Free movement of information and data protection, including international aspects

Similar documents
ARTICLE 29 Data Protection Working Party

COMMISSION DELEGATED REGULATION (EU) No /.. of XXX

AGREEMENT BETWEEN THE EUROPEAN COMMUNITY AND ITS MEMBER STATES UNDER ARTICLE 4 OF THE KYOTO PROTOCOL. Note by the secretariat

10366/15 VH/np DGD 2C LIMITE EN

(Legislative acts) DIRECTIVES

Public consultation addressing the interface between chemical, product and waste legislation

Public consultation addressing the interface between chemical, product and waste legislation

Public consultation on non-binding guidelines on methodology for reporting non-financial information

Composition of the European Parliament

15489/14 TA/il 1 DG E 2 A

This document is meant purely as a documentation tool and the institutions do not assume any liability for its contents

Fixing Directors' Remuneration in Europe. Governance, Regulation and Disclosure

Chapter IV Guidelines on preparing proposals, implementation, and transposition

TOOL #38. DRAFTING THE EXPLANATORY MEMORANDUM

Proposal for a COUNCIL DECISION

Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

Recent developments in the ECJ s jurisprudence on Public Procurement. Prof Christopher H. Bovis

on remuneration policies and practices related to the sale and provision of retail banking products and services

(Legislative acts) DIRECTIVE 2014/55/EU OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 16 April 2014 on electronic invoicing in public procurement

Council of the European Union Brussels, 10 November 2016 (OR. en)

COMMISSION OPINION. of

EBA/CP/2013/12 21 May Consultation Paper

The European Commission s strategy on Corporate Social Responsibility (CSR) : achievements, shortcomings and future challenges

DIRECTIVE (EU) 2018/958 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

IMPLEMENTATION OF ARTICLE 33 and ARTICLE 41 OF DIRECTIVE 2009/73/EC regarding Gas Storage

Official Journal of the European Union REGULATIONS

Position paper on WFD

FINAL REPORT ON THE DRAFT RTS AND ITS ON THE EBA REGISTER UNDER THE PSD2 EBA/RTS/2017/10 EBA/ITS/2017/ December 2017.

Proposal for a COUNCIL DECISION

ARTICLE 29 DATA PROTECTION WORKING PARTY

Implementation of the 2014 procurement directives across EU Member States

B C ISO/IEC INTERNATIONAL STANDARD. General criteria for the operation of various types of bodies performing inspection

COMMISSION OPINION. of

COMMISSION OF THE EUROPEAN COMMUNITIES COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL

Framework for Action for the management of small drinking water supplies

REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL. on benchmarking of diversity practices under Directive 2013/36/EU

Comments on Chapter IV Part I Controller and processor 25/08/2015 Page 1

Meijers Committee standing committee of experts on international immigration, refugee and criminal law

REPORT ON THE IMPLEMENTATION OF DIRECTIVE 91/383/EEC SUPPLEMENTING THE MEASURES TO ENCOURAGE IMPROVEMENTS IN THE SAFETY AND HEALTH AT WORK

MODERNISING THE CIVIL SERVICE Francisco Cardona OECD, Sigma Programme

Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

A. INTRODUCTION 01 B. ORDINARY LEGISLATIVE PROCEDURE IN MORE DETAIL 06 C. SPECIAL LEGISLATIVE PROCEDURES: WHERE THE CONSULTATION PROCESS APPLIES 07

EDPS Opinion on safeguards and derogations under Article 89 GDPR in the context of a proposal for a Regulation on integrated farm statistics

August THE APPOINTMENT OF THE AUDITOR AND THE DURATION OF THE AUDIT ENGAGEMENT: Striving for a Workable Single Market in the EU

ARTICLE 29 DATA PROTECTION WORKING PARTY

by Mogens Aarestrup Vind and Fie Anna Aaby Hansen, Eversheds Advokataktieselskab 1

COUNCIL OF THE EUROPEAN UNION. Brussels, 29 February /12 ENER 77 ENV 161 DELACT 14. "A" ITEM NOTE from: Permanent Representatives Committee

COMMISSION OF THE EUROPEAN COMMUNITIES. Amended proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

JUDGMENT OF THE COURT (Sixth Chamber) 15 July 2004 (1)

