2. TASK OF DPO IN INTERNATIONAL DATA TRANSFERS
- Edmund Parsons
- 5 years ago
INTERNATIONAL DATA TRANSFERS AND CODES OF CONDUCT

Ana María Martínez Bermejo
Spanish Data Protection Agency

1. INTERNATIONAL DATA TRANSFERS
2. TASK OF DPO IN INTERNATIONAL DATA TRANSFERS
3. CODES OF CONDUCT

1. INTERNATIONAL DATA TRANSFERS

GLOBALIZATION
- The internet and new technologies
- Centralization of processes and activities
- Shared technological resources
- Lower costs
- Resources distribution (scale economies)
- Service provider guaranty

GLOBALIZATION
- Transboundary communication of data flows
- Personal data: company asset
- Data protection: fundamental right
- BALANCE: business interests / individual rights

MAIN ACTIVITIES INVOLVING INTERNATIONAL DATA TRANSFERS
- Customer call centers
- Online marketing
- Management and technical support of the database of customers, providers, etc.
- International projects in the framework of multinational companies
- Global policy group
- Centralization of human resources management
- Administrative work services
- Better quality of services and accuracy under a global initiative

INTERNATIONAL DATA TRANSFERS: Data protection safeguards
- International data transfer
- Data processing in the country of origin: safeguards of the exporter
- Goal: to ensure an adequate level of protection in the area of the international data transfer (exporter-importer)
- Protection mechanisms in the destination country
  - Safeguards for the exercise of the individual rights
  - Data protection authority
  - Avoid onward transfers of data to other countries
- Safeguards to be provided by the importer of the data
  - Importer-exporter contractual clauses
  - Liability
  - Restrictions on onward transfers
  - Security measures and supervision

DEFINITIONS
- International Personal Data Transfer: Data processing that implies their transmission outside the territory of the European Economic Area, whether as an assignment or data disclosure, or for the purpose of data processing on behalf of the data controller established in a Member State territory
- Transmission inside the territory of the European Economic Area = data disclosure
- Member States of the EEA: Member States of the EU + Norway, Iceland and Liechtenstein

DEFINITIONS
- Data Exporter: The natural person or legal entity, public or private, situated in a Member State, who carries out a transfer of personal data to a third country
- Data Importer: The natural person or legal entity, public or private, who receives the data in the event of their international transfer to a third country, whether it is a data controller or data processor
- Data Subject: The natural person to whom the data undergoing processing pertain

EUROPE LEGAL FRAMEWORK
- Convention 108 of the European Council (Art 12)
- European Union Directive on Data Protection 95/46 EC (Arts. 25 and 26)
- Decisions of the European Commission

REGULATIONS OF THE MEMBER STATES: SPAIN
- Organic Law 15/1999 of 13 December on the Protection of Personal Data (LOPD)
  - Articles
- Royal Decree 1720/2007 of 21 December, which approves the regulation implementing LOPD (RLOPD)
  - Title VI. International data transfers. Arts
  - Title IX. Chapter V. Procedures regarding international data transfer Arts

INTERNATIONAL PERSONAL DATA TRANSFERS
- THIRD COUNTRIES WHICH DON'T PROVIDE ADEQUATE LEVEL OF PROTECTION
  - EXCEPTIONS ART 26.1 D95/46 EC
  - STANDARD CONTRACTUAL CLAUSES / BCRs
- THIRD COUNTRIES WITH ADEQUATE LEVEL OF PROTECTION
  - ARGENTINA
  - SWITZERLAND

INTERNATIONAL DATA TRANSFERS
- TO THIRD COUNTRIES WITH AN ADEQUATE LEVEL OF PROTECTION
- TO THIRD COUNTRIES WITHOUT AN ADEQUATE LEVEL OF PROTECTION (SAFEGUARDS)

THIRD COUNTRIES WITH AN ADEQUATE LEVEL OF PROTECTION
Art. 25 Directive 95/46 EC
- Member States of EU
- Member States of the EEA (Norway, Iceland, Liechtenstein)
- European Commission Adequacy Decision
  - Switzerland, Argentina, Guernsey, Man Island, Faroe Island, Jersey, Andorra, Israel, Uruguay
  - Canada (Personal Information and Electronic Documents Act) and USA (Safe Harbour)
- Member State Adequacy Decision

