Response to the European Commission s consultation on the legal framework for the fundamental right to protection of personal data

Advertisement


Advertisement
Similar documents
Consultation on the future of European Insolvency Law

Planned Healthcare in Europe for Lothian residents

EXECUTIVE SUMMARY. Measuring money laundering at continental level: The first steps towards a European ambition. January 2011 EUROPEAN COMMISSION

REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL

2 ND CALL FOR PROPOSALS 27 October January 2009

CABINET OFFICE THE CIVIL SERVICE NATIONALITY RULES

SURVEY ON THE TRAINING OF GENERAL CARE NURSES IN THE EUROPEAN UNION. The current minimum training requirements for general care nurses

1. Perception of the Bancruptcy System Perception of In-court Reorganisation... 4

Anna Sapota* Jagielonian University in Kraków, Poland

Common Minimum Standard

This factsheet contains help and information for financial advisers who wish to advise their clients who live in Europe.

The Act imposes foreign exchange restrictions, i.e. performance of certain actions requires a relevant foreign exchange permit.

The coordination of healthcare in Europe

EUF STATISTICS. 31 December 2013

- Assessment of the application by Member States of European Union VAT provisions with particular relevance to the Mini One Stop Shop (MOSS) -

OUTSOURCING, HOSTING AND DATA PRIVACY ISSUES

CENTRAL BANK OF CYPRUS

TPI: Traffic Psychology International on a common European curriculum for postgraduate education in traffic psychology

Students: undergraduate and graduate students who are currently enrolled in universities

International Hints and Tips

RETAILERS ATTITUDES TOWARDS CROSS- BORDER TRADE AND CONSUMER PROTECTION

EU Data Protection Directive and U.S. Safe Harbor Framework: An Employer Update. By Stephen H. LaCount, Esq.

Equity Release Schemes in the European Union

International Factors Group Model Law of Factoring

ERASMUS FOR YOUNG ENTREPRENEURS : A NEW EXCHANGE PROGRAMME

Achieving Global Cyber Security Through Collaboration

Size and Development of the Shadow Economy of 31 European and 5 other OECD Countries from 2003 to 2015: Different Developments

Data Centre Pricing in Europe 2013 to 2018

UNCITRAL legislative standards on electronic communications and electronic signatures: an introduction

Towards a Single Market for Occupational Pensions Without Tax Obstacles

AGENDA ITEM IV: EU CITIZEN'S RIGHTS

Introduction. Fields marked with * are mandatory.

Finance information for postgraduate students

FEDERATION EUROPEENNE DE LA MANUTENTION Product Group. industrial trucks. A brief guide for identification of noncompliant. - Exhaust Emission -

ERASMUS+ MASTER LOANS

Panel: How broadband policy can contribute to deploy secured and universal broadband access. Presentation:

CASH BENEFITS IN RESPECT OF SICKNESS AND MATERNITY SUBJECT TO EU COORDINATION

BEST PRACTICES/ TRENDS/ TO-DOS

Cash machine withdrawal in the EU (+Norway and Iceland)

Central Securities Depository Regulation

Need to send money abroad securely?

INNOBAROMETER THE INNOVATION TRENDS AT EU ENTERPRISES

COMMUNICATION FROM THE COMMISSION

THE ROLE OF PUBLIC SUPPORT IN THE COMMERCIALISATION OF INNOVATIONS

Operational Companies VAT Indirect Taxes. Why Luxembourg: VAT advantages for commercial companies*

Family benefits Information about health insurance country. Udbetaling Danmark Kongens Vænge Hillerød. A. Personal data

New environmental liabilities for EU companies

Market analysis on Factoring in EU 25+2

TOMTOM BONUS INTERNATIONAL MAP INDONESIA PROMOTION HOW TO CLAIM

Single Euro Payments Area

ARE THE POINTS OF SINGLE CONTACT TRULY MAKING THINGS EASIER FOR EUROPEAN COMPANIES?

