1 Corporate Guidelines for Subsidiaries (in Third Countries ) *) for the Protection of Personal Data *) For the purposes of these Corporate Guidelines, Third Countries are all those countries, which do not provide an adequate level of data privacy protection within the meaning of Article 25 of EU Directive 95/46/EC of October 24, 1995 (Official Journal No. L281/31). Countries which ensure an adequate level of data privacy protection include the member states of the European Union (EU), the other states that are party to the European Economic Area (EEA) Agreement and those states recognized by the Commission of the European Union as providing an adequate level of data protection;
2 - 2 - Table of Contents Page 1. Objective and scope of application Binding character of the Guidelines Relationship to statutory regulations 3 2. Definitions 4 3. Principles for Processing Personal Data Legitimacy of Data Processing Purpose Transparency Data quality Transfer of Personal Data within a Third Country or to another Third Country Special categories of Personal Data Direct marketing/market research or opinion polling Automated individual person-related decisions Data security Confidentiality of Data Processing Data Processing Contracts 8 4. Rights of the Data Subject 8 5. Procedural issues Implementation in the Siemens Subsidiary Questions and complaints 9 6. Publicity 9 7. Monitoring compliance 9
3 Objective and scope of application The objective of these binding corporate guidelines ( Guidelines ) is to safeguard Personal Data which needs to be transferred within the Siemens Group of companies worldwide in the course of business processes. For this purpose, it is essential also for Siemens Subsidiaries with their seat in Third Countries to establish harmonized data privacy protection and data security standards for the processing of Personal Data within the meaning of the EU Data Protection Directive and thus to assure that these companies also provide an adequate level of data privacy protection and sufficient guarantees within the meaning of the EU Directive regarding the protection of the right to privacy and the exercise of related rights. These Guidelines provide a framework for the Processing of Personal Data relating to Siemens employees, Customers and Suppliers, other business partners, prospective partners and other Data Subjects by Siemens Subsidiaries based in Third Countries, regardless of the origin of this Personal Data. 1.1 Binding character of the Guidelines The provisions of these Guidelines become binding on all Siemens Subsidiaries (see Section 2 Definitions ) with a seat in Third Countries as soon as such Siemens Subsidiaries commit to Siemens Aktiengesellschaft ( Siemens AG ) in a binding manner to comply with these Guidelines. The Guidelines are to be brought to the attention of employees of the affected Siemens Subsidiaries and are to be observed by all such employees. Companies other than Siemens Subsidiaries, in which Siemens AG maintains a direct or indirect holding, may voluntarily make a legally binding commitment to comply with these Guidelines. Siemens AG maintains an electronic register of all Siemens Subsidiaries based in Third Countries which have made a written commitment to comply with these Guidelines. If such a commitment ends (e.g. through withdrawal, revocation, termination, expiration, or divestiture from the Siemens Group), this should also be entered in the register; in this case the commitments arising from these Guidelines shall continue to apply to the Processing of Personal Data that is performed up to the expiry of the commitment. If a Siemens Subsidiary has not yet made a commitment to comply with these Guidelines, the permissibility of the Data Transfer to this Subsidiary is to be reviewed in each individual case and is to be assured through appropriate special measures (see Clause 3.5). 1.2 Relationship to statutory regulations Existing statutory obligations are not affected by these Guidelines. Each Siemens Subsidiary must itself review (e.g. through its data privacy protection officer or legal department) whether such statutory regulations exist (e.g. data privacy protection laws) and, where they exist, must assure their adherence and compliance. If statutory regulations, which apply in Third Countries, conflict with the obligations imposed by these Guidelines, the affected Siemens Subsidiary must inform immediately so that the conflict can be entered into the register according to Section 1.1 and must also inform the Siemens Subsidiaries in EU/EEA states (see footnote on page 1), which had already transferred Personal Data to the relevant