THIRD COUNTRIES WHICH DO NOT ENSURE AN ADEQUATE LEVEL OF PROTECTION
Art 26.1 Directive 95/46 EC
The transfer may take place when:
- The data subject has given his consent
- The transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken in response to the data subject's request
- The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party
- The transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims
- The transfer is necessary in order to protect vital interests of the data subject
- The transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case

THIRD COUNTRIES WHICH DO NOT ENSURE AN ADEQUATE LEVEL OF PROTECTION
Art 26.2 Directive 95/46 EC
- Standard Contractual Clauses from controller/exporter to controller/importer
  - European Commission Decision 2001/497 EC
  - European Commission Decision 2004/915 EC
- Standard Contractual Clauses from controller/exporter to processor/importer
  - European Commission Decision 2010/87 EC
- Standard Contractual Clauses from processor/exporter to sub-processor/importer (Spanish Data Protection Agency)

STANDARD CONTRACTUAL CLAUSES FROM PROCESSOR/EXPORTER TO SUB-PROCESSOR/IMPORTER (Spanish Data Protection Agency)
- Controller: The client of the Data Exporter
- Data exporter: The individual or legal entity, public or private, or administrative entity located in Spanish territory that carries out a personal data transfer to a third country, acting as data processor
- Data importer: The sub-processor who agrees to receive personal data from the data exporter for further processing on his behalf, in accordance with his instructions, the provisions of the framework contract and the terms of the clauses, and who is not subject to a third-country system ensuring adequate protection within the meaning of Directive 95/46 EC
- Sub-processor: Any processor engaged by the data importer or by any other sub-processor, who agrees to receive from the data importer or from any other sub-processor thereof personal data exclusively for subsequent processing activities that could be carried out on behalf of the data exporter, in accordance with his instructions, the provisions of the framework contract, the terms of the clauses and the terms

STANDARD CONTRACTUAL CLAUSES FROM PROCESSOR/EXPORTER TO SUB-PROCESSOR/IMPORTER
Decision 2010/87/UE (Recital 23)
Contractual framework that comprises two agreements:
- Controller-processor agreement
- Agreement for processor/exporter-subprocessor in a third country

Controller/Processor Agreement
- Signed on a case-by-case basis by the controller (customer)
- Reference to contractual safeguards authorised for IDTs
- Safeguards:
  - Applicable law: Law of the controller
  - Authorisation for subcontracting

Agreement for processor/exporter-subprocessor in a third country
- Data processor: Exporter authorised by the SDPA
- The controller is not a party to the agreement
- Authorises IDTs, including future IDTs (general contract terms and conditions):
  - Potential controllers/customers
  - New authorisations unnecessary

Decision 2010/87/UE safeguards adapted:
- Applicable law: Law of the Exporter
- Information on subsequent sub-processors
- Third-party beneficiary clause
- Cooperation with the SDPA

[Diagram: EEA (controllers; processor as data exporter) and third countries (subprocessors as data importers)]

PROCEDURE OF NOTIFICATION AND AUTHORISATION OF INTERNATIONAL DATA TRANSFERS
[Diagram labels: SLA Data Controller; Notification; CC Processor - Subprocessor; Authorisation of the SDPA Director]

THIRD COUNTRIES WHICH DO NOT ENSURE AN ADEQUATE LEVEL OF PROTECTION
Art 26.2 Directive 95/46 EC

BINDING CORPORATE RULES
Tailor-made solution for multinational corporate groups to ensure an adequate level of protection in order to transfer personal data out of the EEA
- Binding or legally enforceable
- Corporate in the sense that they consist of the rules in place in multinational companies, usually set up under the responsibility of the headquarters
- For international data transfers as the main reason for their existence

BCRs Regulation: Working Group art 29
- WP12 (24 July 1998) Working Document Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive
- WP74 (3 June 2003) Working Document on Transfers of personal data to third countries: Applying Article 26 (2) of the EU Data Protection Directive to Binding Corporate Rules for International Data Transfers
- WP107 (14 April 2005) Working Document Setting Forth a Co-Operation Procedure for Issuing Common Opinions on Adequate Safeguards Resulting From Binding Corporate Rules
- WP108 (14 April 2005) Working Document Establishing a Model Checklist Application for Approval of Binding Corporate Rules
- WP153 (24 June 2008) Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules
- WP154 (24 June 2008) Working Document Setting up a framework for the structure of Binding Corporate Rules
- WP155 (24 June 2008) Working Document on Frequently Asked Questions (FAQs) related to Binding Corporate Rules (As last Revised and adopted on 8 April 2009)
- WP 195 (6 June 2018) Working Document Setting up a table with the elements and principles to be found in Processor Binding Corporate Rules

THE BINDING NATURE
INTERNALLY
- Binding on the members of the group
- Binding on the employees
EXTERNALLY
- Enforceability by the data subjects
- Enforceability by the data protection authorities

INTERNATIONAL DATA TRANSFERS IN THE PROPOSAL FOR A GENERAL DATA PROTECTION REGULATION
- TO THIRD COUNTRIES WITH AN ADEQUATE LEVEL OF PROTECTION
- TO THIRD COUNTRIES WITHOUT AN ADEQUATE LEVEL OF PROTECTION the transfers may take place:
  - Binding corporate rules
  - Standard Data Protection Clauses adopted by the Commission
  - Standard Data Protection Clauses adopted by a Supervisory Authority
  - Contractual Clauses between the controller or processor and the recipient of the data authorised by a Supervisory Authority
  - Where the conditions mentioned in the regulation would take place

2. TASKS OF DATA PROTECTION OFFICERS IN INTERNATIONAL DATA TRANSFERS

KEEP AND MAINTAIN A REGISTER OF PROCESSING OPERATIONS CARRIED OUT BY THE CONTROLLER
- ART 18.2 Directive 95/46 EC
- ART 18.a) Croatian Data Protection Act (CDPA)
- ART Croatian Data Protection Act (CDPA)

The register must contain some information:
- THE COUNTRY WHERE THE DATA HAVE BEEN TRANSFERRED
- FOREIGN USER OF SUCH PERSONAL DATA
- THE PURPOSE OF THIS TRANSFER

INFORM AND ADVISE THE CONTROLLER ABOUT HIS OBLIGATIONS IN INTERNATIONAL DATA TRANSFERS
- INFORM DATA SUBJECT (with any exception foreseen by law) Art Directive 95/46 EC
- SENSITIVE DATA OBTAIN THE CONSENT OF THE DATA SUBJECT (with any exception foreseen by law) Art. 7 Directive 95/46 EC
- CONTRACT BINDING THE PROCESSOR TO THE CONTROLLER: International data transfers from controller to processor. Art. 17.3 Directive 95/46 EC, Decision 2010/87 EC

SAFEGUARDS: Standard Contractual Clauses
- Applicable data protection law: law of the controller
- Security measures and supervision
- Third-party beneficiary clause
- Liability
- Restrictions on onward transfers
- Cooperation with Supervisory Authorities

SAFEGUARDS: BCRs
- Privacy principles: transparency, purpose limitation, data quality
- Security measures
- Individual's rights of access, rectification and objection to processing
- Restrictions on onward transfers

ENSURE THAT DATA SUBJECTS ARE INFORMED OF THEIR RIGHTS
- RIGHT OF ACCESS, RECTIFICATION, CANCELLATION AND OBJECTION. Arts. 12, 13, 14 Directive 95/46 EC
- RIGHT TO LODGE A COMPLAINT. Art. 22 Directive 95/46 EC
  - BEFORE THE DATA PROTECTION AUTHORITIES
  - BEFORE THE COURT
  - IN BCR: INTERNAL COMPLAINT HANDLING PROCESS
- CLAIM LIABILITY. Art. 23 Directive 95/46 EC
  - Redress
  - Compensation
- THIRD PARTY BENEFICIARY RIGHT: The contractual clauses or corporate rules grant rights to data subjects to enforce some clauses or the rules as third party beneficiaries (International transfers based on Standard Contractual Clauses and BCR)
- OBTAIN A COPY OF THE CLAUSES OR CORPORATE RULES (International transfers based on Standard Contractual Clauses and BCR)
- ENQUIRE THE PARTIES ABOUT THE PROCESSING OF THEIR DATA (International transfers based on Standard Contractual Clauses and BCR)

COOPERATE WITH DATA PROTECTION AUTHORITIES
- REPLYING TO REQUEST FROM THE SUPERVISORY AUTHORITY
- CONSULTING WITH THE SUPERVISORY AUTHORITY
- ACTING AS THE CONTACT POINT FOR THE SUPERVISORY AUTHORITY ON ISSUES RELATED TO THE INTERNATIONAL DATA TRANSFER
- DEPOSITING A COPY OF THE CONTRACTS, UPON REQUEST OR IF REQUIRED (International transfers based on Standard Contractual Clauses and BCR)
- COOPERATING IN AUDITS

OTHER TASKS IN BCR
SET UP A NETWORK OF PRIVACY OFFICERS (WP 153, 154)
- FOR HANDLING COMPLAINTS
- FOR OVERSEEING AND ENSURING COMPLIANCE WITH THE RULES

3. CODES OF CONDUCT

They shall contain specific rules or standards that permit the harmonisation of the data processing done by subscribers, facilitate the exercise of the rights of the data subjects and compliance with the provisions of laws.

DRAWN UP BY: Public or private controllers, representative organisations of the sector and other bodies to which they belong
By means of: Sectorial agreements, administrative agreements, company decisions

- The codes of conduct shall have the status of codes of ethics or good professional practice and shall be binding on subscribers
- The codes of conduct shall be voluntary
- The sectorial codes of conduct shall refer to all or part of the processing carried out by entities pertaining to the same sector, and shall be drawn up by representative organisations of the sector, at least within its territorial scope of application
- The codes of conduct promoted by a company shall refer to all the processing it carries out

CONTENT
The codes of conduct shall include, at least, with a sufficient degree of precision:
- The clear and precise delimitation of its scope of application, the activities to which the code refers and the processing subject to it
- The specific provisions for the application of the principles of data protection
- The establishment of procedures facilitating the exercise by data subjects of their rights of access, rectification, erasure and objection
- The establishment of standards for the compliance by subscribers of obligations established in the Law
- The determination of the assignments and international transfers of data that, if appropriate, are planned, indicating the guarantees that must be adopted
- Training actions on data protection aimed at those who process data, particularly with regard to their relationship with data subjects
- The mechanisms for supervision through which it guarantees compliance by subscribers of that established in the code of conduct

The code of conduct shall have attached as a schedule a list of subscribers, which shall be kept up-to-date.

CLAUSES
- for obtaining the consent of data subjects to the processing or disclosure of their data
- for informing data subjects of the processing, when the data is not obtained from them

MODELS
- Models for the exercise by data subjects of their rights of access, rectification, erasure and objection
- Models of clauses for compliance with the applicable formal requirements for contracting a data processor, if appropriate

The codes of conduct may include any other additional commitment taken on by the subscribers for better compliance with the current legislation on data protection.

They may also contain any other commitment established by the promoting entities and, in particular, on:
- The adoption of additional security measures to those required in the Law
- The identification of the categories of recipients or importers of data
- The specific measures adopted on the protection of minors or specific groups of data subjects
- The establishment of a seal of quality identifying subscribers to the code

OBLIGATIONS
- Maintain accessible to the public the updated information on the promoting entities, the content of the code of conduct, the procedures for subscription and guarantee of compliance and the list of subscribers to which the previous Article refers. Such information shall be presented clearly and concisely and shall be permanently accessible by electronic means.
- Send to the Supervisory Authority an annual report on the activities carried out to disseminate the code of conduct and promote subscription to it, the actions for verifying compliance with the code and their results, the complaints and claims handled and the process they have undergone and any other aspect that the promoting entities deem relevant.
- Periodically evaluate the effectiveness of the code of conduct, measuring the degree of satisfaction of the data subjects and, if appropriate, updating the contents to adapt it to the general or sectoral legislation on the protection of data that is in force at any time. This evaluation shall take place, at least, every four years, unless adaptation of the commitments of the code to an amendment of the applicable legislation is required earlier.
- Promote accessibility of all persons, paying particular attention to those with a disability or of advanced age, to the information available on the code of conduct.

Thank you very much
INFORMATION ON THE PROCESSING OF PERSONAL DATA PRIVACY NOTICE In order to be compliant with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection
More informationEvolution of international data transfers notified at the Register. 1 July
SPANIISH DATA PROTECTIION AGENCY REPORT ON IINTERNATIIONAL DATA TRANSFERS EX OFFFFI ICIO SECTTORI IALL INSPECTTI I ION OFF SPAIN COLLOMBI IA ATT CALLLL CENTTRES JJULLY 22000077 INDEX I I. BACKGROUND &
More informationGDPR : We protect your data
GDPR : We protect your data Dear customer, From the 25th May 2018 the new law of Personal Data Protection (GDPR) will enter into force. At Almagest Wealth Management S.A., we understand your need to be
More informationNote: Changes from Commission Decision 2002/16/EC are marked in redline
Note: Changes from Commission Decision 2002/16/EC are marked in redline Commission Decision of 27 December 20015 February 2010 on standard contractual clauses for the transfer of personal data to processors
More informationPrivacy Policy Statement
Privacy Policy Statement QuoteDevil is committed to protecting and respecting your privacy. It is the intention of this privacy policy statement to explain to you the information practices of QuoteDevil
More informationDATA PROCESSING ADDENDUM (INCLUDING EU STANDARD CONTRACTUAL CLAUSES)
DATA PROCESSING ADDENDUM (INCLUDING EU STANDARD CONTRACTUAL CLAUSES) This Data Processing Addendum ( DPA ) shall become effective without any further action by the parties: (a) if Customer signing this
More informationINFORMATION ON THE PROCESSING OF PERSONAL DATA
INFORMATION ON THE PROCESSING OF PERSONAL DATA PRIVACY NOTICE In order to be compliant with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection
More informationPROXY FORM ( 1 ) WITH THIS FORM
PROXY FORM ( 1 ) for representation in Ordinary General Meeting of Mediaset S.p.A. (the Company ), to be held on single call on June 27 th, 2018, as set forth in the notice of the shareholders meeting
More informationDATA PROCESSING ADDENDUM
DATA PROCESSING ADDENDUM Based on the General Data Protection Regulation (GDPR) and European Commission Decision 2010/87/EU - Standard Contractual Clauses (Processors) This Data Processing Addendum ( DPA
More informationData Protection Post-Brexit
Brexit Law your business, the EU and the way ahead Data Protection Post-Brexit What to expect and how to prepare March 2019 Understanding the practical implications of Brexit for data protection compliance,
More informationINFORMATION ON THE PROCESSING OF PERSONAL DATA
INFORMATION ON THE PROCESSING OF PERSONAL DATA PRIVACY NOTICE In order to be compliant with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection
More informationFUNDS MANAGED BY GOLDMAN SACHS ASSET MANAGEMENT - FAIR PROCESSING NOTICE EFFECTIVE DATE: 25 MAY 2018
FUNDS MANAGED BY GOLDMAN SACHS ASSET MANAGEMENT - FAIR PROCESSING NOTICE EFFECTIVE DATE: 25 MAY 2018 PURPOSE AND APPLICATION OF THIS NOTICE Goldman Sachs Group, Inc. and its subsidiaries (each a Goldman
More informationVanguard Group (Ireland) Limited Vanguard Funds plc Vanguard Investment Series plc Privacy policy. May 2018
Vanguard Group (Ireland) Limited Vanguard Funds plc Vanguard Investment Series plc Privacy policy May 2018 Vanguard Group (Ireland) Limited (the Manager ), Vanguard Funds plc ( VF ), and Vanguard Investment
More informationPRIVACY NOTICE. I. Indication of the data controller
PRIVACY NOTICE In order to be compliant with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing
More informationPrivacy Policy. For the purposes of Data Protection Legislation the data controller is the Company.
Privacy Policy Ashoka India Equity Investment Trust plc (the "Company"), or any third party service provider, functionary, or agent appointed by the Company acting on its behalf (together, the "Fund",
More informationNON-ESTABLISHED VAT REFUND APPLICATION PROCEDURES
NON-ESTABLISHED VAT REFUND APPLICATION PROCEDURES What are the applicable regulations? Council Directive 2006/112/EC, of 28 November 2006. Council Directive 2008/9/EC, of 12 February 2008. Council Directive
More informationCustomer GDPR Data Processing Agreement
Customer GDPR Data Processing Agreement This Customer Data Processing Agreement reflects the requirements of the European Data Protection Regulation ( GDPR ) as it comes into effect on May 25, 2018. Bench
More informationARTICLE 29 Data Protection Working Party
ARTICLE 29 Data Protection Working Party 02294/07/EN WP 143 8 th Directive on Statutory Audits Opinion 10/2007 by the Article 29 Working Party Adopted on 23 November 2007 This Working Party was set up
More informationDATA PROCESSING ADDENDUM (GDPR and EU Standard Contractual Clauses)
DATA PROCESSING ADDENDUM (GDPR and EU Standard Contractual Clauses) Rev. 1 May 2018 This Data Processing Addendum ( DPA ) forms part of the product or services agreement ( Agreement ) or other written
More informationADMIRAL MARKETS UK LTD PRIVACY POLICY
ADMIRAL MARKETS UK LTD PRIVACY POLICY Valid as of 2nd of December 2016 1. GENERAL PROVISIONS 1.1 Definitions used in the procedure: Client means any natural or legal person who has entered into client
More informationCOMMISSION OF THE EUROPEAN COMMUNITIES COMMISSION STAFF WORKING PAPER
COMMISSION OF THE EUROPEAN COMMUNITIES Brussels, 13.02.2002 SEC(2002) 196 COMMISSION STAFF WORKING PAPER The application of Commission Decision 520/2000/EC of 26 July 2000 pursuant to Directive 95/46 of
More informationDATA PROCESSING ADDENDUM
DATA PROCESSING ADDENDUM This Data Processing Addendum ( DPA ) forms a part of the Databricks Terms of Service found at https://www.databricks.com/termsofservice, unless Subscriber has entered into a superseding
More informationROSETTA STONE LTD. PROCESSING ADDENDUM
ROSETTA STONE LTD. PROCESSING ADDENDUM This Data Processing Addendum (this DPA ) forms part of the order document(s) (each a Service Order ) and Services Agreement (collectively, the Agreement ), entered
More informationPrudential Requirements for Electronic Money Institutions authorised under S.I. No. 183 of European Communities (Electronic Money) Regulations
2011 Prudential Requirements for Electronic Money Institutions authorised under S.I. No. 183 of 2011 - European Communities (Electronic Money) Regulations 2011 December 2011 Contents Contents 2 1 Introduction
More informationPERSONAL DATA PROCESSING BY GOLDMAN SACHS FAIR PROCESSING NOTICE FOR REPRESENTATIVES OF CLIENTS AND PROSPECTIVE CLIENTS EFFECTIVE DATE: 25 MAY 2018
PERSONAL DATA PROCESSING BY GOLDMAN SACHS FAIR PROCESSING NOTICE FOR REPRESENTATIVES OF CLIENTS AND PROSPECTIVE CLIENTS EFFECTIVE DATE: 25 MAY 2018 PURPOSE AND APPLICATION OF THIS NOTICE Goldman Sachs
More informationGDPR Data Processing Addendum
GDPR Data Processing Addendum Effective Date 24 May 2018 This Data Processing Addendum for the GDPR (Addendum) is made as of the Effective Date by and between Fresh Relevance Ltd incorporated and registered
More informationCOMMISSION OF THE EUROPEAN COMMUNITIES
COMMISSION OF THE EUROPEAN COMMUNITIES Brussels, COMMISSION DECISION of pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the Safe
More informationAssessment of the impact of activity on the protection of personal data. 1. Subject of the protection of personal data of. Hexpol Compounding s.r.o.
