Data protection and e-commerce: implementation aids and realisation proposals by the Federal Data Protection Commissioner



Similar documents
EUROPEAN ECONOMIC AREA JOINT PARLIAMENTARY COMMITTEE. REPORT on E-Commerce and EEA legislation

Towards Effective Internet Governance

Declaration of Internet Rights Preamble

G20 HIGH-LEVEL PRINCIPLES ON FINANCIAL CONSUMER PROTECTION

Align Technology. Data Protection Binding Corporate Rules Controller Policy Align Technology, Inc. All rights reserved.

UMHLABUYALINGANA MUNICIPALITY SERVICE LEVEL MANAGEMENT POLICY

Align Technology. Data Protection Binding Corporate Rules Processor Policy Align Technology, Inc. All rights reserved.

of 28 September 2007 (Status as of 1 April 2010)

Exception: If the player is already in possession of a FIBA Identity Card, the card number should be indicated on the list.

Under European law teleradiology is both a health service and an information society service.

BCS, The Chartered Institute for IT Consultation Response to:

COMPLYING WITH THE E-COMMERCE REGULATIONS 2002

LAW FOR THE ELECTRONIC DOCUMENT AND ELECTRONIC SIGNATURE. Chapter two. ELECTRONIC DOCUMENT AND ELECTRONIC SIGNATURE

Electronic Transactions Act and Digital Signature Act: Background, Major Provisions and Implication

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 114 thereof,

Apprenticeship Standard for Paralegal (Level 3) Assessment Plan

Australian Charities and Not-for-profits Commission: Regulatory Approach Statement

Application of Data Protection Concepts to Cloud Computing

How To Respect The Agreement On Trade In Cyberspace

Guidelines on Executive Order on Information and Consent Required in Case of Storing and Accessing Information in End-User Terminal Equipment

Note that the following document is copyright, details of which are provided on the next page.

APES 325 Risk Management for Firms

ALTERNATIVE DISPUTE RESOLUTION METHODS. e-business Issue.

2015 No PROFESSIONAL QUALIFICATIONS. The European Union (Recognition of Professional Qualifications) Regulations 2015

Federal law on certification services in the area of the electronic signature

An Act to provide for the facilitation of the use of electronic transactions and signatures and for related matters.

The Professional Standards Team is also available to discuss any aspect of the Code with you, so please do contact us if you have any queries.

DSTI/ICCP/REG(98)10/FINAL Or. Eng.

COMMISSION REGULATION (EU)

LAW FOR THE ELECTRONIC DOCUMENT AND ELECTRONIC SIGNATURE

Building Public Trust: Ethics Measures in OECD Countries

Code of Practice on Electronic Invoicing in Europe

Code of Practice on Electronic Invoicing in Europe

NSW Data & Information Custodianship Policy. June 2013 v1.0

Corporate Governance Code for Banks

FINANCIAL AND ADMINISTRATIVE FRAMEWORK AGREEMENT. between. the EUROPEAN UNION represented by the EUROPEAN COMMISSION. and. the UNITED NATIONS

AUSTRALIAN DIRECT MARKETING ASSOCIATION SUBMISSION PRODUCTIVITY COMMISSION DRAFT RESEARCH REPORT

CHARTER OF ETHICS AND BEHAVIOUR

The eighth data protection principle and international data transfers

Merchants and Trade - Act No 28/2001 on electronic signatures

BLOOM AND WAKE (ELECTRICAL CONTRACTORS) LIMITED QUALITY ASSURANCE MANUAL

GENERAL TERMS AND CONDITIONS FOR THE USE OF THE ENTSO-E TRANSPARENCY PLATFORM

Education programme standards for the registered nurse scope of practice Approved by the Council: June 2005

ELECTRONIC COMMERCE DIRECTIVE, DIRECTIVE 2000/31/EC OF THE EUROPEAN PARLIAMENT AND

retained in a form that accurately reflects the information in the contract or other record,

GUIDE TO ACHIEVING COMPLIANCE a South African perspective

INSURANCE BROKERS CODE OF PRACTICE

A comparison of 4 international guidelines for CSR

ELECTRONIC TENDERING - AN OVERVIEW

Cloud Computing Consumer Protocol

DIRECTIVE 2009/38/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

Reporting of Taxable Payments to Contractors in the Building and Construction Industry. Consultation Paper

Cyber Security Recommendations October 29, 2002

Regulations Players Agents

LEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT

General Syllabus for Third Cycle Studies for the Degree of

E-COMMERCE GOES MOBILE: SEEKING COMPETITIVENESS THROUGH PRIVACY

Recommendations for companies planning to use Cloud computing services

Comments and Responses by FoeBuD for the EU Consultation on RFID, April 2008

MEMORANDUM OF UNDERSTANDING. Between THE UNION DES ASSOCIATIONS EUROPEENNES DE FOOTBALL (HEREAFTER UEFA) And

Comparison of internet connection records in the Investigatory Powers Bill with Danish Internet Session Logging legislation

Pursuant to Convention No. 108 of the Council of Europe for the protection of persons with regard to the automated processing of personal data;

An Introduction to PRINCE2

Veterans Review Board

Organisation de Coopération et de Développement Economiques Organisation for Economic Co-operation and Development

Bill. Electronic Signatures 1)

Funding Regulations Regulations of the Swiss National Science Foundation on research grants

NHS Constitution. Access to health services:

SCOPE OF APPLICATION AND DEFINITIONS

Information Governance Framework

Mexico. Rodolfo Trampe, Jorge Díaz, José Palomar and Carlos López. Von Wobeser y Sierra, S.C.

General Terms and Conditions for the Purchase and Maintenance of Hardware

OECD/G20 Base Erosion and Profit Shifting Project. Action 13: Country-by-Country Reporting Implementation Package

School Management Committees of Primary and Secondary Schools

IBA Business and Human Rights Guidance for Bar Associations. Adopted by the IBA Council on 8 October 2015

Electronic Commerce ELECTRONIC COMMERCE ACT Act. No Commencement LN. 2001/ Assent

1st June Internet Access Service Provider (IASP) Sub-Code for the Communications and Multimedia Industry Malaysia

ELECTRONIC TRANSACTIONS ACT 1999 BERMUDA 1999 : 26 ELECTRONIC TRANSACTIONS ACT 1999

GENERAL ELECTRIC COMPANY EMPLOYMENT DATA PROTECTION STANDARDS

TGA key performance indicators and reporting measures

A Changing Commission: How it affects you - Issue 1

Terms and Conditions of Use in the RCTSaai Federation

According to section 53 of the Insurance Act the insurance intermediary is only empowered with respect to the transaction in which it takes part to:

Service Quality Standards (SQSs) and Criteria

SRI LANKA AUDITING PRACTICE STATEMENT 1013 ELECTRONIC COMMERCE EFFECT ON THE AUDIT OF FINANCIAL STATEMENTS

Appendix 15 CORPORATE GOVERNANCE CODE AND CORPORATE GOVERNANCE REPORT

PRIVATE HEALTH INSURANCE INTERMEDIARIES. DOCUMENT 1: Self-Audit Guide for All Members of PHIIA JUNE 2015 VERSION 2

Directors and Officers Liability Insurance

PRINCIPLES OF THE TRANSFER OF PERSONAL DATA TO A THIRD COUNTRY. Introduction

CODE OF ETHICS. CARLO GAVAZZI IMPIANTI S.p.A

INTERNATIONAL AUDITING PRACTICE STATEMENT 1013 ELECTRONIC COMMERCE EFFECT ON THE AUDIT OF FINANCIAL STATEMENTS

Hazel Cottage Studio Weston-on-the-Green. Hazel Cottage Studio Weston-on-the-Green OX25 3QX OX25 3QX BRIEFING

National Standards for Disability Services. DSS Version 0.1. December 2013

Oversight of payment and securities settlement systems by the Swiss National Bank

Guidelines for State Agency Management of Volunteer Activity

Securing Information in an Outsourcing Environment (Guidance for Critical Infrastructure Providers) Executive Overview Supplement.

General Syllabus for Third Cycle Studies for the Degree of Doctor in Cognitive Science

Act on the Contractor s Obligations and Liability when Work is Contracted Out (1233/2006) (as amended by several Acts, including 678/2015)

INSURANCE BROKERS CODE OF PRACTICE

Transcription:

Federal Data Protection and Information Commissioner FDPIC Data protection and e-commerce: implementation aids and realisation proposals by the Federal Data Protection Commissioner Electronic business e-commerce permits the worldwide exchange of goods and services. A great future is forecast for this new form of business. The analysts expect sales of up to 500 billion dollars in the year 2002. Even if it seems that the technical problems can be resolved there is a lack of confidence and above all legal security with respect to e-commerce. The conventional world of business is well regulated. Thanks to the existence of these regulations there is a certain transparency and legal security for all concerned. These laws establish security which leads to the feeling of confidence. In other words fixed rules are the basis for confidence. But what legal culture provides the basis for commerce on the Internet? Additional legal and technical outlay are both necessary to ensure that data are not abused on the net and that legal disputes can be dealt with immediately and efficiently as in traditional business transactions. In real world business transactions client models arise which are not very clearly defined. No one would want to fill in a questionnaire every time they visit a department store. As a rule the acquisition and passing on of data is limited to a restricted circle in the local environment. In the case of e-commerce, in contrast, everything is based on data. Every purchase permits deductions about the person, his needs and his financial position. Consequently, data protection is of prime importance. To reinforce user confidence in e-commerce and to protect personal data the Federal Data Protection Commissioner presents a series of implementation aids and realisation proposals which can be helpful to enterprises in the implementation of a customer-friendly, transparent data processing policy which complies in full with the provisions of the law. Feldeggweg 1, 3003 Berne Phone +41 58 463 74 84, Fax +41 58 465 99 96 www.edoeb.admin.ch

Minimum requirements for the protection of privacy in the electronic commerce environment - The provisions for the protection of privacy contained in the Data Protection Law (DPL) can reinforce the generation of user confidence in the services offered by electronic commerce. - The Swiss Data Protection Law offers flexible solutions for the processing of personal data by private individuals (Art. 4 and 13 DPL) and is compiled on a technologically neutral basis. Consequently an amendment of the law is not immediately necessary. - However, legal provisions alone are not sufficient to protect the privacy of e- commerce users. In particular the users must be informed and their awareness heightened. - Mid-term user awareness should be promoted by further education measures. - To reinforce user confidence in electronic business the service providers should (as stipulated by the DPL) process client data transparently. The operators should inform the user on which personal data they want to use and for what purpose. When personal data from a contractual relationship are processed for other purposes (e.g. marketing, publicity) the user should have an option. - Technologies such as cryptographic procedures, authentication procedures and other data protection-friendly technologies, e.g. the utilisation of anonymisation tools, are suitable for data security. These should be used in the electronic business environment and made available to the user. - Finally the protection of privacy, in particular transparent data processing, can reinforce user confidence in electronic commerce. This can certainly be used as a competitive advantage for Swiss enterprises. 2/6

Key elements for the development of electronic commerce - E-commerce is one-to-one-business i.e. it is based exclusively on personal contact. Consequently the consumer will react cautiously if he is flooded with advertising and information without flanking confidence-forming measures. Many enterprises already compile databases in order personalize their offer. This further weakens consumer confidence if the persons concerned are not duly informed. - Authorities hold a key position in the construction of the framework within which e-commerce should be conducted. Protection of privacy heads the list of priorities. - The problem privacy must be adequately resolved to stabilise the market for the long-term success of e-commerce. A significant factor in this respect is which law will be applicable for the pursuit of claims. In the USA the law of the supplier is applicable in litigation. However, the law at the consumer's domicile should be applicable. Only like this will the consumer be able to win confidence in the range of e-commerce services offered in the future. On international level, the emphasis should be placed on the following aspects: - Confidence forming measures (in particular protection of privacy) must be implemented efficiently. - The synthesis of state regulations and codes of conduct as well as technological solutions such as digital signature, privacy enhancing technologies (PET) must be interoperable and internationally recognised. - The OECD should contribute to the implementation of the above-mentioned points in dialogue with all concerned (business, authorities, consumers and other international organisations). In Switzerland the emphasis should be placed as follows: - Swiss representatives on international bodies continue to support further measures to establish consumer confidence in e-commerce. - A combination of both models state regulations and codes of conduct is certainly welcome. The codes of conduct, however, must protect consumers at least as effectively as state regulations. If the codes of conduct are not able to develop the required degree of efficacy, state regulations for consumer protection are required. - The e-commerce plan of action that already has been compiled in Switzerland must be implemented rapidly. In particular, confidence forming measures (education, information, protection of privacy) must be in the front line of the public approach. 3/6

Data protection conform configuration of a website and the advantages entailed We recommend that website operators develop a policy for the protection of privacy, on the one hand to meet the legal requirements (transparency, information, options, security, authorisations). On the other hand the confidence of their customers and future users can be built up in this way. In particular the following aspects should be covered: - Information on the data protection legislation the specific offer is subject to should be placed where it is easily visible. Further, data protection practice on the website should be explained in easily understandable language. In particular, a statement of which data are acquired and used and for what purpose is essential. - The user should also be given a choice with respect to the restriction of utilisation (e.g. compilation of customer profiles) and the passing on (e.g. for advertising purposes) of his data. - Appropriate security measures must be taken in the framework of the intended purpose with respect to the correctness and completeness of the data (e.g. encoding and authentication methods) and to ensure they are up-to-date. - Finally reference should be made to the mode and manner of implementing legal claims. Certain processing operations with Internet user data could violate the data protection provisions. Consequently personal data should not be acquired, passed on or made accessible to third parties without the knowledge of the user. Hints on the compilation of a data processing statement for Internet services Data processing statements should inform the user of a website on the protection of privacy procedures practised by the service provider. This is a significant step towards gaining the user's confidence. Prerequisite is that the statement shows the required precision. Only like this the user will be put in the position to decide freely whether and how he wants to allow his personal data to be processed. We recommend that Swiss companies offering services via the Internet practice a transparent data processing policy by developing such statements and featuring them on their website. The data requirement of the company must be examined, the current data protection practices analysed and clear guidelines on the handling of personal data drawn up before beginning with the compilation of a data processing statement. The data processing statement can be drawn up on the basis of these facts. It has to comply with data protection law and correspond to the effective data processing. 4/6

We recommend not to start drawing up the data processing statement until at least the following questions have been answered: - How are personal data acquired and where from (internal / external sources)? - What purposes are personal data collected for? - What purposes are personal data used for? - Who is responsible for the control of the personal data collected? - How and where are personal data stored? - For what purposes are personal data exchanged with third parties? - Are there already any guidelines or provisions for the collection, processing and the passing on of this data? - Is viewing and correcting the data already possible? The statement should inform the user at least about the following factors: - What legal provisions govern the provider's data processing practice? - What personal data are collected and for what purposes? - What data are passed on to third parties and for what purposes? - What choices are open to the user for the processing of his data? - What rights (in particular the right of information and correction) has the user? - Who answers questions on the processing of personal data? - What security measures are applied for the protection of personal data? Finally, the statement must be positioned on the website easily accessible for the user. 5/6

Efficacy of protection of privacy with self-regulation models The most important criterion in the evaluation of codes of conduct for the protection of privacy is their implementability. The percentage of association members who keep to the rules and whether it is possible to impose sanctions against a member for non-compliance with the code of conduct play a significant role in the evaluation of implementability. Further such a code of conduct must be transparent i.e. set out in generally understandable language. Respect of the code of conduct ought to be a prerequisite for admission to the relevant business association. Binding external controls or sanctions should back up compliance with the code of conduct. After all, it is of decisive importance that the persons concerned are not left to their own devices but receive assistance and support. Apart from this, at least the following fundamental principles must be integrated in the code of conduct: - Clear information of the persons concerned on the type of data acquired, the utilisation purpose, the recipient and the choices for restriction of utilisation and communication. - Grant of the rights of information and correction and measures for data processing security. - Right of appeal to an independent instance. Criteria for the protection of privacy by means of a code of conduct A code of conduct can be useful for the establishment of confidence. Nevertheless, codes of conduct are no alternative to laws; they are merely a complement to legal provisions. Every effort must be made to ensure that such codes of conduct include at least the following elements: - Clear and understandable information, above all with respect to the nature and way in which personal data are processed. - User's fundamental right to options on the utilisation of his data. - Effective legal enforcement mechanisms. - Creation of uniform criteria for the recognition of codes of conduct (international criteria). - It is imperative that both the authorities and the business world be integrated in the recognition of code of conduct process. - The content must provide information on data processing, delivery, compensation as well as on the law applicable in the event of dispute. Last update: March 2012 6/6

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information