I. Personal data and its use in the business to business environment.



RESPONSE FROM THE DIRECT MARKETING ASSOCIATION (UK) LTD. TO THE EUROPEAN COMMISSION'S CONSULTATION ON THE IMPLEMENTATION OF DIRECTIVE 95/46 EC ON THE PROTECTION OF INDIVIDUALS WITH REGARD TO THE PROCESSING OF PERSONAL DATA AND ON THE FREE MOVEMENT OF SUCH DATA.

A. INTRODUCTION

The Direct Marketing Association (UK) Ltd (DMA) welcomes the opportunity to respond to the consultation in connection with the preparation of the European Commission's first report on the implementation of the Data Protection Directive ("the Directive").

The DMA and its Members

The DMA is Europe's largest trade association in the marketing and communications sector, with over 870 corporate members and positioned in the top 5% of UK trade associations by income. 11.14 billion was spent on direct marketing activity in 2001 (DMA Census of the Direct Marketing Industry 2001/2). The DMA represents both advertisers, who market their products using direct marketing techniques, and specialist suppliers of direct marketing services to those advertisers - for example, advertising agencies, mailing houses, list brokers, computer bureaux, database companies, etc. The DMA also administers the Mailing Preference Service and other self-regulatory mechanisms designed to protect consumers. On behalf of its membership, the DMA promotes best practice, through its Codes, in order to maintain and enhance consumers' trust and confidence in the direct marketing industry. The Direct Marketing Authority is an independent body that monitors industry compliance.

B. SUMMARY OF DMA's RESPONSE

I. Personal data and its use in the business to business environment
The DMA is concerned that the current definition of personal data may catch data such as job title and business e-mail address, which should not be considered personal data if it is simply used to ensure that communications reach the right employee.

II. Applicable law and jurisdiction
Differences between the national laws in the Member States mean that multinational companies with branches and subsidiary companies throughout the EEA should only have to comply with the data protection legislation in the EEA country where their principal office is located.

III. Transfer of Personal Data to third countries and use of contracts
Globalisation and the growth of the Internet mean that the Directive needs to be amended to allow greater use of company group wide security/privacy policies as a method of allowing transfers to third countries.

IV. Sensitive Personal Data
The definition causes problems for business in that they may be inadvertently holding sensitive personal data. Data subjects do not gain any real benefit from the extra protection. The category should therefore be deleted.

V. Right of Access - Data Subject Access Requests
Owing to the increase in the amount of data held on data subjects, data controllers should be exempt from providing a full data subject access request when to do so would involve a disproportionate effort on the part of the data controller.

VI. Notification
The notification system is a regulatory burden on businesses and ties up resources at the national data protection authorities. Our view is that the requirement to notify should be removed.

C. SPECIFIC COMMENTS ON THE DIRECTIVE

1. Personal Data and its use in the business-to-business environment (Article 2 Definitions)

We are concerned about the issue that name, job title and workplace e-mail addresses may be considered to be personal data. This poses problems for companies as often they only hold this information for the purpose of ensuring that the communication reaches the correct person in the other organisation. The growth of Internet and e-mail usage since the Directive was passed makes reform in this area essential.

The Direct Marketing Association (UK) Limited in their Code of Practice (2nd Edition) suggest a simple test for determining whether or not such data is personal or business data, which is as follows: "if the job holder changes will there be any changes to the data other than the change in the jobholder's name? If the answer is yes then the data is personal data, if no then it is business data."

DMA recommendation is for an exemption from the definition of personal data for basic contact information (name, job title and workplace e-mail address) about an employee held either by the employer or by another organisation which has a relationship with the employer. We accept that in the case of sole traders and partnerships this basic information would remain personal data. Employees already have sufficient protection through the duty of trust and confidence between an employer and an employee to cover unlawful disclosure of an employee's e-mail address by an employer.

We are aware that the European Commission has launched a first stage consultation on the protection of workers' personal data. We believe that Directive 95/46 provides sufficient protection for workers' personal data. The UK Information Commissioner is in the final stages of producing The Employment Practices Data Protection Code, which deals with issues of workers' personal data. We would suggest that there is no need for action at the European level in this field and it should be left up to national data protection authorities to clarify the application of Directive 95/46 to workers' personal data.

DMA recommendation is that there is no need for further action to protect workers' personal data.

2. Applicable law and jurisdiction (Article 4)

The Directive was introduced under the Internal Market provisions and was designed to harmonise data protection legislation throughout the EEA. However, there are differences in implementation between Member States; for example, some require an opt-in approach for personal data being passed on to third parties, whereas others require an opt-out approach. This makes it difficult for members of the DMA, who are increasingly becoming involved in pan-European marketing programmes. Many companies, particularly SMEs, do not have the resources either to check the data protection legislation in the 15 Member States internally or to afford the costs for professional advice in this area. This position will only worsen with expansion of the EU to include the current candidate countries from Central and Eastern Europe.

Furthermore, there is a problem for companies who have offices throughout the EEA. Each individual office may have to notify the relevant data protection authority and comply with the national law in the country where the office is located. The company is likely also to be transferring personal data relating to employees and customers between different countries within the EEA. Clearly the current legislative situation is not practical in today's business world.

DMA recommendation is that, if notification is retained, there should be a system whereby a company can have one notification in the EEA country where its principal office is located. This would cover it for all the other countries in the EEA where it has offices. Similarly, the Data Protection Authority in the country where the company had notified would take the lead in any enforcement action. The company would only have to comply with the data protection legislation in the country where the notification was made and the Directive.

3. Sensitive Personal Data (Article 8)

In the direct marketing arena it is perfectly possible for a data controller to inadvertently hold sensitive personal data, such as medical or health information, about a data subject, which is for the benefit of the individual. The data controller may not always have the explicit consent of the data subject or be able to process the sensitive data under one of the exemptions.

DMA recommendation is for the definition of sensitive personal data to be abolished. Whether or not the processing of sensitive personal data was fair could be dealt with under the fair processing code in Article 7.

4. Right of Access - Data Subject Access Requests (Article 12)

There are problems with this right for both data controllers and data subjects. Data controllers, particularly SMEs, can find it expensive in time and resources to comply with a data subject access request, especially if they hold a large amount of information about the data subject. The increasing use of e-mail has caused part of the problem. It is quite likely that the data subject is only interested in one particular piece of information or is looking for confirmation from the data controller that the data subject's record has been changed as requested.

DMA recommendation is for there to be an exemption for data controllers where a disproportionate effort would be required on the part of the data controller to comply with a data subject access request.

5. Notification (Article 18)

We do not see the need for the notification provisions to remain. The national data protection authorities can take enforcement action against companies who are in breach of data protection legislation, regardless of whether the companies have notified or not. Many businesses see notification as a regulatory burden. We accept that there may be certain benefits for consumers and other businesses in knowing that a particular company has notified its national data protection authorities of its activities, but on balance we believe that the requirement to notify should be removed. This would free up resources at the national data protection authorities and allow more resources to be diverted to enforcement action.

DMA recommendation is for this article to be deleted.

6. Transfer of Personal Data to third countries and use of contracts (Articles 25 and 26)

Developments since 1995 have meant that these Articles need revision. Firstly, the growth of the Internet, in particular e-mail and online shopping, since 1995 has been one of the profound changes to the way business-to-business and business-to-consumer communications take place. Secondly, globalisation has meant an increase in the number of global companies who have branches or subsidiary companies within the EEA and need to store and access customer and employee information on a global basis. This has meant that there is a far greater amount of personal data being transmitted from the EEA to other third countries than was the case in 1995.

Although the agreement with the USA on the Safe Harbor Principles is a welcome development, there are problems with it, in particular the fact that it does not extend to the financial services industry. The number of countries that have been given adequate level of protection status is limited. It is also not practical to expect companies with multiple branches and subsidiaries to enter into multiple contractual arrangements within the group for the transfer of personal data. Many global companies have sought to develop group wide security and privacy policies, and rely on the provisions in Article 26(2). It is interesting to note that the use of these policies has been one of the reasons why the 1995 Directive has become the global standard.

DMA recommendation is that there should be specific reference to group wide security and privacy policies as a means of complying with Article 26(2). The national data protection authorities clearly do not have the resources to approve every security/privacy policy and therefore prior approval by the authority should not be required. Rather, there should be a presumption that such a security or privacy policy provides an adequate level of protection until proved otherwise through enforcement action taken as a result of a complaint by an individual.

D. COMMENTS ON ISSUES RAISED IN THE QUESTIONNAIRES

1. Use of the Internet

As already noted above in the comments on Articles 25 and 26, the growth of the Internet has been one of the major developments in the online world since 1995. The DMA has actively been involved in giving consumers confidence to shop online, through its membership of the Alliance for Electronic Business (AEB), a partnership between the following UK organisations: Confederation of British Industry, Intellect, and the e-centre. The AEB, together with the UK Consumers' Association, has set up Trust UK as an initiative to accredit the on-line codes of practice of associations and organisations whose members' websites display an e-hallmark. This initiative has the endorsement of the UK Government. The DMA has achieved Trust UK approval for its Codes of Practice on Electronic Commerce and Commercial Communications to Children Online. All DMA members have to comply with the codes, and those who carry out e-business must therefore display the Trust UK logo, which provides a means for consumers to complain about web trading activities. The DMA believes that the use of such codes of practice is a way to encourage consumer confidence rather than specific legislation dealing with data protection issues and the Internet.

E. CONCLUSION

The DMA welcomes the extensive consultation process in which the European Commission is engaging for this revision of the Directive. A representative from the DMA will be attending the conference at the end of September. Please contact us if you wish to discuss any of the points raised in this consultation in greater detail.

The Direct Marketing Association (UK) Limited
30 August 2002