COUNCIL OF THE EUROPEAN UNION. Brussels, 27 October /06 Interinstitutional File: 2006/ 0018(COD) ENT 124 ENV 569 CODEC 1173 OC 826

Case T-387/04. EnBW Energie Baden-Württemberg AG v Commission of the European Communities

EBA/RTS/2017/ December Final Report. Draft regulatory technical standards. on central contact points under Directive (EU) 2015/2366 (PSD2)

PUBLIC COUNCILOF THEEUROPEANUNION. Brusels,11March /14. InterinstitutionalFile: 2012/0011(COD) LIMITE

EUROPEAN CENTRAL BANK

JC May Joint Committee Final Report on guidelines for complaints-handling for the securities (ESMA) and banking (EBA) sectors

JC June Joint Committee Final Report on guidelines for complaints-handling for the securities (ESMA) and banking (EBA) sectors

ARTICLE 29 Data Protection Working Party

EUROPEAN COUNCIL Brussels, 31 May 2013 (OR. en)

GUIDELINES ON SOUND REMUNERATION POLICIES EBA/GL/2015/22 27/06/2016. Guidelines

Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

EUROPEAN PARLIAMENT. Committee on Civil Liberties, Justice and Home Affairs ***II DRAFT RECOMMENDATION FOR SECOND READING

Treaty on stability, coordination and governance in the Economic and Monetary Union (2 March 2012)

COUNCIL OF THE EUROPEAN UNION. Brussels, 2 March /09 ADD 1 REV 1. Interinstitutional File: 2008/0002 (COD) DENLEG 51 CODEC 893

Official Journal L 124, 23/05/1996 P

Council of the European Union Brussels, 4 February 2019 (OR. en)

CONTEXT AND CONTENT OF THE PROPOSAL

Espoo, Finland, 25 February 1991

DRAFT OPINION. EN United in diversity EN. European Parliament 2016/0404(COD) of the Committee on Legal Affairs

9057/1/17 REV 1 AW/gb 1 DG G 3A

COUNCIL OF THE EUROPEAN UNION. Brussels, 26 November 2013 (OR. en) 16162/13 Interinstitutional File: 2013/0213 (COD)

ECB-PUBLIC OPINION OF THE EUROPEAN CENTRAL BANK. of 4 October 2017

CONFERENCE OF THE REPRESENTATIVES OF THE GOVERNMENTS OF THE MEMBER STATES. Brussels, 3 December 2007 (OR. fr) CIG 15/07

COMMISSION DECISION. of 8 December concerning national provisions notified by Denmark on certain industrial greenhouse gases

Committee on Agriculture and Rural Development

7324/18 GDLC/LP/JU/ik 1 DGB 1B

POLICY ON CONSULTATIONS IN THE FIELD OF SUPERVISION AND ENFORCEMENT. 1. Aim of this paper

RECOMMENDATIONS. (Text with EEA relevance) (2014/897/EU)

Consultation Paper Draft technical standards on third-party firms providing STS verification services under the Securitisation Regulation

EUROPEAN COMMISSION Secretariat-General -JUSTICE- DISCLAIMER

The European Commission s strategy on Corporate Social Responsibility (CSR) : achievements, shortcomings and future challenges

Transposition of Directive 2008/6/EC Dr. Robert Pochmarski, LL.M. (EUI) CERP Plenary May, Dublin

Royal Decree of 29 April 1999 on the authorisation of external services for technical inspections at the workplace (Belgian Official Gazette 2.9.

***I DRAFT REPORT. EN United in diversity EN. European Parliament 2016/0404(COD)

GDPR Webinar 9: Automated Processing & Profiling

ANNEXES. to the COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL

COUNCIL OF THE EUROPEAN UNION. Brussels, 27 April 2004 (OR. en) 5565/1/04 REV 1. Interinstitutional File: 2003/0214 (AVC) AVIATION 17 OC 44

EUROPEAN DATA PROTECTION SUPERVISOR

EBA/GL/2015/01 18 March Final report

Dr. Danguolė Bublienė THE IMPLEMENTATION OF THE CONSUMER RIGHTS DIRECTIVE: KEY ISSUES

Chapter 7. The interface between member states and the European Union

OECD RECOMMENDATION OF THE COUNCIL FOR ENHANCED ACCESS AND MORE EFFECTIVE USE OF PUBLIC SECTOR INFORMATION [C(2008)36]

