Automatic inter-state exchange of data: Safeguarding data protection and fundamental rights


Automatic inter-state exchange of data: Safeguarding data protection and fundamental rights

Giuseppe Busia
Secretary General of the Italian Data Protection Authority
Article 29 Working Party

The Article 29 Working Party

- Independent European advisory body on data protection and privacy, set up under Article 29 of Directive 95/46/EC
- Brings together representatives of the data protection authorities of the European Union and a representative of the Commission
- Its main tasks (Article 30 of Directive 95/46/EC and Article 15 of Directive 2002/58/EC) are:
  - to examine any question covering the application of the national measures adopted under the two Directives in order to contribute to the uniform application of such measures;
  - to give the Commission an opinion on the level of protection in the Community and in third countries;
  - to advise the Commission on any proposed amendment of the Directives, on any additional or specific measures to safeguard data protection rights and on any other proposed Community measures affecting such rights and freedoms;
  - to give an opinion on codes of conduct drawn up at Community level;
  - to make recommendations on all matters relating to the protection of persons with regard to the processing of personal data in the Community.

Joint EBF-FBF Tax Conference 2014 - Paris, 22 September 2014

Reconciling interests: fight against tax evasion and fundamental rights

The legitimate fight against tax evasion should be pursued with full respect for individuals' fundamental rights, namely the right to private life and the protection of personal data, as required by European and international legal instruments:

- Treaty on the Functioning of the European Union: Article 16
- Charter of Fundamental Rights (Articles 7 and 8)
- European Convention on Human Rights: Article 8
- Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data - Convention 108/1981
- OECD Privacy Guidelines

CRS: challenges for data protection

- Personal data related to a large number of individuals
- Exponential increase of the risks inherent to the data
- Automatic exchange (on an annual basis)
- Need for a clear definition of the purpose
- Need for necessity and proportionality
- Need for transparency and data subjects' rights

CJEU Data Retention Judgment

The CJEU Judgment of 8 April 2014 (Cases C-293/12 and C-594/12) declared the Data Retention Directive to be invalid. The Court found that the Directive:

- entails a wide-ranging and particularly serious interference with the fundamental rights to privacy and to the protection of personal data;
- fails to sufficiently circumscribe such interference to ensure that it is limited to what is strictly necessary for the purpose of fighting serious crime, thereby leaving it too open for Member States to decide on the scope of data retention;
- fails to define the guarantees surrounding data retention, i.e. objective criteria to determine the retention periods, appropriate technical and organisational security measures, and conditions for the access and use of the data by competent national authorities.

Consequences for automatic processing of data: National legislators, authorities and institutions should be aware of the principles stated by the CJEU, which apply a fortiori to those processing operations designed to monitor behaviors which do not have a criminal connotation, also in view of avoiding the negative consequences of further invalidations.

Data Protection principles (1)

- Legal basis: Multilateral/bilateral agreements should contain substantive data protection provisions (not a mere reference to DP tools). Moreover, national procedures (involvement of Parliament, DPA) should be respected to create an adequate, clear and foreseeable legal basis (Article 6a of Directive 95/46).
- Data transfers: Transfers from the EU to third countries are only allowed if said third countries ensure an adequate level of protection (Article 25 of Directive 95/46). Legitimate transfers may also take place if based on the specific legal basis foreseen by Article 26 (e.g. the transfer is necessary on important public interest grounds, provided that such an interest is clearly defined and overrides the data subject's right to privacy). WP29 Opinion (WP114): repeated, mass or structural transfers of personal data should be governed by appropriate agreements which should be legally binding and fully take into account the data protection safeguards.
- Purpose limitation: Any inter-state agreement should clearly identify the purposes for which data are collected and validly used (Article 6b of Directive 95/46). What is «tax evasion»? (legal acts, illegal acts, serious financial crimes?)
- Necessity and proportionality: Need to prove the necessity of the processing and that the required data are the minimum necessary for attaining the purpose (Article 6c of Directive 95/46).
- Data retention: Any decision to retain data must be subject to appropriate differentiation, limitations, exceptions (see Data Retention Judgment). Need to define appropriate data retention timing (Article 6e of Directive 95/46).

Data Protection principles (2)

- Transparency: Clear information should leave data subjects in a position to understand what is happening to their personal data and how to exercise their rights. Any restriction or exemption to transparency rules should be limited and justified, respecting the strict criteria of Article 13 of Directive 95/46.
- Data subjects' rights: Appropriate mechanisms for an easy exercise of rights (any restriction should be limited and justified: Article 13 of Directive 95/46).
- Controllership: Data controllers (and data processors) should be clearly identified. A correct allocation of controllership is a crucial step to ensure compliance and data subjects' rights (Article 2d and 2e of Directive 95/46). Controllers should choose processors providing sufficient guarantees (Article 17.3 of Directive 95/46).
- Onward transfers: Data controllers should ensure guarantees for onward transfers, in particular ensuring that data are not used for other purposes without appropriate safeguards.
- Security measures: Strict security measures to avoid accidental or unlawful destruction or unauthorised disclosure/access and other unlawful forms of processing (Article 17.1 of Directive 95/46).
- Privacy impact assessment: Member States should consider implementing an agreed Privacy Impact Assessment to ensure that DP safeguards are addressed, and a consistent standard is applied for the practical implementation of CRS.