EU General Data Protection Regulation vs. Swiss Data Protection Act (in the Private Sector 1 )
October 26, 2017, Version 4.01
David Rosenthal (david.rosenthal@homburger.ch)
Updates and more infos:

1 Excluding provisions on processing by public authorities and excluding provisions concerning authorities and procedures in the Union (e.g., coordination among supervisory authorities)
2 All statements made herein are based on the draft bill published by the Federal Council on September 15, 2017 for deliberation by the Swiss Federal Parliament. We do not expect it to change significantly.

Material scope
GDPR Art. 2 | Current DPA: Comparable (Art. 2) | Future DPA: Comparable (Art. 2)
The GDPR excludes all purely personal and household activities from scope; under the DPA, the exclusion is slightly narrower.

Territorial scope
GDPR Art. 3 | Current DPA: Comparable (PILA 139) | Future DPA: Comparable (PILA 139)
The DPA has slightly broader territorial applicability.

Definitions
GDPR Art. 4 | Current DPA: Comparable (Art. 3) | Future DPA: Comparable (Art. 4)
On the face of it, the DPA defines personal data slightly more narrowly as to when a person is identifiable. However, in practice it will likely be the same, with both following a "relative approach". Personal data today includes data of legal persons under the DPA, but will no longer in the future. The new DPA will adopt the controller-processor terminology, and will give up the "personality profiles" as a sensitive personal data type. Instead, it will provide provisions on profiling and data breaches (both defined slightly differently than under the GDPR).
The GDPR states that consent must be "freely given, specific, informed and unambiguous" to be valid, which corresponds to the current definition of consent under the DPA; however, the GDPR defines consent by affirmative action more narrowly than under the current and future DPA (e.g., no pre-ticked boxes, as opposed to the current and future DPA).

Principles of processing**
GDPR Art. 5 | Current DPA: Comparable (Art. 4, 5, 7) | Future DPA: Comparable (Art. 5)
The GDPR and new DPA are express on particular aspects of proportionality (such as data minimization and data retention); the revised DPA is less express on the principle of transparency than the GDPR. The GDPR expressly requires the controller to be able to demonstrate compliance ("accountability"), which the current and future DPA does not, but in practice, the requirement already exists today.

Lawfulness of processing**
GDPR Art. 6 | Current DPA: Less strict (Art. 12, 13) | Future DPA: Less strict (Art. 26, 27)
The current and future DPA follow a different concept (a legal justification is required only in case of a violation of personality, namely in the case that the processing principles are violated); under the GDPR, a "justification" (legal ground) is required for each processing (e.g., consent, performance of a contract, compliance with EU law, legitimate interests).

Conditions for consent**
GDPR Art. 7 | Current DPA: Less strict (Art. 4) | Future DPA: Less strict (Art. 5)
The GDPR requires that a request for consent be clearly distinguishable from the other matters and suggests that it is normally not permitted to "bundle" the consent to the processing of personal data required for the performance of a contract with the consent to another processing of personal data (i.e. the consent for such other processing must be obtained separately and be optional in order to be "freely" given). The current and revised DPA does not prohibit such bundling, if done correctly.

Consent by children*
GDPR Art. 8 | Current DPA: Less strict (CC 19c) | Future DPA: Less strict (CC 19c)
The Swiss Civil Code grants children capable of judgment more rights to decide on their own personality.

Special categories of data**
GDPR Art. 9 | Current DPA: Less strict (Art. 3) | Future DPA: Comparable (Art. 4)
Under the GDPR and revised DPA, sensitive personal data includes biometric and genetic data used in order to identify a person. Under the current DPA this is not the case. However, under both the current and new DPA, consent has to be express in the case of special categories of data (or profiling). The GDPR permits processing of sensitive personal data only with explicit consent or in specific, limited other cases (e.g., employment law, legal defense, public data, public interest). Under the DPA this is not the case; only onward transfers to other controllers require a justification (e.g., consent, statutory obligation or overriding private or public interest).

Data related to criminal convictions and offences
GDPR Art. 10 | Current DPA: Less strict (Art. 3) | Future DPA: Less strict (Art. 4)
Processing according to the GDPR is only permitted where authorized by law. Under the DPA this category of data is merely considered sensitive personal data and treated accordingly.

No obligation to maintain possibility of identification of data subjects*
GDPR Art. 11 | Current DPA: Comparable (Art. 4, 7) | Future DPA: Comparable (Art. 5, 6, 7)

Modalities for the exercise of the rights of the data subject* ***
GDPR Art. 12 | Current DPA: Stricter (Art. 5, 8, 9, 10, 12) | Future DPA: Comparable (Art. 23, 24, 25, 28)
The GDPR allows for refusal or the possibility to impose charges in case of manifestly unfounded or excessive requests (repetitive requests may be excessive); the deadline to respond may be extended from one month by two additional months. The current DPA is stricter on the imposing of charges; the future DPA may be comparable on this point with the GDPR (yet to be defined).