EN United in diversity EN A7-0170/27. Amendment

Public consultation on non binding guidelines on methodology for reporting non financial information

Guidelines on the management body of market operators and data reporting services providers

EUROPEAN PARLIAMENT. Committee on Civil Liberties, Justice and Home Affairs (8958/2004 C6-0198/ /0813(CNS))

Transcription:

EUROPEAN COMMISSION DIRECTORATE GENERAL XV Internal Market and Financial Services Free movement of information, company law and financial information Free movement of information and data protection, including international aspects XV/5027/97-EN final WP 8 Working Party on the Protection of Individuals with regard to the Processing of Personal Data Working Document: Notification Adopted by the Working Party on 3 December 1997

1. INTRODUCTION Section IX 1 of Chapter II of directive 95/46/EC on the protection of individuals with regard to the processing of personal data and the free movement of such data ( the directive ) deals with notification of processing operations to the national supervisory authorities ( the authorities ). The working party, following the mandate laid down in art. 30 1 a) of the directive, started discussions during its second meeting on the possible implementation of the provisions of the directive on notification. Working Documents dealing specifically with simplification and exemption from the obligation to notify data processing to the authorities were presented by the French, Dutch and UK delegations. In connection with simplification and exemption from the obligation to notify, the German delegation presented a working document on the role in Germany of the independent data protection official (in house data protection official) referred to in article 18 paragraph 2 of the directive. 2 Discussion on this topic continued during the third meeting following a presentation of representatives of data protection officials from Germany. It was recognised that the Working Party could usefully give some guidance on the interpretation of the relevant provisions of the directive. The experience of some delegations in applying current national provisions which bear a significant resemblance with the ones of the directive could provide an indication of the functioning of the different options set-out in the directive. The discussion showed that the specification of purposes at the time of notification plays an important role on the application of the principle of purpose specification. 3 The role of the notified purposes in current national legislation varies in the different legal systems, and the level of detail in the description of such purposes varies not only between Member States but also within Member States. The Working Party agreed to exchange models of notification forms to study the type of purpose specification in the different Member States. Such models were distributed during the third meeting. An earlier version of the present paper was discussed at the fourth meeting. Examples of description of the purpose of processing operations carried out by a bank a medical practice and a telephone company were exchanged at the fifth meeting and served as a basis for discussion. The following section outlines the legislative history of the relevant provisions of the directive. Section three summarises some of the main features of the current legislative 1 Especially articles 18 to 20. 2 Working document 1 discussed during the second meeting. 3 Sometimes referred to as finality principle. 2

situation at national level. The final section draws some preliminary conclusions and some questions as to the way the working party should proceed in relation to notification. 2. LEGISLATIVE HISTORY OF THE RELEVANT PROVISIONS OF THE DIRECTIVE. The original Commission proposal 4 contained two provisions dealing with notification: article 7 dealing with public-sector files and article 11 dealing with private sector files. Recital 13 made it clear that the aim of the two provisions was the same: ensuring the transparency essential to the exercise by the data subject of the right to access to data relating to him. Notification was compulsory only in relation to files the data in which might be communicated. Several Parliamentary amendments substantially modified these provisions. The amended proposal, following the parliamentary amendments, restructured the whole system of notification. The distinction between public and private sector was abolished and the rules on notification applied to all processing operations. The explanatory memorandum, however, underlined that the potential extension of the obligation to notify had to be read in conjunction with the introduction of exemptions from and simplifications to notification. The overall aim of notification was also modified: it should serve as the basis for selective monitoring of the legitimacy of processing operations by the supervisory authority. Several aspects of the modified proposal contribute in effect to limit unnecessary bureaucratic requirements. A single notification could cover a set of processing operations intended to serve a single purpose. Furthermore data controllers were not required to give excessive details as notification should only mention the categories of data subjects, recipients and data. Notification was not required for data processing relating to members and usual contacts by non profit seeking bodies mentioned in art. 8 2 d. Finally notification of non automatic processing of personal data was made optional. The amended proposal did not however aim simply at limiting or simplifying the obligations to notify but, following the wishes of Parliament, aimed at establishing a three tier system which, while avoiding excessive bureaucratic requirements, would provide different levels of safeguards in relation to the risks posed by different types of processing operations. A system of preventive authorisation was introduced in relation to processing operations presenting specific risks. The explanatory report referred to the processing of sensitive data, to black lists and to operations aimed at informing third parties of the solvency of individuals as examples of processing operations which might require prior checking. The final text of the provisions on notification maintained the overall structure of the amended proposal. However simplification and exemptions from the obligation to notify were added in relation to public registers and where the data controller appoints in compliance with national law an in house data protection official. 4 COM(90) 314 final- SYN 287. 3