4 - 4 - Siemens Subsidiary, even if these statutory obligations take effect after the Personal Data has been transferred. In such cases, Siemens AG will collaborate with the affected Siemens Subsidiary to find a practical solution within the meaning of the EU Data Protection Directive and will document such a solution in the register (see 1.1, Section 2). The fundamental implementation of these Guidelines is the responsibility of the executive management of the individual Siemens Subsidiary in the Third Country; in individual cases, the performance of the Guidelines is with the unit in the Siemens Subsidiary whose professional task it is to process Personal Data. 2. Definitions The terms used in these Guidelines are defined as follows: Agent: natural or legal person who processes Personal Data on behalf of a Responsible Principal. Consent: an indication of volition obtained without coercion and with an awareness of the facts and circumstance, by which the Data Subject accepts the Processing of his/her Personal Data *). Customers and Suppliers: natural and legal persons with whom business relations exist or are planned. Data Subject: each identified or identifiable natural person whose data is processed. An identifiable person is one who can be identified, directly or indirectly, e.g., by reference to an identification number. Personal Data: all information relating to a Data Subject. Processing of Personal Data or Data Processing: any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as the collection, storage, retention, adaptation, modification, reading, retrieval, use, transmission by Data Transfer, blocking, erasure or destruction. Responsible Principal: in connection with Third Parties, the legally independent Siemens Subsidiary whose business operations cause Data Processing. Dependent branches, places of business and permanent establishments are part of the Responsible Principal. Siemens Subsidiary: Siemens Aktiengesellschaft and any company, in which Siemens Aktiengesellschaft owns or controls, directly or indirectly, the majority of the voting rights; Third Country: countries referred to in the footnote on page 1. Third Party: any natural or legal person not imputed to the Responsible Principal. *) Particular requirements for Consent can arise from the respective.national law and can be significant for the effectiveness of Consent.
5 - 5 - Transfer of Personal Data or Data Transfer: the disclosure of Personal Data to Third Parties, the transmission of such data to Third Parties, or the process of making such data available to Third Parties in any form for inspection or retrieval. 3. Principles for Processing Personal Data The following principles apply to Processing Personal Data by Siemens Subsidiaries in Third Countries and are to be adhered to. 3.1 Legitimacy of Data Processing The Personal Data referred to in Section 1, Paragraph 2 may be Processed only if at least one of the following prerequisites is fulfilled: The Data Subject has given its effective consent. Processing serves the purpose of a contractual relationship or contract-similar trust relationship with the Data Subject. Data Processing is required to maintain the Responsible Principal's justified interests and there are no grounds for assuming that the Data Subject has an overriding legitimate interest in precluding Data Processing. Processing is stipulated or permitted in accordance with national law or regulations. These Guidelines shall be complied with in any case. 3.2 Purpose Personal Data may only be collected and processed for specified, unambiguous and lawful purposes. Siemens Subsidiaries based in Third Countries, which have committed to comply with these Guidelines, are obligated to adhere to the purpose of Data Transfer when storing or otherwise using Personal Data transferred to them by a Siemens Subsidiary from an EU/EEA state (see footnote on Page 1). The purpose of Data Processing may only be changed with the Consent of the Data Subject or if permitted by the national law to which the data exporter from the EU/EEA state is subject. 3.3 Transparency Data Subjects whose Personal Data is transferred by a Siemens Subsidiary from an EU/EEA state (see footnote on page 1) must be provided with the following information by the receiving Siemens Subsidiary in the Third Country (in consultation with the data exporter, where applicable): identity of the Responsible Principal in the Third Country and of the data exporter in the EU/EEA state. purpose of Data Transfer other information to the extent required for reasons of equity, e.g. - rights of information, rectification and erasure - right of objection if Personal Data is used for advertising.