SEPA. Changes in the Payment System Implementation of the European SEPA Regulations for Kuna and Euro Payments

This Webcast Will Begin Shortly

Window Film Legislation in Europe

Cooperation in Securing National Critical Infrastructure

International Compliance

LANDWELL. Solicitors. Life Sciences Unit

Effects of using International Financial Reporting Standards (IFRS) in the EU: public consultation

ERASMUS+ MASTER LOANS

Statewatch Briefing ID Cards in the EU: Current state of play

Mondelēz International entity which issued the PO matches Mondelēz International entity to which you issue your invoice

10TH EDITION MERGER CONTROL VADEMECUM FILING THRESHOLDS AND CLEARANCE CONDITIONS IN THE 29 EUROPEAN JURISDICTIONS

Answers to the Green Paper Towards an integrated European market for card, internet and mobile payments

Ownership transfer Critical Tax Issues. Johan Fall, Anders Ydstedt March, 2010

Supporting CSIRTs in the EU Marco Thorbruegge Head of Unit Operational Security European Union Agency for Network and Information Security

Summary of Data Protection Requirements When transferring Data Outside the UK End Users

ERASMUS+ MASTER LOANS

ORGANISATION FOR ECONOMIC CO-OPERATION AND DEVELOPMENT

CIVIL SERVICE NATIONALITY RULES GUIDANCE ON CHECKING ELIGIBILITY

e-sens Electronic Simple European Networked Services Rome,

PREPARATORY ACTION IN THE FIELD OF SPORT. Administrative and Financial Management Handbook

4. We understand this to mean that each provider state will need to ensure indemnity arrangements are in place to cover healthcare provided in that

EVALUATION GUIDE CALL FOR PROPOSALS 22/11 SUPPORT FOR THE DEVELOPMENT OF ON AND OFF-LINE INTERACTIVE WORKS

The European Union Savings Tax Directive. An historic guide

User tracking: Scope and Implementation eprivacy Directive Article 5(3)

Introduction & background. 1 - About you. Case Id: b823b29e bc79-92aaa8fb9093. Consultation document

The innovation value chain:

Data Protection Policy Information for Clients

Parking card for people with disabilities in the European Union:

ÖNORM EN The European Standard EN has the status of an Austrian Standard. Edition: Standards group B

Hungarian comments on the Green Paper on Mortgage Credit in the EU, COM(2005) 327 final

Europe. NEW OPPORTUNITIES FOR DIVIDEND WITHHOLDING TAX REFUNDS EU / EEA Tax Exempt Entities Handbook

DRAFT AMENDING BUDGET N 6 TO THE GENERAL BUDGET 2014 GENERAL STATEMENT OF REVENUE

MALTA TRADING COMPANIES IN MALTA

The Future European Constitution

Date: 1 May Call for Expressions of Interest. Dear Colleagues,

PROJECT: EURO-AUDITS THE EUROPEAN ROAD SAFETY AUDITOR TRAINING SYLLABUS APPENDIX E SURVEY RESULTS. October 2007

Multi-Jurisdictional Study: Cloud Computing Legal Requirements. Julien Debussche Associate January 2015

The European Entrepreneur Exchange Programme

Contract Work in Switzerland. A Brief Guide

Computing our Future Computer programming and coding in schools in Europe. Anja Balanskat, Senior Manager European Schoolnet

PORTABILITY OF SOCIAL SECURITY AND HEALTH CARE BENEFITS IN ITALY

PLANT PROTECTION AND BIOCIDAL PRODUCT AUTHORISATION IN EUROPE

Definition of Public Interest Entities (PIEs) in Europe

IMPEL. European Union network for the Implementation and Enforcement of Environmental Law

Credit transfer to Customer account with AS "Meridian Trade Bank" EUR, USD free of charge * Other countries currency information in the Bank

TOWARDS PUBLIC PROCUREMENT KEY PERFORMANCE INDICATORS. Paulo Magina Public Sector Integrity Division

ESC-ERC Recommendations for the Use of. Automated External Defibrillators (AEDs) in Europe

EU Intellectual Property Law and Ownership in Employment Relationships

International ACH: Payment Gateway to Europe

Advertisement
Transcription:

Stockholm: Göteborg: Malmö: 105 24 Stockholm Box 57 Box 4221 Fax 08 640 94 02 401 20 Göteborg 203 13 Malmö Plusgiro: 12 41-9 Org. Nr: 556134-1248 www.intrum.se Bankgiro: 730-4124 info@se.intrum.com Response to the European Commission s consultation on the legal framework for the fundamental right to protection of personal data 1. Introduction 1.1 Information on the Intrum Justitia Group The Intrum Justitia Group (hereinafter Intrum Justitia ), with head office in Sweden, is Europe s leading provider of credit management services (CMS) to businesses and government authorities. Intrum Justitia has more than 90,000 clients and around 3,300 employees in 23 markets within Europe. Intrum Justitia helps its clients to improve sales, profitability and cash flow and the company s mission is to be a catalyst for a sound economy. Intrum Justitia facilitates business and helps creating sound economies by making trade smooth, safe and fair. For further information on Intrum Justitia, please refer to www.intrum.com. Earlier this decade it became obvious that both Intrum Justitia and its clients would benefit from the coordination of the Intrum Justitia group s operations and an expanded offering. In 2007 Intrum Justitia took a formal decision to begin the strategic transformation from a group with local debt collection operations to a European CMS company. The goal is a harmonious company with a uniform organization and a shared vision: to be the leading CMS company in Europe. As part of this transformation Intrum Justitia carried out a project involving the establishment of a shared data centre in the Netherlands, which included transfers of personal data from Intrum Justitia companies in more than 20 member states to the shared data centre, as further described in Sections 1.2 and 1.3. Intrum Justitia s ambition is to enable better and more professional technological solutions for the handling of personal data to ensure an increased level of security for both Intrum Justitia s clients and the data subjects. Intrum Justitia is convinced that the project has contributed a value to the society in this respect. Moreover, the storing of personal data at a high-security data centre prevents and precludes unauthorized access to the relevant files by any third party. LEGAL#4853616v12 In its day-to-day operations Intrum Justitia faces difficulties due to national data protection laws. Through the project mentioned above, Intrum Justitia has gained insight into deviations in data protection laws in the various member states. Intrum Justitia has experienced the limitations and obstacles that the current EU data protection regime causes to a business operating on a multinational scale. Therefore, by submitting this memorandum, Intrum Justitia wishes to contribute with its view on the questions asked by the European Commission.

1.2 The establishment of a shared data centre One important action for Intrum Justitia in becoming the leading European CMS company has been to establish a shared data centre to create a more cost-effective and secure IT-infrastructure. Intrum Justitia decided to move the existing local data servers from its subsidiaries in 23 European countries into two data centres in the Netherlands. For this purpose a separate legal entity, Intrum Justitia Data Centre B.V. (the Data Centre ), was established in Amsterdam, the Netherlands, in the end of 2007. The aim of the Data Centre is to provide high quality IT-services to the local Intrum Justitia entities according to their requirements and based on current technology at market comparable cost. The benefits of the Data Centre are e.g. increased service to Intrum Justitia s clients, scalable environment for growth and new services, operational security, reduction of business risk since all core systems and critical data are redundant, improved local IT support to the business and higher quality of service. 1.3 Preparation for the transfers The services performed by the Data Centre involve mainly the hosting of Intrum Justitia s IT-systems, including personal data stored and processed in such systems. Intrum Justitia carried out a thorough and comprehensive legal analysis (the Project ) in order to ensure that the personal data on the servers located in each local country were transferred to the Data Centre in full compliance with applicable local data protection laws. The countries involved in the Project are set out in Annex 1. As part of the Project, data protection aspects of the transfers were investigated in each country involved. A Processor Frame Agreement was entered into between the Dutch Intrum Justitia company (being the Dutch data controller) and the Data Centre (being the data processor on behalf of all Intrum Justitia entities). Each transferring Intrum Justitia entity signed a Participation Agreement to join the Processor Frame Agreement. In each jurisdiction involved, local external law firms with data protection expertise were engaged to provide responses to a questionnaire dealing with relevant aspects of local applicable data protection laws and to review and propose mandatory amendments to the Participation Agreements if and where necessary. In addition, the local counsels reported all mandatory actions required for a lawful transfer, as well as any recommended actions. The Dutch law firm Van Doorne and the Swedish law firm Mannheimer Swartling were engaged to structure and coordinate the legal work involved. 1.4 Cost for the Project The Project was initiated in November 2007 and is expected to be completed in 2010. Intrum Justitia has incurred costs amounting to approximately EUR 400,000 1 for the legal services provided in the Project. 1 This amount has been taken as a onetime cost and has already been accounted for in the books of Intrum Justitia. 2

2. Deviations in data protection legislation within the EU 2.1 Significant variations in local data protection laws During the Project it has become clear to Intrum Justitia that the data protection laws of the various member states implementing the Data Protection Directive 2 vary to a significant extent. In Section 2.2-2.7 below we will account for some of the divergences encountered during the Project. 2.2 The definition of personal data The data protections laws in most countries involved in the Project apply to natural persons only. However, in a couple of countries (e.g. Estonia, Austria and Italy) Intrum Justitia learnt that the scope of the data subjects are extended to legal persons. Although Switzerland is not a member of the EU, it could be noted that also the Swiss data protection laws cover legal persons. In these countries the scope of the transferred data was naturally more extensive than in the other countries. Further, in Switzerland this lead to an obligation to notify the transfer to the local data protection authority (see clause 2.4 below). 2.3 The definition of data controller and data processor In most countries local counsels considered the local Intrum Justitia entities to be the controller of the personal data processed in relation to Intrum Justitia s clients. In these countries, the definition of controller was rather similar, such as the person who determines the purposes and manner, or the purposes, content and use of the processing. However, in some countries local counsels came to the conclusion that Intrum Justitia was not a data controller but a data processor of its clients personal data and that the clients remained the controllers. In Estonia Intrum Justitia was advised that the controller is defined as a natural or legal person who processes personal data or at whose request personal data is processed. In Italy Intrum Justitia was informed that the controller is the party in possession of the personal data. Transfers from local Intrum Justitia entities which were considered data processors had to be treated in a different manner than the transfers from entities where the Intrum Justitia entities were considered to be controllers. For example, where the Intrum Justitia entities were considered data processors it became necessary to obtain consents from all Intrum Justitia s clients before the transfers to the Netherlands could take place. Needless to say, obtaining the consents proved to be a time consuming and complicated process. We understand that the Article 29 Working Party is carrying out work in relation to the definitions of data controller and data processor. For companies like Intrum Justitia, which are acting cross-border, it is of vital importance that the definitions of data 2 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. 3

controller and data processor are harmonised in all member states and Intrum Justitia supports any attempts to find harmonized definitions. 2.4 Notification with local data protection authorities During the Project the notification duty became the issue which differed the most between the countries involved and, consequently, caused the most work. In the majority of the countries, the transfer of personal data from a controller in one member state to a processor in another member state does not trigger a notification duty with the national data protection authority, since the countries have implemented several exceptions from the main duty to notify. However, the exceptions differ significantly in scope and detail. For example, Spanish law does not stipulate any exceptions from the notification duty and Portugal has only made an exception for filing systems which contain publicly accessible information. It should also be noted that among the countries involved in the project, only a few member states (e.g. Sweden, the Netherlands and Germany), have implemented an exception from notification when the relevant company has appointed a data protection officer (and notified the Data Protection Authority of such appointment). In some countries (e.g. Portugal, France and Spain) the transfers as such had to be notified to the Data Protection Authority. In Switzerland, the transfer of personal data relating to legal persons lead to a notification duty in relation to the entire transfer. In some countries (e.g. Latvia, Lithuania, Hungary and Ireland) the transfers as such did not require notification but the new processor (the Data Centre) had to be notified to the Data Protection Authority. Obviously, the discrepancies in notification duties cause significant work for companies operating in multiple member states. 2.5 Information duty The requirements regarding the duty to inform the data subjects varied in the involved countries. The reason seem to be the result of different implementation of the relevant provisions of the data protection directive, but also differences in the practices of the local data protection authorities. Examples of differences are (i) the scope of the information to be provided, (ii) the form in which it shall be provided, and (iii) the time when it should be provided. In most countries, the transfer did not require Intrum Justitia to inform the data subjects (although this was often recommended). However, for example, Hungarian and Slovakian laws stipulate that, although the transfer as such does not trigger an information duty, the data subjects must be informed of the appointment or change of the data processor, even though the data controller remains the same. Under Hungarian law, such information should be given prior to the transfer and could be provided by advertising in a newspaper or by posting a notification on Intrum Justitia s website. Slovakian laws do not specify any formal requirement as to how such information 4

should be provided, but stipulate that the data subjects must be informed at first opportunity after the appointment or change of the data processor, however, no later than three months after such change. The differences in the content, form and timing of the information duty constitutes yet another obstacle for companies working cross-border, given that such companies must comply with the deviating local data protection laws of all countries where the companies operate. 2.6 Security measures All countries involved in the Project had implemented the provisions of the data protection directive stipulating that the controller must take appropriate technical and organizational measures to protect the personal data which is being processed and that a data processor must take the same measures. In most member states the laws do not specify such technical and organizational measures. Hence, the laws appear to be technology neutral. However, in a few countries (e.g. Spain, Italy and Poland) Intrum Justitia has been advised that the laws contain detailed regulations listing all measures to be taken. The regulations in Spain, Italy and Poland caused Intrum Justitia to study the specific provisions of the laws in such countries in order to make sure that the security implemented at the Data Center fulfilled the requirements set out in the various local laws. In relation to the requirements under Polish law, Intrum Justitia had to draft a specific action plan in cases of security incidents. The various security requirements constitute yet another example where the member states lack harmonized rules and where this causes additional work and cost for companies operating cross-border. 2.7 Surveillance of employees During the Project, the question of whether the Data Centre would monitor employees of the local companies was raised by various local countries. Since the Data Centre will not perform any such monitoring, the issue of deviations in the involved countries data protection laws in this respect was not investigated further. Even though this issue was never investigated during the Project, Intrum Justitia has become aware of that some European countries have legislation limiting the right to process e.g. employees e-mails and use of the employers IT. In line with all other data protection aspects, these legislations should be harmonized within the member states. 5

3. National data protection issues related to credit reports and access to state registers 3.1 General On a separate note, and not in direct relation to the Data Protection Directive, Intrum Justitia would also like to highlight the national propensity to guard the rights of data subjects to such a degree that it causes an unhealthy economic climate that is not supportive of sound and good business relationships and restricts the reclaim of debt. While we wish to stress that Intrum Justitia respects the rightful protection of personal data and the rights of data subjects, there are nevertheless two issues Intrum Justitia wishes to address. 3.2 Credit reports There are several instances where national legislation restricts the freedom of commercial companies to i.e. issue credit reports and credit decisions to potential creditors, both within an individual member state and cross border within the EU. Such restrictions limit the possibility to verify creditworthiness and as a consequence, creditors may refrain from establishing a new business relationship based on a lack of solid credit information about a potential trading partner. Alternatively, creditors who go forward with a new business relationship regardless of the fact that a credit report could not be issued, run the risk of later realising that the business should not have been initiated due to e.g. late or outstanding payments. Evidently, the restrictions for the issuing of credit reports severely limit the pursuit of a healthy business environment and may lead to missed business opportunities for creditors. 3.3 Access to state registers Another aspect of the detrimental effect national data protection laws have in the member states are the restrictions imposed on commercial companies to consult state registers to verify addresses and other contact information in the pursuit of tracing debtors in debt recovery cases. Accessing state registers are usually reserved for bailiffs only. In other cases, information can be obtained through national registers by requesting, by mail, information on individual cases and in addition paying a fee for each request (for example in Slovakia). The difficulties in verifying debtors addresses make it significantly more difficult for creditors to reclaim late or missed payments. In addition, it does not help in ensuring that commercial companies, such as Intrum Justitia, can assist in and facilitate the recovery of debt. Intrum Justitia s goal is to be a catalyst for a sound economy, but this goal is difficult to reach as long as these obstacles exist. 6

4. Conclusions Intrum Justitia has learnt from the Project that there are major barriers to overcome in order for national data protection laws to enable new technology solutions and facilitate for companies operating cross-border on the European market. It came as quite a surprise to Intrum Justitia that the transfers included in the Project, which were limited to transfers of personal data within Europe, and even within the same group of companies, could require so much work at such high cost. It is clear that only large companies with solid finances can cover the costs involved in a compliance project like the Project and, consequently, that smaller multinational companies face great difficulties in covering the costs that are associated with complying with national data protection laws based on the Data Protection Directive. To Intrum Justitia it is obvious that the current legal framework does not meet the challenges of companies aiming at operating on a single European market and that further harmonization is a necessity. The issues relating to credit reports and access to state registers are not directly related to EU laws and the Data Protection Directive. However, Intrum Justitia still believes that these issues should be highlighted since they create legal barriers for the smooth operation of businesses in the internal market, both when acting in an individual member state and across border within the EU. Finally, Intrum Justitia would like to take the opportunity to support the view of the Expert Group on Credit Histories as stated in its report dated May 2009: The various national approaches to data protection are also reflected in differences in the authorised purposes and the authorised actors for exchanging credit data, which can be an issue when sharing credit data cross border. Therefore, it is strongly recommended that the Commission organise discussions with data protection authorities in order to elaborate a common set of practices and a common interpretation of the Data Protection Directive across the EU, with regards to the processing of credit data both nationally and crossborder. December 2009 On behalf of the Intrum Justitia Group, Lars Wollung CEO and President Pia Skaerbak Head of Public Affairs at Intrum Justitia 7

ANNEX 1 COUNTRIES INVOLVED IN THE PROJECT Austria Belgium Czech Republic Denmark England Estonia Finland France Germany Hungary Ireland Italy Latvia Lithuania Norway The Netherlands Poland Portugal Scotland Slovakia Spain Sweden Switzerland 8