Information to be provided (direct collection of data)** ***
GDPR Art. 13 | Current DPA: Less strict (Art. 4, 14) | Future DPA: Stricter (Art. 17, 18, 19)
The current DPA requires (express) information at the time of collection only in cases of systematic collection of sensitive personal data (in addition to the principle of transparency), and less minimum information than under the GDPR. The future DPA will provide for similar information obligations as does the GDPR, with the list of minimum information being shorter (but providing for information on the countries of processing), but worded more openly (non-conclusive list of minimum information) than the GDPR. The exemptions and possibilities to limit the information are comparable. An overriding private interest can be relied on, as well, but only if personal data is not shared with other controllers.

Information to be provided (indirect collection of data)** ***
GDPR Art. 14 | Current DPA: Less strict (Art. 4, 14) | Future DPA: Stricter (Art. 17, 18, 19)
See foregoing comments.

Right of access** ***
GDPR Art. 15 | Current DPA: Less strict (Art. 8, 9, 10) | Future DPA: Comparable (Art. 23, 24, 25)
Under the GDPR, some additional information (e.g., on data subject's rights, safeguards in case of international transfers, automated decisions and their logic) needs to be provided; no copy has to be provided if this negatively affects third parties; the access right is not limited to data files as under the current DPA. The right of access under the future DPA will be comparable with the GDPR (with slightly different information obligations), however, with fewer exceptions (no reliance on business secrets, privilege and other overriding private interest if personal data is shared with group companies, regulators and other controllers).

Right to rectification**
GDPR Art. 16 | Current DPA: Comparable (Art. 5) | Future DPA: Stricter (Art. 28)
The GDPR also provides for a right to obtain completion. The exemptions under the revised DPA will be narrower (statutory obligation, public archival interest, but not overriding private interests).

Right to erasure (right to be forgotten)**
GDPR Art. 17 | Current DPA: Less strict (Art. 12, 13, 15) | Future DPA: Less strict (Art. 26, 27, 28)
The exemptions are defined more narrowly and specifically under the GDPR than under the current and future DPA (e.g., freedom of expression, compliance with law, legal claims, public archival purposes); an overriding private interest as such is not sufficient to refuse erasure of data under the GDPR. The current and future DPA provides for a broad right to object; the controller can justify non-compliance with an objection based on overriding private interest, among other things. The GDPR requires reasonable steps to inform other controllers of the data subject's request, which the current and future DPA does not.

Right to restriction of processing**
GDPR Art. 18 | Current DPA: Less strict (Art. 12, 13, 15) | Future DPA: Less strict (Art. 26, 27, 28)
Under the current and future DPA, the right to restrict the processing is less absolute (balancing of interest); the GDPR provides for a more absolute right in certain cases (e.g., pending the verification of correctness of data, or following the objection by the data subject while the controller verifies its grounds for processing).

Notification of rectification, erasure or restriction**
GDPR Art. 19 | Current DPA: Less strict (Art. 15) | Future DPA: Less strict (Art. 28)
Under the GDPR, requests for rectification and erasure have to be passed along to previous data recipients. Under Swiss law, a court can order that third parties are informed.

Right to data portability**
GDPR Art. 20 | Current DPA: No provision | Future DPA: No provision
Data subjects may require a controller to return personal data that the data subjects have provided to them and have been processed automatically on the basis of a contract or other consent. The data has to be provided in a machine-readable form and, if technically feasible, directly to another controller as directed by the data subject.

Right to object**
GDPR Art. 21 | Current DPA: Less strict (Art. 12, 13, 15) | Future DPA: Less strict (Art. 26, 27, 28)
The GDPR only addresses the right to object when the processing is based on a private or public interest, is done for direct marketing or occurs for scientific, historical, research or statistical purposes. The GDPR requires that the data subject must be informed about the right "separately from any other information". The current and future DPA provides for a broad right to object; the controller can justify non-compliance with an objection based on overriding private interest, among other things.

Automated individual decision making including profiling** ***
GDPR Art. 22 | Current DPA: No provision | Future DPA: Less strict (Art. 19)
The GDPR grants the data subject the right not to be subject to decisions based solely on automated processing ("automated processing" shall also include any form of profiling) that produce legal effects or similarly affect the data subject, with exceptions (such as conclusion or performance of contract or explicit consent); furthermore, such processing has to meet certain standards to safeguard the data subjects, such as granting a right to human intervention. The future DPA will provide for a similar provision which, however, is less strict in that no human intervention and separate information needs to be provided in cases where automated individual decisions are based on express consent or for the conclusion or performance of a contract insofar as such contract corresponds to what the data subject has requested.

Restrictions of rights of data subject and processing principles by law
GDPR Art. 23 | Current DPA: Comparable (Art. 13) | Future DPA: Comparable (Art. 27)
The GDPR provides for various predefined cases under which the EU and Member States can limit (or justify non-compliance with) data subject rights and the processing principles (e.g., the protection of "rights and freedoms of others" and enforcement of civil claims). Under the current and future DPA, however, restrictions may be justified more generally on the basis of "legitimate (private) interests".

Responsibility of controller
GDPR Art. 24 | Current DPA: Comparable (Art. 7, 12, 13) | Future DPA: Comparable (Art. 7, 26, 27)
The GDPR requires that the controller must be able to demonstrate that its processing is in compliance. The current and revised DPA does not expressly provide for this, but de facto the requirement exists as well.

Data protection by design and default*
GDPR Art. 25 | Current DPA: Less strict (Art. 4, 7) | Future DPA: Comparable (Art. 5, 6)
The GDPR is express on these principles, and so will the future DPA be. Under the current DPA, data protection by design is required already implicitly. The GDPR requires that by default only the data necessary for the purpose is processed; publication shall require the individual's intervention. The future DPA will require that unless the data subject directs otherwise, pre-settings shall provide for the least possible processing of personal data offered by default (does not apply if the data subject has agreed otherwise).

Joint controllers*
GDPR Art. 26 | Current DPA: Comparable (Art. 7) | Future DPA: Comparable (Art. 6)
The GDPR requires that joint controllers set forth their allocation of responsibilities in an arrangement. The current and future DPA does not require any kind of formal arrangement.

Representative of non-union based controllers in the Union*
GDPR Art. 27 | Current DPA: No provision | Future DPA: No provision
Under the GDPR, controllers and processors outside the EU have to mandate a representative (its liability remains unclear, though) in the EU except if their processing subject to the GDPR is occasional, not concerning significant amounts of sensitive personal data and not risky.

Processor arrangements* ***
GDPR Art. 28 | Current DPA: Less strict (Art. 10a) | Future DPA: Comparable (Art. 8)
The GDPR requires that sub-processors are approved in writing by the controller; in case of general approval, the controller must be informed of a new sub-processor and has to have a right to object. This approval requirement will also be introduced under the future DPA. The GDPR provides for specific content of controller-processor arrangements (e.g., processing of data only on documented instructions by controller, assisting controller in compliance matters). The GDPR provides for standard clauses approved by the Commission.

Persons acting for controllers or processors*
GDPR Art. 29 | Current DPA: Comparable (Art. 7, 10a) | Future DPA: Comparable (Art. 6, 8, 22)
The GDPR is more express on their duty towards the controller or processor.

Records of processing activities*
GDPR Art. 30 | Current DPA: Less strict (Art. 7, 11a) | Future DPA: Comparable (Art. 11)
The GDPR requires that each controller and processor maintains a record of its processing activities, except for enterprises with fewer than 250 employees with regard to processing that involves no sensitive data, is only occasional and involves no risks. The current DPA provides for an obligation to register certain data files with the data protection authority, or maintain a corresponding record if a data protection officer has been appointed. The future DPA will provide for an obligation to maintain a record of processing activities comparable to the GDPR, with a slightly different, broader exemption.

Obligation to cooperate with the supervisory authority*
GDPR Art. 31 | Current DPA: Comparable (Art. 29) | Future DPA: Comparable (Art. 44)

Security of processing* ***
GDPR Art. 32 | Current DPA: Comparable (Art. 7) | Future DPA: Comparable (Art. 7)
The GDPR is more express on what is required. Under the DPA, more specific requirements are to be regulated in an ordinance.

Notification of a data breach to the supervisory authority*
GDPR Art. 33 | Current DPA: No provision | Future DPA: Less strict (Art. 22)
The GDPR provides for a formal obligation to notify data breaches (i.e. breaches of security leading to unauthorized disclosure or other processing) to the data protection authority within 72 hours except where unlikely to result in a risk for the data subjects. The GDPR also provides for an obligation to maintain a record of "any" data breach. The future DPA will also introduce a data breach notification obligation, but the authority will need to be notified only if there is a high risk for the data subjects. The notification has to occur as soon as possible.

Communication of a data breach to the data subject*
GDPR Art. 34 | Current DPA: Less strict (Art. 2, 7) | Future DPA: Comparable (Art. 22)
The GDPR provides for an obligation to inform the data subject in any event if the breach is likely to result in a high risk for the data subject. Under the revised DPA, a formal obligation to notify data subjects exists in the case that the notification is necessary to protect their interests.

Data protection impact assessment*
GDPR Art. 35 | Current DPA: Less strict (Art. 7) | Future DPA: Comparable (Art. 20)
The GDPR is more formal on the obligation to perform a data protection impact assessment and defines the cases in which this is necessary ("high risk" cases, e.g., large scale processing of sensitive personal data). The GDPR also provides for consultation of data subjects "where appropriate", and that supervisory authorities may define "high risk" cases. The future DPA will also provide for a formal obligation to conduct and document a data protection impact assessment comparable to the GDPR, but already defines specific cases where such an assessment is necessary and may be stricter than under the GDPR (e.g., profiling).

Prior consultation of supervisory authority*
GDPR Art. 36 | Current DPA: No provision | Future DPA: Comparable (Art. 21)
The GDPR provides for an obligation to consult the supervisory authority if, following a data protection impact assessment, a case remains "high risk" despite the mitigation measures taken; a response shall be provided within eight plus six weeks. The future DPA will provide for a similar provision, with the exception that the authority does not need to be consulted if instead the internal data protection counsel is consulted.

Designation of a data protection officer*
GDPR Art. 37 | Current DPA: Less strict (Art. 11a, ODPA 12a/b) | Future DPA: Less strict (Art. 9)
The GDPR requires a data protection officer for controllers and processors who require regular and systematic monitoring of data subjects on a large scale or process sensitive personal data on a large scale. The future DPA provides for the appointment of a "data protection counsel", which is not mandatory in any event. In the case of a data protection impact assessment, no consultation of the authority is necessary if instead the counsel is consulted.

Position of the data protection officer*
GDPR Art. 38 | Current DPA: Comparable (ODPA 12a/b) | Future DPA: Comparable (Art. 9)

Tasks of the data protection officer*
GDPR Art. 39 | Current DPA: Comparable (ODPA 12a/b) | Future DPA: No provision (Art. 9)
Under the GDPR, the officer shall also monitor compliance and be the contact point for the supervisory authority, but is not required to maintain the records of all data files (as under the DPA). The future DPA will not define the duties of the data protection counsel.

Codes of conduct
GDPR Art. 40 | Current DPA: No provision | Future DPA: Comparable (Art. 10)
The GDPR provides for (private) codes of conduct that can be approved and published by the competent authorities. The future DPA will provide for a similar provision.

Monitoring of approved codes of conduct*
GDPR Art. 41 | Current DPA: No provision | Future DPA: No provision
The GDPR provides that a (private) body may monitor compliance with the codes of conduct and impose (private) sanctions (e.g., exclusion from the code).

Certifications*
GDPR Art. 42 | Current DPA: Comparable (Art. 11) | Future DPA: Comparable (Art. 12)
The GDPR provides for certifications also for the purposes of safeguarding transborder data flows to countries without an adequate level of statutory data protection. The GDPR provides for a "European Data Protection Seal". The current DPA provides for certifications of processing activities and products; the future DPA will also allow for the certification of services.

Certification body*
GDPR Art. 43 | Current DPA: Comparable (Art. 11) | Future DPA: Comparable (Art. 12)

General principle of cross-border data transfers** ***
GDPR Art. 44 | Current DPA: Comparable (Art. 6) | Future DPA: Comparable (Art. 13)

Transfers with an adequacy decision** ***
GDPR Art. 45 | Current DPA: Comparable (Art. 6) | Future DPA: Comparable (Art. 13)
The current DPA does not provide for binding adequacy decisions by a supervisory authority; it remains the responsibility of the exporter to assess the adequacy. In the future, the DPA will provide for such decisions, as does the GDPR. The GDPR provides that existing adequacy findings shall remain valid for the time being. It also provides for criteria to assess adequacy.

Transfers based on a safeguard** ***
GDPR Art. 46 | Current DPA: Comparable (Art. 6) | Future DPA: Comparable (Art. 13)
The GDPR permits transfers also on the basis of approved codes of conduct, approved certifications. If non-standard contractual clauses are to be used, approval by the supervisory authority is necessary. The GDPR also provides that existing standard clauses shall remain valid for the time being. The current and future DPA provide for both standard and non-standard contractual safeguards. Non-standard contractual safeguards are subject to review by the authority.

Transfers by way of binding corporate rules** ***
GDPR Art. 47 | Current DPA: Less formal (Art. 6) | Future DPA: Comparable (Art. 13)
The GDPR requires approval of binding corporate rules (BCRs) and defines what they must provide for. Under the future DPA, BCRs need to be approved, as well.

Transfers or disclosures not authorized by EU law** ***
GDPR Art. 48 | Current DPA: Comparable (Art. 6) | Future DPA: Comparable (Art. 13, 14)
The GDPR provides for a "blocking statute" concerning foreign orders to produce data if such production is not done through legal mutual assistance (or the like) or on one of the other grounds for lawful transfers pursuant to the GDPR. Under Swiss law, Art. 271 Swiss Penal Code may be triggered in such cases.

Derogations for specific situations** ***
GDPR Art. 49 | Current DPA: Stricter (Art. 6) | Future DPA: Comparable (Art. 14)
The GDPR also permits transfers in case of establishment, exercise or defense of legal claims not only before a court (as does the current DPA) or in case of non-repetitive transfers concerning a limited number of data subjects for compelling legitimate (private) interests (but the supervisory authority has to be informed in the latter case). The future DPA will remove the limitation as to court proceedings. However, overriding private interests do not provide for an exemption under the current and future DPA.

Supervisory authority powers** ***
GDPR Art. 58 | Current DPA: Less strict (Art. 29) | Future DPA: Comparable (Art. 43, 44, 45, 59)
Under the GDPR, the supervisory authority has the power to issue orders to the controller or processor as regards their processing of data and administrative fines. Under the future DPA, the authority can investigate matters and issue orders to controllers and processors, but not issue any fines. Fines are to be issued by the cantonal criminal prosecution authorities.

Right to lodge a complaint with the supervisory authority
Current DPA: Less strict (Art. 28, 29) | Future DPA: Comparable (Art. 43)
Under the GDPR, data subjects can not only submit complaints concerning their individual cases, they have a right to receive information on the progress or outcome from the supervisory authority and go to court if the supervisory authority does not deal with the complaint in time. Under the future DPA, there will be a similar provision, but the authority may refuse to investigate cases deemed not significant.

Right to an effective judicial remedy against a controller or processor
GDPR Art. 79 | Current DPA: Comparable (Art. 15, CC 28) | Future DPA: Comparable (Art. 28, CC 28)
The GDPR is not clear on claims against controllers and processors not established in the Union.

Representation of data subjects by an organization
GDPR Art. 80 | Current DPA: Comparable (CPC 89) | Future DPA: Comparable (CPC 89)

Administrative fines
GDPR Art. 83 | Current DPA: No provision | Future DPA: No provision
Fines issued by the supervisory authority under the GDPR are either up to 10m EUR or 2% of total worldwide annual turnover (whichever is higher) or up to 20m EUR or 4% of total worldwide annual turnover (whichever is higher), depending on the provision violated.

Penalties
GDPR Art. 84 | Current DPA: ? (Art. 34) | Future DPA: Stricter (Art. 54, 55, 56, 57, 58)
Penalties under the GDPR are to be set forth by the Member States. Under the future DPA, a number of violations of the DPA or lack of cooperation with the supervisory authority can result in criminal fines against responsible individuals (acting intentionally) of up to CHF 250'000.

Processing of personal data by media
GDPR Art. 85 | Current DPA: Comparable (Art. 10, 13) | Future DPA: Comparable (Art. 25)
Exemptions/restrictions of obligations under the GDPR to be set forth by the Member States.

Processing of national identification numbers
GDPR Art. 87 | Current DPA: ?
Specific conditions under the GDPR to be set forth by Member States.

Processing in the employment context
GDPR Art. 88 | Current DPA: ? (CO 328b) | Future DPA: (CO 328b)
Specific conditions under the GDPR to be set forth by Member States.

Processing for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes
GDPR Art. 89 | Current DPA: ?
Exemptions/restrictions of obligations under the GDPR to be set forth by the Member States.

Obligations of secrecy
GDPR Art. 90 | Current DPA: ? (Art. 9, 13) | Future DPA: (Art. 18, 24, 27)
Member States may define specific rules to reconcile the data protection and secrecy obligations.

* GDPR: Maximum administrative sanction of EUR 10 million or 2%, whichever is higher.
** GDPR: Maximum administrative sanction of EUR 20 million or 4%, whichever is higher.
*** Future DPA: Fines for individuals acting intentionally of up to CHF 250'000; in cases of fines of up to CHF 50'000, it is possible to fine the corporate entity instead.
More informationHOW TO EXECUTE THIS DPA:
DATA PROCESSING ADDENDUM (GDPR, and EU Standard Contractual Clauses) (Rev. April 20, 2018) This Data Processing Addendum ( DPA ) forms part of the Master Subscription Agreement or other written or electronic
More informationTransborder data transfers briefly explained
Federal Data Protection and Information Commissioner FDPIC Transborder data transfers briefly explained For the attention of federal bodies and private industry (Last modified: January 2017) 1) What is
More informationBINDING CORPORATE RULES
BINDING CORPORATE RULES CONTROLLER PRINCIPLES INTRODUCTION At Marsh & McLennan Companies (MMC), we respect and are committed to protecting the privacy, security and integrity of Personal Information 1
More informationGeneral Data Protection Regulation (GDPR) Data Protection Notice
General Data Protection Regulation (GDPR) Data Protection Notice Innovative Sensor Technology IST AG attaches great importance to the protection of your personal data. We therefore conduct our business
More informationGuidance: The new EU General Data Protection Regulation: Implications for Australia
Guidance: The new EU General Data Protection Regulation: Implications for Australia Introduction After years of negotiations, the new EU General Data Protection Regulation (GDPR) was passed in 2016, bringing
More informationAegon Asset Management Europe ICAV ( the Fund ) Data Protection Policy
Aegon Asset Management Europe ICAV ( the Fund ) Data Protection Policy Contents Definitions.. 2 The Product... 2 Fund Board Governance... 2 Delegation of the Processing of Personal Data... 2 Data Protection
More informationGlobalaw-MCI Webinar Tuesday, 12 July at 4 pm CEST. Featured Speakers. Karin McGinnis Susanne Klein LL.M. Dr. Benno Barnitzke LL.M.
Globalaw-MCI Webinar Tuesday, 12 July at 4 pm CEST Featured Speakers Karin McGinnis Susanne Klein LL.M. Dr. Benno Barnitzke LL.M. David Marchese Attorney, Member, Moore & Van Allen, PLLC, USA Rechtsanwältin
More informationEU Data Processing Addendum
EU Data Processing Addendum This EU Data Processing Addendum ( Addendum ) is made and entered into by and between AlienVault, Inc., a Delaware corporation ( AlienVault ) and the customer specified in the
More informationDATA PROCESSING AGREEMENT/ADDENDUM
DATA PROCESSING AGREEMENT/ADDENDUM This Data Processing Agreement ( DPA ) is made and entered into as of this day of, 2018 forms part of our Terms and Conditions (available at www.storemaven.com/terms-of-service)
More informationNew legislation brings changes to how data is handled
New legislation brings changes to how data is handled April 2018 Lockton Companies New European Union (EU) data protection rules may require changes to how businesses handle personal data even if the businesses
More informationData Privacy is important please read the statement below.
Duties of disclosure upon collection of personal data from the data subject in accordance with Article 13 paragraphs 1, 2, and 4, as well as Article 21 paragraph 3 of the EU General Data Protection Regulation
More informationData Processing Appendix
Data Processing Appendix This Data Processing Appendix (the Appendix ) is attached to and forms part of the Supplier General Terms and Conditions (the Agreement ) between Nebula Oy ( Supplier ) and customer
More informationImpact of the European General Data Protection Regulation on U.S. M&A
CLIENT MEMORANDUM Impact of the European General Data Protection Regulation on U.S. M&A March 26, 2018 The winds of change will shortly sweep across the data privacy landscape in the European Union ( E.U.
More informationData protection information under the EU General Data Protection Regulation in Italy
Data protection information under the EU General Data Protection Regulation in Italy May, 2018 The following information provides an overview of how we process personal data and rights under data protection
More informationprivacy notice who is responsible for processing your personal data and who you can contact in this regard reasons for processing your data
privacy notice privacy notice This privacy notice provides an overview of how Pancyprian Insurance Ltd (the Company ) processes your personal data. Personal data refers to any information relating to you
More informationPRIVACY POLICY FOR CUSTOMER, PROSPECT AND PARTNER REGISTER
Page 1 (8) PRIVACY POLICY FOR CUSTOMER, PROSPECT AND PARTNER REGISTER This privacy policy has been modified latest on: [May 2 nd, 2018] 1 DATA CONTROLLER Solibri Oy (Business ID 1058643-9) ( Solibri )
More informationSECTION 1 IDENTITY AND CONTACT DETAILS OF THE DATA CONTROLLER
INFORMATION DOCUMENT REGARDING PERSONS UNDER ARTICLES 13 AND 14 OF THE EUROPEAN COMMUNITIES REGULATION 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL OF 27 APRIL 2016 (THE STATEMENT ) The Regulation
More informationPrivacy Statement v 1.1
Privacy Statement v 1.1 Context and Overview This notice will take effect from 25/05/2018 Burke Insurances Ltd. is committed to protecting and respecting your privacy. It is the intention of this privacy
More informationEven If You Are a U.S. Company, Don t Ignore the GDPR: Complying with the EU s New Data Privacy Law
Even If You Are a U.S. Company, Don t Ignore the GDPR: Complying with the EU s New Data Privacy Law On May 25, 2018, the European Union (EU)'s General Data Protection Regulation (GDPR) comes into force,
More informationDATA PROTECTION LAWS OF THE WORLD. Angola vs Czech Republic
DATA PROTECTION LAWS OF THE WORLD Angola vs Czech Republic Downloaded: 15 July 2018 ANGOLA CZECH REPUBLIC Last modified 24 January 2018 LAW Data Protection Law (Law no. 22/11 of 17 June), Electronic Communications
More informationPension Trustees Final Countdown To GDPR
Pension Trustees Final Countdown To GDPR " ROBERT HANIVER SENIOR ASSOCIATE/TECHNOLOGY MASON HAYES & CURRAN " STEPHEN GILLICK PARTNER/PENSIONS MASON HAYES & CURRAN The General Data Protection Regulation
More informationData Privacy Statement
1/7 Data Privacy Statement Bank J. Safra Sarasin Ltd ( Bank ) has issued this Data Privacy Statement in light of the Swiss Federal Act on Data Protection ( DPA ) and its upcoming revision as well as the
More informationEUROPEAN LAWYER REFERENCE SERIES
Switzerland Lenz & Staehelin Dr Lukas Morscher & Christian Meisser 1. LEGISLATION 1.1 Name/title of the law In Switzerland, the processing of personal data by private persons and federal bodies is regulated
More informationMember Circular March Implementation of the EU General Data Protection Regulation 2016/679 General Guidance to Members
Member Circular March 2018 Implementation of the EU General Data Protection Regulation 2016/679 General Guidance to Members Introduction Regulation (EU) 2016/679 containing the General Data Protection
More informationPRIVACY NOTICE. I. Indication of the data controller
PRIVACY NOTICE In order to be compliant with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing
More informationDATA PROCESSING ADDENDUM
This Data Processing Addendum (the DPA ) forms part of Telia Bedriftsavtale or other written or electronic agreement between the Parties for the purchase of telecommunication services, and regulates any
More informationINFORMATION ON THE PROCESSING OF PERSONAL DATA
INFORMATION ON THE PROCESSING OF PERSONAL DATA PRIVACY NOTICE In order to be compliant with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection
More informationCNPD Course: Data Protection Basics
CNPD Course: Data Protection Basics The obligations of controllers Esch-sur-Alzette (Belval) Mathilde Stenersen 4-6 July 2017 Legal department Introduction to data protection 1. Introduction 2. Basic concepts
More informationDATA PROCESSING AGREEMENT
DATA PROCESSING AGREEMENT This Data Processing Agreement (the DPA ), entered into by the Customer and the company Ganttic OÜ (company registration number 11979702) having its registered office at Lai tn
More informationData Privacy Notice of Sumitomo Mitsui Banking Corporation, Brussels Branch ( SMBC )
Data Privacy Notice of Sumitomo Mitsui Banking Corporation, Brussels Branch ( SMBC ) 1 ABOUT THIS NOTICE 1.1 Company issuing this Notice Sumitomo Mitsui Banking Corporation Brussels Branch, Neo Building,
More informationIRIS Group of Companies Customer Data Processing Terms
IRIS Group of Companies Customer Data Processing Terms Definitions (any other capitalised terms not contained in this section will be as defined in the IRIS Software Group General Terms & Conditions (
More informationLOCAL GOVERNMENT PENSION SCHEME (LGPS) GENERAL DATA PROTECTION REGULATION - THE IMPLICATIONS FOR THE LGPS
LOCAL GOVERNMENT PENSION SCHEME (LGPS) GENERAL DATA PROTECTION REGULATION - THE IMPLICATIONS FOR THE LGPS INTRODUCTION Thank you for providing us with a list of questions and background information in
More informationCLOUDINARY DATA PROCESSING ADDENDUM
CLOUDINARY DATA PROCESSING ADDENDUM This Data Processing Addendum ( DPA ) forms part of the agreement for the subscription by the Customer to the Cloudinary Service ("Subscription Agreement") between Cloudinary
More informationWHO IS RESPONSIBLE FOR LOOKING AFTER YOUR PERSONAL DATA?
OVERVIEW of this Policy and Commitments to Privacy within Dual At Dual ("we", "us", "our"), we regularly collect and use information which may identify individuals ("personal data"), including insured
More informationINFORMATION ON THE PROCESSING OF PERSONAL DATA
INFORMATION ON THE PROCESSING OF PERSONAL DATA PRIVACY NOTICE In order to be compliant with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection
More informationData Processing Addendum
Data Processing Addendum This Data Processing Addendum (" DPA "), forms part of the Agreement or other written or electronic agreement between Pleo Technologies ApS (" Pleo ) and Customer for the purchase
More informationPRIVACY NOTICE LAST UPDATED: SEPT. 2018
PRIVACY NOTICE LAST UPDATED: SEPT. 2018 HOW THE BANK USES YOUR PERSONAL DATA This privacy notice provides an overview of how Hellenic Bank Public Company Ltd (the Bank ) processes your personal data. Personal
More informationDATA PROCESSING ADDENDUM
DATA PROCESSING ADDENDUM This Data Processing Addendum ( DPA ) forms part of the Master Purchase Agreement, Customer Agreement, Channel Partner Agreement, End User License Agreement or other written agreement
More informationData Privacy Notice. Who are we and why do we register and use personal data?
Data Privacy Notice Who are we and why do we register and use personal data? Danske Bank A/S is a financial institution that offers financial advice and services to its clients. In the course of our business,
More informationDATA PROCESSING ADENDUM
W www.exponea.com C +421 948 127 332 sales@exponea.com A Exponea, Twin City B, Mlynské Nivy 12 821 09 Bratislava, SK DATA PROCESSING ADENDUM Exponea s.r.o. registered in the Commercial Register maintained
More informationStates of Guernsey EU General Data Protection Regulation (GDPR) - High-level impact assessment
CI Advisory EU General Data Protection Regulation (GDPR) - High-level impact assessment Basis for this report This document has been prepared only for the and solely for the purpose and on the terms agreed
More information1. Personal data processed by NOVO BANCO as the data controller
INFORMATION ABOUT THE PROCESSING OF YOUR PERSONAL DATA NOVO BANCO, S.A., with its registered office at Avenida da Liberdade, n.º 195, 1250-142 Lisbon, with share capital of 5.900.000.000,00, registered
More informationINTERNATIONAL SOS. Data Protection Policy. Version 1.8
INTERNATIONAL SOS Data Protection Policy Document Owner: LCIS Division Document Manager: Group General Counsel Effective: December 2008 2017 All copyright in these materials are reserved to AEA International
More informationNewsletter NEW DATA PROTECTION REGIMES IN THE EU AND JAPAN: Similarities and Differences. Atsumi & Sakai
Newsletter Atsumi & Sakai NEW DATA PROTECTION REGIMES IN THE EU AND JAPAN: Similarities and Differences ATSUMI & SAKAI TOKYO LONDON FRANKFURT www.aplaw.jp/en NEW DATA PROTECTION REGIMES IN THE EU AND JAPAN:
More information14 March MedTech Europe: GDPR National Legislation State of Play Webinar
14 March 2018 MedTech Europe: GDPR National Legislation State of Play Webinar GDPR National Legislation State of Play - Germany Susanne Werry, Senior Associate Clifford Chance LLP Interaction of the GDPR
More informationGDPR DATA PROCESSING ADDENDUM INSTRUCTIONS FOR JOSTLE CUSTOMERS
GDPR DATA PROCESSING ADDENDUM INSTRUCTIONS FOR JOSTLE CUSTOMERS WHO SHOULD EXECUTE THIS DPA: If you have determined that you qualify as a data controller under the GDPR, and need a data processing addendum
More informationGDPR CCPA LGPD. Protected information
Stricter data protection laws are on the rise. While only a couple of years ago, data protection legislations and requirements were frequently marginalized and the position of the data protection officer
More informationThe Era of GDPR Data Privacy, Two Months In: Do you have a Data Transfer Agreement handy? July 31, 2018
The Era of GDPR Data Privacy, Two Months In: Do you have a Data Transfer Agreement handy? July 31, 2018 Upcoming Events: Sign up on our web site Associate Safety Professional (ASP) Examination Preparation,
More informationINFORMATION ON THE PROCESSING OF PERSONAL DATA
INFORMATION ON THE PROCESSING OF PERSONAL DATA PRIVACY NOTICE In order to be compliant with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection
More informationPREPARING FOR THE EU GDPR IN RESEARCH SETTINGS
PREPARING FOR THE EU GDPR IN RESEARCH SETTINGS May 22, 2018 1 1 This guidance document is based on information available as of May 22, 2018. As the GDPR is enforced and further guidance is provided this
More informationData Transfer Policy Version 1.1 Last amended: 18 September 2014 Policy Owner: Governance Team
Data Transfer Policy Version 1.1 Last amended: 18 September 2014 Policy Owner: Governance Team The University of Nottingham ( the University ) Tri-Campus Data Transfer Policy Background and Statement of
More informationThe contract is important so that both parties understand their responsibilities and liabilities.
Contracts At a glance Whenever a controller uses a processor it needs to have a written contract in place. The contract is important so that both parties understand their responsibilities and liabilities.
More informationCUSTOMER DATA PROCESSING ADDENDUM
CUSTOMER DATA PROCESSING ADDENDUM This Data Processing Addendum ( DPA ) and applicable Attachments apply when HP acts as a Data Processor and processes Customer Personal Data on behalf of Customer in order
More informationThe EU-US Privacy Shield: A How-To Guide
July 19, 2016 The EU-US Privacy Shield: A How-To Guide Published in Law360 The EU safe harbor framework, unveiled in 2000, allowed certified U.S. companies to receive personal data of EU residents in compliance
More informationThe General Data Protection Regulation s Impact on M&A
The General Data Protection Regulation s Impact on M&A PRACTICAL ADVICE ON HOW TO CONTINUE A SMOOTH M&A PROCESS Presented by Avi Gesser, Davis Polk partner, Litigation/Cybersecurity Pritesh P. Shah, Davis
More informationDATA PROTECTION STATEMENT
DATA PROTECTION STATEMENT The company Deutsche Verkehrs-Assekuranz-Vermittlungs-GmbH (DVA) collects and processes your personal data in accordance with the relevant data protection rules, in particular
More informationA guide for the insurance industry
A guide for the insurance industry IMPORTANT NOTE: This guide is based on the text of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural
More informationaddress
DATA CONTROLLER DATA PROTECTION OFFICER (DPO) PERSONAL DATA PROCESSED Company name: Danieli & C. Officine Meccaniche S.p.A. Address: Via Nazionale n. 41, 33042 Buttrio (UD) Telephone number (+3904321958111)
More informationAppropriate Policy Document
Appropriate Policy Document Schedule 1, Part 4, Data Protection Act 2018 July 2018 Privacy Notice - Appropriate Policy Document v2.docx Page 1 of 8 Contents 1 Introduction... 3 2 Relevant Schedule 1 conditions
More informationCCPA and GDPR Comparison Chart
Resource ID: w-016-7418 LAURA JEHL AND ALAN FRIEL, BAKERHOSTETLER LLP, WITH PRACTICAL LAW DATA PRIVACY ADVISOR Search the Resource ID numbers in blue on Westlaw for more. A Chart comparing some of the
More informationL 145/30 Official Journal of the European Union
L 145/30 Official Journal of the European Union 31.5.2011 REGULATION (EU) No 513/2011 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 11 May 2011 amending Regulation (EC) No 1060/2009 on credit rating
More informationAXA GROUP BINDING CORPORATE RULES
AXA GROUP BINDING CORPORATE RULES Background AXA Group is committed to maintaining the privacy of data obtained in the course of its business activities and complying with applicable laws and regulations
More information