6 - 6 - Such information does not need to be furnished if this is required for the protection of either the Data Subject or for the rights and obligations of other persons, or the Data Subject has already been informed, or the cost and effort associated with it is unreasonable, or the data is publicly accessible and the provision of information is unreasonable due to the multitude of cases concerned. 3.4 Data quality Personal Data must be factually correct and if necessary kept up to date. Appropriate measures are to be taken to assure that inaccurate or incomplete data is corrected or erased. Data Processing has to be arranged with the objective to collect, process or use only such Personal Data as is required i.e., as little Personal Data as possible. In particular, use is to be made of the possibility of anonymous or pseudonymous data, provided that the cost and effort involved is commensurate with the desired purpose. Statistical evaluations or studies based on anonymous data or data used with pseudonyms are not relevant for data privacy protection purposes, provided that such data cannot be used to identify the Data Subject. Personal Data, which are no longer required for the business purposes for which they were originally collected and stored, are to be erased, subject to adherence to the statutory retention provisions. 3.5 Transfer of Personal Data within a Third Country or to another Third Country Transfer of Personal Data received from a Siemens Subsidiary of an EU/EEA state (see footnote on page 1) to another location in the same Third Country or to another Third Country is only permissible, if at least one of the following prerequisites are fulfilled: The Data Subject has given its effective consent. Transfer is used to determine the intended purpose of a contractual relationship or contractsimilar trust relationship with the Data Subject. The recipient shows an adequate level of data privacy protection within the context of these Guidelines; should the recipient be a Siemens Subsidiary, which has undertaken to comply with these Guidelines, it is not necessary to verify whether adequate data privacy protection is shown. 3.6 Special categories of Personal Data Special categories of Personal Data, e.g., information about a person s racial or ethnic origins, political opinions, religious or philosophical beliefs, trade union membership, health, or sex life, may not be processed as a general principle. Should such information be required, the explicit Consent ( opt-in ) of the Data Subject must be obtained, unless the Data Subject is not in a position to give his/her Consent (e.g. medical emergency), or the Data Subject has already placed the affected data in the public domain, or the Processing is essential for the purpose of establishing, exercising or defending legal claims, provided that there are no grounds for assuming that the Data Subject has an overriding legitimate interest in ensuring that such data is not processed, or the Processing is permitted by national law (e.g., registration/protection of minorities). This also applies if Personal Data is collected in a Third Country.
7 Direct marketing/market research or opinion polling Processing of Personal Data for the purposes of direct marketing, market research or opinion polling is generally permissible, provided that such use is compatible with the purpose for which such data were originally collected and provided that more stringent regulations are not imposed by national law (e.g. Consent required). The Data Subject, however, has the right to object to his/her data being used for this purpose at any time *). In this case, the data are to be blocked for this purpose. 3.8 Automated individual person-related decisions If Personal Data is processed for the purpose of making automated individual person-related decisions, the legitimate interests of the Data Subject must be ensured through appropriate measures. Decisions which have negative legal consequences for the Data Subject or substantially prejudice the Data Subject, may not be reached exclusively on the basis of an automated individual person-related procedure designed to evaluate an individual s personal characteristics (e.g. creditworthiness) i.e., decisions may not be exclusively based on the use of information technology. Automated procedures may generally only be used as a tool for the decision-making process. An exception to this tool-only principle applies only if the interests of the Data Subject are protected by providing him/her with information about the logic of how such a decision is reached and by giving him/her the opportunity to review and comment. In case the Data Subject submits comments, the Responsible Principal must review its decision. 3.9 Data security Responsible Principals are to take appropriate technical and organizational measures to ensure the requisite data security, which protects Personal Data against unintended or unlawful erasure, alteration or loss as well as against unauthorized disclosure or unauthorized access. These measures relate in particular to computers (servers and workstations), networks or communication links and applications, and arise from the implementation of the internal Siemens Corporate Information Security Guide, which is also binding for the Siemens Subsidiaries in Third Countries, which covers not just data relating to natural persons, but the entire procedure of information processing Confidentiality of Data Processing Only personnel, who are authorized and have been specially instructed in compliance with data privacy protection requirements, may collect, process or use Personal Data. Personal Data may not be used for employees private purposes and may not be transferred or otherwise made available to unauthorized persons. For this purpose, unauthorized persons include, e.g., also employees, unless they need the Personal Data in order to fulfil professional tasks imposed on them Data Processing Contracts If a Siemens Subsidiary in a Third Country contracts for Processing of Personal Data from Third Parties, the following applies additionally: *) If provided by national law, the Data Subject is to be informed by the Responsible Principal about his/her right to object.