Recital 48 makes it clear that the purpose of the notification procedures is the disclosure of the purpose and the main features of the processing operation in order to monitor its compliance with data protection legislation. Recital 52 states that ex post-facto monitoring is the ordinary form of monitoring by the authorities. Recital 53 and 54 confirm that prior checking represents a somewhat exceptional procedure to be used only in relation to specific risks. 3. CURRENT SITUATION IN NATIONAL LAW Notification of data processing to the authorities currently exists in all national data protection laws. However the extent of the obligation to notify varies. In Spain, Luxembourg, Austria, Portugal, Sweden and United Kingdom broadly all processing operations which fall within the scope of application of data protection law 5 need to be notified to the data protection authorities. Some of these countries are currently simplifying the notification requirements or introducing exemptions from the obligation to notify. The general systems of notification have in some cases proven to be very resource consuming for the data protection authorities. Furthermore it turned out to be difficult to perform any substantive monitoring on the basis of notifications. In Belgium and in the Netherlands most current and less risky type of processing operations have been exempted from notification by means of an act of the government under the general data protection legislation. The exemptions cover a very large proportion of all data processing (estimates of about 80%). In France most current and less risky type of operations are subject to a simplified notification in which the data controller simply declares to process data in accordance with a so called norme simplifiée predefined by the Commission Nationale Informatique et Libertés (CNIL). Forty such normes simplifiées have been defined so far and they cover a large majority of processing operations (75% of notifications for 1995 were simplified notifications). In Italy, several exemptions from notification have been introduced by decrees adopted under the general data protection legislation. These exemptions apply to certain categories of processing operations and are subject the detailed conditions. In Denmark 6, Germany, Ireland and Finland the obligation to notify covers only certain types of processing operations. 7 5 In some of these countries data protection law currently applies only to data processed by automated means. Other types of processing operations may in some countries not be covered by data protection law. In the UK as example Personal data held for domestic or recreational purposes, information that the law requires to be made public, national security, payroll, pensions and accounts purposes, unincorporated members clubs, and mailing lists are exempted from the application of most of the provisions of the data protection act. 6 In Denmark the obligation to notify covers all processing operations in the public sector but only certain types of processing operations in the private sector. 4

The notification is normally done by means of special paper forms. In Belgium it is also possible to notify on computer diskettes. 8 In the UK the registration can be done partly over the phone, the applicant must however fill-in a pre-printed form giving complementary information. The notification forms can normally cover all types of processing operations. In the UK, however, special templates have been created. These templates are normal notification forms in which all the parts which are normally relevant for a given type of data controllers have been highlighted. The notification forms normally include details of the data controller and of the processing operations such as type of data that are processed, purposes of the processing operations, persons who have access to the data etc. A key element of the notification is the description of the purpose of the processing operation. The practice in relation to the specification of purposes varies in the Member States. In Belgium and in the UK a list of pre-defined processing purposes is enclosed with the notification form. Data controllers would therefore normally choose one of these predefined purposes. 9 However in neither country are data controllers obliged to refer to one of the predefined purposes. They may instead add a description of the purpose in free text. The debates during the second meeting and the models of notification exchanged during the third meeting have shows that data controllers tend to give very short and often generic descriptions of the purpose of their processing operation. In most of the Member States the analysis of the compatibility of the operation with the finality of the processing in a posteriori enforcement is not made in relation to the abstract description of the processing but with reference to the material purpose of the concrete operation at hand. The indication of overly generic purposes at the time of notification deprives notification of its function. Generic description of the purpose does not allow the data protection authorities to ascertain whether a processing operation complies with the law, and has very little use for the members of the public consulting the public register of processing operations. 7 In Germany federal public sector bodies must notify to the Federal Commissioner for data protection and Länder bodies with the Commissioners of the Länder. This is not however required in all Länder. In the private sector only credit reference operators, direct marketers and organisations processing data on behalf of others are required to notify. In Finland data processing for direct marketing, opinion or market research, directory assistance must be notified. 8 This type of notification is encouraged by a substantially lower notification fee. 9 There are about 54 such purposes in Belgium and 70 in the UK. 5

