Data protection issues on an EU outsourcing
Saam Golshani, Alastair Gorrie and Diego Rigatti, Orrick Herrington & Sutcliffe

Outsourcing can mean subcontracting a process to a third-party company in the interest of lowering firm costs, focusing on the core competencies of a particular business, or making more efficient use of labour, capital, technology and resources. It can involve the transfer of the management and day-to-day operation of an entire business function to an external service provider, with the resulting need for a large data exchange.

Flows of personal data are necessary to the expansion of international trade. In the EU, the economic and social integration that has taken place as a result of the establishment of the internal market has led to an increase in cross-border flows of personal data between those involved in a private, or public, capacity in economic and social activity in the member states. Directive 95/46/EC on data protection (Directive) aims to protect the rights and freedoms of individuals in the processing of their personal data, while ensuring the free movement of such data between member states.

The transfer of personal data beyond the EU (third countries) is also on the rise (see box, Outsourcing trends). The Directive allows such transfers to third countries that ensure an adequate level of data protection. Transfers to countries not considered to provide an adequate level of protection are allowed as long as the inadequacies are contractually remedied.

Against this background, this chapter examines:
- The role of the data controller and data processor in the processing of data in the EU.
- Some general pre-contractual issues to be considered when negotiating an outsourcing services agreement in the EU.
- The contract drafting and implementation issues that need to be addressed to ensure that an agreement complies with EC data protection and privacy (DP&P) law.
- National law governing the transfer of personal data in three EU member states (France, Italy and the UK) as well as specific contractual considerations that arise in these jurisdictions.

The data controller and data processor

On a data processing, the data controller determines the purpose and manner in which any personal data is to be processed, while the data processor processes the personal data on behalf of the data controller. On an outsourcing, the customer is and remains the data controller while the supplier takes the role of the data processor.

Applicable EC law provides that the data controller is responsible for the acts and omissions of the data processor, and so it is advisable that the data controller instructs and selects its data processor only after a thorough assessment of the candidates. This is important even if the parties have agreed by contract to allocate their responsibilities so that, for example, all liabilities are transferred to the supplier. While such clauses can be effective between contracting parties, they are not in relation to the data subject, who remains a third party with respect to the contractual relationship.

There are three different legal relationships that arise regarding the treatment of personal data in a contract for outsourcing services:
- Contractual (and/or in tort, depending on the jurisdiction), between the data subject and the data controller.
- Contractual, between the data controller and the data processor.
- In tort, between the data subject and the data processor.

In any case, the data controller remains liable for the non-compliance of the data processor with applicable law, because the latter acts on behalf of the former.
While the agreement between the supplier and the customer cannot affect their responsibilities to the data subject, for clarity, a proper allocation of duties among the parties is important. For example, it may be useful to set out which party must prepare the privacy information letter to the data subject in compliance with DP&P law (information letter), or which party must acquire the data subject's consent to the processing. This will help to determine which party bears any penalties imposed in the case of breach of the law.

A thorough risk assessment of DP&P issues at the pre-contractual stage will help the parties to allocate their rights and duties appropriately.

Once a contract is in place, the parties should periodically review their arrangement, to:
- Assess the level of compliance with DP&P law.
- Identify appropriate action to remedy any non-compliance.
- Amend the outsourcing agreement accordingly whenever appropriate (note that this must be in writing, as by law a written agreement is required to appoint a data processor).

CROSS-BORDER HANDBOOKS
This chapter was first published in the Outsourcing Handbook 2007/08 and is reproduced with the permission of the publisher, Practical Law Company.
Pre-contractual negotiations

During the pre-contractual phase, the customer should assess the DP&P risks involved in the proposed outsourcing and determine whether the potential supplier could adequately manage these risks. The risk assessment should take into account:
- The kind of data to be processed.
- The method and frequency of the transfer.
- Whether electronic or automated means of processing will be used.
- Whether the supplier will be assigned the responsibility of serving the information letter on the data subject.

Based on the above risk assessment, the customer should make a first selection of potential suppliers, create a shortlist and, eventually, start negotiations with the best candidates. During the negotiations the customer should carry out (even if informally) a due diligence exercise on the above issues. This should be completed before the drafting of the contract so that appropriate contractual terms can be drafted to suit the circumstances.

The potential suppliers should ensure that they can guarantee adequate policies and procedures to process data. Those policies and procedures must be stricter when the data to be transferred and/or shared is more sensitive or its transfer is frequent or material.

Box: Outsourcing trends

Outsourcing continues to increase rapidly: the trend from 2003 to 2008 shows an increase by 40% in value. The most interesting growth is occurring in the information technology sector (IT operations, databases, services and infrastructure, e-business processing, call centres and related business processes). Faster electronic communication capabilities mean significant flows of financial and personal data (for example, name, address, dependents and age) including sensitive personal data (such as health insurance data and lifestyle data relating to investment requirements).

Outsourcing services offered by foreign companies continue to expand, particularly by companies resident in non-EU jurisdictions.
Some of these jurisdictions meet the EC adequacy requirements (for example, Argentina, Canada and Guernsey), while others, which are probably the most interesting from an outsourcing perspective, are not currently considered to have adequate legislative frameworks (for instance, Australia and India). Some of the latter, including Australia and India, have announced their intention to move towards the standards set by the data protection and privacy-related EC directives, to attract customers.

Another interesting trend is the globalisation of back office support services including administrative, accounting and financial services. This involves multiple centres spread across different continents and time zones where they have offices, subsidiary companies and third party processing arrangements, and resulting significant personal data flows.

Ensuring compliance with the law: contract drafting and implementation issues

When drafting an outsourcing services agreement it is important to bear in mind the following duties:
- Duty of confidentiality of processing. Under the Directive, a data processor must not process data except on instructions from the data controller, unless he is required to do so by law.
- Duty of security of processing. The data controller must protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access (in particular, where the processing involves the transmission of data over a network) and against all other forms of processing that are unlawful or inconsistent with the purposes for which the data has been collected.

To ensure compliance with these duties, the parties to an outsourcing agreement should:
- Accurately measure the risks involved in data processing.
- Specify the scope and purpose of the service to be provided in the agreement.
- Adopt and implement adequate DP&P policies setting out measures and procedures for processing.
DP&P policies help set the parameters of the data processor's duties, as well as the risks involved and the relative compliance costs to be borne. The policies adopted must ensure a level of security appropriate to the risks presented by both the processing and the nature of the data to be protected (for example, personal or sensitive data). Technical and organisational measures must remain fully effective during the life of the outsourcing agreement.

Once the agreement is underway, the customer should periodically inspect the supplier's facilities where data is processed. The issues that the customer should consider when undertaking such an inspection include whether:
- The data is being processed legally.
- The procedures to ensure safekeeping of records are being followed.
- The procedures to keep certain records in restricted-access filing systems are being followed.
- Minimum security measures are being met.

Generally, the greater access the customer has to inspect, monitor and control the supplier's DP&P policies, the better able it is to assess its own compliance with the law as a data controller. (See also box, Outsourcing services agreements: contractual clauses.)
Box: Outsourcing services agreements: contractual clauses

To ensure compliance with data processing duties, an outsourcing services agreement in the EU typically includes provisions regarding:
- The designation of the supplier as data processor. Usually the instructions to the data processor are detailed in writing, and set out the purpose and means of processing.
- Indemnity. The supplier should indemnify the customer for any loss, damage or claim arising as a result of the supplier's failure to meet its data processing obligations. Examples of such failure by the supplier may be:
  - non-compliance with the instructions of the customer;
  - processing the data for a purpose other than the one for which it has been instructed; or
  - contrary to the data subject's consent, communicating the data to third parties.
- The level and/or skills of the personnel involved in data processing. The customer can require that the personnel who will be undertaking the data processing have specific skills.
- A mechanism to veto substitution of personnel. If an agreement states that a specific person (or personnel) is to be data processor, the agreement should provide the customer a right to veto the substitution of that person (or personnel).
- The supplier's duty to disclose its data protection and privacy (DP&P) policies. This helps the customer ensure that the supplier is complying with the requirements of the applicable law for the type of processing that is taking place.
- Right of access to the supplier's premises. This right of access is useful as it helps the customer determine the extent to which the supplier's DP&P policies have been implemented.
- Termination. It is advisable to provide for the termination of the agreement and/or insert a penalty clause for breach of DP&P duties, to deter any unlawful conduct.
- Additional measures. It is advisable to insert some provisions that can have a positive effect on day-to-day operations.
For instance, it may be useful to stipulate in the contract that the customer's databases at the supplier's premises be segregated. This may, for instance, make inspections by the customer easier to perform and allow quicker and better responses to enquiries by data subjects.
- Obligation of the supplier to co-operate with the customer in any claims against it. The customer, as data controller, always remains liable for any breach of the DP&P law by the supplier as data processor. This clause should stipulate that the supplier will inform the customer of any breach of the law, and co-operate with the customer's defence.

The outsourcing services agreement should be able to be amended easily to account for any changes to DP&P law that may require modification of the supplier's instructions and policies or the kind of data that is to be processed.

Other additional measures may be required, depending on the type of processing to be performed and the specific needs of the parties.

National law issues: France

Parties to an outsourcing contract must comply with the provisions of Act no of 6 August 2004, amending Act no of 6 January 1978 on Data Processing, Data Files and Individual Liberties, which implements the Directive.

The customer always remains the data controller as it created the file containing the personal data, uses it and decides on its content and end purpose. Before any outsourcing, the customer must notify the French Data Protection Authority (Commission nationale informatique et libertés) (CNIL) that data processing is to be carried out by an external service provider. If the outsourcing is organised after the creation of the data file, the customer must notify the CNIL before any outsourcing of that file (it is advisable to include this obligation to notify as a contractual clause).

The customer must ensure that the supplier is aware of the fact that it is processing legally protected data on behalf of the data controller.
Under French law, the outsourcing contract must contain a number of fundamental clauses:
- The supplier must undertake to comply with the law regarding data protection, particularly regarding security of processing and the purpose of the data usage.
- The supplier must undertake to ensure the confidentiality of the file entrusted to it. Note that failure to comply with the provisions of data protection law relating to the security and/or confidentiality of personal data may involve the criminal liability of the customer as well as of the supplier. As a result, it is advisable to include the following clause in the agreement: the supplier undertakes to apply, and cause to be applied, professional secrecy relating to the data, in particular nominative data, that the customer, itself bound by professional secrecy, may communicate to it for the purpose of its assignment.
- The contract must stipulate the main conditions under which the services will be provided, in particular the price for each service, time limits, guarantees and responsibilities.
- If the supplier provides services that could give rise to copyright or data producer rights over the database or software used for the processing of the files or data, an assignment clause should be drafted if the customer wants to continue to use that software or database, either itself or with another service provider.

French law does not prevent transfers of personal data to third countries.
An outsourcing agreement with a supplier in a third country that ensures an adequate level of protection is not subject to the CNIL's prior authorisation. The customer must only notify the CNIL of its intentions to outsource before this occurs (see above).

If the outsourcing agreement is to be concluded with a supplier in a third country that does not ensure an adequate level of protection, the customer can only transfer the personal data if one of the following conditions is fulfilled:
- The data subject has expressly consented to the transfer.
- The transfer is necessary to comply with the law (Article 68, Act no of 6 January 1978).
- The CNIL grants prior authorisation. The CNIL grants prior authorisation if the processing will sufficiently protect individuals' privacy, liberties and fundamental rights. The CNIL usually determines this level of protection by assessing the contractual clauses. Note that the European Commission has developed model contractual clauses on the protection of data subjects. It is advisable to include one of these clauses in the contract.

National law issues: Italy

The Directive was first implemented in Italy in 1996, by Act 675/96. The law was reformed in 2003, when the Data Protection Code (Codice in materia di protezione dei dati personali) came into force, which also implemented Directive 2002/58/EC on the protection of privacy in the electronic communications sector.

There is no regulation that specifically covers data protection in the context of outsourcing, although the Italian privacy authority (Garante per la Privacy) has issued recommendations for suppliers working on telecommunications networks, that is, outbound and inbound call centres.

On 30 May 2007, the privacy authority issued a recommendation to call centres active in marketing campaigns and operations, that is, outbound call centres. The recommendation reminded call centres to:
- Stop using data collected for purposes beyond the scope of that which the data subject has consented to.
- Send data subjects information letters, as required by law.
- Obtain data subjects' consent for the use of their details for marketing purposes and to clean old databases still in use.
- Stop using data where such consent is absent, or has been revoked.
- Periodically check their compliance, as data processors, with the DP&P rules.

The terms and conditions of the outsourcing agreement must ensure that the above duties are fulfilled.

On 15 November 2007, the privacy authority turned its attention to inbound call centres, in particular those providing customer care, support and after sale assistance. It issued a recommendation emphasising the importance of compliance with the rules of the Data Protection Code, and explaining in more detail and in practical terms how to better implement its principles. This followed other recommendations, guidelines and instructions directed at different industries (for example, banks, private and public employers, small- and medium-sized enterprises, recruitment companies and head hunters).

When personal data is to be transferred to third countries, rules similar to those in France apply (see above, National law issues: France). They set out the instances when personal data can be transferred; the following are of most relevance to outsourcing:
- If the data subject has given his express consent (where the transfer concerns sensitive written data).
- If the transfer is necessary for the performance of obligations resulting from a contract to which the data subject is party or for performance of a contract concluded in the data subject's interest.
- If the processing concerns data relating to legal persons, bodies or associations.
- If the jurisdiction to which the data is to be transferred has been deemed to guarantee an adequate level of protection.
- If the parties have inserted the European Commission's model privacy clauses in the contract on the protection of data subjects (see above, National law issues: France).
- In the case of a transfer to a US company, if such a company complies with the safe harbour requirements as set by the US Department of Commerce. (These requirements were set after negotiation with the EC privacy authorities.)

National law issues: UK

The Data Protection Act 1998 (DPA) implements the Directive. The UK data protection authority, the Information Commissioner's Office, has issued good practice guidance on outsourcing and data protection.

Where the data controller outsources the processing of personal information to a third party, it remains responsible for that processing and is ultimately liable for any breaches of the DPA by the data processor. The data controller must put in place appropriate technical and organisational measures to ensure protection of the personal information it processes, regardless of whether it is processing such information itself or arranging for a third party to do so. The data controller should consider the:
- Sort of information it possesses.
- Potential for harm that may result from its misuse.
- Technology available to process the information.
- Associated costs of ensuring an appropriate level of security.
To appoint a data processor, the data controller must first enter into a written contract with the third party that is to be responsible for the processing of the information. To fulfil the requirements of the DPA, the contract must:
- Ensure that the data processor only uses and discloses the personal information in line with the data controller's instructions.
- Require the data processor to take appropriate security measures to protect that information.

Where the processing of personal information is to be transferred to a third party based outside the European Economic Area, the DPA requires that there be an adequate level of protection in place. This can be ensured by following the good practice recommendations, which are:
- Select a reputable organisation offering suitable guarantees about its ability to ensure the security of personal data.
- Make sure the contract with the data processor is enforceable.
- Make sure the data processor has appropriate security measures in place.
- Make sure that the data processor appropriately checks on its staff.
- Audit the data processor regularly to ensure it is fulfilling its commitments.
- Require the data processor to report security breaches or other problems.
- Have procedures in place to deal with security breaches.

The parties can also use the model contract clauses approved by the European Commission for transfers to third party organisations acting on the data controller's behalf.
More informationCloud Computing. Introduction
Cloud Computing Introduction This information leaflet aims to advise organisations which are considering engaging cloud computing on the factors they should consider. It explains the relationship between
More informationAlign Technology. Data Protection Binding Corporate Rules Processor Policy. 2014 Align Technology, Inc. All rights reserved.
Align Technology Data Protection Binding Corporate Rules Processor Policy Confidential Contents INTRODUCTION TO THIS POLICY 3 PART I: BACKGROUND AND ACTIONS 4 PART II: PROCESSOR OBLIGATIONS 6 PART III:
More informationList of the general good provisions applicable to insurance and reinsurance intermediaries FEBRUARY 2011
List of the general good provisions applicable to insurance and reinsurance intermediaries FEBRUARY 2011 The general good provisions have been listed in compliance with the conditions envisaged by the
More informationPrivacy and Electronic Communications Regulations
ICO lo Notification of PECR security breaches Privacy and Electronic Communications Regulations Contents Introduction... 2 Overview... 2 Relevant security breaches... 3 What is a service provider?... 3
More informationData Protection Policy
Data Protection Policy CONTENTS Introduction...2 1. Statement of Intent...2 2. Fair Processing or Privacy Statement...3 3. Data Uses and Processes...4 4. Data Quality and Integrity...4 5. Technical and
More informationData Protection in Ireland
Data Protection in Ireland 0 Contents Data Protection in Ireland Introduction Page 2 Appointment of a Data Processor Page 2 Security Measures (onus on a data controller) Page 3 8 Principles Page 3 Fair
More informationsingapore american school
Background The Singapore Personal Data Protection Act - 2012 (PDPA) establishes a data protection law that comprises various rules governing the collection, use, disclosure, and care of personal data.
More informationGuidance on Personal Data Protection in Cross-border Data Transfer 1
Guidance on Personal Data Protection in Cross-border Data Transfer PART 1: INTRODUCTION Section 33 of the Personal Data (Privacy) Ordinance (the Ordinance ) prohibits the transfer of personal data to places
More informationPRIVACY POLICY Personal information and sensitive information Information we request from you
PRIVACY POLICY Business Chicks Pty Ltd A.C.N. 121 566 934 (we, us, our, or Business Chicks) recognises and values the protection of your privacy. We also understand that you want clarity about how we manage
More informationPRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES
PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES TECHNICAL COMMITTEE OF THE INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS FEBRUARY 2005 Preamble The IOSCO Technical Committee
More informationAlixPartners, LLP. General Data Protection Statement
AlixPartners, LLP General Data Protection Statement GENERAL DATA PROTECTION STATEMENT 1. INTRODUCTION 1.1 AlixPartners, LLP ( AlixPartners ) is committed to fulfilling its obligations under the data protection
More informationApplication to access Chesters Trade
Application to access Chesters Trade Please fill in all details below: Account Number Company Name Company Phone Number Fax Number Contact Name Mobile Number Email Address Please review the Terms of Use
More informationEU Data Protection Reforms Challenges for Business
www.pwc.com Contents EU Data Protection Reforms Challenges for Business July 2014 1. Introduction 2. The need for change 3. Changes and challenges 4. Recommendations 5. Conclusion 6. For a deeper conversation
More informationBriefly summarised, SURFmarket has submitted the following questions to the Dutch DPA:
UNOFFICIAL TRANSLATION Written opinion on the application of the Wet bescherming persoonsgegevens [Dutch Data Protection Act] in the case of a contract for cloud computing services from an American provider
More informationECSA EuroCloud Star Audit Data Privacy Audit Guide
ECSA EuroCloud Star Audit Data Privacy Audit Guide Page 1 of 15 Table of contents Introduction... 3 ECSA Data Privacy Rules... 4 Governing Law... 6 Sub processing... 6 A. TOMs: Cloud Service... 7 TOMs:
More informationTERMS & CONDITIONS of SERVICE for MSKnote. Refers to MSKnote Limited. Refers to you or your organisation
TERMS & CONDITIONS of SERVICE for MSKnote Definitions: "Us or Our or We or Company" You or Your or Client Refers to MSKnote Limited Refers to you or your organisation Information about us: We are MSKnote
More informationQUEENSLAND COUNTRY HEALTH FUND. privacy policy. Queensland Country Health Fund Ltd ABN 18 085 048 237. better health cover shouldn t hurt
QUEENSLAND COUNTRY HEALTH FUND privacy policy Queensland Country Health Fund Ltd ABN 18 085 048 237 better health cover shouldn t hurt 1 2 contents 1. Introduction 4 2. National Privacy Principles 5 3.
More information(Short Form) Terms and Conditions. Version 1.2 dated 17 February 2015. Please note:
(Short Form) Terms and Conditions Version 1.2 dated 17 February 2015 Please note: The Agreement comprises two parts: Particulars Terms and Conditions (Short Form) Terms and Conditions Page 2 of 7 Terms
More informationVET (WA) Ministerial Corporation Purchase of Training Services Process Terms and Conditions
VET (WA) Ministerial Corporation Purchase of Training Services Process Terms and Conditions NOVEMBER 2013 EDITION TABLE OF CONTENTS 2. RESPONDENT S PARTICIPATION IN THE PROCUREMENT PROCESS 7 3. GENERAL...
More informationAn overview of UK data protection law
An overview of UK data protection law Our team Vinod Bange Partner +44 (0)20 7300 4600 v.bange@taylorwessing.com Graham Hann Partner +44 (0)20 7300 4839 g.hann@taylorwessing.com Chris Jeffery Partner +44
More informationCompliance Management Systems
Certification Scheme Y03 Compliance Management Systems ISO 19600 ONR 192050 Issue V2.1:2015-01-08 Austrian Standards plus GmbH Dr. Peter Jonas Heinestraße 38 A-1020 Vienna, Austria E-Mail: p.jonas@austrian-standards.at
More informationPersonal Information Protection Act. Information Sheet 12: 1. Service Providers Outside Canada: Notification, Policies and Practices
: Notification, Policies and Practices Personal Information Protection Act Information Sheet 12 Introduction Organizations in Alberta operate in an increasingly global business environment. Large and small
More informationService Schedule for Business Email Lite powered by Microsoft Office 365
Service Schedule for Business Email Lite powered by Microsoft Office 365 1. SERVICE DESCRIPTION Service Overview 1.1 The Service is a hosted messaging service that delivers the capabilities of Microsoft
More informationThis Amendment consists of two parts. This is part 1 of 2 and must be accompanied by and signed with part 2 of 2 (Annex 1) to be valid.
Microsoft Online Subscription Agreement Amendment adding Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Proposal ID MOSA number Microsoft to complete This Amendment
More informationService Schedule for BT Business Lite Web Hosting and Business Email Lite powered by Microsoft Office 365
1. SERVICE DESCRIPTION 1.1 The Service enables the Customer to: set up a web site(s); create a sub-domain name associated with the web site; create email addresses. 1.2 The email element of the Service
More informationCloud Computing in a Government Context
Cloud Computing in a Government Context Introduction There has been a lot of hype around cloud computing to the point where, according to Gartner, 1 it has become 'deafening'. However, it is important
More informationModule 12 Managed Services TABLE OF CONTENTS. Use Guidelines
1 Module 12 Managed Services Version 3.0 TABLE OF CONTENTS 1. AGREED TERMS AND INTERPRETATION... 2 2. TERM OF... 4 3. TRANSITION IN... 4 4. SERVICES... 10 5. SERVICE LEVELS... 12 6. CHANGE CONTROL... 13
More informationINTERNATIONAL SOS. Data Protection Policy. Version 1.05
INTERNATIONAL SOS Data Protection Policy Document Owner: LCIS Division Document Manager: Group General Counsel Effective: December 2008 Revised: 2015 All copyright in these materials are reserved to AEA
More informationwww.corrs.com.au OFFSHORING Data the new privacy laws
www.corrs.com.au OFFSHORING Data the new privacy laws OFFSHORING DATA THE NEW PRIVACY LAWS Transfer of data by Australian organisations to other jurisdictions is increasingly common. This is a result of
More informationAlign Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved.
Align Technology Data Protection Binding Corporate Rules Controller Policy Contents INTRODUCTION 3 PART I: BACKGROUND AND ACTIONS 4 PART II: CONTROLLER OBLIGATIONS 6 PART III: APPENDICES 13 2 P a g e INTRODUCTION
More informationInformation Sheet: Cloud Computing
info sheet 03.11 Information Sheet: Cloud Computing Info Sheet 03.11 May 2011 This Information Sheet gives a brief overview of how the Information Privacy Act 2000 (Vic) applies to cloud computing technologies.
More information07/2013. Specific Terms and Conditions Mobile Device Management
07/2013 Specific Terms and Conditions Mobile Device Management GENERAL PROVISIONS 1. Offer and Agreement 1.1 The present contractual terms and conditions (hereinafter referred to as Terms and Conditions
More informationData Processing Agreement for Oracle Cloud Services
Data Processing Agreement for Oracle Cloud Services Version December 1, 2013 1. Scope and order of precedence This is an agreement concerning the Processing of Personal Data as part of Oracle s Cloud Services
More informationManaging Outsourcing Arrangements
Guidance Note GGN 221.1 Managing Outsourcing Arrangements 1. This Guidance Note provides further detail on the requirements for managing material outsourcing arrangements (refer Prudential Standard GPS
More informationCommission on E-Business, IT and Telecoms Task Force on Privacy and the Protection of Personal Data
International Chamber of Commerce The world business organization Department of Policy and Business Practices Commission on E-Business, IT and Telecoms Task Force on Privacy and the Protection of Personal
More informationAnnex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015
Annex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015 The following comprises a checklist of areas that genomic research organizations or consortia (collectively referred
More informationHeslop & Platt Solicitors Limited
TERMS OF BUSINESS Heslop & Platt Solicitors Limited 1. Introduction and Definitions 1.1 In these terms of business, the following words and phrases have the following meanings: Initial Client Letter Client
More informationLandmark House. Experian Way. NG2 Business Park. Nottingham NG80 1ZZ
EXPERIAN LIMITED: AGREEMENT FOR PURCHASE OF AGENCY SERVICES (FOR MANAGING AGENTS AND CONSULTANCY FIRMS) This Agreement is made between: - Full company name Registered Office (or, if applicable, principal
More informationAccording to section 53 of the Insurance Act the insurance intermediary is only empowered with respect to the transaction in which it takes part to:
Argentina MANZANO, LÓPEZ SAAVEDRA & RAMIREZ CALVO Martin Manzano and Ignacio Shaw mmanzano@mlsrc.com.ar; ishaw@mlsrc.com.ar 1. Insurance intermediation activities 1.1 Is the distribution of insurance products
More informationSouth East Asia: Data Protection Update
Data Privacy and Security Team To: Our Clients and Friends September 2013 South East Asia: Data Protection Update Europe has had data protection laws in place for over a decade. Such laws regulate how
More informationACT on Payment Services 1 ) 2 ) of 19 August 2011. Part 1 General Provisions
ACT on Payment Services 1 ) 2 ) of 19 August 2011 Part 1 General Provisions Article 1. This Act sets out rules for the provision of payment services, including: 1) the conditions for provision of payment
More informationOutsourcing Risk Guidance Note for Banks
Outsourcing Risk Guidance Note for Banks Part 1: Definitions Guideline 1 For the purposes of these guidelines, the following is meant by: a) outsourcing: an authorised entity s use of a third party (the
More informationArticle 1: Subject. Article 2: Orders - Order Confirmation
GENERAL CONDITIONS OF PURCHASE Article 1: Subject 1.1 The following general conditions of purchase (the "General Conditions") establish the contractual conditions governing the purchase of raw materials,
More informationBP NEW ZEALAND PURCHASE ORDER GENERAL TERMS
BP NEW ZEALAND PURCHASE ORDER GENERAL TERMS 1. DEFINITIONS AND INTERPRETATION 1.1 In these General Terms, the following terms shall have the following meaning: BP Affiliate shall mean the BP entity stated
More informationon the transfer of personal data from the European Union
on the transfer of personal data from the European Union BCRsseptembre 2008.doc 1 TABLE OF CONTENTS I. PRELIMINARY REMARKS 3 II. DEFINITIONS 3 III. DELEGATED DATA PROTECTION MANAGER 4 IV. MICHELIN GROUP
More informationPMA MODELS PTY LTD CONTRACTOR OFFER LETTER
PMA MODELS PTY LTD CONTRACTOR OFFER LETTER We are pleased to engage you ( the Contractor ) to provide services to PMA Models Pty Ltd A.C.N. 137 597 829 ( the Company ) on the terms set out in this agreement.
More informationGENERAL TERMS AND CONDITIONS FOR THE SUPPLY OF GOODS AND SERVICES
GENERAL TERMS AND CONDITIONS FOR THE SUPPLY OF GOODS AND SERVICES 1 Interpretation 1.1 Definitions. In these Conditions, the following definitions apply: Business Day means a day (other than a Saturday,
More informationElectronic business conditions of use
Electronic business conditions of use This document provides Water Corporation s Electronic Business Conditions of Use. These are to be applied to all applications, which are developed for external users
More informationGARANTE PER LA PROTEZIONE DEI DATI PERSONALI WHEREAS
[doc. web n. 1589969] Spamming: How to Lawfully Email Advertising Messages GARANTE PER LA PROTEZIONE DEI DATI PERSONALI Prof. Stefano Rodotà, President, Prof. Giuseppe Santaniello, Vice-President, Prof.
More informationREQUEST FOR QUOTE. RFQ Reference Number: RFQ <<INSERT e.g SWR 03-11/12>> <<Enter Course Name>>
REQUEST FOR QUOTE RFQ Reference Number: RFQ Date of Issue: Name of Business Unit: Address: Contact Person: Telephone: Email:
More informationNOTE: SERVICE AGREEMENTS WILL BE DRAFTED BY RISK SERVICES SERVICE AGREEMENT
NOTE: SERVICE AGREEMENTS WILL BE DRAFTED BY RISK SERVICES SERVICE AGREEMENT Between: And: XXXXXX (the Contractor") Langara College 100 West 49 th Avenue Vancouver, BC V5Y 2Z6 (the College") The College
More informationGUIDELINE ON THE APPLICATION OF THE OUTSOURCING REQUIREMENTS UNDER THE FSA RULES IMPLEMENTING MIFID AND THE CRD IN THE UK
GUIDELINE ON THE APPLICATION OF THE OUTSOURCING REQUIREMENTS UNDER THE FSA RULES IMPLEMENTING MIFID AND THE CRD IN THE UK This Guideline does not purport to be a definitive guide, but is instead a non-exhaustive
More informationFIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS
FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS As a world leader in electronic commerce and payment services, First Data Corporation and its subsidiaries ( First Data entity or entities ),
More informationData Protection Avoiding Information Commissioner Fines. Caroline Egan 5 June 2014
Data Protection Avoiding Information Commissioner Fines Caroline Egan 5 June 2014 Why is data protection a hot topic in pensions? Pension schemes hold large amounts of personal data Individuals more aware
More informationNew EU Data Protection legislation comes into force today. What does this mean for your business?
24 th May 2016 New EU Data Protection legislation comes into force today. What does this mean for your business? After years of discussion and proposals, the General Data Protection Regulation ( GDPR )
More informationTHE TRANSFER OF PERSONAL DATA ABROAD
THE TRANSFER OF PERSONAL DATA ABROAD MARCH 2014 THIS NOTE CONSIDERS THE SITUATION OF AN IRISH ORGANISATION OR BUSINESS SEEKING TO TRANSFER PERSONAL DATA ABROAD FOR STORAGE OR PROCESSING, IN LIGHT OF THE
More informationINFORMATION SECURITY POLICY. Contents. Introduction 2. Policy Statement 3. Information Security at RCA 5. Annexes
INFORMATION SECURITY POLICY Ratified by RCA Senate, February 2007 Contents Introduction 2 Policy Statement 3 Information Security at RCA 5 Annexes A. Applicable legislation and interpretation 8 B. Most
More informationCorporate ICT & Data Management. Data Protection Policy
90 Corporate ICT & Data Management Data Protection Policy Classification: Unclassified Date Created: January 2012 Date Reviewed January Version: 2.0 Author: Owner: Data Protection Policy V2 1 Version Control
More informationPrivacy Policy Draft
Introduction Privacy Policy Draft Please note this is a draft policy pending final approval Alzheimer s Australia values your privacy and takes reasonable steps to protect your personal information (that
More informationTerms and Conditions of Offer and Contract (Works & Services) Conditions of Offer
Conditions of Offer A1 The offer documents comprise the offer form, letter of invitation to offer (if any), these Conditions of Offer and Conditions of Contract (Works & Services), the Working with Queensland
More informationOVERVIEW. stakeholder engagement mechanisms and WP29 consultation mechanisms respectively.
Joint work between experts from the Article 29 Working Party and from APEC Economies, on a referential for requirements for Binding Corporate Rules submitted to national Data Protection Authorities in
More information