8 - 8 - An Agent is to be selected, who ensures the required technical and organizational data security measures required to perform Data Processing that is compliant with data privacy protection. The performance of Data Processing must be governed by a written or otherwise documented contract, which specifies the rights and obligations of the Agent. The Agent is to be contractually obligated to process the data obtained from the Responsible Principal only as provided in the contract and in accordance with the instructions issued by the Responsible Principal. Data Processing for the Agent s own purposes or for the purposes of a Third Party must be contractually excluded. The Responsible Principal retains responsibility for the legitimacy of the Data Processing and is the contact person for the Data Subject (Customers and Suppliers, employees, etc). 4. Rights of the Data Subject The Data Subject has specific mandatory rights as regards his/her Personal Data: The Data Subject can demand information (including, in writing) about any Personal Data stored about him/her and about its origin and the purposes for which it is being stored. For Data Transfers, the Data Subject also has the right to information about the recipient (or categories of recipients) of such Personal Data. The Data Subject has no right to information if the disclosure is in connection with business or trade secrets. The Data Subject has the right of rectification if his/her Personal Data is shown to be inaccurate or incomplete. The Data Subject has the right of blocking his/her Personal Data, if neither their accuracy or inaccuracy can be determined. The Data Subject has the right of erasure of his/her Personal Data if the Data Processing was impermissible or the Personal Data for the purpose of the Data Processing are no longer required. If there are statutory retention obligations, then the blocking of the Personal Data takes precedence over the erasure. The Data Subject has the right of objection if his/her Personal Data is used for - advertising purposes, or - market research or opinion polling purposes. The Data Subject also has a general right of objection which is to be taken into account if a review reveals that, due to the Data Subject s special personal situation, his/her legitimate interests override those of the Responsible Principal. The Data Subject can exercise these rights out of court at no cost and against the transferring Siemens Subsidiary in an EU/EEA state.
9 Procedural issues 5.1 Implementation in the Siemens Subsidiary The relevant executive management of the Siemens Subsidiary in the Third Country is responsible for assuring that these Guidelines are implemented. A key aspect of such implementation is assuring that employees are instructed appropriately. Employee instruction also includes informing personnel that violations of these Guidelines may give rise to consequences under criminal, liability or employment law. 5.2 Questions and complaints Data Subjects can contact Siemens AG Chief Data Privacy Protection Officer or the locally responsible person according to Section 7 and/or, where available, the responsible national regulatory or supervisory authority at any time if they have any questions or complaints. In any inquiry, the Siemens Subsidiary in the Third Country and Chief Data Privacy Protection Officer are obligated to cooperate with the data privacy protection supervisory authorities of the country, in which the transferring Siemens Subsidiary has its seat, and to respect their opinions. Also, the transferring Siemens Subsidiary in an EU/EEA state (see footnote on page 1) has the right to review the Data Processing with the recipient Siemens Subsidiary in the Third Country in individual cases. Such transferring Siemens Subsidiary will assert any rights, which the Data Subject is ascertained to have, and will support the Data Subjects, who have suffered damages through violations of the obligations imposed by these Guidelines, in the assertion of their rights against the responsible Siemens Subsidiary in the Third Country. 6. Publicity These Guidelines shall be made available to Data Subjects in an appropriate manner, e.g., over the Internet. 7. Monitoring compliance In addition to the internal auditing function of Siemens AG and the Siemens Subsidiary in the Third Country, the respective responsible person in the Siemens Subsidiary in the Third Country for data privacy protection monitors compliance with these Guidelines as data privacy protection coordinator. Such monitoring is the responsibility of the information security officer ( InfoSec Officer ) or other person appointed by the executive management of the Siemens Subsidiary in the Third Country. These persons shall be supported by the executive management and respective managers and notified in the event that complaints are brought forward or the obligations resulting from these Guidelines are violated. In these cases, the data privacy protection coordinators consult the Chief Data Privacy Protection Officer of Siemens AG, whose decisions taken with respect to the elimination of said data privacy protection violations shall be respected by the relevant executive management of the Siemens Subsidiary in the Third Country. All employees and other Data Subjects can contact the data privacy protection coordinators or the Siemens AG Chief Data Privacy Protection Officer at any time with questions, helpful suggestions or complaints.
10 The Siemens AG Chief Data Privacy Protection Officer is the contact for problem cases, for issues of fundamental principles and for support in implementing these Guidelines. Contact address: Siemens AG Chief Data Privacy Protection Officer / CDP Wittelsbacherplatz 2 D Munich Internet:
Binding Corporate Rules ( BCR ) Summary of Third Party Rights This document contains in its Sections 3 9 all provision of the Binding Corporate Rules (BCR) for Siemens Group Companies and Other Adopting
Corporate Policy. Data Protection for Data of Customers & Partners. 02 Preamble Ladies and gentlemen, Dear employees, The electronic processing of virtually all sales procedures, globalization and growing
Data Protection Policy. Data Protection Policy Foreword 2 Foreword Ladies and Gentlemen, In the information age, we offer customers the means to be always connected, even in their cars. This requires data
Data Protection Processing and Transfer of Personal Data in Kvaerner Binding Corporate Rules Public Document 1 of 19 1 / 19 Table of contents 1 Introduction... 4 1.1 Scope... 4 1.2 Definitions... 4 1.2.1
Corporate Data Protection Code of Conduct for the Protection of the Individual s Right to Privacy in the Handling of Personal Data within the Deutsche Telekom Group 2010 / 04 We make ICT strategies work
1 AIRBUS GROUP BINDING CORPORATE RULES 2 Introduction The Binding Corporate Rules (hereinafter BCRs ) of the Airbus Group finalize the Airbus Group s provisions on the protection of Personal Data. These
Binding Corporate Rules Privacy (BCRP) Binding Corporate corporate Rules rules Privacy for (BCRP) the protection of personal Telekom Group rights in the handling of personal data within the Deutsche Telekom
Directive for the transfer of personal data to third countries outside the EEA (Munich Re reinsurance group directive on third-country data transfer) Information correct at 1 July 2013 - 2 - Contents 1
Guidelines on Data Protection Draft Version 3.1 Published by National Information Technology Development Agency (NITDA) September 2013 Table of Contents Section One... 2 1.1 Preamble... 2 1.2 Authority...
GENERAL ELECTRIC COMPANY EMPLOYMENT DATA PROTECTION STANDARDS December 2005 2 GENERAL ELECTRIC COMPANY EMPLOYMENT DATA PROTECTION STANDARDS I. OBJECTIVE... 1 II. SCOPE... 1 III. APPLICATION OF LOCAL LAWS...
Personal Data Act (1998:204); issued 29 April 1998. Be it enacted as follows. General provisions Purpose of this Act Section 1 The purpose of this Act is to protect people against the violation of their
PRESIDENT S DECISION No. 40 of 27 August 2013 Regarding Data Protection at the European University Institute (EUI Data Protection Policy) THE PRESIDENT OF THE EUROPEAN UNIVERSITY INSTITUTE, Having regard
Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Sopra HR Software as a Data Processor Sopra HR Software, 2014 / Ref. : 20141120-101114-m 1/32 1.
Align Technology Data Protection Binding Corporate Rules Controller Policy Contents INTRODUCTION 3 PART I: BACKGROUND AND ACTIONS 4 PART II: CONTROLLER OBLIGATIONS 6 PART III: APPENDICES 13 2 P a g e INTRODUCTION
Page 1 sur 155 Proposal of regulation Com 2012 11/4 Directive 95/46/EC Conclusion Legal nature of the instrument Règlement Directive Directly applicable act in internal law 91 articles 34 articles Art.
LEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT 2300 Pursuant to its authority from Article 59 of the Rules of Procedure of the Croatian Parliament, the Legislation Committee determined the revised text
AlixPartners, LLP General Data Protection Statement GENERAL DATA PROTECTION STATEMENT 1. INTRODUCTION 1.1 AlixPartners, LLP ( AlixPartners ) is committed to fulfilling its obligations under the data protection
Data Protection Standard Processing and Transfer of Personal Data in Aker Solutions (Binding Corporate Rules) Aker Solutions www.akersolutions.com Table of contents 1 Introduction... 3 1.1 Scope... 3 1.2
Data protection compliance checklist What is this checklist for? This checklist is drawn up on the basis of analysis of the relevant provisions of European law. Although European law aims at harmonizing
RPM INTERNATIONAL INC. AND ITS SUBSIDIARIES AND OPERATING COMPANIES SAFE HARBOR PRIVACY NOTICE EFFECTIVE AS OF: August 12, 2015 This Notice sets forth the principles followed by RPM International Inc.,
Supplier Instructions for Processing of Personal Data 1 PURPOSE SOS International has legal and contractual obligations on the matters of data protection and IT security. As a part of these obligations
FIRST DATA CORPORATION SUMMARY: BINDING CORPORATE RULES FOR DATA PRIVACY AND PROTECTION SUMMARY: BINDING CORPORATE RULES FOR DATA PRIVACY AND PROTECTION v 1.3 Supersedes: v 1.2 Summary Owner: Corporate
ATMD Bird & Bird Singapore Personal Data Protection Policy Contents 1. PURPOSE 1 2. SCOPE 1 3. COMMITMENT TO COMPLY WITH DATA PROTECTION LAWS 1 4. PERSONAL DATA PROTECTION SAFEGUARDS 3 5. ATMDBB EXCEPTIONS:
SAFE HARBOR PRIVACY NOTICE EFFECTIVE: July 1, 2005 AMENDED: July 15, 2014 This Notice sets forth the principles followed by United Technologies Corporation and its operating companies, subsidiaries, divisions
OBJECTS AND REASONS This Bill would provide for (a) the regulation of the collection, keeping, processing, use or dissemination of personal data; (b) the protection of the privacy of individuals in relation
Akzo Nobel N.V. Executive Committee Rules 7.08.2 Privacy Rules for Customer, Supplier and Business Partner Data Source Directive Content Owner Directive 7.08 Protection of Personal Data AkzoNobel Legal
Linde Integrity Line Process and Data Protection Policy 1 July 2007 Page 2 of 10 Table of Contents Preamble 3 1 Scope of application 3 2 Definitions 3 3 Submitting Reports Regular Channels 3 4 Submitting
eprivacyseal GmbH Criteria catalogue EU November 2013 The EPS data privacy seal certifies for the respective applicant that its product or service is in line with the detailed criteria in the following
Reference number Approved by Information Management and Technology Board Date approved 14 th May 2012 Version 1.1 Last revised N/A Review date May 2015 Category Information Assurance Owner Data Protection
PART I: INTRODUCTION AND BACKGROUND Purpose This Data Protection Binding Corporate Rules Policy ( Policy ) establishes the approach of Fluor to compliance with European data protection law and specifically
Information Booklet Data Compliance And Your Obligations What is Data Protection? It is the safeguarding of the privacy rights of individuals in relation to the processing of personal data. The Data Protection
Safeguarding Personally Identifiable Information A Summary of GSK s Binding Corporate Rules The Issue The processing of Personally Identifiable Information (PII) 1 and Sensitive Personally Identifiable
CROATIAN PARLIAMENT 1364 Pursuant to Article 88 of the Constitution of the Republic of Croatia, I hereby pass the DECISION PROMULGATING THE ACT ON PERSONAL DATA PROTECTION I hereby promulgate the Act on
Office of the Data Protection Commissioner of The Bahamas Data Protection (Privacy of Personal Information) Act, 2003 A Guide for Data Controllers 1 Acknowledgement Some of the information contained in
The Manitowoc Company, Inc. DATA PROTECTION POLICY 11FitzPatrick & Associates 4/5/04 1 Proprietary Material Version 4.0 CONTENTS PART 1 - Policy Statement PART 2 - Processing Personal Data PART 3 - Organisational
Privacy Rules for Customer, Supplier and Business Partner Data Contact details Philips Privacy Office c/o Philips International BV, Amstelplein 2, 1096 BC, the Netherlands. E-mail: Philips_Privacy_Office@philips.com
Data Protection A Guide for Users EUROPEAN PARLIAMENT Contents Contents 3 Introduction 4 Data protection standards making a difference in the European Parliament 5 Data protection the actors 6 Data protection
CLOUD COMPUTING FOR ehealth DATA PROTECTION ISSUES GLOBAL FORUM 2009 ICT & The Future of the Internet - Monday, October 19 th 2009 email@example.com Introduction & Structure ENISA Working Group
Credit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information INTRODUCTION Privacy legislation establishes legal privacy rights for individuals and sets enforceable
101010 100101 1010 101 Factsheet on the Right to be 100 Forgotten ruling (C-131/12) 101 101 1) What is the case about and what did 100 the Court rule? 10 In 2010 a Spanish citizen lodged a complaint against
Law No. 677/2001 on the Protection of Individuals with Regard to the Processing of Personal Data and the Free Movement of Such Data, amended and completed The Romanian Parliament adopts the present law.
