EU Data Protection Compliance Trends - What US Companies Need to Know. 30 January 2013
- Pauline Parrish
1 EU Data Protection Compliance Trends - What US Companies Need to Know 30 January 2013
2 Session Contents
- Why European data protection rules matter and an introduction to the main privacy rules
- Transferring data outside of Europe: the Compliance Options
- Outsourcing
- A brief UK perspective on privacy compliance
- A French perspective on privacy compliance
- A German perspective on privacy compliance
- Concluding remarks
3 Your Speakers Today
- Ann La France, London, UK
- Caroline Egan, Birmingham, UK
- Stephanie Faber, Paris, France
- Andreas Fillmann, Frankfurt, Germany
4 INTRODUCTORY OVERVIEW
5 Why Does EU Data Protection Law Matter
Why European DP law matters to US companies
- Applies to European subsidiaries in their domestic processing of personal data (even when the US parent is Safe Harbor certified)
- Applies when they transfer/allow access to personal data from the US or outside the EEA
- Our focus is on transfers of data outside Europe
- Though based on an EU Directive, there are differences in implementation in individual countries
- Applies to all types of personal data
  - Employee
  - Customer
  - Supplier
6 Why Does EU Data Protection Law Matter
Downsides of non-compliance?
- Fines and regulatory sanctions: substantial and increasing (see table on next slide)
- Reputational damage: "name and shame" policy of regulators
- Employee data: damaged employee relations
- Potential conflicts with US law, e.g. Sarbanes-Oxley and whistleblowing in France
7 Examples of Fines Imposed by EU DPAs

| Country/DPA | Date | Company | Fine imposed | Reason |
|---|---|---|---|---|
| UK (ICO) | Jan 2013 | Sony | 250,000 GBP | Failing to prevent personal data of Playstation users being hacked |
| UK (ICO) | Oct 2012 | The Prudential | 50,000 GBP | Mixing up accounts of two customers |
| UK (ICO) | May 2012 | NHS Trust | 325,000 GBP | Failure to prevent sensitive personal data being sold on internet auction site |
| France (CNIL) | March 2011 | Google | 100,000 EUR | Collection of Wi-Fi and login/ data during its Street View operations |
| France (CNIL) | July 2011 | Association Lexeek | 10,000 EUR and injunction | Published legal cases online containing parties' names |
| Germany (Hamburg DPA) | | Hamburger Sparkasse | 200,000 EUR | Using neuromarketing techniques without customer consent |
| Spain (AEPD) | April 2007 | Zeppelin Television | 1,000,000 EUR | Failure to protect personal data of 7000 applicants for Big Brother |
| Netherlands (OPTA) | Dec 2011 | DollarRevenue | 1,000,000 EUR | Installing adware/spyware software on 22 million computers |
8 Why Does EU Data Protection Law Matter
Existing law tough; new law tougher?
Proposed new European Data Protection Regulation
- Harmonised, stricter rules
- Regulation has direct effect: no scope to alter
- Much higher penalties: up to 2% of global turnover
- Mandatory data breach notification
- Requirement to appoint Data Protection Officer
- Territorial application: applies even with no European presence if the company markets to Europe or monitors European citizens
9 Timescale for Implementation
- A long way from being finalised
- Earliest date for finalising Regulation: 2014
- Implementation: 2018?
10 Overview of EU Data Protection Rules
Key terms
- Personal data
- Data controller
- Data processor
  - especially as these terms are not used in Safe Harbor
- Processing
- Transfer outside EEA, including allowing access
- Sensitive personal data
- EEA: EU plus Norway, Iceland and Liechtenstein
11 Overview of EU Data Protection Rules
Data protection compliance principles
- Must have justification: consent or other permitted purpose
- Notice to individuals about usage of their data (privacy policy)
- Accurate and up to date
- Sufficient and not excessive for purpose
- Destroyed when no longer needed for purpose
- Compliance with individual's rights, e.g. providing information on request
- Kept secure (and higher security required for sensitive data)
- Only transferred outside EEA if adequate protection
12 TRANSFERS OUTSIDE OF THE EEA
13 Compliance Options When Transferring Data Outside the EEA
- Approved country: Switzerland, Argentina, Australia, Canada, Israel, Uruguay
- US Safe Harbor (some sectors excluded)
- EC approved Model Clauses
  - Controller to Controller
  - Controller to Processor
- Binding Corporate Rules: within multi-national groups
NB: EU law treats group companies as separate third parties
14 Safe Harbor Advantages/Disadvantages
Safe Harbor
- Geographical limitations
- Issues with onward transfers
- Some sectors excluded, e.g. financial services, telecoms
- Check exact certification
- Lack of fit for pure processors
- Long term future?
15 EU Model Clauses - Advantages/Disadvantages
EU standard model clauses
- Must be used unamended
- Jurisdictional issues: governing law of exporting country
- Notification/prior approval in many countries
- Service providers becoming more familiar with them
- Sub-contracting: further complications
16 EU Standard Model Clauses
Complexity of contracting: an administrative nightmare!
[Diagram: Non-EU operations / EU operations]
17 Binding Corporate Rules - Advantages/Disadvantages
Binding corporate rules
- Only apply within multi-national groups
- Favoured by many regulators
- Costly and time consuming
- Involves getting approval of regulators in all affected countries, through lead regulator: up to a year
- Useful if a lot of data being transferred/accessed
18 Overview on Compliance Options
- In theory straightforward
- In practice tricky
  - EU requirements not business-friendly
  - getting third parties to agree
  - additional requirements of local regulators/national laws
- The UK position
  - least prescriptive
  - least red tape
  - particular sensitivities
19 OUTSOURCING OVERVIEW OF PRIVACY ISSUES
20 Outsourcing
Nature of outsourcing
- Providing services to other group members
- External providers
- Examples
  - Global HR databases
  - Global hosting
  - Using external marketing companies
  - Cloud computing
    - Data may be transferred to multiple jurisdictions
- Frequently involve sub-contracting
21 Outsourcing
Practical issues
- You appointing a service provider who will access/use data from Europe
- You as service provider to third parties or member of group, either to EU clients or US parent and its European affiliates
- Understanding who is data controller and who is data processor; usually service provider is processor
- Virtually all obligations on data controller
- Considering privacy issues at the outset
- Increasing willingness of processors to address customer compliance issues
22 Practical Issues (continued)
If personal data comes to you first, before you appoint processor/sub-processor
- Compliance for transfer to you
- Compliance for transfer to processor/sub-processor
23 Outsourcing: Appointing a Processor
- Processor Agreement always needed, even if processor is in the EEA or recipient is Safe Harbor certified ("basic processor agreement")
- Due diligence: up front and ongoing
- Mandatory terms of basic processor agreement
  - Only process on data controller's instructions
  - Take appropriate technical and organisational measures to keep data secure, proportionate to amount and sensitivity of data
  - Security: major priority of regulators, especially in UK
    - Encryption in transit and when accessed from mobile devices
    - Possibly always encryption?
- Strongly advisable terms
  - Notify data breaches within 24/48 hours
  - Obligation to take remedial measures if breach
  - Audit rights
- Often involve sub-processing
24 EU Processor Model Clauses 2010
- Not very business friendly
- Don't apply if initial processor is inside EEA
- Audit requirement compulsory
- Must identify in agreement security measures to be taken
- Appointing sub-processors
  - Significant formalities
  - Requires notification to and consent of controller
  - Can give generic consent
    - May be okay within groups
    - Risky if arm's length transaction
25 UK Hot Topics
- Data security
- Encryption
- Data breach reporting
- Not mandatory
- Aggravating factor in fines
- Power to fine
- Data breach
- Liability for processors
- Not having agreement in place
- Not checking security measures
- Inaccurate data
26 A FRENCH PERSPECTIVE ON PRIVACY COMPLIANCE
27 Cloud Computing
CNIL's (French DPA) guidance on Cloud (June 2012):
- Similar to opinion of WP 29
- Also contains a list of contractual requirements, failing which the data controller will not be compliant, as well as proposed clauses
28 Data for Litigation Disclosure
- Cultural difference: no pre-trial discovery in France
- Guidelines of the CNIL (cooperation through Hague and data minimization)
- So-called French Blocking Statute on business data
29 Employment Related Issues
- Whistle-blowing: specific restrictions
- Works councils often have to be consulted prior to implementation of processing and/or transfers
- Employee consent not deemed freely given
- Pre-employment vetting: CNIL Guidelines
- Employee monitoring
- Any other areas of particular concern to the CNIL (social security number, ethnic origin, etc.)
30 Marketing
Implementation of ePrivacy Directive
- Marketing by , fax, telephone (automated calls and calls)
- Opt in or opt out
- Marketing for similar products and services
- Cookies
- Location data
Data subjects' rights
- Fair information
- Right to object and/or prior consent
Hot topics
- Issue of combination of data by Google and recommendations by WP 29 led by CNIL (French DPA)
- Recommendations of Irish DPA to Facebook
- CNIL currently working on: smartphone apps, facial recognition
31 A GERMAN PERSPECTIVE ON PRIVACY COMPLIANCE
32 Germany: Overview of Compliance Rules
Data Protection Officer
- General duty to register a company with the data protection authority
- Notification is not necessary if the company has appointed its own Data Protection Officer (more than 9 people are engaged with data processing)
- Proper use of data processing programs
- Familiarize management and employees with data protection rules and regulations
- Note: DPO can be dismissed only for cause
Employee data
- Employee data can only be processed if necessary for the administration of the employment relationship
- Works Council's approval (if established) is required for personal data transfer:
  - Before/instead of obtaining the employees' consent
  - When establishing a whistle blower hotline
33 Germany: Overview of Compliance Rules
Data Transfer
- No exemption for data transfer/processing within company groups
- Within the EU/EEA: a permission for data transfer from a data protection authority or a notification is not required
- In case of outsourcing direct marketing activities, a written agreement for the processing of personal data is required which meets 10 conditions
- Companies using online marketing tools by outsourcing data collection and processing services in Germany should enter into an agreement with the service provider as data controller and should collect data on their own website to be protected in case of insolvency of the service provider (recent high court decision)
- To third countries: admissible if an adequate data protection level is guaranteed, for example:
  - Approved country
  - EU Model Clauses (data protection authority may request inspection of the Model Clause Agreement)
  - BCR
  - With permission of the data protection authority
34 Germany: Overview of Compliance Rules
Safe Harbor
- Düsseldorfer Kreis (informal association of the German data protection authorities for the private sector), April 2010:
  - A German data exporter needs to examine the data importer's self-certification according to the Safe Harbor Agreement
  - Accordingly, the German data exporter has to obtain evidence showing how the US company fulfills its duties to provide information to the data subject, and has to be able to prove this check upon request of the DP authorities
  - A US company should declare that they are giving the information to the data subject
35 Germany: Overview of Compliance Rules
Data Breach
According to the German Data Protection Act, a data breach duty applies if:
- Sensitive personal data, personal data subject to professional secrecy, personal data related to criminal/administrative offences, personal data relating to bank or credit card accounts, or certain telecommunication and online data are abused or lost and an unauthorized party (or parties) acquires knowledge;
- In case of telecommunications and online data, there is a threat of interference with the interest of the concerned individual(s); and
- Threat of significant harm for the individual
The DPO has to notify the data protection authority and the individuals without delay:
- Must include description of the type of unlawful disclosure and recommended measures to limit the possible consequences
- Information to the individuals directly or publicly via two newspapers
- Information to individuals has to observe various further issues (e.g. pending criminal investigations)
Internet use/cookies
- Cookies should be used for statistical purposes only and not for transmitting user data
- Website privacy rules should address the cookie aspect and the opportunity to object
36 CONCLUDING REMARKS
37 For questions regarding CLE credit, please contact: Robin Hallagan
38 QUESTIONS
39 Contact Us Ann La France T: +44 (0) Caroline Egan T: +44 (0) Stephanie Faber T: Andreas Fillmann andreas.fillmann@squiresanders.com T:
40 Worldwide Locations North America Latin America Europe & Middle East Asia Pacific Cincinnati Northern Virginia Bogotá+ Beirut+ Leeds Beijing Cleveland Columbus Palo Alto Phoenix Buenos Aires+ Caracas+ Berlin Birmingham London Madrid Hong Kong Perth Houston San Francisco La Paz+ Bratislava Manchester Seoul Los Angeles Miami Tampa Washington DC Lima+ Panamá+ Brussels Bucharest+ Moscow Paris Shanghai Singapore New York West Palm Beach Santiago+ Budapest Prague Sydney Santo Domingo Frankfurt Kyiv Riyadh Warsaw Tokyo 40 + Independent Network Firm
More informationSEC Staff Addresses Third-Party Endorsements of Investment Advisers on Social Media Websites
April 2014 Practice Groups: Investment Management, Hedge Funds and Alternative Investments Private Equity SEC Staff Addresses Third-Party Endorsements of By Michael W. McGrath and Sonia R. Gioseffi On
More informationCuba Sanctions Update: Removal of Cuba from Terrorism List Will Result in Modest Easing of Trade Sanctions
Cuba Sanctions Update: Removal of Cuba from Terrorism List Will Result in Modest Easing of Trade Sanctions A legal analysis prepared at the request of the Cuba Study Group 9 April 2015 By Stephen F. Propst,
More informationCloud computing and personal data protection. Gwendal LE GRAND Director of technology and innovation CNIL
Cloud computing and personal data protection Gwendal LE GRAND Director of technology and innovation CNIL 1 Data protection in Europe Directive 95/46/EC Loi 78-17 du 6 janvier 1978 amended in 2004 (France)
More informationPRACTICAL LAW DATA PROTECTION MULTI-JURISDICTIONAL GUIDE 2012/13. The law and leading lawyers worldwide
PRACTICAL LAW MULTI-JURISDICTIONAL GUIDE 2012/13 The law and leading lawyers worldwide Essential legal questions answered in 30 key jurisdictions Analysis of critical legal issues AVAILABLE ONLINE AT WWW.PRACTICALLAW.COM/DATAPROTECTION-MJG
More informationTHINK Global: Risk and return
Changing context of real estate returns in a globalised world Data generating art This document is solely for the use of professionals and is not for general public distribution. Using data from Fig.1
More informationKey issues in data protection: a pan-european view
Key issues in data protection: a pan-european view 19 th March 2014 Nicola Fulford, Kemp Little LLP, UK Andreas Peschel-Mehner, SKW Schwarz, Germany Marco Bellezza, Portolano Cavallo, Italy Emmanuel Schulte,
More informationPrivacy & Data Security: The Future of the US-EU Safe Harbor
Privacy & Data Security: The Future of the US-EU Safe Harbor NAOMI MCBRIDE, LISA J. SOTTO AND BRIDGET TREACY, HUNTON & WILLIAMS LLP, WITH PRACTICAL LAW US INTELLECTUAL PROPERTY & TECHNOLOGY AND UK IP&IT
More informationChina Publishes Draft Rules on Protection of Information Network Dissemination Rights
China Publishes Draft Rules on Protection of Information Network Dissemination Rights 1 China Publishes Draft Rules on Protection of Information Network Dissemination Rights On 22 April, 2012, the Supreme
More informationPassive infrastructure sharing
Passive infrastructure sharing 2 Why sharing? Passive infrastructure sharing started with mobile phone towers. Mobile network operators allowed each other to hang antennas on their mast sites, resulting
More informationSummary of Data Protection Requirements When transferring Data Outside the UK End Users
Summary of Data Protection Requirements When transferring Data Outside the UK End Users 14 May 2010 Background to transfers of the Data outside the UK Data can be transferred in a couple of ways in relation
More informationThe Telephone Consumer Protection Act: Compliance Developments and What to Expect in 2015
The Telephone Consumer Protection Act: Compliance Developments and What to Expect in 2015 November 2014 Mark W. Brennan, Partner Overview Overview of the TCPA Recent Developments Issues to Watch What You
More informationAcquisition Transaction Reinsurance: Key Concepts SEAN KEYVAN AND JEREMY WATSON, SIDLEY AUSTIN LLP
Acquisition Transaction Reinsurance: Key Concepts SEAN KEYVAN AND JEREMY WATSON, SIDLEY AUSTIN LLP Agenda Introduction to Reinsurance Reinsurance in the context of an Acquisition Transaction Regulatory
More informationPrivacy and Electronic Communications Regulations
ICO lo Notification of PECR security breaches Privacy and Electronic Communications Regulations Contents Introduction... 2 Overview... 2 Relevant security breaches... 3 What is a service provider?... 3
More informationImportant aspects of the new Regulation third country data transfers
