Position of the retail and wholesale sector on the Draft Data Protection Regulation in view of the trilogue 2015
2 September 2015

We support the efforts of EU legislators to create a harmonised data protection framework. The draft Data Protection Regulation ("Regulation") will not only set higher standards for the protection of individuals' privacy, it will also establish the same rules for all companies. Eliminating a large number of varying data protection rules will be a major step forward for companies operating cross-border.

The EU institutions aim to achieve a balance between business and consumer interests. This balance should be fair, and we therefore support a risk-based approach. A high level of individual protection should be balanced with adequate safeguards for businesses' legitimate commercial use of personal data.

One of our priorities is a Regulation that creates fair and reasonable rules for all companies processing personal data. The Regulation should therefore be appropriate for all types of business models and avoid imposing disproportionate obligations on companies that process data as a subsidiary activity to their main business. Below we focus on the most important issues from the retail and wholesale perspective.

Full Harmonisation

We hope that the original aim of creating a fully harmonised data protection framework will not be abandoned. The number of provisions that allow scope for Member States to diverge in their implementation of parts of the Regulation undermines true harmonisation (collective redress independent of the data subject's mandate (Art.76.2), employment (Art.82), data protection officer (Art.35), public authorities (Art.1), etc.). If this approach is pursued, companies will still have to deal with a patchwork of rules. The original purpose of the Regulation will erode, which will seriously harm the EU's competitiveness towards third-country businesses.

A specific example: establishing a compliance hotline within a global company

Currently, establishing a compliance hotline across the EU is subject to different rules and requires separate approvals/notifications. For example, while anonymous reporting is prohibited in some countries, in others it is necessary to provide an anonymous reporting channel. It often takes years to have all the group companies integrated in the same system. Even under the draft Regulation these issues would continue: the Regulation leaves it up to the Member States to adopt data protection rules in the employment context. This means, for example, that consulting the works council about the hotline would be subject to different rules across the EU.

Data Protection Officer (DPO)

The experience of our member companies shows that qualified, independent and reasonably resourced DPOs can play a major role in ensuring a company's privacy compliance. An in-house DPO knows the company best; their assessment is therefore fundamental for ensuring privacy compliance. At the same time, appointing a DPO is a non-bureaucratic approach and a cost-saving solution for some companies.

The rules for the appointment and the qualifications of a DPO should be the same across the EU. We are concerned that if Member States are free to decide on a mandatory or voluntary DPO appointment, this would lead to divergent standards within the EU and would result in an uneven playing field for companies operating cross-border. This would be against the spirit of the Regulation.

Ideally, the DPO appointment should depend on the risks involved in the company's data processing operations and on the nature of the business (whether it is purely data-driven or whether data processing is a subsidiary activity to the main business). Therefore, SMEs and micro-enterprises which do not process personal data as their core business (for example smaller retailers) should be exempt from appointing a DPO. If thresholds are to be set, they should not depend on the mere number of employees or of consumers whose personal data are being processed, but on the degree of risk attached to the processing.

We therefore propose to revise Article 35 as follows:

1. The controller and the processor shall designate a data protection officer, where: (a) the processing is carried out by a public authority or body; or (c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purpose, the number of the individuals concerned or individuals processing personal data imply regular and systematic monitoring of data subjects or high level of risk.

[The text in 1(c) is based on the Commission's proposal, with modifications proposed by EuroCommerce.]

1a (NEW). The obligation referred to in paragraph 1 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a high risk for the rights and freedoms of data subject such as discrimination, identity theft or fraud, unauthorized reversal of pseudonymisation, financial loss, damage to the reputation, loss of confidentiality of data protected by professional secrecy or any other economic or social disadvantage.

[The text in 1a (NEW) is new and has been proposed by EuroCommerce.]

We also believe that there should be clearer incentives for appointing a DPO, such as:
- eliminating the need to consult a regulator in case of risky processing; or
- exempting group companies from putting in place data processing and transfer agreements if a DPO is appointed (group privilege).

Many of our members operating internationally have experienced that signing intra-group agreements has not automatically increased the level of data protection but rather has led to more administrative burden. In group companies, any disputes arising from non-compliance are solved internally based on internal data protection policies and practices.

We therefore support revising Article 34 as follows:

2. The controller or processor acting on the controller's behalf shall consult the data protection officer, or in case a data protection officer has not been appointed, the supervisory authority prior to the processing of personal data in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where:

[The text in bold has already been proposed by the EP. We support this proposal.]

We also support revising Article 22 as follows:

3a. The controller that appointed a data protection officer shall have the right to transmit personal data inside the EU within the group of undertakings the controller is part of, where such processing is necessary for legitimate internal administrative purposes between connected business areas of the group of undertakings and an adequate level of data protection as well as the interests of the data subjects are safeguarded by internal data protection provisions or equivalent codes of conduct as referred to in Article 38.

[The text in 3a has been proposed by the EP; we support this proposal and suggest additional changes in bold/italics.]

Fines

We support a dissuasive level of fines for data protection violations. However, we are not in favour of the Regulation's approach of basing those fines on the company's global annual turnover. This approach disconnects the sanction from the actual violation. It may be effective in targeting companies that process personal data as their core business, but for companies processing personal data as a subsidiary activity to their main business (for example selling goods) it would be disproportionate. We think that, as a rule of law, the calculation of fines should be linked primarily to a combination of: (1) the profit or the savings that a company generated in relation to the data processing that involved the violation; (2) the actual risk or violation to the data subjects' fundamental rights; and (3) the nature of the business (purely data-driven or data processing as a subsidiary activity to the main business). In order to achieve fair and appropriate results, a company's annual turnover can only be of minor interest and, if at all, serve as a mere overall cap.

Profiling

Data analysis is crucial for the commerce sector to become more effective and innovative. Profiling allows customers to receive offers that are relevant to their needs rather than being bothered by mass mailings covering products they do not want. Profiling is also used to evaluate patterns of consumer behaviour to improve measures needed for fraud detection, credit evaluation, managing product safety, warranties, purchase and transportation management, and product and process quality improvement.

We support better privacy safeguards related to profiling. However, we think that rather than creating a right not to be subject to profiling, profiling should be allowed under certain conditions, the main condition being that profiling does not result in harm to individuals. Therefore, we support a risk-based approach and a requirement for explicit consent for profiling likely to cause harm. Profiling that would cause insignificant effects, and of which the consumer would need to be properly informed, could be possible under other legal bases, such as legitimate interest.

Consent

We support the requirement of unambiguous consent for the processing of non-sensitive data. Calling for explicit consent will increase burdens for businesses and will be annoying for consumers. Obliging consumers to carry out repeated box ticking could mean that they risk ignoring important information about how their personal data are being processed.

We therefore support revising Article 6 as follows:

1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies: (a) the data subject has given unambiguous consent to the processing of their personal data for one or more specific purposes;

[The text in 1(a) has been revised by the Council; we support this proposal.]

Data portability

We are concerned that a provision that was meant to address mainly user-generated data and social media could have unintended consequences for retail if interpreted too broadly. The Regulation should clarify that the right to data portability would not oblige businesses to disclose confidential business information. Any provision that would require a retailer to transfer consumer profile information into a competing retailer's system could have serious competition implications. Therefore, we support including safeguards, such as intellectual property rights. Trade secrets should also be added.

We therefore propose revising Article 18 as follows:

2aa. The right referred to in paragraph 2 shall not apply, if disclosing personal data would infringe intellectual property rights or reveal trade secrets in relation to the processing of those personal data.

[The text in 2aa has been proposed by the Council; we support this proposal and suggest additional changes in bold/italics.]

Data Protection Impact Assessment (PIA) and record keeping

We are in favour of the PIA as a mechanism helping companies maintain their corporate data protection responsibility, but combined with a risk-based approach. This means that only certain risky processing operations should require a PIA. The fact that many individuals' personal data are being processed is not risky per se. It is the nature and the consequences of the processing that matter.

We are sceptical about the requirement to consult on the intended risky processing with individuals or their representatives (Art.33.4). It is unclear how this obligation would work in practice, for example whether only notification rather than agreement of the concerned persons would be required, what the required timeframe would be, etc. The provision is vague and would lead to uncertainty. There are already sufficient safeguards in the draft Regulation, such as an obligation to consult a regulator (or a DPO) if there are high risks involved in the processing (Art.34).

We therefore propose to delete the following paragraph of Article 33 (point 4):

The controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of the processing operations.

[The deletion of point 4 has been proposed by the Parliament; we support this deletion.]

We also think that requiring data controllers to perform a data protection compliance review (Art. 32a) and to review the PIA every two years (Art.33a) will be extremely burdensome, especially for SMEs. We think that there are already sufficient safeguards in the draft Regulation, as above. We therefore propose to delete Articles 32a and 33a.

In addition, we support that SMEs are exempt from certain compliance obligations, such as record keeping obligations (Art. 28), as long as the processing does not involve high risks for individuals. For many small shops whose core activities do not involve the processing of personal data, the prescriptive record keeping duties would add further burdens and costs. We support a risk-based approach. This means that there should be varying levels of obligation based on the risk of the data processing undertaken by a particular business.

We therefore support revising Article 28 as follows:

4. The obligations referred to in paragraphs 1 and 2a shall not apply to: (b) an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a high risk for the rights and freedoms of data subject such as discrimination, identity theft or fraud, unauthorized reversal of pseudonymisation, financial loss, damage to the reputation, loss of confidentiality of data protected by professional secrecy or any other economic or social disadvantage.

[The text in 4(b) has been revised by the Council; we support the Council's proposal.]

Encouraging Corporate Responsibility

We believe that the best data protection standards are set within companies that build a robust privacy culture. We therefore support the idea that the Regulation encourages companies to do so even more by offering incentives and regulatory reliefs. In particular, the following measures were a big step forward in improving the overall level of data protection amongst our members:
- appointing an independent and qualified DPO
- implementing a code of conduct
- undergoing external audits / certification

We support the approach of promoting these measures by law. The following are particularly suited as possible incentives:
- facilitating intra-group data transfers for internal or administrative purposes
- providing regulatory reliefs for companies that have adopted codes of conduct
- considering mitigating factors when imposing sanctions
- doing away with registration and reporting requirements

We remain fully at your disposal for any further information we can give you on this topic.
Comparative chart of the draft General Data Protection Regulation with the retail and wholesale sector recommendations

[The chart sets out, per article number, the Commission's proposal, the EP's position, the Council's position and the retail/wholesale recommendations. Where a position was shown as tracked changes, the struck-out wording is marked as such where it can be identified; otherwise it appears interleaved with the new wording as in the original chart.]

Article 6
Commission's proposal: (a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
EP's position: (a) the data subject has given (explicit) consent to the processing of their personal data for one or more specific purposes;
Council's position: 1. (a) the data subject has given unambiguous consent to the processing of their personal data for one or more specific purposes;
Retail/wholesale recommendations: 1. (a) the data subject has given unambiguous consent to the processing of their personal data for one or more specific purposes;

Article 18
Council's position: 2aa. The right referred to in paragraph 2 shall not apply if disclosing personal data would infringe intellectual property rights in relation to the processing of those personal data.
Retail/wholesale recommendations: 2aa. The right referred to in paragraph 2 shall not apply, if disclosing personal data would infringe intellectual property rights or reveal trade secrets in relation to the processing of those personal data.

Article 22
EP's position: 3a. The controller shall have the right to transmit personal data inside the Union within the group of undertakings the controller is part of, where such processing is necessary for legitimate internal administrative purposes between connected business areas of the group of undertakings and an adequate level of data protection as well as the interests of the data subjects are safeguarded by internal data protection provisions or equivalent codes of conduct as referred to in Article 38.
Retail/wholesale recommendations: 3a. The controller that appointed a data protection officer shall have the right to transmit personal data inside the EU within the group of undertakings the controller is part of, where such processing is necessary for legitimate internal administrative purposes between connected business areas of the group of undertakings and an adequate level of data protection as well as the interests of the data subjects are safeguarded by internal data protection provisions or equivalent codes of conduct as referred to in Article 38.

Article 28
Commission's proposal: 4. b) an enterprise or an organisation employing fewer than 250 persons that is processing personal data only as an activity ancillary to its main activities.
EP's position: Deleted
Council's position: 4 (b) an enterprise or an organisation employing fewer than 250 persons [struck out: that is processing personal data only as an activity ancillary to its main activities] unless the processing it carries out is likely to result in a high risk for the rights and freedoms of data subject such as discrimination, identity theft or fraud, unauthorized reversal of pseudonymisation, financial loss, damage to the reputation, loss of confidentiality of data protected by professional secrecy or any other economic or social disadvantage
Retail/wholesale recommendations: 4 (b) an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a high risk for the rights and freedoms of data subject such as discrimination, identity theft or fraud, unauthorized reversal of pseudonymisation, financial loss, damage to the reputation, loss of confidentiality of data protected by professional secrecy or any other economic or social disadvantage.

Article 32a (Respect to Risk)
EP's position: 1. The controller, or where applicable the processor, shall carry out a risk analysis of the potential impact of the intended data processing on the rights and freedoms of the data subjects, assessing whether its processing operations are likely to present specific risks. 2. The following processing operations are likely to present specific risks: (a) processing of personal data relating to more than 5000 data subjects during any consecutive 12-month period; (b) processing of special categories of personal data as referred to in Article 9(1), location data or data on children or employees in large scale filing systems; (c) profiling on which measures are based that produce legal effects concerning the individual or similarly significantly affect the individual; (d) processing of personal data for the provision of health care, epidemiological researches, or surveys of mental or infectious diseases, where the data are processed for taking measures or decisions regarding specific individuals on a large scale; (e) automated monitoring of publicly accessible areas on a large scale; (f) other processing operations for which the consultation of the data protection officer or supervisory authority is required pursuant to point (b) of Article 34(2); (g) where a personal data breach would likely adversely affect the protection of the personal data, the privacy, the rights or the legitimate interests of the data subject; (h) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects; (i) where personal data are made accessible to a number of persons which cannot reasonably be expected to be limited. 3. According to the result of the risk analysis: (a) where any of the processing operations referred to in points (a) or (b) of paragraph 2 exist, controllers not established in the Union shall designate a representative in the Union in line with the requirements and exemptions laid down in Article 25; (b) where any of the processing operations referred to in points (a), (b) or (h) of paragraph 2 exist, the controller shall designate a data protection officer in line with the requirements and exemptions laid down in Article 35; (c) where any of the processing operations referred to in points (a), (b), (c), (d), (e), (f), (g) or (h) of paragraph 2 exist, the controller or the processor acting on the controller's behalf shall carry out a data protection impact assessment pursuant to Article 33; (d) where processing operations referred to in point (f) of paragraph 2 exist, the controller shall consult the data protection officer, or in case a data protection officer has not been appointed, the supervisory authority pursuant to Article The risk analysis shall be reviewed at the latest after one year, or immediately, if the nature, the scope or the purposes of the data processing operations change significantly. Where pursuant to point (c) of paragraph 3 the controller is not obliged to carry out a data protection impact assessment, the risk analysis shall be documented.
Retail/wholesale recommendations: Deleted

Article 33
Commission's proposal: 4. The controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of the processing operations.
EP's position: Deleted
Council's position: 4. The controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of the processing operations.
Retail/wholesale recommendations: Deleted

Article 33a (Data protection compliance review)
EP's position: 1. At the latest two years after the carrying out of an impact assessment pursuant to Article 33(1), the controller or the processor acting on the controller's behalf shall carry out a compliance review. This compliance review shall demonstrate that the processing of personal data is performed in compliance with the data protection impact assessment. 2. The compliance review shall be carried out periodically at least once every two years, or immediately when there is a change in the specific risks presented by the processing operations. 3. Where the compliance review results show compliance inconsistencies, the compliance review shall include recommendations on how to achieve full compliance. 4. The compliance review and its recommendations shall be documented. The controller and the processor and, if any, the controller's representative shall make the compliance review available, on request, to the supervisory authority. 5. If the controller or the processor has designated a data protection officer, he or she shall be involved in the compliance review proceeding.
Retail/wholesale recommendations: Deleted

Article 34
Commission's proposal: 2. The controller or processor acting on the controller's behalf shall consult the supervisory authority prior to the processing of personal data in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where:
EP's position: 2. The controller or processor acting on the controller's behalf shall consult the data protection officer, or in case a data protection officer has not been appointed, the supervisory authority prior to the processing of personal data in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where:
Council's position: 2. The controller or processor acting on the controller's behalf shall consult the supervisory authority prior to the processing of personal data where a data protection impact assessment as provided for in Article 33 indicates that the in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the would result in a high risks involved for the data subjects where: in the absence of measures to be taken by the controller to mitigate the risk.
Retail/wholesale recommendations: 2. The controller or processor acting on the controller's behalf shall consult the data protection officer, or in case a data protection officer has not been appointed, the supervisory authority prior to the processing of personal data in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where:

Article 35
Commission's proposal: 1. The controller and the processor shall designate a data protection officer in any case where: (a) the processing is carried out by a public authority or body; or (b) the processing is carried out by an enterprise employing 250 persons or more; or (c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects.
EP's position: 1. The controller and the processor shall designate a data protection officer in any case where: (a) the processing is carried out by a public authority or body; or (b) the processing is carried out by [struck out: an enterprise employing 250 persons or more] a legal person and relates to more than 5000 data subjects in any consecutive 12-month period; or (c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects; or (d) the core activities of the controller or the processor consist of processing special categories of data pursuant to Article 9(1), location data or data on children or employees in large scale filing systems
Council's position: 1. The controller and or the processor may, or where required by Union or Member State law shall designate a data protection officer in any case where:
Retail/wholesale recommendations: 1. The controller and the processor shall designate a data protection officer in any case where: (a) the processing is carried out by a public authority or body; or (c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purpose, the number of the individuals concerned or individuals processing personal data imply regular and systematic monitoring of data subjects or high level of risk. 1a (NEW). The obligation referred to in paragraph 1 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a high risk for the rights and freedoms of data subject such as discrimination, identity theft or fraud, unauthorized reversal of pseudonymisation, financial loss, damage to the reputation, loss of confidentiality of data protected by professional secrecy or any other economic or social disadvantage.
More informationFIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS
FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS As a world leader in electronic commerce and payment services, First Data Corporation and its subsidiaries ( First Data entity or entities ),
More informationDraft GDPR and health-related scientific research: Where do we stand with the EU Council?
Draft GDPR and health-related scientific research: Where do we stand with the EU Council? Gauthier Chassang, Lawyer BIOBANQUES Infrastructure, INSERM US013, France Data Protection for health: Enabling
More informationAIRBUS GROUP BINDING CORPORATE RULES
1 AIRBUS GROUP BINDING CORPORATE RULES 2 Introduction The Binding Corporate Rules (hereinafter BCRs ) of the Airbus Group finalize the Airbus Group s provisions on the protection of Personal Data. These
More informationOVERVIEW. stakeholder engagement mechanisms and WP29 consultation mechanisms respectively.
Joint work between experts from the Article 29 Working Party and from APEC Economies, on a referential for requirements for Binding Corporate Rules submitted to national Data Protection Authorities in
More informationI. EBF KEY PRIORITIES. A. Data breach notification
D1391E-2012 29.10.2012 EUROPEAN BANKING FEDERATION PROPOSED AMENDMENTS TO THE EUROPEAN COMMISSION PROPOSAL FOR A REGULATION ON THE PROTECTION OF INDIVIDUALS WITH REGARD TO THE PROCESSING OF PERSONAL DATA
More informationNew EU Data Protection legislation comes into force today. What does this mean for your business?
24 th May 2016 New EU Data Protection legislation comes into force today. What does this mean for your business? After years of discussion and proposals, the General Data Protection Regulation ( GDPR )
More information13772/14 GS/np 1 DG D 2C
Council of the European Union Brussels, 3 October 2014 (OR. en) Interinstitutional File: 2012/0011 (COD) 13772/14 DATAPROTECT 129 JAI 730 MI 726 DRS 120 DAPIX 137 FREMP 164 COMIX 503 CODEC 1926 NOTE From:
More informationExplanatory notes VAT invoicing rules
Explanatory notes VAT invoicing rules (Council Directive 2010/45/EU) Why explanatory notes? Explanatory notes aim at providing a better understanding of legislation adopted at EU level and in this case
More informationComparison of the Parliament and Council text on the General Data Protection Regulation
Comparison of the Parliament and Council text on the General Data Protection Regulation General comments The Council text and the Parliament text are both based on the Commission's proposal and as such
More information***I DRAFT REPORT. EN United in diversity EN 2012/0011(COD) 17.12.2012
EUROPEAN PARLIAMT 2009-2014 Committee on Civil Liberties, Justice and Home Affairs 17.12.2012 2012/0011(COD) ***I DRAFT REPORT on the proposal for a regulation of the European Parliament and of the Council
More informationAccountability: Data Governance for the Evolving Digital Marketplace 1
Accountability: Data Governance for the Evolving Digital Marketplace 1 1 For the past three years, the Centre for Information Policy Leadership at Hunton & Williams LLP has served as secretariat for the
More informationSUPPLEMENTARY INTERNAL RULES IMPLEMENTING REGULATION (EC) N 45/2001 IN RELATION TO THE DATA PROTECTION OFFICER
SUPPLEMENTARY INTERNAL RULES IMPLEMENTING REGULATION (EC) N 45/2001 IN RELATION TO THE DATA PROTECTION OFFICER 10 September 2009 page 1 / 8 SUPPLEMENTARY INTERNAL RULES IMPLEMENTING REGULATION (EC) N 45/2001
More informationConsultation document on the Review of the Insurance Mediation Directive (IMD) Commission Staff Working Paper
Consultation document on the Review of the Insurance Mediation Directive (IMD) Commission Staff Working Paper This document is a working document of the Internal Market and Services Directorate General
More informationClause 1. Definitions and Interpretation
[Standard data protection [agreement/clauses] for the transfer of Personal Data from the University of Edinburgh (as Data Controller) to a Data Processor within the European Economic Area ] In this Agreement:-
More informationThe reform of the EU Data Protection framework - Building trust in a digital and global world. 9/10 October 2012
The reform of the EU Data Protection framework - Building trust in a digital and global world 9/10 October 2012 Questionnaire addressed to national Parliaments Please, find attached a number of questions
More informationImproving self-regulation through (law-based) Corporate Data Protection Officials *
Improving self-regulation through (law-based) Corporate Data Protection Officials * Article by Christoph Klug ** The rise of globalization and multinational corporations is creating a pressing need for
More informationECB-PUBLIC OPINION OF THE EUROPEAN CENTRAL BANK. of 12 November 2015. on the regulation of companies acquiring credit (CON/2015/45)
EN ECB-PUBLIC OPINION OF THE EUROPEAN CENTRAL BANK of 12 November 2015 on the regulation of companies acquiring credit (CON/2015/45) Introduction and legal basis On 5 November 2015 the European Central
More informationCOMMISSION REGULATION (EU) No /.. of XXX
EUROPEAN COMMISSION Brussels, XXX [ ](2013) XXX draft COMMISSION REGULATION (EU) No /.. of XXX on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC on privacy
More informationEuropean Privacy Reporter
Is this email not displaying correctly? Try the web version or print version. ISSUE 02 European Privacy Reporter An Update on Legal Developments in European Privacy and Data Protection November 2012 In
More informationHow To Respect The Agreement On Trade In Cyberspace
CHAPTER 14 ELECTRONIC COMMERCE Article 14.1: Definitions For the purposes of this Chapter: computing facilities means computer servers and storage devices for processing or storing information for commercial
More informationAnnex 1: Detailed outline
Annex 1: Detailed outline Key issues Possible text for proposal for a directive/regulation Comments/Explanations on ongoing and periodic transparency requirements for issuers, and holders, of securities
More informationBig Data for Mutuals. Marc Dautlich 25 November 2013
Big Data for Mutuals Marc Dautlich 25 November 2013 Agenda BIG DATA What is it? OPPORTUNITIES What are they? LEGAL CHALLENGES How do we overcome them? LEGAL REFORM What can we do now to minimise impact?
More informationAlign Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved.
Align Technology Data Protection Binding Corporate Rules Controller Policy Contents INTRODUCTION 3 PART I: BACKGROUND AND ACTIONS 4 PART II: CONTROLLER OBLIGATIONS 6 PART III: APPENDICES 13 2 P a g e INTRODUCTION
More informationOption Table - Directive on Statutory Audits of Annual and Consolidated Accounts
Option Table - Directive on Statutory Audits of Annual and Consolidated Accounts The purpose of this document is to highlight the changes in the options available to Member States and Competent Authorities
More informationProcessor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries
Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Sopra HR Software as a Data Processor Sopra HR Software, 2014 / Ref. : 20141120-101114-m 1/32 1.
More informationBinding Corporate Rules ( BCR ) Summary of Third Party Rights
Binding Corporate Rules ( BCR ) Summary of Third Party Rights This document contains in its Sections 3 9 all provision of the Binding Corporate Rules (BCR) for Siemens Group Companies and Other Adopting
More information7.0 Information Security Protections The aggregation and analysis of large collections of data and the development
7.0 Information Security Protections The aggregation and analysis of large collections of data and the development of interconnected information systems designed to facilitate information sharing is revolutionizing
More information7.08.2 Privacy Rules for Customer, Supplier and Business Partner Data. Directive 7.08 Protection of Personal Data
Akzo Nobel N.V. Executive Committee Rules 7.08.2 Privacy Rules for Customer, Supplier and Business Partner Data Source Directive Content Owner Directive 7.08 Protection of Personal Data AkzoNobel Legal
More informationINTERNATIONAL PHARMACEUTICAL PRIVACY CONSORTIUM COMMENTS IN RESPONSE TO THE CALL FOR EVIDENCE ON EU DATA PROTECTION PROPOSALS
INTERNATIONAL PHARMACEUTICAL PRIVACY CONSORTIUM COMMENTS IN RESPONSE TO THE CALL FOR EVIDENCE ON EU DATA PROTECTION PROPOSALS I. INTRODUCTION The International Pharmaceutical Privacy Consortium (IPPC)
More informationData Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document
Data Protection Processing and Transfer of Personal Data in Kvaerner Binding Corporate Rules Public Document 1 of 19 1 / 19 Table of contents 1 Introduction... 4 1.1 Scope... 4 1.2 Definitions... 4 1.2.1
More information12555/15 CHS/KR/np 1 DGD 2C
Council of the European Union Brussels, 2 October 2015 (OR. en) Interinstitutional File: 2012/0010 (COD) 12555/15 NOTE From: To: Presidency Council No. prev. doc.: 12266/15 No. Cion doc.: 5833/12 Subject:
More informationThe EBF would like to take the opportunity to note few general remarks on key issues as follows:
Ref.:EBF_001314 Brussels, 17 June 2013 Launched in 1960, the European Banking Federation is the voice of the European banking sector from the European Union and European Free Trade Association countries.
More informationtechnical factsheet 176
technical factsheet 176 Data Protection CONTENTS 1. Introduction 1 2. Register with the Information Commissioner s Office 1 3. Period protection rights and duties remain effective 2 4. The data protection
More informationPersonal Data Act (1998:204);
Personal Data Act (1998:204); issued 29 April 1998. Be it enacted as follows. General provisions Purpose of this Act Section 1 The purpose of this Act is to protect people against the violation of their
More information10227/13 GS/np 1 DG D 2B
COUNCIL OF THE EUROPEAN UNION Brussels, 31 May 2013 10227/13 Interinstitutional File: 2012/0011 (COD) DATAPROTECT 72 JAI 438 MI 469 DRS 104 DAPIX 86 FREMP 77 COMIX 339 CODEC 1257 NOTE from: Presidency
More informationThe Impact of EU Data Protection Legislation. Thomas Rivera Hitachi Data Systems
Privacy PRESENTATION vs Data TITLE Protection: GOES HERE The Impact of EU Data Protection Legislation Thomas Rivera Hitachi Data Systems SNIA Legal Notice The material contained in this tutorial is copyrighted
More informationMicrosoft response to the Ministry of Justice Call for Evidence on EU Data Protection Proposal - Regulation COM(2012)11.
Microsoft response to the Ministry of Justice Call for Evidence on EU Data Protection Proposal - Regulation COM(2012)11 6 th March 2012 Executive Summary Microsoft welcomes the very idea of a Regulation
More informationINFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER
INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER 3 APPLIES TO: ALL STAFF 4 COMMITTEE & DATE APPROVED: AUDIT COMMITTEE
More informationCOMMISSION STAFF WORKING DOCUMENT. on the existing EU legal framework applicable to lifestyle and wellbeing apps. Accompanying the document
EUROPEAN COMMISSION Brussels, 10.4.2014 SWD(2014) 135 final COMMISSION STAFF WORKING DOCUMENT on the existing EU legal framework applicable to lifestyle and wellbeing apps Accompanying the document GREEN
More informationBasel Committee on Banking Supervision. Consolidated KYC Risk Management
Basel Committee on Banking Supervision Consolidated KYC Risk Management October 2004 Table of contents Introduction...4 Global process for managing KYC risks...5 Risk management...5 Customer acceptance
More informationLaw. on Payment Services and Payment Systems. Chapter One GENERAL PROVISIONS. Section I Subject and Negative Scope. Subject.
Law on Payment Services and Payment Systems 1 Law on Payment Services and Payment Systems (Adopted by the 40th National Assembly on 12 March 2009; published in the Darjaven Vestnik, issue 23 of 27 March
More informationPRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES
PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES TECHNICAL COMMITTEE OF THE INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS FEBRUARY 2005 Preamble The IOSCO Technical Committee
More informationGuidelines on operational functioning of colleges
EIOPA-BoS-14/146 EN Guidelines on operational functioning of colleges EIOPA Westhafen Tower, Westhafenplatz 1-60327 Frankfurt Germany - Tel. + 49 69-951119-20; Fax. + 49 69-951119-19; email: info@eiopa.europa.eu
More informationOperational Risk Publication Date: May 2015. 1. Operational Risk... 3
OPERATIONAL RISK Contents 1. Operational Risk... 3 1.1 Legislation... 3 1.2 Guidance... 3 1.3 Risk management process... 4 1.4 Risk register... 7 1.5 EBA Guidelines on the Security of Internet Payments...
More informationDo you have a private life at your workplace?
Do you have a private life at your workplace? Privacy in the workplace in EC institutions and bodies Giovanni Buttarelli In the course of his supervisory activities, the EDPS has published positions on
More informationCouncil of the European Union Brussels, 5 March 2015 (OR. en)
Council of the European Union Brussels, 5 March 2015 (OR. en) Interinstitutional File: 2013/0027 (COD) 6788/15 LIMITE TELECOM 59 DATAPROTECT 23 CYBER 13 MI 139 CSC 55 CODEC 279 NOTE From: Presidency To:
More informationData Protection Policy.
Data Protection Policy. Data Protection Policy Foreword 2 Foreword Ladies and Gentlemen, In the information age, we offer customers the means to be always connected, even in their cars. This requires data
More informationHIPAA S BUSINESS ASSOCIATE REQUIREMENTS FOR PATHOLOGISTS AND LABORATORIES
HIPAA S BUSINESS ASSOCIATE REQUIREMENTS FOR PATHOLOGISTS AND LABORATORIES What is HIPAA? The Health Insurance Portability and Accountability Act of 1996 ( HIPAA ) establishes new privacy requirements for
More informationFinancial Services Regulatory Commission Antigua and Barbuda Division of Gaming Customer Due Diligence Guidelines for
Division of Gaming Customer Due Diligence Guidelines for Interactive Gaming & Interactive Wagering Companies November 2005 Customer Due Diligence for Interactive Gaming & Interactive Wagering Companies
More informationPrivacy Policy. February, 2015 Page: 1
February, 2015 Page: 1 Revision History Revision # Date Author Sections Altered Approval/Date Rev 1.0 02/15/15 Ben Price New Document Rev 1.1 07/24/15 Ben Price Verify Privacy Grid Requirements are met
More informationRegistration must be carried out by a top executive or a number of executives having the power to commit the whole company in the EU.
Questions and answers 1- What is the purpose of The Initiative? Why are we doing this? The purpose of the Supply Chain Initiative is to promote fair business practices in the food supply chain as a basis
More informationBCS, The Chartered Institute for IT Consultation Response to:
BCS, The Chartered Institute for IT Consultation Response to: A Comprehensive Approach to Personal Data Protection in the European Union Dated: 15 January 2011 BCS The Chartered Institute for IT First
More informationEBF preliminary position on the European Commission proposal for an insurance mediation directive (Recast)
EBF Ref.: D2142F 10.01.13 Launched in 1960, the European Banking Federation is the voice of the European banking sector from the European Union and European Free Trade Association countries. The EBF represents
More informationPrivacy and Transparency for Consumer Trust and Consumer Centrality
1 1 2 2 Ecommerce Europe is the association representing around 5000+ companies selling products and/or services online to consumers in Europe. Ecommerce Europe is a major stakeholder in policy issues
More informationAlixPartners, LLP. General Data Protection Statement
AlixPartners, LLP General Data Protection Statement GENERAL DATA PROTECTION STATEMENT 1. INTRODUCTION 1.1 AlixPartners, LLP ( AlixPartners ) is committed to fulfilling its obligations under the data protection
More information235.1. Federal Act on Data Protection (FADP) Aim, Scope and Definitions
English is not an official language of the Swiss Confederation. This translation is provided for information purposes only and has no legal force. Federal Act on Data Protection (FADP) 235.1 of 19 June
More informationThe European General Data Protection Regulation. A guide for the insurance industry
The European General Data Protection Regulation A guide for the insurance industry IMPORTANT NOTE: This guide is based on the politically agreed compromise text agreed by the European Commission, EU Parliament
More informationA Guide to the Financial Services Regulations
A Guide to the Financial Services Regulations Contents Chapter 1 2 Introduction to the Financial Services Regulations Legislative Background Chapter 2 3 Overview of FSR Regulated Activities Authorisation
More informationLEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT
LEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT 2300 Pursuant to its authority from Article 59 of the Rules of Procedure of the Croatian Parliament, the Legislation Committee determined the revised text
More informationCESR Consultation Paper on UCITS Management Company Passport
News Bulletin October 24, 2008 CESR Consultation Paper on UCITS Management Company Passport Background On 30 th September 2008, the Committee of European Securities Regulators ( CESR ) issued a consultation
More informationCorporate Governance Developments in Greece
Corporate Governance Developments in Greece, Managing Partner, Tsibanoulis & Partners 1. Background The following presentation examines the Corporate Governance rules for listed companies according to
More informationAmCham EU position on the General Data Protection Regulation
AmCham EU position on the General Data Protection Regulation 11 July 2012 American Chamber of Commerce to the European Union Avenue des Arts/Kunstlaan 53, 1000 Brussels, Belgium Telephone 32-2-513 68 92
More information16140/14 GS/tt 1 DG D 2C
Council of the European Union Brussels, 1 December 2014 (OR. en) Interinstitutional File: 2012/0011 (COD) 16140/14 DATAPROTECT 181 JAI 961 MI 950 DRS 163 DAPIX 183 FREMP 220 COMIX 645 CODEC 2375 NOTE From:
More information9565/15 CHS/VH/np 1 DGD2C
Council of the European Union Brussels, 11 June 2015 (OR. en) Interinstitutional File: 2012/0011 (COD) 9565/15 NOTE From: To: Presidency Council No. prev. doc.: 9398/15 Subject: DATAPROTECT 97 JAI 420
More informationT H E G O V E R N M E N T
[Symbol of the State of Israel] RESHUMOT (Official Gazette) BILLS T H E G O V E R N M E N T Shvat 7, 5768 356 January 14, 2008 Page Electronic Commerce Bill, 5768 2008..................................
More informationPrivacy and Electronic Communications Regulations
ICO lo Notification of PECR security breaches Privacy and Electronic Communications Regulations Contents Introduction... 2 Overview... 2 Relevant security breaches... 3 What is a service provider?... 3
More information005ASubmission to the Serious Data Breach Notification Consultation
005ASubmission to the Serious Data Breach Notification Consultation (Consultation closes 4 March 2016 please send electronic submissions to privacy.consultation@ag.gov.au) Your details Name/organisation
More informationSUBSIDIARY LEGISLATION 426.02 ELECTRONIC COMMERCE (GENERAL) REGULATIONS
ELECTRONIC COMMERCE (GENERAL) [S.L.426.02 1 SUBSIDIARY LEGISLATION 426.02 ELECTRONIC COMMERCE (GENERAL) REGULATIONS 24th October, 2006 LEGAL NOTICE 251 of 2006, as amended by Legal Notices 426 of 2007
More informationHow To Protect Your Data In European Law
Corporate Data Protection Code of Conduct for the Protection of the Individual s Right to Privacy in the Handling of Personal Data within the Deutsche Telekom Group 2010 / 04 We make ICT strategies work
More informationData protection at the cost of economic growth?
Data protection at the cost of economic growth? Elina Pyykkö* ECRI Commentary No. 11/November 2012 The Data Protection Regulation proposed by the European Commission contains important elements to facilitate
More informationCOMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS
EUROPEAN COMMISSION Brussels, XXX [ ](2011) XXX draft COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS
More informationCouncil of the European Union Brussels, 15 January 2015 (OR. en) NOTE German delegation Working Party on Information Exchange and Data Protection
Council of the European Union Brussels, 15 January 2015 (OR. en) Interinstitutional File: 2012/0011 (COD) 14705/1/14 REV 1 LIMITE DATAPROTECT 146 JAI 802 MI 805 DRS 135 DAPIX 150 FREMP 178 COMIX 568 CODEC
More informationCOMPLIANCE FRAMEWORK AND REPORTING GUIDELINES
COMPLIANCE FRAMEWORK AND REPORTING GUIDELINES DRAFT FOR CONSULTATION June 2015 38 Cavenagh Street DARWIN NT 0800 Postal Address GPO Box 915 DARWIN NT 0801 Email: utilities.commission@nt.gov.au Website:
More informationapest Practices and Advantages of Using a Novel Proposal
TEXTUAL PROPOSAL POSSIBLE PROVISIONS ON STATE ENTERPRISES AND ENTERPRISES GRANTED SPECIAL OR EXCLUSIVE RIGHTS OR PRIVILEGES In line with the proposed content developed in the Initial Position Paper proposed
More informationTechnical non-paper on open Internet provisions and related end-user rights (3/6/2015)
Technical non-paper on open Internet provisions and related end-user rights (3/6/2015) This non-paper has been prepared as technical assistance upon the co-legislators' request on 2/6 and shall not be
More information