on the transfer of personal data from the European Union BCRsseptembre 2008.doc 1 TABLE OF CONTENTS I. PRELIMINARY REMARKS 3 II. DEFINITIONS 3 III. DELEGATED DATA PROTECTION MANAGER 4 IV. MICHELIN GROUP
Align Technology Data Protection Binding Corporate Rules Processor Policy Confidential Contents INTRODUCTION TO THIS POLICY 3 PART I: BACKGROUND AND ACTIONS 4 PART II: PROCESSOR OBLIGATIONS 6 PART III:
CORK INSTITUTE OF TECHNOLOGY DATA PROTECTION POLICY APPROVED BY GOVERNING BODY ON 30 APRIL 2009 INTRODUCTION Cork Institute of Technology is committed to a policy of protecting the rights and privacy of
University of Limerick Data Protection Compliance Regulations June 2015 1. Purpose of Data Protection Compliance Regulations 1.1 The purpose of these Compliance Regulations is to assist University of Limerick
1 LAWS OF MALAYSIA Act 709 PERSONAL DATA PROTECTION ACT 2010 2 Laws of Malaysia ACT 709 Date of Royal Assent...... 2 June 2010 Date of publication in the Gazette......... 10 June 2010 Publisher s Copyright
PRACTICAL LAW MULTI-JURISDICTIONAL GUIDE 2012/13 The law and leading lawyers worldwide Essential legal questions answered in 30 key jurisdictions Analysis of critical legal issues AVAILABLE ONLINE AT WWW.PRACTICALLAW.COM/DATAPROTECTION-MJG
Table of contents: *** In Europe the issue of personal data protection is settled by European Parliament s and European Council s Directive 95/46/WE of October 24, 1995 (which is basis of Polish regulations)
Opinion on a Notification for Prior Checking received from the Data Protection Officer of the European Training Foundation Regarding the Processing Operations to Manage Calls for Tenders Brussels, 22 April
INTERNATIONAL SOS Data Protection Policy Document Owner: LCIS Division Document Manager: Group General Counsel Effective: December 2008 Revised: 2015 All copyright in these materials are reserved to AEA
PERSONAL INJURIES ASSESSMENT BOARD DATA PROTECTION CODE OF PRACTICE ADOPTED ON 9 th January 2008 TABLE OF CONTENTS Page No. 1 Introduction...3 2 Glossary...3 3 Types of Personal Data held by Us...3 4 Obligations
Client Alert Global Regulatory Enforcement If you have questions or would like additional information on the material covered in this Alert, please contact one of the authors: Cynthia O Donoghue Partner,
PROTECTION OF PERSONAL INFORMATION Definitions Privacy Officer - The person within the Goderich Community Credit Union Limited (GCCU) who is responsible for ensuring compliance with privacy obligations,
Page: 1 di 16 CODE OF ETHICS Previous version: n. 00 Issued and approved: Board of Directors of DSN Date: 29 Maggio 2008 Page: 2 di 16 INTRODUCTION d'amico Società di Navigazione S.p.A. (hereinafter the
English is not an official language of the Swiss Confederation. This translation is provided for information purposes only and has no legal force. Federal Act on Data Protection (FADP) 235.1 of 19 June
APPENDIX 8 THE DATA PROTECTION REGULATION OF SZIGET KULTURÁLIS MENEDZSER IRODA KORLÁTOLT FELELŐSSÉGŰ TÁRSASÁG Sziget Kulturális Menedzser Iroda Kft. (the Data Controller ) executes the processing and protection
DATA PROTECTION ACT 2002 The Basics Purpose of the Act Balance the rights of an individual with an organisation s legitimate need to process personal data Promote openness and transparency Establish and
EXPLANATORY MEMORANDUM FEDERATION OF EUROPEAN DIRECT MARKETING EUROPEAN CODE OF PRACTICE FOR THE USE OF PERSONAL DATA IN DIRECT MARKETING FEDMA represents the direct marketing sector at the European level.
technical factsheet 176 Data Protection CONTENTS 1. Introduction 1 2. Register with the Information Commissioner s Office 1 3. Period protection rights and duties remain effective 2 4. The data protection
International Data Protection Policy Revised April 2013 Table of Contents Statement from the President and CEO... 5 Visteon International Data Protection Policy... 6 1.0 Purpose... 6 2.0 Scope... 6 3.0
Introduction Canada is part of a global economy based on the creation, processing, and exchange of information. The technology underlying the information economy provides a number of benefits that improve
LAW FOR PROTECTION OF PERSONAL DATA Prom. SG. 1/4 Jan 2002, amend. SG. 70/10 Aug 2004, amend. SG. 93/19 Oct 2004, amend. SG. 43/20 May 2005, amend. SG. 103/23 Dec 2005, amend. SG. 30/11 Apr 2006, amend.
1 Data Protection Policy Version 1: June 2014 1 2 Contents 1. Introduction 3 2. Policy Statement 3 3. Purpose of the Data Protection Act 1998 3 4. The principles of the Data Protection Act 1998 4 5 The
Data Protection Policy and Application July 2009 Produced for staff of the House of Commons Service by the Department of Resources Information Rights and Information Security (IRIS) Service Data Policy:
EU Data Protection Directive and U.S. Safe Harbor Framework: An Employer Update By Stephen H. LaCount, Esq. Overview The European Union Data Protection Directive 95/46/EC ( Directive ) went effective in
Code of Conduct For Subscribers WHEREAS: A. The Bureau is in the business, amongst others, of producing credit reports B. Subject always to Credit Reporting Agencies Act 2010 and any other applicable legislation,
ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY Originated by: Data Protection Working Group: November 2008 Impact Assessment: (to be confirmed) Recommended by Senate: 28 January 2009 Approved by Council:
February, 2015 Page: 1 Revision History Revision # Date Author Sections Altered Approval/Date Rev 1.0 02/15/15 Ben Price New Document Rev 1.1 07/24/15 Ben Price Verify Privacy Grid Requirements are met
1 NB: Unofficial translation Personal Data Act (523/1999) Chapter 1 General provisions Section 1 Objectives The objectives of this Act are to implement, in the processing of personal data, the protection
EXPLANATORY MEMORANDUM FEDERATION OF EUROPEAN DIRECT MARKETING EUROPEAN CODE OF PRACTICE FOR THE USE OF PERSONAL DATA IN DIRECT MARKETING FEDMA represents the direct marketing sector at the European level.
Data Protection in Ireland 0 Contents Data Protection in Ireland Introduction Page 2 Appointment of a Data Processor Page 2 Security Measures (onus on a data controller) Page 3 8 Principles Page 3 Fair
1 Scope 1 (1) These terms and conditions (the T&C HYPE Enterprise Express ) together with the description of the Software Services provided by HYPE accepted by Customer by completing the HYPE Enterprise
UNIVERSITY OF ABERDEEN POLICY ON DATA PROTECTION The Data Protection Act 1998 (DPA) was passed in order to implement the EU Data Protection Directive (95/46/EC) and applies to all data relating to, and
Protection of Personal Data RPC001147_EN_WB_L_1 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Responsibility of Employees
1 Unofficial Translation Principles Concerning the Protection of Personal Data in the Workplace: Guidelines for Employee Monitoring * The Office for Personal Data Protection, September 2007 In accordance
GUIDE ON DATA PROTECTION REQUIREMENTS IN THE CONTEXT OF CLOUD COMPUTING SERVICES CONTENT 1. WHY A CLOUD COMPUTING GUIDE?... 2 2. WHAT IS CLOUD COMPUTING?... 4 3. WHAT ARE THE ROLES OF THE CLOUD SERVICES
ECSA EuroCloud Star Audit Data Privacy Audit Guide Page 1 of 15 Table of contents Introduction... 3 ECSA Data Privacy Rules... 4 Governing Law... 6 Sub processing... 6 A. TOMs: Cloud Service... 7 TOMs: