GDPR.

https://www.eugdpr.org/eugdpr.org.html


GDPR FAQs

Frequently Asked Questions about the incoming GDPR.

When is the GDPR coming into effect?

The GDPR was approved and adopted by the EU Parliament in April. The regulation will take effect after a two-year transition period and, unlike a Directive, it does not require any enabling legislation to be passed by government, meaning it will be in force in May.

In light of an uncertain 'Brexit', I represent a data controller in the UK and want to know if I should still continue with GDPR planning and preparation?

If you process data about individuals in the context of selling goods or services to citizens in other EU countries, then you will need to comply with the GDPR, irrespective of whether or not the UK retains the GDPR post-Brexit. If your activities are limited to the UK, then the position (after the initial exit period) is much less clear. The UK Government has indicated it will implement equivalent or alternative legal mechanisms. Our expectation is that any such legislation will largely follow the GDPR, given the support previously provided to the GDPR by the ICO and UK Government as an effective privacy standard, together with the fact that the GDPR provides a clear baseline against which UK business can seek continued access to the EU digital market.

Who does the GDPR affect?

The GDPR not only applies to organisations located within the EU, but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company's location.

What are the penalties for non-compliance?

Organizations can be fined up to 4% of annual global turnover or €20 million for breaching the GDPR. This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines, e.g. a company can be fined 2% for not having their records in order (Article 28), not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors, meaning 'clouds' will not be exempt from GDPR enforcement.

What constitutes personal data?

Any information related to a natural person or Data Subject that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an address, bank details, posts on social networking websites, medical information, or a computer IP address.

What is the difference between a data processor and a data controller?

A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.

Do data processors need 'explicit' or 'unambiguous' data subject consent, and what is the difference?

The conditions for consent have been strengthened, as companies will no longer be able to utilise long illegible terms and conditions full of legalese: the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent, meaning it must be unambiguous. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Explicit consent is required only for processing sensitive personal data; in this context, nothing short of opt-in will suffice. However, for non-sensitive data, unambiguous consent will suffice.

What about Data Subjects under the age of 16?

Parental consent will be required to process the personal data of children under the age of 16 for online services; member states may legislate for a lower age of consent, but this will not be below the age of 13.

What is the difference between a regulation and a directive?

A regulation is a binding legislative act. It must be applied in its entirety across the EU, while a directive is a legislative act that sets out a goal that all EU countries must achieve. However, it is up to the individual countries to decide how. It is important to note that the GDPR is a regulation, in contrast to the previous legislation, which is a directive.

Does my business need to appoint a Data Protection Officer (DPO)?

DPOs must be appointed in the case of: (a) public authorities, (b) organizations that engage in large scale systematic monitoring, or (c) organizations that engage in large scale processing of sensitive personal data (Art. 37). If your organization doesn't fall into one of these categories, then you do not need to appoint a DPO.

How does the GDPR affect policy surrounding data breaches?

Proposed regulations surrounding data breaches primarily relate to the notification policies of companies that have been breached. Data breaches which may pose a risk to individuals must be notified to the DPA within 72 hours and to affected individuals without undue delay.

Will the GDPR set up a one-stop-shop for data privacy regulation?

The discussions surrounding the one-stop-shop principle are among the most highly debated and are still unclear, as the standing positions are highly varied. The Commission text has a fairly simple and concise ruling in favor of the principle; the Parliament also promotes a lead DPA and adds more involvement from other concerned DPAs; the Council's view waters down the ability of the lead DPA even further. A more in-depth analysis of the one-stop-shop policy debate can be found here.

GDPR Key Changes

An overview of the main changes under GDPR and how they differ from the previous directive.

The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established. Although the key principles of data privacy still hold true to the previous directive, many changes have been proposed to the regulatory policies; the key points of the GDPR, as well as information on the impacts it will have on business, can be found below.

Increased Territorial Scope (extra-territorial applicability)

Arguably the biggest change to the regulatory landscape of data privacy comes with the extended jurisdiction of the GDPR, as it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company's location. Previously, territorial applicability of the directive was ambiguous and referred to data processing 'in context of an establishment'. This topic has arisen in a number of high profile court cases. The GDPR makes its applicability very clear: it will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not. The GDPR will also apply to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behaviour that takes place within the EU. Non-EU businesses processing the data of EU citizens will also have to appoint a representative in the EU.