HEXPOL COMPOUNDING Assessment of the impact of activity on the protection of personal data 1. Subject of the protection of personal data of The subject of the protection of personal data shall include:
More informationLAMP Services Limited Privacy Notice v1.2 4 th March Controller
1. Controller LAMP Services Limited is the Controller under the EU General Data Protection Regulation (EU GDPR). LAMP Services Limited is incorporated in England, company registration number 04967967.
More informationPERSONAL DATA PROCESSOR AGREEMENT
1 PERSONAL DATA PROCESSOR AGREEMENT PARTIES This personal data processor agreement ( Processor Agreement ) has been entered into between: Buyer/Client/Customer ( Controller ), and The company within the
More informationINFORMATION ON THE PROCESSING OF PERSONAL DATA
INFORMATION ON THE PROCESSING OF PERSONAL DATA PRIVACY NOTICE In order to be compliant with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection
More informationSECTION 1 IDENTITY AND CONTACT DETAILS OF THE DATA CONTROLLER
INFORMATION DOCUMENT REGARDING PERSONS UNDER ARTICLES 13 AND 14 OF THE EUROPEAN COMMUNITIES REGULATION 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL OF 27 APRIL 2016 (THE STATEMENT ) The Regulation
More information(Non-legislative acts) DIRECTIVES
L 176/28 EN Official Journal of the European Union 10.7.2010 II (Non-legislative acts) DIRECTIVES COMMISSION DIRECTIVE 2010/42/EU of 1 July 2010 implementing Directive 2009/65/EC of the European Parliament
More informationFACT SHEET. Automatic exchange of information (AEOI)
FACT SHEET Automatic exchange of information (AEOI) In a joint statement, a number of countries, including all major financial centres and Liechtenstein, have announced that they will introduce the new
More informationData Privacy Notice. Who are we and why do we register and use personal data?
Data Privacy Notice Who are we and why do we register and use personal data? Danske Bank A/S is a financial institution that offers financial advice and services to its clients. In the course of our business,
More informationBroadbean Technology Limited - Data Processing Agreement (25th May 2018)
Broadbean Technology Limited - Data Processing Agreement (25th May 2018) This agreement and its associated schedules shall come into force with effect from 25 th May 2018 and shall from that date replace
More informationMentorcliQ Data Processing Agreement
MentorcliQ Data Processing Agreement This MentorcliQ Data Processing Agreement ( DPA ), that includes the Standard Contractual Clauses adopted by the European Commission, as applicable, reflects the parties
More informationData Processing Addendum
Data Processing Addendum Based on the General Data Protection Regulation (GDPR) This Data Processing Addendum ( Addendum ) forms part of your relevant Planet estream terms and conditions, defined as an
More informationCOMMISSION DELEGATED REGULATION (EU) /... of amending Delegated Regulation (EU) No 231/2013 as regards safe-keeping duties of depositaries
EUROPEAN COMMISSION Brussels, 12.7.2018 C(2018) 4377 final COMMISSION DELEGATED REGULATION (EU) /... of 12.7.2018 amending Delegated Regulation (EU) No 231/2013 as regards safe-keeping duties of depositaries
More information2. FROM WHICH SOURCES THE BANK COLLECTS YOUR PERSONAL DATA?
P R I V A C Y N O T I C E Last updated May 2018 Eurobank Cyprus Ltd ( the Bank ) wishes to inform you why and how the Bank collects and processes your personal data as well as of your rights under local
More informationInstitutional Investment Advisors Limited
Institutional Investment Advisors Limited Privacy Notice This Privacy Notice explains how we use the personal information that Institutional Investment Advisors collects or generates in relation to our
More information