4. CONCLUSIONS Notification contributes to the respect of the principles of the directive because the data controllers, in order to notify, must assess and describe their processing operations, define in advance what data are to be used and for which purpose. In order to perform adequately these functions and contribute to the transparency of data processing the given information must not be general but specific. It is particularly important that the purposes of the processing operations be adequately specified. Too generic definitions of the purpose of the processing operations devoid the system of notifications of its usefulness. Neither the data subjects nor the supervisory authorities will be in a position to assess the notified operation nor the compatibility of the various operations planned or performed by data controllers with the purpose for which the data were originally collected or further processed. Assessing the compatibility of any given operation with the purpose for which the data were originally collected and which may have had to be notified to the data protection authority is one of the most difficult and important tasks in supervising compliance with data protection legislation. The working party is determined to develop common methods for the assessment of the compatibility of the purpose of processing operations. Significant divergences in the description of the purpose of the processing operations in the different Member States would not only represent a burden for data controllers but could jeopardise the equivalence of the level of protection within the Community. The analysis of the current national arrangements for notification shows that there are not fundamental differences of approach in the way the purpose is described in the Member States. However the type and the amount of details that are provided vary according to the various national procedures and according to the structure of the notification forms. The experience of the Member States that have such arrangements shows that predefined lists of the most common purposes are appreciated by data controllers and simplify the handling of notifications by the authorities. The working party will keep studying the possibility of defining standardised description of the purpose of common processing operations to serve as a guidance to data controllers. Excessively bureaucratic requirements in relation to notification not only represent a burden for business but undermine the whole rationale of notification by becoming an excessive burden for the data protection authorities. Several countries have introduced or have shown an in interest in simplified notification or in exemptions from notification. Under the directive simplified notification or exemptions from the obligation to notify can be granted in relation to processing operations which are unlikely to affect adversely the rights and freedoms of data subjects. Several elements must be specified in relation to such processing operations. 10 Simplified notification or exceptions can also be granted where the controller, in compliance with national law, appoints an in house data protection official. Such an 10 [..] the purposes of the processing, the data or categories of data undergoing processing, the category or categories of data subject, the recipients or categories of recipient to whom the data are to be disclosed and the length of time the data are to be stored.(article 18 paragraph 2). 6

official must ensure that the rights and freedoms of the data subjects are unlikely to be adversely affected by the processing operations. In order to do so according to the directive the official must at least ensure in an independent manner the application of the national provisions taken pursuant to the directive and keep the register of processing operations containing the items of information which would normally appear in the public register of processing operations. ² The introduction of in house data protection officials limits the need of centralised supervision. The working party supports the introduction of such officials be it on a compulsory or on a voluntary basis. It is however necessary that such officials be given the means to perform their tasks in an effective manner. Should the powers and resources granted to in house data protection officials be insufficient to ensure that the rights and freedoms of the data subject are unlikely to be adversely affected, the derogations from the ordinary notification requirements would no longer be justified. The effective independence of such officials in ensuring the application of data protection law is essential in guaranteeing the rights of the data subjects and in order to ensure compliance with data protection legislation. Adequate guarantees should be offered to ensure the of the data protection officials in the performance of their functions independence especially from management. A certain degree of consistency exists in relation to the categories of operations which are unlikely to affect adversely the rights and freedoms of the data subjects. They include data processing in relation to payroll management, accounting, partners and shareholders, customers and suppliers etc. The working party is determined to keep working towards the definition of a list of processing operations which, quite independently from the procedural arrangements adopted by the Member States for the transposition of the relevant provisions of the directive, could be used as reference in deciding which operations are less likely to affect adversely the rights and freedoms of the data subjects. Notifying by other means than paper forms makes notification more efficient both for data controllers and for the authorities. The working party supports the use of such forms of notification as a way to reduce compliance costs for economic operators and allow for a less costly and more efficient supervision by the authorities. One of the functions of notification is to inform the public about existing processing operations by means of the public register of processing operations. The working party considers it very important to make the register easily accessible to the public. The working party looks with interest to the projects making the public registers available via the world wide web. The working party notes the need to adopt adequate safeguards to avoid that the personal data included in the registers of processing operations be used improperly. 7

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback