Presentation is loading. Please wait.

Presentation is loading. Please wait.

TRANSBORDER DATA FLOWS INA MEIRING. THE PROTECTION OF PERSONAL INFORMATION ACT (“POPI”) > 'personal information' means information relating to an identifiable,

Published byChristian Edwards Modified over 7 years ago

Similar presentations

Presentation on theme: "TRANSBORDER DATA FLOWS INA MEIRING. THE PROTECTION OF PERSONAL INFORMATION ACT (“POPI”) > 'personal information' means information relating to an identifiable,"— Presentation transcript:

1 TRANSBORDER DATA FLOWS INA MEIRING

2 THE PROTECTION OF PERSONAL INFORMATION ACT (“POPI”) > 'personal information' means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to- > (a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person; > (b) information relating to the education or the medical, financial, criminal or employment history of the person; > (c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person; > (d) the biometric information of the person; 2

3 PERSONAL INFORMATION > (e) the personal opinions, views or preferences of the person; > (f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence; > (g) the views or opinions of another individual about the person; and > (h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person. 3

4 PROCESSING > 'processing' means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including- > (a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use; > (b) dissemination by means of transmission, distribution or making available in any other form; or > (c) merging, linking, as well as restriction, degradation, erasure or destruction of information; 4

5 EXAMPLES OF DATA EXPORTS > Multinational organisations > Data base is transferred when a company is sold > Employee data base is kept offshore > E-mail with personal details is sent offshore > Internal directory of names, telephone numbers is made available to all branches (also those located in third countries). > Cloud service provider in a third country > Payroll service provider in a third country > Question: has personal data been transferred? 5

6 PROHIBITION: TRANSBORDER DATA > A responsible party in the Republic may not transfer personal information about a data subject to a third party who is in a foreign country unless- > (a) the third party who is the recipient of the information is subject to a law, binding corporate rules or binding agreement which provide an adequate level of protection that- > (i) effectively upholds principles for reasonable processing of the information that are substantially similar to the conditions for the lawful processing of personal information relating to a data subject who is a natural person and, where applicable, a juristic person; and > (ii) includes provisions, that are substantially similar to this section, relating to the further transfer of personal information from the recipient to third parties who are in a foreign country; 6

7 EXCEPTIONS > (b) the data subject consents to the transfer; > (c) the transfer is necessary for the performance of a contract between the data subject and the responsible party, or for the implementation of pre-contractual measures taken in response to the data subject's request; > (d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party; or 7

8 EXCEPTIONS > (e) the transfer is for the benefit of the data subject, and- > (i) it is not reasonably practicable to obtain the consent of the data subject to that transfer; and > (ii) if it were reasonably practicable to obtain such consent, the data subject would be likely to give it. > 'binding corporate rules' means personal information processing policies, within a group of undertakings, which are adhered to by a responsible party or operator within that group of undertakings when transferring personal information to a responsible party or operator within that same group of undertakings in a foreign country; and > 'group of undertakings' means a controlling undertaking and its controlled undertakings. 8

9 HURDLES > A business must comply with local requirements regarding the processing of personal data. > Is personal data transferred to a third country? > Do you make use of an operator to do so? > Security measures: Identify risks (internal and external) > Establish safeguards - regularly verify implementation and ensure that it is kept updated > If so – justified? 9

10 DATA PROTECTION DIRECTIVE: EU > On 4 May 2016, the official texts of the Regulation and the Directive were published in the EU Official Journal in all the official languages. > The Directive became effective on 5 May 2016 and EU Member States have to transpose it into their national law by 6 May 2018. > Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) 10

11 DATA PROTECTION DIRECTIVE: EU > The Data Protection Directive applies to countries of the European Economic Area (EEA), which includes all EU countries and in addition, non-EU countries Iceland, Liechtenstein and Norway. > Special precautions need to be taken when personal data is transferred to countries outside the EEA that do not provide EU-standard data protection. > The Directive requires that data transfers should not be made to non-EU /non-EEA countries that do not ensure adequate levels of protection. > However, several exceptions (or "derogations") to this rule could be applicable. 11

12 CIA TRIAD* 12 Availability Confidentiality Integrity *Information Security and Privacy by Thomas J. Shaw Esq., Editor

13 Date Legal notice: Nothing in this presentation should be construed as formal legal advice from any lawyer or this firm. Readers are advised to consult professional legal advisors for guidance on legislation which may affect their businesses. ©2016 Werksmans Incorporated trading as Werksmans Attorneys. All rights reserved.

