14 March MedTech Europe: GDPR National Legislation State of Play Webinar
- Alison Andrews
Transcription
1 14 March 2018 MedTech Europe: GDPR National Legislation State of Play Webinar
2 GDPR National Legislation State of Play - Germany Susanne Werry, Senior Associate Clifford Chance LLP
3 Interaction of the GDPR and the German Data Protection Law: General Overview - GDPR. GDPR as one comprehensive European law on data protection. GDPR aim: abolishment of fragmentation via full harmonization. Adopted on 27 May 2016. Enforceable as of 25 May 2018. Directly applicable as a regulation. But: opening clauses allow for local law amendments regarding certain areas.
4 Interaction of the GDPR and the German Data Protection Law: General Overview - German data protection law. Germany: first country in Europe to pass an implementation law. The German Data Protection Amendment Act containing the new German Federal Data Protection Act (Bundesdatenschutzgesetz-neu, BDSG-new) was enacted and published on 5 July 2017. Entry into force: on 25 May 2018 together with the GDPR. Replaces the current German Federal Data Protection Act (Bundesdatenschutzgesetz). Consequence: BDSG-new and GDPR will both be applicable in Germany as of 25 May 2018.
5 The New German Data Protection Law: Material Scope. BDSG-new contains regulations for the public and private sector. For private companies the BDSG-new sets rules, e.g. for: video surveillance of public places (Sec. 4 BDSG-new), data processing for other purposes than initially intended (Sec. 24 BDSG-new), data processing in the context of employment (Sec. 26 BDSG-new), data processing related to consumer credits (Sec. 30 BDSG-new), scoring and credit checks (Sec. 31 BDSG-new), limitation of rights of the data subject (Sec BDSG-new), designation of a DPO (Sec. 38 BDSG-new), administrative fines, criminal provisions (Sec BDSG-new), procedural rules for private and public lawsuits (Sec. 20, 44 BDSG-new). But: criticism as to the question of compliance of these rules with the GDPR.
6 The New German Data Protection Law: Geographical Scope. Broad geographical scope of application. The BDSG-new applies where: the controller or processor processes personal data in Germany; the processing of personal data occurs in the context of activities of a German establishment of the controller or processor; or, where a European establishment does not exist, the processing occurs within the territorial scope of the GDPR.
7 The New German Data Protection Law: Details. Examples of regulations with high relevance for Med Tech companies: collection and use of employee data (Section 26 BDSG-new); special categories of data (in particular Section 22 BDSG-new); processing of data for research purposes and statistical purposes (Section 27 BDSG-new); appointment of Data Protection Officers (Section 38 BDSG-new); sanctions (Section 41 et seqq. BDSG-new).
8 GDPR National Legislation State of Play - Netherlands Erik Vollebregt, Partner Axon Lawyers
9 Implementation in the Netherlands: Uitvoeringswet AVG (implementation act GDPR). As we speak, still in full swing of being amended in Parliament. No amendments specifically relevant to the medtech industry. Still also has to go through the Senate and then be declared applicable by Royal Decree. DPA advised about it on 6 April 2017. DPA foresees an active educational role too. Many administrative law and enforcement related recommendations. Vote in Parliament on 13 March.
10 What's interesting in the implementation act? Article 19: cooperation protocols with other CAs in NL (typical Dutch thing). Exercise of discretion under article 9 (4) GDPR: Article 24 UAVG re processing that is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law. Additional requirements in Article 24 (b), (c) and (d): research must be in general interest; asking consent must be impossible or prohibitively difficult; safeguards against unjustifiable damage to data subjects' privacy. Seems to exclude commercial research given the general interest criterion. What about vigilance and PMS data?
11 What's interesting in the implementation act? Exercise of discretion under article 9 (4) GDPR: Article 30 IAVG, exceptions re data concerning health. Processing of data concerning health allowed for government, pension funds, employers or institutions active on their behalf for execution of tasks and reintegration (Art 30 (1); article 9 (2) (b) GDPR); implementation of secrecy like in article 9 (2) (h) GDPR. Processing of data concerning health allowed by schools and rehabilitation services insofar as necessary for their tasks (Art 30 (2)); implementation of secrecy like in article 9 (2) (h) GDPR. Processing of data concerning health for HCP, health institutions and social services insofar as necessary for their tasks and insurance companies (Art 30 (3); article 9 (2) (h) GDPR). Processing on the above three bases only by persons under professional or contractual secrecy (Article 30 (4)). Unclear if this includes contractual third parties referred to in Article 9 (2) (h) GDPR. Issue (service providers to HCPs and health institutions). If treatment or care require it, then processing of data concerning health can be mixed with processing of other categories of sensitive data (Article 30 (5)).
12 What's interesting in the implementation act? Convenient implementation table to check exercise of national discretion.
13 What else is going on? DPA is trying to scale up but finds that very difficult. Everybody is trying to poach their people. DPA has announced it wants to set examples in the healthcare industry as soon as GDPR is applicable. Make sure it's not you. DPA is quite focused on DPIA and technical stuff. All enforcement cases result in public reports that are published.
14 GDPR National Legislation State of Play - Spain Jesús Yañez Colomo, Partner ECIJA
15 AUTONOMY OF PATIENT National Legislation Characteristics (I)
16 Regional Legislation Characteristics (II)
17 Regional Legislation Characteristics (II)
18 Regional Legislation Characteristics (II)
19 Clinical Trial (I). RD 1090/2015 applies to all requests for authorization of a Clinical Trial and to requests for substantial modifications or notifications concerning the authorized ECs that are in progress or for which the report of results carried out as of January 13, To authorize a Multicenter Clinical Trial in Spain, the authorization issued by the AEMPS is required, and it is only necessary for an accredited CEIm to issue its positive opinion, which will be unique and binding (Article 12.2a), and the conformity at the center by contract. The process of processing authorization requests is simplified. Expires at 2 years if no subject is recruited, and it is obligatory to publish results one year after the end date of the same. The AEMPS on its website will facilitate the registration of Clinical Trials with medicines for human use, through a database that is free to use, to serve as a source of information on clinical studies to any citizen.
20 Clinical Trial (II). Non-commercial clinical research: research carried out by the researchers without the participation of the pharmaceutical industry or medical devices, which has all the following characteristics: The Sponsor is a university, hospital, public scientific organization, non-profit organization, patient organization or individual researcher. Ownership of the research data belongs to the Sponsor from the first moment of the study. There are no agreements between the developer and third parties that allow the use of the data for regulatory uses or that generate an industrial property. Design, realization, recruitment, data collection and communication of research results are kept under the control of the Sponsor. Due to their characteristics, these studies cannot be part of a program of development for a marketing authorization of a product. New model of a single clinical trial contract for Spain. It will be signed with all the centers and will be sent to the CEIm. It will be agreed by the Interterritorial Council of the National Health System and the different autonomous communities. One of the problems will be the possible margin of negotiation with this unique model in special cases, although in principle independent trials improve. In this way, a centralized authorization for Europe is established, with a higher level of competence and effectiveness among centers.
21 Preparing for the GDPR: Rethinking consent. Under the GDPR, in order for consent to be validly given, it has to meet a new set of onerous requirements. Among other criteria, consent has to be given by a clear affirmative act that reflects a manifestation of free, specific, informed and unequivocal will of the data subject to accept the processing of personal data. Moreover, it has to be given in an intelligible language. Where does the problem arise? The GDPR does not accept that existing consents remain valid if they do not meet the new requirements of the law. Thus, companies that process a significant part of data with a consent basis (such as in the medical technology sector) must revisit their consent processes and ensure that they are compliant with the new EU standards. A possible way to achieve this end would be to conduct a gap analysis for all consents obtained.
22 Conducting Risk Analysis. All entities that process personal data are now required to conduct a risk analysis of each processing activity. Said analysis is a new comprehensive process that ranges from assessing processors to international transfers and categories of data. Whenever said analysis results in a high risk from a data protection standpoint (which, among other aspects, can easily occur with processing of health data), controllers must perform a Privacy Impact Assessment (PIA) prior to the processing. Although conducting a PIA could, in theory, translate into an extra cost for the company, not performing a PIA whenever it is required could result in both reputational damages as well as high penalties (ranging to a maximum of 4% of the company's last year worldwide turnover or EUR, whichever is deemed higher).
23 Addressing the data subject's right to portability. Among other new rights, data subjects are now entitled to receive personal data concerning them, which have been supplied to a controller, in a structured format, commonly used and readable, and transmit them to another controller without being prevented by the controller to which the data were given. In the medical technology industry, the issue of data portability is particularly important as patients can now request companies for data from their medical devices to be transferred to another provider. On this note, while the GDPR does not impose that technically compatible systems are maintained by controllers, it also sets down that data subjects shall have the right to receive the personal data concerning him or her ( ) without hindrance from the controller to which the personal data have been provided. One way to avoid possible issues pertaining to the exercise of this right is to think ahead, redesign systems and ensure that adequate procedures are in place.
24 GDPR National Legislation State of Play - France Olivier Proust, Partner Fieldfisher LLP
25 MedTech Europe: GDPR's implementation into French law. Overview of the French data protection law. Existing French data protection Act: French Data Protection Act of 6 January 1978. This Act was updated 19 times (last update: 20 January 2017). Amendment of the French Data Protection Act: Draft Bill amending French Data Protection adopted in a first hearing by the National Assembly (latest version: February 13th, 2018). Adds new provisions including for the health sector (art. 9, 4 / 36, 5 / 87 GDPR). Draft bill will be discussed in the Senate's public session from March 20th, 2018.
26 MedTech Europe: GDPR's implementation into French law. Processing of sensitive personal data: principle. Changes in line with the GDPR, but the introduction of the word "supposed" creates some uncertainty as to whether French law would comply fully with the GDPR.
27 MedTech Europe: GDPR's implementation into French law. Processing of sensitive personal data: exceptions
28 MedTech Europe: GDPR's implementation into French law. Additional limitations that apply to health data. The draft Bill itself does not prescribe additional measures with regard to the processing of genetic data, biometric data and health data, and gives this competence to the CNIL to prescribe such additional measures. Additional changes in this respect can be expected.
29 MedTech Europe: GDPR's implementation into French law. Prior consultation of the DPA. New scope of Chapter IX is broader because it applies to processing in the health sector in general, and not just for medical research purposes. Cf. CNIL's existing referentials MR001, MR002 and MR003.
30 MedTech Europe: GDPR's implementation into French law. Consent of minors. This age was set at 16 years under the version of the Bill that was introduced in the National Assembly on December 13th, 2017 but was lowered to 15 years after the adoption of the text by the National Assembly. NB: the fact that consent must be obtained jointly by the minor and a parent or legal guardian.
31 MedTech Europe: GDPR's implementation into French law. Rights of the data subjects
32 GDPR National Legislation State of Play - UK Cynthia O'Donoghue, Partner ReedSmith LLP
33 INTRODUCTION. The draft Data Protection Bill: Aims to empower individuals to take control of their personal data and assist organisations in the lawful processing of personal data. Updates the data protection laws of the UK (repealing the Data Protection Act 1998). Currently being debated in Parliament. Will ensure the data protection standards of the GDPR are enshrined in UK law post-Brexit. Additional functions to the ICO. Modernises and adds to the list of data protection offences.
34 OVERVIEW. Part 1 Preliminary: sets out definitions (including personal data, processing, data subject and controller / processor). Part 2 General processing: scope of the GDPR, lawful bases of processing, children, special categories of personal data, automated decision-making, exemptions, transfer of personal data outside the EU, provision for archiving, research and statistical purposes. Part 5 The Information Commissioner: the role and powers of the ICO. Part 6 Enforcement: offences and defences.
35 Points of interest: special category data. Special category data (s.10) includes: health data, genetic data, biometric data that might identify an individual, data concerning sex life, data concerning racial or ethnic origin. Tighter rules apply: processing is permitted but the reasons are narrower. Relevant grounds for processing special category data: Explicit consent (but can be withdrawn). Processing necessary in the interests of public health, including ensuring high standards of medicinal products or medical devices. Processing necessary for medical diagnosis, the provision of healthcare or treatment, so long as this is under the supervision of a responsible health professional. Processing necessary for scientific research or statistical purposes.
36 Points of interest: new offences. Two new criminal offences: (1) Re-identification of de-identified personal data (s.171): knowingly or recklessly re-identifying information that is de-identified (anonymised) personal data without the consent of the data controller responsible for the de-identification. Recommended by the National Data Guardian for Health and Care. Particularly relevant to researchers using huge data sets which are often pseudonymised to protect individual privacy. (2) Alteration etc. of personal data to prevent disclosure (s.173): the alteration, defacing, blocking, erasure, destruction or concealment of information with the intention of preventing disclosure. Researchers and tech companies must review their best practice procedures in handling Subject Access Requests.
37 Points of interest: unlawful retention and accountability. Extended criminal offence of unlawful retention of data: Considering and documenting how long data should be retained is a new focus. Unlawful retention of data without the consent of the controller even if the data was initially obtained lawfully (s.170(c)). Directors' liability: The Bill goes beyond the GDPR in boardroom accountability. Includes directors' personal liability where a company breaches data protection legislation (s.191). Extends to managers, company secretary and other officers. Also applies if the offence was caused by neglect.
38 Points of interest: children and consent. Article 8 of the GDPR states that children are able to give lawful consent to the processing of their personal data when they are at least 16 years old. The GDPR allows for Member States to lower the age, but no lower than 13. The Bill confirms that UK children from age 13 can give consent for the processing of their personal data in relation to information services.
The BVRLA Guide to The General Data Protection Regulation British Vehicle Rental and Leasing Association BVRLA Guide to the General Data Protection Regulation March 2018 Table of Contents Introduction...
More informationData Processing Addendum
Data Processing Addendum This Data Processing Addendum (" DPA "), forms part of the Agreement or other written or electronic agreement between Pleo Technologies ApS (" Pleo ) and Customer for the purchase
More informationNewsletter NEW DATA PROTECTION REGIMES IN THE EU AND JAPAN: Similarities and Differences. Atsumi & Sakai
Newsletter Atsumi & Sakai NEW DATA PROTECTION REGIMES IN THE EU AND JAPAN: Similarities and Differences ATSUMI & SAKAI TOKYO LONDON FRANKFURT www.aplaw.jp/en NEW DATA PROTECTION REGIMES IN THE EU AND JAPAN:
More informationDATA PROTECTION NOTICE
DATA PROTECTION NOTICE Who are we? We are the Trustees of the Pension Scheme for the Nursing and Midwifery Council and Associated Employers (the Scheme). We collect, hold and use personal information to
More informationARE YOU READY FOR THE NEW DATA PROTECTION LAWS?
ARE YOU READY FOR THE NEW DATA PROTECTION LAWS? GETTING READY FOR THE GDPR PART ONE DATA PROTECTION LAWS ARE CHANGING DATA PROTECTION LAWS ARE CHANGING On 25 May 2018, the General Data Protection Regulation
More informationPrivacy Policy Statement
Privacy Policy Statement QuoteDevil is committed to protecting and respecting your privacy. It is the intention of this privacy policy statement to explain to you the information practices of QuoteDevil
More informationTHE CRD AND EUROPEAN DATA PROTECTION LAWS: POTENTIAL CONFLICTS
EUROFINAS European Federation of Finance House Associations 267, Av. de Tervuren B 1150 Bruxelles +32/2/778 05 60 Fax : +32/2/778 05 79 Email: eurofinas@eurofinas.org Web: www.eurofinas.org THE CRD AND
More informationCPI PROPERTY GROUP. Group Data Protection Policy. 25 May Summary
CPI PROPERTY GROUP Group Data Protection Policy Summary This Group Data Protection Policy ( Data Protection Policy ) stipulates the rules for personal data protection in the CPI PROPERTY GROUP ( CPIPG
More informationWHAT DOES THE GDPR MEAN FOR PENSIONS? HANDY GUIDE
WHAT DOES THE GDPR MEAN FOR PENSIONS? HANDY GUIDE The General Data Protection Regulation How will the pensions industry be affected? The pensions industry processes huge amounts of personal data - member's
More informationROSETTA STONE LTD. PROCESSING ADDENDUM
ROSETTA STONE LTD. PROCESSING ADDENDUM This Data Processing Addendum (this DPA ) forms part of the order document(s) (each a Service Order ) and Services Agreement (collectively, the Agreement ), entered
More informationArk Syndicate Management Limited. Privacy and Transparency Notice. Version 1
Ark Syndicate Management Limited Privacy and Transparency Notice Insurance Market Information Notice Insurance is the pooling and sharing of risk in order to provide protection against a possible eventuality.
More informationBAYER PRIVACY POLICY FOR PHARMACOVIGILANCE DATA
Policy last updated: [2018-07-06] BAYER PRIVACY POLICY FOR PHARMACOVIGILANCE DATA Bayer takes product safety and your privacy seriously Bayer develops and markets prescription and over the counter medicines
More informationWHAT DOES THE GDPR MEAN FOR PENSIONS?
WHAT DOES THE GDPR MEAN FOR PENSIONS? The General Data Protection Regualtion How will the pensions industry be affected? The pensions industry processes huge amounts of personal data - member's names,
More informationWelcome To Your Data Protection Journey. Paula Tighe Information Governance Executive
Welcome To Your Data Protection Journey Paula Tighe Information Governance Executive Legal Statement All information in this presentation is protected under copy right and where indicated protected under
More informationDATA PROTECTION ADDENDUM
DATA PROTECTION ADDENDUM In the event an agreement ( Underlying Agreement ) entered into by and between (i) either Sunovion Pharmaceuticals Inc. or its subsidiary, Sunovion Pharmaceuticals Europe Ltd.
More informationData protection information for customers and interested parties
Data protection information for customers and interested parties Status 25.05.2018 Information on data protection regarding our processing under Articles 13, 14 and 21 of the General Data Protection Regulation
More informationData Processing Addendum
Data Processing Addendum Based on the General Data Protection Regulation (GDPR) and European Commission Decision 2010/87/EU - Standard Contractual Clauses (Processors) This Data Processing Addendum ( DPA
More informationIRIS Group of Companies Customer Data Processing Terms
IRIS Group of Companies Customer Data Processing Terms Definitions (any other capitalised terms not contained in this section will be as defined in the IRIS Software Group General Terms & Conditions (
More informationYMCA SOUTH AUSTRALIA Privacy Policy
Policy Title: Author: YMCA SOUTH AUSTRALIA Created by: 1 P a g e Policy Title: Author: 1. Introduction considers the privacy of individuals, staff, volunteers, clients, Member Associations and associated
More informationCreating a Big Data Strategy: Managing Risk and Enabling Innovation
Creating a Big Data Strategy: Managing Risk and Enabling Innovation Meghan Farmer and Brooke McGuffey 2016 Kilpatrick Townsend What is Big Data? Traditional definition: high-volume, high-velocity and/
More informationCCPA and GDPR Comparison Chart
Resource ID: w-016-7418 LAURA JEHL AND ALAN FRIEL, BAKERHOSTETLER LLP, WITH PRACTICAL LAW DATA PRIVACY ADVISOR Search the Resource ID numbers in blue on Westlaw for more. A Chart comparing some of the
More informationDATA PROCESSING AGREEMENT
DATA PROCESSING AGREEMENT This Data Processing Agreement (the DPA ), entered into by the Customer and the company Ganttic OÜ (company registration number 11979702) having its registered office at Lai tn
More informationHIPAA vs. GDPR vs. NYDFS - the New Compliance Frontier. March 22, 2018
1 HIPAA vs. GDPR vs. NYDFS - the New Compliance Frontier March 22, 2018 2 Today s Panel: Kimberly Holmes - Moderator - Vice President, Health Care, Cyber Liability & Emerging Risks, TDC Specialty Underwriters,
More informationBE PREPARED FOR THE NEW EU DATA REGULATION
BE PREPARED FOR THE NEW EU DATA REGULATION TECHNOLOGY MAY-RATHON Pulina Whitaker Dr. Axel Spies Charles Dauthier May 12, 2016 2016 Morgan, Lewis & Bockius LLP SECTION 01 EU-US DATA TRANSFER EU-US Data
More informationEU Data Processing Addendum
EU Data Processing Addendum This EU Data Processing Addendum ( Addendum ) is made and entered into by and between AlienVault, Inc., a Delaware corporation ( AlienVault ) and the customer specified in the
More informationWHY SHOULD YOUR ORGANISATION WORRY ABOUT DATA PROTECTION?
WHY SHOULD YOUR ORGANISATION WORRY ABOUT DATA PROTECTION? Friday, September 26, 2014 Luncheon, Hôtel Métropole, Geneva Isabelle Hering Attorney-at-law Nyon WHO IS CONCERNED AND SHOULD WORRY? Natural persons
More informationRBI GDPR DATA PROCESSING ADDENDUM
RBI GDPR DATA PROCESSING ADDENDUM 1. SCOPE 1.1. This GDPR Data Processing Addendum ( DPA ) applies to RBI s processing of personal data on Customer s behalf under the Agreement. With regard to such processing,
More informationBlockchain, data protection, and the GDPR
Blockchain, data protection, and the GDPR v1.0 25.05.2018 Contributors: Natalie Eichler, Silvan Jongerius, Greg McMullen, Oliver Naegele, Liz Steininger, Kai Wagner Introduction GDPR was created before
More informationData Processing Appendix
Data Processing Appendix This Data Processing Appendix (the Appendix ) is attached to and forms part of the Supplier General Terms and Conditions (the Agreement ) between Nebula Oy ( Supplier ) and customer
More informationTwilio Data Protection Addendum ( DPA ) (GDPR, Binding Corporate Rules, Privacy Shield, and Standard Contractual Clauses) (Revision June 2018)
Twilio Data Protection Addendum ( DPA ) (GDPR, Binding Corporate Rules, Privacy Shield, and Standard Contractual Clauses) (Revision June 2018) Once fully executed, this DPA forms a part of the agreement
More informationGuidance: The new EU General Data Protection Regulation: Implications for Australia
Guidance: The new EU General Data Protection Regulation: Implications for Australia Introduction After years of negotiations, the new EU General Data Protection Regulation (GDPR) was passed in 2016, bringing
More information2. FROM WHICH SOURCES THE BANK COLLECTS YOUR PERSONAL DATA?
P R I V A C Y N O T I C E Last updated May 2018 Eurobank Cyprus Ltd ( the Bank ) wishes to inform you why and how the Bank collects and processes your personal data as well as of your rights under local
More informationGDPR CCPA LGPD. Protected information
Stricter data protection laws are on the rise. While only a couple of years ago, data protection legislations and requirements were frequently marginalized and the position of the data protection officer
More informationa publication of the health care compliance association SEPTEMBER 2018
hcca-info.org Compliance TODAY a publication of the health care compliance association SEPTEMBER 2018 Strengthening the relationship between DOJ attorneys and compliance professionals an interview with
More informationGilead Transparency Reporting Methodological Note
Gilead Transparency Reporting Methodological Note Contents 1 Introduction... 2 2 Definition of Transfers of Value... 2 3 Definition and management of Cross-Border Spend... 3 4 Which Recipients of Transfers
More informationINFORMATION ON THE PROCESSING OF PERSONAL DATA
INFORMATION ON THE PROCESSING OF PERSONAL DATA PRIVACY NOTICE In order to be compliant with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection
More informationCNPD Course: Data Protection Basics
CNPD Course: Data Protection Basics The obligations of controllers Esch-sur-Alzette (Belval) Mathilde Stenersen 4-6 July 2017 Legal department Introduction to data protection 1. Introduction 2. Basic concepts
More informationDATA PROCESSING TERMS DEFINITIONS
DATA PROCESSING TERMS DEFINITIONS Agency: means KTS Events Limited (company registration number 05289039) and any business entity from time to time controlling, controlled by, or under common control or
More informationMRS Brexit Survival Guide: EU-UK Data transfers November
2018 MRS. All rights reserved. November 2018 No part of this publication may be reproduced or copied in any form or by any means, or translated, without the prior permission in writing of MRS. MRS Brexit
More informationThe California Consumer Privacy Act: Overview and Comparison to the EU GDPR
The California Consumer Privacy Act: Overview and Comparison to the EU GDPR Introduction During the months preceding the European Union s General Data Protection Regulation (GDPR) go-live, which occurred
More information