Penalties

Under GDPR, organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines, e.g. a company can be fined 2% for not having their records in order (Article 28), not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors, meaning 'clouds' will not be exempt from GDPR enforcement.

Consent

The conditions for consent have been strengthened, and companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.

Data Subject Rights

Breach Notification

Under the GDPR, breach notification will become mandatory in all member states where a data breach is likely to result in a risk for the rights and freedoms of individuals. This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, without undue delay after first becoming aware of a data breach.

Right to Access

Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format. This change is a dramatic shift to data transparency and empowerment of data subjects.

Right to be Forgotten

Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in Article 17, include the data no longer being relevant to the original purposes for processing, or a data subject withdrawing consent. It should also be noted that this right requires controllers to compare the subjects' rights to "the public interest in the availability of the data" when considering such requests.

Data Portability

GDPR introduces data portability: the right for a data subject to receive the personal data concerning them, which they have previously provided, in a 'commonly used and machine readable format', and the right to transmit that data to another controller.

Privacy by Design

Privacy by design as a concept has existed for years now, but it is only just becoming part of a legal requirement with the GDPR. At its core, privacy by design calls for the inclusion of data protection from the onset of the designing of systems, rather than as an addition. More specifically: 'The controller shall ... implement appropriate technical and organisational measures ... in an effective way ... in order to meet the requirements of this Regulation and protect the rights of data subjects'. Article 23 calls for controllers to hold and process only the data absolutely necessary for the completion of its duties (data minimisation), as well as limiting the access to personal data to those needing to act out the processing.

Data Protection Officers

Currently, controllers are required to notify their data processing activities to local DPAs, which, for multinationals, can be a bureaucratic nightmare, with most Member States having different notification requirements. Under GDPR it will not be necessary to submit notifications / registrations to each local DPA of data processing activities, nor will it be a requirement to notify / obtain approval for transfers based on the Model Contract Clauses (MCCs). Instead, there will be internal record keeping requirements, as further explained below, and DPO appointment will be mandatory only for those controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or of special categories of data, or data relating to criminal convictions and offences.

Importantly, the DPO:
- Must be appointed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices
- May be a staff member or an external service provider
- Contact details must be provided to the relevant DPA
- Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge
- Must report directly to the highest level of management
- Must not carry out any other tasks that could result in a conflict of interest.

Controversial Topics

An overview of controversial topics likely debated during the Trilogue negotiations, including the stance of each EU body from their respective adopted drafts of the GDPR.

Many of the key points of the regulation are clear and documented similarly across the three current drafts, but many details still needed to be hammered out, and some points come with enough variability to warrant their own comparison between drafts. Below is an analysis of the topics which are likely to have been the subject of much debate during the Trilogue negotiation process.

Data Portability

The right to data portability has its own article (18) in the Commission and Council proposal documents, but is part of the right to access article (15) in the Parliament text. The relevant quotes from each draft are as follows:

Commission text: Where the data subject has provided the personal data and the processing is based on consent or on a contract, the data subject shall have the right to transmit those personal data and any other information provided by the data subject and retained by an automated processing system, into another one, in an electronic format which is commonly used, without hindrance from the controller from whom the personal data are withdrawn.

Parliament text: Where the data subject has provided the personal data where the personal data are processed by electronic means, the data subject shall have the right to obtain from the controller a copy of the provided personal data in an electronic and interoperable format which is commonly used and allows for further use by the data subject without hindrance from the controller from whom the personal data are withdrawn. Where technically feasible and available, the data shall be transferred directly from controller to controller at the request of the data subject.

Council text: The right [to data portability] shall not apply if disclosing personal data would infringe intellectual property rights in relation to the processing of those personal data. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured and commonly used and machine-readable format.

It is important to note that all texts only apply portability to data provided by the data subject, and the Commission and Council texts only apply to data which is processed based on consent or contract, leaving out personal data processed by other lawful means. The most important differences come in the Parliament's caveat of only requiring direct transfer where technically feasible and available, as well as the Council's addition of the need for data to be machine readable and its exclusion of data that would infringe intellectual property rights if disclosed. The predominant concerns arising from the supporters of data portability see the Parliament's text as a potential drag on overall effectiveness if corporations are simply unwilling to improve their technology in order to comply. On the other hand, critics of the idea worry that forcing data portability with such a broad scope will lead to disproportionate cost and effort in industries with no consumer lock-in.