Download ppt "TRANSBORDER DATA FLOWS INA MEIRING. THE PROTECTION OF PERSONAL INFORMATION ACT (“POPI”) > 'personal information' means information relating to an identifiable,"

Similar presentations

Re-use of PSI Data Protection Issues Cécile de Terwangne Professor at the Law Faculty, Research Director at CRIDS University of Namur (Belgium) 2 nd LAPSI.

Re-use of PSI Data Protection Issues Cécile de Terwangne Professor at the Law Faculty, Research Director at CRIDS University of Namur (Belgium) 2 nd LAPSI.
PRIVACY ASPECTS OF RE-USE OF PSI: BETWEEN PRIVATE AND PUBLIC SECTOR

PRIVACY ASPECTS OF RE-USE OF PSI: BETWEEN PRIVATE AND PUBLIC SECTOR
Data Protection & Privacy in the Information Age COMNET – Legal Frameworks for ICTs Malta 2013 Dr Antonio Ghio Dr Jeanine Rizzo.

Data Protection & Privacy in the Information Age COMNET – Legal Frameworks for ICTs Malta 2013 Dr Antonio Ghio Dr Jeanine Rizzo.
DATA PROTECTION and Research University Research Ethics Committee – 30.05.2008 David Cauchi David Cauchi Office of the Commissioner for Data Protection.

DATA PROTECTION and Research University Research Ethics Committee – David Cauchi David Cauchi Office of the Commissioner for Data Protection.
Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.

Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.
Www.dataprotection.gov.je The Data Protection (Jersey) Law 2005.

The Data Protection (Jersey) Law 2005.
DATA PRIVACY IN SOUTH AFRICAN LAW Brendan Hughes 2 nd International Direct Marketing Conference September 2006.

DATA PRIVACY IN SOUTH AFRICAN LAW Brendan Hughes 2 nd International Direct Marketing Conference September 2006.
The movement of legal services between the European Union and Switzerland: Polish and Swiss legal solutions after Poland's accession to the EU Inga Kawka,

The movement of legal services between the European Union and Switzerland: Polish and Swiss legal solutions after Poland's accession to the EU Inga Kawka,
DATA PROTECTION and Research University Research Ethics Committee – 08.05.2006 David Cauchi Office of the Data Protection Commissioner.

DATA PROTECTION and Research University Research Ethics Committee – David Cauchi Office of the Data Protection Commissioner.
The European Union legal framework for clinical data access: The European Union legal framework for clinical data access: potential challenges and opportunities.

The European Union legal framework for clinical data access: The European Union legal framework for clinical data access: potential challenges and opportunities.
INTERNET and CODE OF CONDUCT

INTERNET and CODE OF CONDUCT
Anomalous Aspects of Transfer of Personal Data from the E.U. to the U.S. Stephen R. Bell Willkie Farr & Gallagher ABA Section of International Law New.

Anomalous Aspects of Transfer of Personal Data from the E.U. to the U.S. Stephen R. Bell Willkie Farr & Gallagher ABA Section of International Law New.
Data Protection: The Law. EU & Irish Legislation Data Protection Directive 95/46/EC Electronic Privacy Directive 2002/58/EC EUROPOL etc Data Protection.

Data Protection: The Law. EU & Irish Legislation Data Protection Directive 95/46/EC Electronic Privacy Directive 2002/58/EC EUROPOL etc Data Protection.
Class 13 Internet Privacy Law European Privacy.

Class 13 Internet Privacy Law European Privacy.
Attorney at the Bars of Paris and Brussels Database exploitation & Data protection Thibault Verbiest Amsterdam 1 April 2005

Attorney at the Bars of Paris and Brussels Database exploitation & Data protection Thibault Verbiest Amsterdam 1 April 2005
Data Protection Overview

Data Protection Overview
 The Data Protection Act 1998 is an Act of Parliament which defines UK law on the processing of data on identifiable living people and it is the main.

 The Data Protection Act 1998 is an Act of Parliament which defines UK law on the processing of data on identifiable living people and it is the main.
Data Protection for Church of Scotland Congregations

Data Protection for Church of Scotland Congregations
Lawyer at the Brussels Bar Lecturer at the University of Strasbourg Assistant at the University of Brussels Data Protection & Electronic Communications.

Lawyer at the Brussels Bar Lecturer at the University of Strasbourg Assistant at the University of Brussels Data Protection & Electronic Communications.
The Protection of Personal Information Act

The Protection of Personal Information Act

Similar presentations

Ads by Google