid problems arising from new processes
- When? At the earliest stage, when a new system / activity is first proposed
- E.g.
  - Centralised HR system hosted outside the EU
  - Use of social media for marketing purposes
  - Use of cookies for targeted advertising
  - Cloud hosted solutions
  - Adoption of bring your own device policy
  - Remote working policy
  - Due diligence in company sale

29 The Data Protection Regulation
Data breaches
- There are enhanced requirements for data security, and specifically in Article 31 there is a mandatory breach notification procedure for all but small enterprises
- Data subjects need to be notified after the controller has, where feasible within (24) 72 hours of a breach, notified the DPA
- Softer position than leaked draft (mandatory 24 hours)
- No de-minimis limit for reports to DPA

30 The Data Protection Regulation
Remedies and sanctions
- Data subjects can complain to a Supervisory Authority in any Member State
- Remedies will be available against Supervisory Authorities where they fail to act in a proper or timely manner on complaints
- Data subjects may take action against controllers or processors for breach of legislation and may seek damages
- Supervisory Authorities will have power to fine controllers or processors for contravention of the Regulation
- Fines for more serious breaches can be up to EUR 1,000,000 or 2% of the annual worldwide turnover of the business, with regular updating of absolute amount of fines for a regulation that should be in force for a certain time.

31 FURTHER INFORMATION
For more information on our services, please contact:
James Castro-Edwards, Solicitor, +44 (0)
Monica Salgado, Advogada registered with the Portuguese Ordem dos Advogados, Registered European Lawyer registered with the SRA, +44(0)


More information

Definition of Public Interest Entities (PIEs) in Europe

Definition of Public Interest Entities (PIEs) in Europe Definition of Public Interest Entities (PIEs) in Europe FEE Survey October 2014 This document has been prepared by FEE to the best of its knowledge and ability to ensure that it is accurate and complete.

More information

Key issues in data protection: a pan-european view

Key issues in data protection: a pan-european view Key issues in data protection: a pan-european view 19 th March 2014 Nicola Fulford, Kemp Little LLP, UK Andreas Peschel-Mehner, SKW Schwarz, Germany Marco Bellezza, Portolano Cavallo, Italy Emmanuel Schulte,

More information

OVERVIEW. stakeholder engagement mechanisms and WP29 consultation mechanisms respectively.

OVERVIEW. stakeholder engagement mechanisms and WP29 consultation mechanisms respectively. Joint work between experts from the Article 29 Working Party and from APEC Economies, on a referential for requirements for Binding Corporate Rules submitted to national Data Protection Authorities in

More information

Inhouse Masterclass: Data Developments - Cyber Security & the Right to be Forgotten. MHC.ie

Inhouse Masterclass: Data Developments - Cyber Security & the Right to be Forgotten. MHC.ie Inhouse Masterclass: Data Developments - Cyber Security & the Right to be Forgotten MHC.ie Rewriting the Past Oisin Tobin otobin@mhc.ie Agenda 1. Background 2. Findings and impact: a) Jurisdiction b) A

More information

Cyber Security : preventing and mitigating incidents. Alexander Brown Robert Allen

Cyber Security : preventing and mitigating incidents. Alexander Brown Robert Allen Cyber Security : preventing and mitigating incidents Alexander Brown Robert Allen 07 & 08 October 2015 Cyber Security context of the threat The magnitude and tempo of [cyber security attacks], basic or

More information

Marketing under AIFMD The Final Countdown Series. Getting a Grip - the Article 42 registration process under AIFMD. Devarshi Saksena.

Marketing under AIFMD The Final Countdown Series. Getting a Grip - the Article 42 registration process under AIFMD. Devarshi Saksena. Marketing under AIFMD The Final Countdown Series Getting a Grip - the Article 42 registration process under AIFMD Devarshi Saksena Catherine Weeks Simmons & Simmons LLP Friday 06 June 2014 Introduction:

More information

This factsheet contains help and information for financial advisers who wish to advise their clients who live in Europe.

This factsheet contains help and information for financial advisers who wish to advise their clients who live in Europe. Financial Conduct Authority Factsheet No.025 Investment advisers Passporting This factsheet contains help and information for financial advisers who wish to advise their clients who live in Europe. Introduction

More information

Data protection policy

Data protection policy Data protection policy Introduction 1 This document is the data protection policy for the Nursing and Midwifery Council (NMC). 2 The Data Protection Act 1998 (DPA) governs the processing of personal data

More information

Visa Information 2012

Visa Information 2012 Visa Information This document is intended to provide you with information on obtaining the correct visa to enter Australia to attend the Global Eco Asia-Pacific Tourism Conference however it is a guideline

More information

Operational Companies VAT Indirect Taxes. Why Luxembourg: VAT advantages for commercial companies*

Operational Companies VAT Indirect Taxes. Why Luxembourg: VAT advantages for commercial companies* Operational Companies VAT Indirect Taxes Why : VAT advantages for commercial companies* Why : VAT advantages for commercial companies as an international decision-making, financing or distribution hub:

More information

A guide for in-house lawyers

A guide for in-house lawyers A guide for in-house lawyers June 2015 The Proposed EU General Data Protection Regulation Index Introduction to the Regulation - 3 Progress of the Regulation - 4 Using this Guide - 5 Conceptual Overview

More information

Office 365 Data Processing Agreement with Model Clauses

Office 365 Data Processing Agreement with Model Clauses Enrollment for Education Solutions Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Enrollment for Education Solutions number Microsoft to complete 7392924 GOLDS03081

More information

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Sopra HR Software as a Data Processor Sopra HR Software, 2014 / Ref. : 20141120-101114-m 1/32 1.

More information

Data Processing Agreement for Oracle Cloud Services

Data Processing Agreement for Oracle Cloud Services Data Processing Agreement for Oracle Cloud Services Version December 1, 2013 1. Scope and order of precedence This is an agreement concerning the Processing of Personal Data as part of Oracle s Cloud Services

More information

Firm Registration Form

Firm Registration Form Firm Registration Form Firm Registration Form This registration form should be completed by firms who are authorised and regulated by the Financial Conduct Authority. All sections of this form are mandatory.

More information

International Compliance

International Compliance YOUR FREE COPY - NEW - Additional countries outside European Union LEGAL WHITE PAPER International Compliance Legal requirements international einvoicing European Union & Selected Countries Worldwide International

More information

EU Competition Law. Article 101 and Article 102. January 2010. Contents

EU Competition Law. Article 101 and Article 102. January 2010. Contents EU Competition Law January 2010 Contents Article 101 The requirements of Article 101(1) Exemptions under Article 101(3) Article 102 Dominant position Abuse of a dominant position Procedural issues Competition

More information

Security breach! A closer look from a data protection law perspective November 2014 Gabriel Voisin (Associate)

Security breach! A closer look from a data protection law perspective November 2014 Gabriel Voisin (Associate) Security breach! A closer look from a data protection law perspective November 2014 Gabriel Voisin (Associate) Why is this a challenge? When personal data is compromised, mandatory or recommended notification

More information

Corporate Policy. Data Protection for Data of Customers & Partners.

Corporate Policy. Data Protection for Data of Customers & Partners. Corporate Policy. Data Protection for Data of Customers & Partners. 02 Preamble Ladies and gentlemen, Dear employees, The electronic processing of virtually all sales procedures, globalization and growing

More information

4. We understand this to mean that each provider state will need to ensure indemnity arrangements are in place to cover healthcare provided in that

4. We understand this to mean that each provider state will need to ensure indemnity arrangements are in place to cover healthcare provided in that Medical Defence Union response to consultation on European Commission s proposals for Directive on the application of patients rights in cross-border healthcare Introduction 1. The Medical Defence Union

More information

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS As a world leader in electronic commerce and payment services, First Data Corporation and its subsidiaries ( First Data entity or entities ),

More information

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved.

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved. Align Technology Data Protection Binding Corporate Rules Controller Policy Contents INTRODUCTION 3 PART I: BACKGROUND AND ACTIONS 4 PART II: CONTROLLER OBLIGATIONS 6 PART III: APPENDICES 13 2 P a g e INTRODUCTION

More information

ECSA EuroCloud Star Audit Data Privacy Audit Guide

ECSA EuroCloud Star Audit Data Privacy Audit Guide ECSA EuroCloud Star Audit Data Privacy Audit Guide Page 1 of 15 Table of contents Introduction... 3 ECSA Data Privacy Rules... 4 Governing Law... 6 Sub processing... 6 A. TOMs: Cloud Service... 7 TOMs:

More information

New environmental liabilities for EU companies

New environmental liabilities for EU companies New environmental liabilities for EU companies The ELD applies to all businesses that operate within the EU, even if the parent company is located outside of the EU. The ELD applies to all businesses,

More information

EFPIA HCP/HCO DISCLOSURE CODE

EFPIA HCP/HCO DISCLOSURE CODE EFPIA HCP/HCO DISCLOSURE CODE EFPIA CODE ON DISCLOSURE OF TRANSFERS OF VALUE FROM PHARMACEUTICAL COMPANIES TO HEALTHCARE PROFESSIONALS AND HEALTHCARE ORGANISATIONS Adopted by the EFPIA Statutory General

More information

This Amendment consists of two parts. This is part 1 of 2 and must be accompanied by and signed with part 2 of 2 (Annex 1) to be valid.

This Amendment consists of two parts. This is part 1 of 2 and must be accompanied by and signed with part 2 of 2 (Annex 1) to be valid. Microsoft Online Subscription Agreement Amendment adding Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Proposal ID MOSA number Microsoft to complete This Amendment

More information

EU Data Protection and Information Security for Banking & Financial Service sectors 4 th December 2014

EU Data Protection and Information Security for Banking & Financial Service sectors 4 th December 2014 EU Data Protection and Information Security for Banking & Financial Service sectors 4 th December 2014 Janine Regan, Associate George Willis, Associate charlesrussellspeechlys.com Janine Regan Associate

More information

Privacy vs Data Protection. PRESENTATION TITLE GOES HERE Eric A. Hibbard, CISSP, CISA Hitachi Data Systems

Privacy vs Data Protection. PRESENTATION TITLE GOES HERE Eric A. Hibbard, CISSP, CISA Hitachi Data Systems Privacy vs Data Protection PRESENTATION TITLE GOES HERE Eric A. Hibbard, CISSP, CISA Hitachi Data Systems Introduction The terms privacy and data protection are often used interchangeable In reality they

More information

on the transfer of personal data from the European Union

on the transfer of personal data from the European Union on the transfer of personal data from the European Union BCRsseptembre 2008.doc 1 TABLE OF CONTENTS I. PRELIMINARY REMARKS 3 II. DEFINITIONS 3 III. DELEGATED DATA PROTECTION MANAGER 4 IV. MICHELIN GROUP

More information

Towards a Single Market for Occupational Pensions Without Tax Obstacles

Towards a Single Market for Occupational Pensions Without Tax Obstacles Towards a Single Market for Occupational Pensions Without Tax Obstacles May 25 9:00 AM 9:45 AM Peter Schonewille, European Commission, DG TAXUD/E/3 Competence Centre for Pension Research, University of

More information

EU Data Protection Reforms Challenges for Business

EU Data Protection Reforms Challenges for Business www.pwc.com Contents EU Data Protection Reforms Challenges for Business July 2014 1. Introduction 2. The need for change 3. Changes and challenges 4. Recommendations 5. Conclusion 6. For a deeper conversation

More information

Data Processing Agreement for Oracle Cloud Services

Data Processing Agreement for Oracle Cloud Services Data Processing Agreement for Oracle Cloud Services Version November 3, 2015 1. Scope and order of precedence This agreement (the Data Processing Agreement ) applies to Oracle s Processing of Personal

More information

Binding Corporate Rules ( BCR ) Summary of Third Party Rights

Binding Corporate Rules ( BCR ) Summary of Third Party Rights Binding Corporate Rules ( BCR ) Summary of Third Party Rights This document contains in its Sections 3 9 all provision of the Binding Corporate Rules (BCR) for Siemens Group Companies and Other Adopting

More information

EU Regulatory Trends in Data Protection & Cybersecurity What should be on the industry s agenda?

EU Regulatory Trends in Data Protection & Cybersecurity What should be on the industry s agenda? EU Regulatory Trends in Data Protection & Cybersecurity What should be on the industry s agenda? Dr. Jörg Hladjk Counsel European Data Protection & Privacy Practice Hunton & Williams, Brussels Cyber Security

More information

Launching a Whistleblower Hotline Across Europe

Launching a Whistleblower Hotline Across Europe WhitePaper Launching a Whistleblower Hotline Across Europe 10/15/12 Table of Contents Abstract. 2 Issues Faced by Multinationals When Launching a European Hotline..2 Three-Step Process for Developing a

More information

Align Technology. Data Protection Binding Corporate Rules Processor Policy. 2014 Align Technology, Inc. All rights reserved.

Align Technology. Data Protection Binding Corporate Rules Processor Policy. 2014 Align Technology, Inc. All rights reserved. Align Technology Data Protection Binding Corporate Rules Processor Policy Confidential Contents INTRODUCTION TO THIS POLICY 3 PART I: BACKGROUND AND ACTIONS 4 PART II: PROCESSOR OBLIGATIONS 6 PART III:

More information

Visa options for Sporting Events

Visa options for Sporting Events Visa options for Sporting Events Visa information While this fact sheet provides an outline of the most common visa options for those travelling to Australia to participate in a sporting event, please

More information

The Perks of Doing Business in Malta

The Perks of Doing Business in Malta The Perks of Doing Business in Malta Legal and Tax Opportunities Dr Charles Cassar CCLex.com Malta London 1 2012 2013 - CCLex.com Overview About the Firm Business Environment Legal basics Tax Considerations

More information

Policy and Procedure for approving, monitoring and reviewing personal data processing agreements

Policy and Procedure for approving, monitoring and reviewing personal data processing agreements Policy and Procedure for approving, monitoring and reviewing personal data processing agreements 1 Personal data processing by external suppliers, contractors, agents and partners Policy and Procedure

More information

Reporting practices for domestic and total debt securities

Reporting practices for domestic and total debt securities Last updated: 4 September 2015 Reporting practices for domestic and total debt securities While the BIS debt securities statistics are in principle harmonised with the recommendations in the Handbook on

More information

Market Barriers A European Online Gambling Study 2012

Market Barriers A European Online Gambling Study 2012 Market Barriers A European Online Gambling Study 2012 An impartial and comprehensive evaluation of the current legal, regulatory and market landscape for online gambling in Europe Contents Contents Market

More information

Data Protection Standard

Data Protection Standard Data Protection Standard Processing and Transfer of Personal Data in Aker Solutions (Binding Corporate Rules) Aker Solutions www.akersolutions.com Table of contents 1 Introduction... 3 1.1 Scope... 3 1.2

More information

AlixPartners, LLP. General Data Protection Statement

AlixPartners, LLP. General Data Protection Statement AlixPartners, LLP General Data Protection Statement GENERAL DATA PROTECTION STATEMENT 1. INTRODUCTION 1.1 AlixPartners, LLP ( AlixPartners ) is committed to fulfilling its obligations under the data protection

More information

GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT. CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4

GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT. CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4 GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4 PREFACE The following provides general guidance on data protection

More information

Clause 1. Definitions and Interpretation

Clause 1. Definitions and Interpretation [Standard data protection [agreement/clauses] for the transfer of Personal Data from the University of Edinburgh (as Data Controller) to a Data Processor within the European Economic Area ] In this Agreement:-

More information

Crossing Borders New Guidance on the Transfer of Personal Data outside Hong Kong

Crossing Borders New Guidance on the Transfer of Personal Data outside Hong Kong Legal Update Privacy & Security Hong Kong 20 January 2015 Crossing Borders New Guidance on the Transfer of Personal Data outside Hong Kong Section 33 of the Hong Kong Personal Data (Privacy) Ordinance

More information

On the edge Lexis PSL Restructuring & Insolvency

On the edge Lexis PSL Restructuring & Insolvency On the edge Lexis PSL Restructuring & Insolvency Data protection law for insolvency practitioners November 2014 Welcome to your third edition of On the edge, a series of guides highlighting a selection

More information

GUIDE ON DATA PROTECTION REQUIREMENTS IN THE CONTEXT OF CLOUD COMPUTING SERVICES

GUIDE ON DATA PROTECTION REQUIREMENTS IN THE CONTEXT OF CLOUD COMPUTING SERVICES GUIDE ON DATA PROTECTION REQUIREMENTS IN THE CONTEXT OF CLOUD COMPUTING SERVICES CONTENT 1. WHY A CLOUD COMPUTING GUIDE?... 2 2. WHAT IS CLOUD COMPUTING?... 4 3. WHAT ARE THE ROLES OF THE CLOUD SERVICES

More information

Central Securities Depository Regulation

Central Securities Depository Regulation Central Securities Depository Regulation Alignment of T+2 Settlement Period Central Securities Depository Regulation Alignment of T+2 Settlement Period The European Commission has proposed new legislation

More information

BHF Southern African Conference

BHF Southern African Conference BHF Southern African Conference Navigating the complexities of the new legislative framework Peter Hill, Director: IT Governance Network TOPICS TO BE COVERED The practical implementation of the PPI Act

More information

The prospects for data breach laws in 22 European countries

The prospects for data breach laws in 22 European countries The prospects for data breach laws in 22 European countries Stewart Dresner, Chief Executive Privacy Laws & Business Wednesday, 4 November 2009 16 30-17 45: PARALLEL SESSION A: Ooopsss!!!!! Where did I

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY Reference number Approved by Information Management and Technology Board Date approved 14 th May 2012 Version 1.1 Last revised N/A Review date May 2015 Category Information Assurance Owner Data Protection

More information

Data controllers and data processors: what the difference is and what the governance implications are

Data controllers and data processors: what the difference is and what the governance implications are ICO lo : what the difference is and what the governance implications are Data Protection Act Contents Introduction... 3 Overview... 3 Section 1 - What is the difference between a data controller and a

More information

Johnson Controls Privacy Notice

Johnson Controls Privacy Notice Johnson Controls Privacy Notice Johnson Controls, Inc. and its affiliated companies (collectively Johnson Controls, we, us or our) care about your privacy and are committed to protecting your personal

More information

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1 Protection of Personal Data RPC001147_EN_WB_L_1 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Responsibility of Employees

More information

Human Resources Policy documents. Data Protection Policy

Human Resources Policy documents. Data Protection Policy Policy documents Aims of the Policy apetito is committed to meeting its obligations under data protection law. As a business, apetito handles a range of Personal Data relating to its customers, staff and

More information

Privacy & Data Security: The Future of the US-EU Safe Harbor

Privacy & Data Security: The Future of the US-EU Safe Harbor Privacy & Data Security: The Future of the US-EU Safe Harbor NAOMI MCBRIDE, LISA J. SOTTO AND BRIDGET TREACY, HUNTON & WILLIAMS LLP, WITH PRACTICAL LAW US INTELLECTUAL PROPERTY & TECHNOLOGY AND UK IP&IT

More information

41 T Korea, Rep. 52.3. 42 T Netherlands 51.4. 43 T Japan 51.1. 44 E Bulgaria 51.1. 45 T Argentina 50.8. 46 T Czech Republic 50.4. 47 T Greece 50.

41 T Korea, Rep. 52.3. 42 T Netherlands 51.4. 43 T Japan 51.1. 44 E Bulgaria 51.1. 45 T Argentina 50.8. 46 T Czech Republic 50.4. 47 T Greece 50. Overall Results Climate Change Performance Index 2012 Table 1 Rank Country Score** Partial Score Tendency Trend Level Policy 1* Rank Country Score** Partial Score Tendency Trend Level Policy 21 - Egypt***

More information