One-Stop-Shop

As one of the key drivers behind creating a new regulation was the harmonization of data protection laws throughout Europe, the one-stop-shop principle seems like a sensible addition. However, the principle is not as simple in practice as it can appear on paper, and the original Commission proposal has been modified heavily by its subsequent GDPR adoptions.

The proposal from the Commission in Article 15 is by far the simplest and most general approach: Where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union, and the controller or processor is established in more than one Member State, the supervisory authority of the main establishment of the controller or processor shall be competent for the supervision of the processing activities of the controller or the processor in all Member States.

The Parliament took issue over the potential infringement of data subject rights when they are not able to easily lodge a complaint with a competent lead DPA if, for instance, contact is made difficult by language or financial means. In Article 54a of its adopted text, the Parliament still relies on a lead DPA for the doling out of legal remedies, but it requires the cooperation of all concerned DPAs. The number of concerned DPAs will also be greatly increased, as a provision is also added for data subjects to lodge complaints with their local DPA in order for it then to work with the lead DPA on behalf of the data subject. Finally, the role of the Data Protection Board is increased in its ability to decide in the situation of an unclear lead DPA and its ultimate ruling in the event of the invoking of the consistency mechanism.

The Council has arguably the most watered-down version of a one-stop-shop in its adopted general approach. It provides each DPA with the competence to enforce the GDPR in its own state, and requires the lead DPA to consult with and share all information with every concerned DPA. It also allows any concerned DPA to refer a case to the Data Protection Board should it feel that the lead DPA has not taken its opinion into account. Overall, this increases the amount of red tape involved to a point beyond the initial intention of the one-stop-shop principle and allows for the potential of capricious referrals that undermine the authority of the lead DPA and potentially put a strain on the Data Protection Board, which is set up under the GDPR but not allocated any specific funding or infrastructure.

The pervasive debate throughout the one-stop-shop principle is the balancing act between reducing red tape by harmonizing data protection laws across Europe and ensuring the rights of data subjects are secured by the availability of legal redress with the appropriate DPA.

Data Protection Officers

The designation of a Data Protection Officer (DPO), covered in Article 35, has somewhat similar views coming from both the Commission and Parliament. They agree that a DPO is mandatory wherever the data processing is carried out by a public authority or a company (controller or processor) whose core activities consist of processing operations which require regular and systematic monitoring of data subjects. They also agree that companies passing certain thresholds should be mandated to appoint a DPO, yet they differ on the exact metric. Finally, Parliament adds that a DPO should be mandatory for all enterprises that process 'special categories' of data, including information such as health data or religious and political beliefs. The Commission text requires any enterprise over 250 employees, while the Parliament text calls for those processing the personal data of over 5000 data subjects in any 12 month period.

The Council does not mandate the appointment of a DPO unless it is required by EU or member state law. Its members themselves had varying views during the debate prior to the release of the general approach, so it will be interesting to see how vigorously the Council fights for this relaxation of DPO appointments against the two other authorities, who seem to hold similar positions.

Sources

ons/2015/ _gdpr_recommendations_annex_en.pdf

Summary of Articles Contained in the GDPR

Regulation of the European Parliament and of the Council on the protection of individuals with regard to processing of personal data and on the free movement of such data

Table of Contents

Chapter 1: General Provisions
    Article 1: Subject matter and objectives
    Article 2: Material scope
    Article 3: Territorial scope
    Article 4: Definitions

Chapter 2: Principles
    Article 5: Principles relating to personal data processing
    Article 6: Lawfulness of processing
    Article 7: Conditions for consent
    Article 8: Conditions applicable to child's consent in relation to information society services
    Article 9: Processing of special categories of personal data
    Article 10: Processing of data relating to criminal convictions and offences
    Article 11: Processing which does not require identification

Chapter 3: Rights of the Data Subject
  Section 1: Transparency and Modalities
    Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject
  Section 2: Information and Access to Data
    Article 13: Information to be provided where personal data are collected from the data subject
    Article 14: Information to be provided where personal data have not been obtained from the data subject
    Article 15: Right of access by the data subject
  Section 3: Rectification and Erasure
    Article 16: Right to rectification
    Article 17: Right to erasure ('right to be forgotten')
    Article 18: Right to restriction of processing
    Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing
    Article 20: Right to data portability
  Section 4: Right to object and automated individual decision making
    Article 21: Right to object
    Article 22: Automated individual decision-making, including profiling
  Section 5: Restrictions
    Article 23: Restrictions

Chapter 4: Controller and Processor
  Section 1: General Obligations
    Article 24: Responsibility of the controller
    Article 25: Data protection by design and by default
    Article 26: Joint controllers
    Article 27: Representatives of controllers not established in the Union
    Article 28: Processor
    Article 29: Processing under the authority of the controller or processor
    Article 30: Records of processing activities
    Article 31: Cooperation with the supervisory authority
  Section 2: Security of personal data
    Article 32: Security of processing
    Article 33: Notification of a personal data breach to the supervisory authority
    Article 34: Communication of a personal data breach to the data subject
  Section 3: Data protection impact assessment and prior consultation
    Article 35: Data protection impact assessment
    Article 36: Prior consultation
  Section 4: Data protection officer
    Article 37: Designation of the data protection officer
    Article 38: Position of the data protection officer
    Article 39: Tasks of the data protection officer
  Section 5: Codes of conduct and certification
    Article 40: Codes of conduct
    Article 41: Monitoring of approved codes of conduct
    Article 42: Certification
    Article 43: Certification bodies

Chapter 5: Transfer of personal data to third countries or international organizations
    Article 44: General principle for transfers
    Article 45: Transfers on the basis of an adequacy decision
    Article 46: Transfers subject to appropriate safeguards
    Article 47: Binding corporate rules
    Article 48: Transfers or disclosures not authorised by Union law
    Article 49: Derogations for specific situations
    Article 50: International cooperation for the protection of personal data

Chapter 6: Independent Supervisory Authorities
  Section 1: Independent status
    Article 51: Supervisory authority
    Article 52: Independence
    Article 53: General conditions for the members of the supervisory authority
    Article 54: Rules on the establishment of the supervisory authority
  Section 2: Competence, Tasks, and Powers
    Article 55: Competence
    Article 56: Competence of the lead supervisory authority
    Article 57: Tasks
    Article 58: Powers
    Article 59: Activity reports

Chapter 7: Co-operation and Consistency
  Section 1: Co-operation
    Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned
    Article 61: Mutual assistance
    Article 62: Joint operations of supervisory authorities
  Section 2: Consistency
    Article 63: Consistency mechanism
    Article 64: Opinion of the Board
    Article 65: Dispute resolution by the Board
    Article 66: Urgency procedure
    Article 67: Exchange of information
  Section 3: European Data Protection Board
    Article 68: European Data Protection Board
    Article 69: Independence
    Article 70: Tasks of the Board
    Article 71: Reports
    Article 72: Procedure
    Article 73: Chair
    Article 74: Tasks of the Chair
    Article 75: Secretariat
    Article 76: Confidentiality

Chapter 8: Remedies, Liability, and Sanctions
    Article 77: Right to lodge a complaint with a supervisory authority
    Article 78: Right to an effective judicial remedy against a supervisory authority
    Article 79: Right to an effective judicial remedy against a controller or processor
    Article 80: Representation of data subjects
    Article 81: Suspension of proceedings
    Article 82: Right to compensation and liability
    Article 83: General conditions for imposing administrative fines
    Article 84: Penalties

Chapter 9: Provisions relating to specific data processing situations
    Article 85: Processing and freedom of expression and information
    Article 86: Processing and public access to official documents
    Article 87: Processing of the national identification number
    Article 88: Processing in the context of employment
    Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
    Article 90: Obligations of secrecy
    Article 91: Existing data protection rules of churches and religious associations

Chapter 10: Delegated Acts and Implementing Acts
    Article 92: Exercise of the delegation
    Article 93: Committee procedure

Chapter 11: Final provisions
    Article 94: Repeal of Directive 95/46/EC
    Article 95: Relationship with Directive 2002/58/EC
    Article 96: Relationship with previously concluded agreements
    Article 97: Commission reports
    Article 98: Review of other Union legal acts on data protection
    Article 99: Entry into force and application

GDPR Timeline of Events

An overview of key GDPR events from proposal, amendment, approval, adoption to enforcement.

Previous Legislation

1995 October 24th: Data Protection Directive 95/46/EC created to regulate the processing of personal data

Legislative Proposals

2012 January 25th: initial proposal for updated data protection regulation by the European Commission

2014 March 12th: the European Parliament approved its own version of the regulation in its first reading

2015 June 15th: the Council of the European Union approved its version in its first reading, known as the general approach, allowing the regulation to pass into the final stage of legislation known as the Trilogue

Trilogue Timeline

2015 June 24th, meeting covering:
- Package approach: objective of Luxembourg Presidency for the proposed directive
- Agreement on the overall roadmap for Trilogue negotiations
- General method and approach for delegated and implementing acts

2015 July 14th, meeting covering:
- Territorial scope (Article 3), Representative (Article 25)
- International transfers (Chapter V), related definitions

2015 September 16-17th, meeting covering:
- Data protection principles (Chapter II)
- Data subject rights (Chapter III)
- Controller and Processor (Chapter IV)

2015 September 29-30th, meeting covering:
- Data protection principles (Chapter II)
- Data subject rights (Chapter III)
- Controller and Processor (Chapter IV)

2015 October 15th, Trilogue covering:
- Independent Supervisory Authorities (Chapter VI)
- Cooperation and consistency (Chapter VII)
- Remedies, liability and sanctions (Chapter VIII)

2015 October 28th, meeting covering:
- Independent Supervisory Authorities (Chapter VI)
- Cooperation and consistency (Chapter VII)
- Remedies, liability and sanctions (Chapter VIII)

2015 November 11-12th, meeting covering:
- Objectives and material scope (Chapter I)
- Specific regimes (Chapter IX)

2015 November 24th, meeting covering:
- All open issues from Chapter I to IX

2015 December 10th, meeting covering:
- Delegated and Implementing Acts (Chapter X)
- Final provisions (Chapter XI)
- Remaining issues

2015 December 15th, meeting covering:
- Delegated and Implementing Acts (Chapter X)
- Final provisions (Chapter XI)
- Remaining issues

Approval & Adoption

2015 December 15th: the Parliament and Council have come to an agreement, and the text will be final as of the official signing, to take place in early January.
- April 8th: adopted by the Council of the European Union
- April 16th: adoption by the European Parliament
- May: the Regulation will enter into force 20 days after it is published in the EU Official Journal

Enforcement

May: following a 2-year post-adoption grace period, the GDPR will become fully enforceable throughout the European Union.

How did we get here?

An overview of important regulatory events leading up to the GDPR.

OECD Guidelines

Although there is no doubt that the rules and regulations surrounding data privacy needed updating, both the GDPR and Directive 95/46/EC are based on an even older set of principles that still hold true today. The Organisation for Economic Co-operation and Development (OECD) published its Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, a set of recommendations endorsed by both the EU and the US that set out to protect personal data and the fundamental human right of privacy. The document was originally adopted on 23 September 1980 and proposed the following eight principles for the processing of personal data:

Collection Limitation Principle: There should be limits to the collection of personal data; data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

Data Quality Principle: Personal data should be relevant to the purposes for which they are to be used and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.

Purpose Specification Principle: The purpose for the collection of data should be specified at the time of collection, and data should not be used for anything other than its original intention without again notifying the data subject.

Use Limitation Principle: Personal data should not be used for purposes outside of the original intended and specified purpose, except with the consent of the data subject or the authority of the law.

Security Safeguards Principle: Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.

Openness Principle: There should be a general policy of openness about developments, practices and policies with respect to personal data. Individuals should have easy access to information about their personal data, who is holding it, and what they are using it for.

Individual Participation Principle: An individual should have the right to know if a controller has data about him/her and to have access to that data in an intelligible form, for a charge, if any, that is not excessive. An individual should also have the right to challenge a controller for refusing to grant access to his/her data, as well as to challenge the accuracy of the data. Should such data be found to be inaccurate, the data should be erased or rectified.

Accountability Principle: Data controllers should be accountable for complying with the measures detailed above.

These guidelines were the basis of many national laws regarding data privacy; however, they were non-binding, and the levels of data protection varied greatly even amongst different EU member states.

Directive 95/46/EC
The Data Protection Directive 95/46/EC of 24 October 1995 was the European Union's answer to the fragmentation of privacy regulations across the EU. Its major goals included the harmonization of data protection laws and the regulation of transfers of personal data to third countries outside of the Union. It established independent public authorities called Data Protection Authorities (DPAs) in each member state in order to supervise the application of the directive and serve as the regulatory body for interactions with businesses and citizens. It also allowed transfers of personal data to third countries, on the condition that those countries were recognised as providing a level of protection for the data comparable to that guaranteed within the EU. Overall, the directive stays true to the original recommendation of the OECD and the core concept of privacy as a fundamental human right.

GDPR Proposal
Although Directive 95/46/EC was meant to bring together the laws of different member states, it was still a directive, which left some room for interpretation during its transposition into individual national law. This fact, along with today's rapidly changing data landscape, has led to the necessity for another update to the regulatory environment of the EU. The incoming GDPR is a much larger piece of legislation, and the changes it brings, along with the impacts it will have on businesses, can be found in our key points summary here. Most importantly, as a regulation and not a directive, it will become immediately enforceable law in all member states.

The main principles on privacy remain true to form with both the previous directive and the OECD guidelines; however, social media and cloud storage were not a reality in 1995, when only about 1% of the European population was using the internet. With modern technology, we are creating more personal data than ever before, and the processing of that data has become ubiquitous. The GDPR is meant to update the standards to fit today's technology while remaining general enough to protect the fundamental rights of individuals throughout future waves of innovation.

CJEU Cases
There have been two recent cases brought before the Court of Justice of the European Union (CJEU) dealing with data privacy in the run-up to the GDPR. The Weltimmo case affects the realm of one-stop-shop regulation within the EU, and the ruling declaring Safe Harbour invalid affects the realm of EU-US data transfers.

Weltimmo Case
An already controversial topic, the idea of a one-stop-shop for data privacy regulation first arose out of the previous directive, intending to cut some of the red tape for businesses. However, the Weltimmo ruling of 1 October 2015 established that companies must comply with local data privacy laws if they have establishments in member states other than the one that holds their European headquarters. Although the GDPR was already attempting to fix this imperfect system before the CJEU ruling, there are still many issues to be worked out. Chief among these is the split between the DPAs of businesses and those of individuals. Regulators wish to make life easier for businesses by allowing them to register and deal with only one national DPA, yet they also want individuals to be able to go to their own respective DPA, which may very well be different from the business's. For more analysis on the debate surrounding one-stop-shop in the GDPR, click here.

Collapse of Safe-Harbour Agreement
Only 5 days after the Weltimmo ruling, the CJEU handed down another ruling affecting data privacy, this time declaring the Safe Harbour scheme for EU-US data transfers to be invalid. While it was not the only way to transfer data from the EU to the US, around 4,500 companies relied on this framework as their main legal basis for transfers. The case was originally brought by Austrian student Max Schrems, following the NSA revelations by Edward Snowden. The court ruled that US public authorities were not only outside of the scope of Safe Harbour, but also subject to conflicting laws that prevail over the scheme in certain circumstances. It remains to be seen whether the extended scope of the GDPR (affecting all of the businesses processing EU personal data) will entirely replace the Safe Harbour scheme. There is also hope for a so-called Safe Harbour 2.0 to relieve the pressure on businesses to find other legal forms of data transfer, which would likely be in effect well before the GDPR.


TWELVE STEP PLAN TO BECOME COMPLIANT WITH THE GENERAL DATA PROTECTION REGULATION TWELVE STEP PLAN TO BECOME COMPLIANT WITH THE GENERAL DATA PROTECTION REGULATION Awareness Data Stream Map Communication Rights of the subject Legal basis Consent Data Breaches Privacy by design and PIA

More information

Breakthrough Data Protection Policy Approved by Lead Organisation: November 2017 Next Review Date: November 2018

Breakthrough Data Protection Policy Approved by Lead Organisation: November 2017 Next Review Date: November 2018 Breakthrough Data Protection Policy Approved by Lead Organisation: November 2017 Next Review Date: November 2018 Introduction The Partner organisations within the Breakthrough Programme need to collect

More information

European Parliament resolution of 8 March 2011 on the revision of the General Product Safety Directive and market surveillance (2010/2085(INI))

European Parliament resolution of 8 March 2011 on the revision of the General Product Safety Directive and market surveillance (2010/2085(INI)) P7_TA(2011)0076 General product safety and market surveillance European Parliament resolution of 8 March 2011 on the revision of the General Product Safety Directive and market surveillance (2010/2085(INI))

More information

Consultation Paper. Draft Regulatory Technical Standards

Consultation Paper. Draft Regulatory Technical Standards EBA/CP/2017/09 29 June 2017 Consultation Paper Draft Regulatory Technical Standards on the criteria for determining the circumstances in which the appointment of a central contact point pursuant to Article

More information

ON PREVENTION OF CONFLICT OF INTEREST IN DISCHARGE OF PUBLIC FUNCTIONS LAW ON PREVENTION OF CONFLICT OF INTEREST IN DISCHARGE OF PUBLIC FUNCTIONS

ON PREVENTION OF CONFLICT OF INTEREST IN DISCHARGE OF PUBLIC FUNCTIONS LAW ON PREVENTION OF CONFLICT OF INTEREST IN DISCHARGE OF PUBLIC FUNCTIONS Republika e Kosovës Republika Kosovo - Republic of Kosovo Kuvendi - Skupština - Assembly Law No. 04/L-051 ON PREVENTION OF CONFLICT OF INTEREST IN DISCHARGE OF PUBLIC FUNCTIONS Assembly of Republic of

More information

guide to the General Data Protection Regulation

guide to the General Data Protection Regulation guide to the General Data Protection Regulation May 2017 2016 Bird & Bird All Rights Reserved - 1 In publishing a draft General Data Protection Regulation in January 2012, the European Commission fired

More information

EBA/CP/2013/12 21 May Consultation Paper

EBA/CP/2013/12 21 May Consultation Paper EBA/CP/2013/12 21 May 2013 Consultation Paper Draft Regulatory Technical Standards On Passport Notifications under Articles 35, 36 and 39 of the proposed Capital Requirements Directive Consultation Paper

More information

Public consultation on the targeted revision of EU consumer law directives

Public consultation on the targeted revision of EU consumer law directives Contribution ID: 9bc8877a-52d8-47ac-9e3a-d76c3fe675ca Date: 08/10/2017 16:48:05 Public consultation on the targeted revision of EU consumer law directives Fields marked with * are mandary. About you *

More information

Data Privacy Policy for Employees and Employee Candidates in the European Union

Data Privacy Policy for Employees and Employee Candidates in the European Union Data Privacy Policy for Employees and Employee Candidates in the European Union This Data Privacy Policy is effective as of February 1, 2014 1. Data Privacy Policy Overview 1.1 Under Armour, Inc. (the

More information

Data Privacy Bootcamp: GDPR

Data Privacy Bootcamp: GDPR Data Privacy Bootcamp: GDPR preparing for the general data protection regulation Data Privacy Bootcamp: GDPR Preparing for the General Data Protection Regulation Rebecca Eisner Partner Mayer Brown Oliver

More information

GDPR Webinar 4: Data Protection Impact Assessments

GDPR Webinar 4: Data Protection Impact Assessments Webinar 4: Data Protection Impact Assessments T-Minus 365 Days (May 25, 2017) Presenters: Peter Blenkinsop peter.blenkinsop@dbr.com Hilary Wandall General Counsel & Chief Data Governance Officer, TRUSTe

More information

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION, Regulation (EC) No 1071/2009 of the European Parliament and of the Council of 21 October 2009 establishing common rules concerning the conditions to be complied with to pursue the occupation of road transport

More information

GDPR - HOW IS INDUSTRY ADDRESSING THE LEGISLATION

GDPR - HOW IS INDUSTRY ADDRESSING THE LEGISLATION GDPR - HOW IS INDUSTRY ADDRESSING THE LEGISLATION 25 January 2017 https://www.surveymonkey.co.uk/r/7x9lwlz 1 Agenda 1. Setting the scene 2. The major elements of the GDPR 3. Impact for organisations and

More information

Preparing for GDPR 27th September, Reykjavik

Preparing for GDPR 27th September, Reykjavik Preparing for GDPR 27th September, Reykjavik Introduction Who I am? Solicitor fromlondon Worked in digital industry for the last 7years Specialized in Privacy for the last 7 years and did some consulting

More information