DATRET/EXPGRP (2009) 6 FINAL 11 10 2010. Document 6




DATRET/EXPGRP (2009) 6 FINAL 11 10 2010

EXPERTS GROUP "THE PLATFORM FOR ELECTRONIC DATA RETENTION FOR THE INVESTIGATION, DETECTION AND PROSECUTION OF SERIOUS CRIME" ESTABLISHED BY COMMISSION DECISION 2008/324/EC

SERIES A: GUIDANCE DOCUMENTS

Document 6

Closer understanding of the possibilities of providers to store traffic data in a Member State other than the Member State of origin of the data ("Central Data Storage"), in relation to its application in Directive 2006/24/EC

version of 11 October 2010 (final)

Scope

The aim of this document is to discuss the situation where companies centralise the storage under Directive 2006/24 for commercial reasons and not the situation where national law of a MS requires central storage within that MS. The paper does not deal with the question of the applicable law to data retention which is closely linked to the centralised storage. This difficult legal issue will be the subject of a separate Position Paper Document. The issue is currently also discussed - but from a slightly different perspective - in the Article 29 Working Party on Data Protection.

Date and Status

This is the final version that was unanimously adopted by the Expert Group on Monday 11 October 2010. A disclaimer applies (see at the end of the document).

Aspects of EU Directive 2006/24/EC covered in this paper

Articles 1(1), 3 and 8
Retention and Storage

The term "Central Data Storage" will only be used in this paper in relation to the possibilities of providers to store traffic data in a Member State other than the Member State of origin of the data.

Page 1 of 7 FINAL

Key Observations

Directive 2006/24 is silent about the place of storage. Under those conditions, the principles of the Internal Market must be applied, with the following result: a provider is allowed to store the data on the territory of another MS than the MS where the data were generated or processed, in the meaning of Article 3 of the Directive.

Moreover:

- Any obligation imposed by a MS for the data to be retained on its own territory is a restriction to the principle of free flow of data within the EU. Such a restriction is in principle not allowed for data protection considerations, but could be justified for reasons of public policy subject to the conditions imposed by the case law of the ECJ.
- The law of the originating Member State determines the storage period, i.e. the data retention legislation of the originating MS applies to the data.
- The providers wishing to store data in a central data base in EU should proceed to the (physical and[/or] logical) separation of the data originating from different MS, because of the lack of harmonisation of the directive (retention periods, different definitions of serious crime, etc) in order to ensure data security and to facilitate the application of the national legislation of each originating MS.
- In any case, national law must not only ensure the effectiveness of the Data Retention Directive but also of the Data Protection Directive. This means for instance that data should be stored only once except for back-up for security reasons and/or business continuity of the system (data minimisation), that the data subjects whose personal data are retained can effectively exercise their rights and that data protection authorities of the originating Member State can effectively fulfil their tasks. Specific attention is needed for data security measures.

The rules on applicable law determine what MS must be considered as the MS where the data were generated or processed (further: 'originating MS').

The main legal provisions relevant for applicable law are Article 4 of Directive 95/46, Article 15 of Directive 2002/58 and Article 3 of Directive 2006/24. Those legal provisions will be explained in a separate Guiding Document (see above).

Central Data Storage within EU

B.1. Objective and context of the Data Retention Directive

The objective of the Data Retention Directive 2006/24/EC is to harmonise MSs' provisions concerning the obligation of the providers of publicly available electronic communications services to retain certain data in order to ensure that these data are available for the purpose of investigation of serious crime (art. 1). The data must be retained in such a way that they can be transmitted to the competent public authorities upon request (art. 8).

Article 3 provides that data listed in Article 5 "are retained in accordance with the provisions [of Article 5], to the extent that those data are generated or processed by providers of publicly available electronic communications services or of a public communications network within their jurisdiction in the process of supplying the communications services concerned."

The provisions of the Data Retention Directive apply without prejudice to the provisions of the Data Protection Directive 95/46. [1] The principles and provisions of the latter apply to any processing based on the Data Retention Directive unless the latter explicitly derogates from the former Directive.

The provisions of the Data Retention Directive apply without prejudice to the provisions of Directive 2002/58. The Data Retention Directive is a specific derogation of an obligation under data protection law, in particular Article 6 of that directive.

The Data Retention Directive does not contain a specific provision on the "territoriality" of storage of the relevant data. It does not prohibit the storage of data in different MSs.

Article 4 of the Directive 95/46/EC has specific relevance: It provides that each MS shall apply its national provisions to the processing of personal data, where the processing is carried out in the context of the activities of an establishment of the controller (provider) on the territory of the MS. When the same controller is established on the territory of several MS, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable (see further under 'applicable law').