Important aspects of the new Regulation third country data transfers Dr. Christopher Kuner Senior Of Counsel Wilson Sonsini Goodrich & Rosati, Brussels 3 rd European Data Protection Days Berlin, 14 May
More informationEU Data Protection Reforms Challenges for Business
www.pwc.com Contents EU Data Protection Reforms Challenges for Business July 2014 1. Introduction 2. The need for change 3. Changes and challenges 4. Recommendations 5. Conclusion 6. For a deeper conversation
More informationCrossing Borders New Guidance on the Transfer of Personal Data outside Hong Kong
Legal Update Privacy & Security Hong Kong 20 January 2015 Crossing Borders New Guidance on the Transfer of Personal Data outside Hong Kong Section 33 of the Hong Kong Personal Data (Privacy) Ordinance
More informationFraudulent Insurance Claims A Mucky Present and a Murky Future
Fraudulent Insurance Claims A Mucky Present and a Murky Future Dan Screene, Senior Associate Insurance Litigation Practice Group London 12 February 2013 The fraud epidemic Economic landscape Losses to
More informationAUDITING AND ENFORCEMENT AT THE SPANISH DPA. EXPERIENCE WITH OUTSOURCING TO COUNTRIES WITH A NON ADEQUATE LEVEL OF PROTECTION
AUDITING AND ENFORCEMENT AT THE SPANISH DPA. EXPERIENCE WITH OUTSOURCING TO COUNTRIES WITH A NON ADEQUATE LEVEL OF PROTECTION CONFERENCE ON CROSS-BORDER DATA FLOW & PRIVACY October 15 16, 2007 Washington,
More informationCOMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS
EUROPEAN COMMISSION Brussels, XXX [ ](2011) XXX draft COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS
More informationPolicy and Procedure for approving, monitoring and reviewing personal data processing agreements
Policy and Procedure for approving, monitoring and reviewing personal data processing agreements 1 Personal data processing by external suppliers, contractors, agents and partners Policy and Procedure
More informationBriefly summarised, SURFmarket has submitted the following questions to the Dutch DPA:
UNOFFICIAL TRANSLATION Written opinion on the application of the Wet bescherming persoonsgegevens [Dutch Data Protection Act] in the case of a contract for cloud computing services from an American provider
More informationMerger Control Issues and Private Equity Transactions
Merger Control Issues and Private Equity Transactions Further information If you would like further information on any aspect of Merger Control and Private Equity Transactions please contact a person mentioned
More informationData Protection HEADLINE PART Developments: Implications HEADLINE for the PART Insurance 2 Sector Strategies for Compliance
Data Protection HEADLINE PART Developments: 1 Implications HEADLINE for the PART Insurance 2 Sector Strategies for Compliance Sub-headline Arial 18pt dark gray Optional Name Arial 13pt italic white Venue
More informationData Protection Standard
Data Protection Standard Processing and Transfer of Personal Data in Aker Solutions (Binding Corporate Rules) Aker Solutions www.akersolutions.com Table of contents 1 Introduction... 3 1.1 Scope... 3 1.2
More informationData Privacy Regulation Comes of Age in Asia
Data Privacy Regulation Comes of Age in Asia 1 Data Privacy Regulation Comes of Age in Asia Data Privacy Regulation Comes of Age in Asia A Sea Change There has been an explosion of new data privacy regulation
More informationROEHAMPTON UNIVERSITY DATA PROTECTION POLICY
ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY Originated by: Data Protection Working Group: November 2008 Impact Assessment: (to be confirmed) Recommended by Senate: 28 January 2009 Approved by Council:
More informationData Protection, Software Licenses and other Legal Issues in the Cloud
Data Protection, Software Licenses and other Legal Issues in the Cloud Dr. Hendrik Schöttle Rechtsanwalt, Fachanwalt für IT-Recht OSDC 2012, Nuremberg 26. April 2012 Overview Introduction Data Protection
More informationGDPR & Service Providers ( Cloud Focus )
OASIS / EEMA Digital Enterprise Europe 2015 Building Trust in the Hyperconnected World 8 July 2015 GDPR & Service Providers ( Cloud Focus ) Kuan Hon Senior Researcher, Cloud Legal Project & Microsoft Cloud
More informationARTICLE 29 DATA PROTECTION WORKING PARTY
ARTICLE 29 DATA PROTECTION WORKING PARTY 00658/13/EN WP 204 Explanatory Document on the Processor Binding Corporate Rules Adopted on 19 April 2013 This Working Party was set up under Article 29 of Directive
More information