Any approach to the problem of central data storage should guarantee (a) that the obligations of the providers can be performed, (b) the aim of the Data Retention Directive is ensured and (c) the rights of the data subjects are efficiently and effectively protected.

[1] In this context, several articles (2, 3, 7, 9, 13, 14) and recitals (1, 2, 15, 16, 18, 19, 25) of Directive 2006/24 are relevant.

B.2. Data to be stored

The provision of electronic communications services generates, at different stages, a large amount of information that the providers of communication services have to retain, often cooperating with each other. The meaning of Art. 3 of Directive 2006/24 is to delimit the scope of the retention obligation and minimize the economic and organisational burden on providers (see recital 23). Each provider has to store, when generated or processed, only the data necessary, within his jurisdiction, to provide his own communication service. Thus the provider is - in principle - not required to keep additional data generated or processed by other providers in the process of supplying a given communication service, nor to generate or process data for retention as a result of Directive 2006/24.

B.3. May the data identified in Article 5 Directive 2006/24 be stored by parties other than the providers?

The data can also be stored by parties other than the provider. Article 6(5) of Directive 2002/58 (read in the light of Articles 2, lett. e) and 16 of Directive 95/46) introduces particular guarantees for the processing of traffic data, restricting it "to persons acting under the authority of providers of the public communications networks and publicly available electronic communications services handling billing or traffic management, customer enquiries, fraud detection, marketing electronic communications services or providing a value added service" and only to the data "necessary for the purposes of such activities". These guarantees do not exclude that data are processed by a third party, provided that he acts under the authority of the provider. In the terminology of Directive 95/46, the third party must be considered to be a 'processor', not a 'controller'. [2]

[2] According to its Article 2, 'controller' shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law. 'Processor' shall mean a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.

B.4. Could the data be stored within a MS other than that from which they originate?

Neither Directive 2006/24/EC nor Directive 2002/58 contains specific provisions about the application of the law of the Member State where data are stored; as a consequence Directive 95/46 is applicable. The objective of Directive 95/46 is to ensure:

- free flow of such data within EU, and in that context;
- protection of individuals with regard to the processing of personal data.

According to the above, any obligation imposed by a MS regarding the retention of the data within its own territory could be considered as a restriction of the principle of free flow of data within EU established by Directive 95/46. In principle, such restriction is not allowed. However, it is not excluded that MSs under national law introduce such restriction, provided that it proves that such restriction is necessary for a reason recognised in the Treaty (public policy; public security) or for another reason mentioned in Article 13 of Directive 95/46, and not disproportionate.

B.5. Retention periods, security measures and supervision by DPAs

In case of different retention periods between the "originating MS" and the "storage MS", the legislation of the "originating MS" should apply. The storage provider must retain the data for the period required by the data retention legislation of the "originating MS", in order to be able to comply with its obligations to transmit them to the competent public authorities upon request. More concretely, he should take all the necessary measures (logical or physical) to keep separate the data originating from different MS and/or from different providers.

Account should also be taken of Article 17(3) of Directive 95/46, second indent, which makes reference to the security of processing, and which defines the law that has to be respected in this regard. As a consequence, the storage provider will have to respect the law of the MS where the storage takes place, adopting the "appropriate technical and organizational measures to protect personal data". Moreover, the security measures provided for by Article 7 Directive 2006/24 should also be applied.

The jurisdiction of the national Data Protection Authorities (DPAs) is determined by Article 28.6 of Directive 95/46: "[e]ach supervisory authority is competent, whatever the national law applicable to the processing in question, to exercise, on the territory of its own MS, the powers conferred on it in accordance with paragraph 3. (...)". Furthermore, cooperation among national DPAs is foreseen: "(...) Each authority may be requested to exercise its powers by an authority of another MS. The supervisory authorities shall cooperate with one another to the extent necessary for the performance of their duties, in particular by exchanging all useful information".

In short, the competent authority is the authority of the MS in which the processing takes place, which checks the lawfulness of the processing in the State in which the data are stored. It may be requested to exercise its powers by the authority of the MS of origin of the data.

Disclaimer

The views and opinions expressed in this document are not necessarily shared by all Members of the Expert Group "the Platform for Electronic Data Retention for the investigation, detection and prosecution of serious crime" and do not constitute legal advice. For details about the origin and status of the guidance contained in this document refer to the accompanying document "Introduction to the Series". The opinions expressed in this document do not necessarily reflect the views of the European Commission, which accepts no responsibility or liability whatsoever with regard to its contents.