Published by Morgan Gibson. Modified over 8 years ago.
Slide 1 - Data Protection Laws in the European Union
John Armstrong, CMS Cameron McKenna
Slide 2 - Overview
- Directive on the protection of individuals with regard to the processing of personal data (95/46/EC)
- Implementation - France, Ireland, Luxembourg
- Minimum standard of protection - laws of member states still relevant
- Baseline for international data protection/privacy laws
Slide 3 - Scope
- Processing of personal data
  - wholly or partly by automatic means
  - which form part of a filing system or are intended to form part of a filing system
- Exemptions
  - National Security
  - Crime and Taxation
  - Domestic Purposes
- National laws apply in the place of establishment
  - equipment situated in the UK for the processing of data
Slide 4 - Essential Definitions
- personal data - any information relating to an identified or identifiable natural person ("data subject")
- processing - any operation or set of operations which is performed upon personal data, whether or not by automatic means
- filing system - any structured set of personal data accessible according to specific criteria
- controller - a natural or legal person, public authority, agency or body who alone or jointly with others determines the purposes and means of the processing of personal data
- processor - a natural or legal person etc. which processes personal data on behalf of the controller
Slide 5 - Principles of data quality
- Fair and lawful processing
- Collected and processed for specified and legitimate purposes
- Adequate, relevant and not excessive in relation to the purpose for which they are processed
- Accurate and up-to-date
- Kept no longer than necessary
Slide 6 - Notification
- Prior notification of processing required, except categories of processing unlikely to affect adversely the rights and freedoms of data subjects
- Details to be notified
  - name/purposes/categories of data subject and data/recipients/proposed transfers to third countries/description of security measures
- Sanctions
  - criminal penalties
Slide 7 - Legitimate Processing
- unambiguous consent
- necessary for the performance of, or entering into, a contract with the data subject
- necessary to comply with a legal obligation
- necessary to protect the data subject's vital interests
- necessary for the exercise of official functions
- necessary for the legitimate interests of the controller or third party recipients, except where this prejudices the rights or freedoms of the data subject
- special categories of processing
  - racial/ethnic origin
  - political opinions
  - religious/philosophical beliefs
  - trade union membership
  - health or sex life
Slide 8 - Information to be given to Data Subjects
- identity of the controller
- purposes of processing
- further information to be fair
  - recipients
  - obligatory/voluntary/consequences
  - right of access/rectification
- at the time of obtaining from a person other than the data subject, and at least prior to disclosure, unless this involves disproportionate effort
Slide 9 - Rights of Data Subjects
- at reasonable intervals/without excessive delay or expense
  - confirmation of processing, purposes, categories of data and recipients
  - communication in intelligible form of the data and, if available, the source of the data
  - logic involved in automated decision making
- rectification, erasure or blocking of data and notification to third parties, unless involving disproportionate effort
- compensation for damage and distress
Slide 10 - Transfer of data to non-EU members
No transfer to a non-EU member state unless:
- adequate level of protection
- unambiguous consent of the data subject
- necessary for the performance of a contract with the data subject
- necessary for pre-contractual measures in response to the data subject's request
- necessary for conclusion of a contract with a third party in the data subject's interests
- necessary or legally required in the public interest or for the establishment, exercise or defence of legal claims
- necessary to protect the interests of the data subject
- disclosure from a public register
Slide 11 - Transfer of data to non-EU members (cont'd)
- Member state authorises transfer with adequate safeguards for the protection of privacy and rights and freedoms of individuals
- Community approved standard contractual clauses offering sufficient safeguards
  - controller to controller
  - controller to processor
Slide 12 - US 'Safe Harbor'
- 180 signatories
- Principles
  - Notice
    - purposes
    - contacts
    - types of third party disclosure
    - clear/conspicuous language
    - at time of asking or as soon as practical thereafter (before use for another purpose/disclosure)
  - Choice
    - opt out - disclosure - incompatible purpose - clear/conspicuous/readily available mechanisms
    - opt in - sensitive information
Slide 13 - US 'Safe Harbor' (cont'd)
- Onward transfer
  - notice and choice principles apply
  - agent/processor - subscription to principles - subject to directive - contractual safeguards
  - no responsibility unless knowledge, actual or constructive, and reasonable steps to prevent or stop
- Security
  - reasonable precautions to protect data from loss, misuse and unauthorised access, disclosure, alteration and distribution
- Data Integrity
  - relevant for purpose
  - not incompatible with purpose
  - reasonable steps to ensure data is reliable/accurate/complete/current
Slide 14 - US 'Safe Harbor' (cont'd)
- Access
  - access
  - ability to correct/amend/delete inaccurate information
  - subject to disproportionality and rights of other individuals
- Enforcement
  - mechanisms for ensuring compliance
  - recourse for non-compliance
    - readily available/affordable
    - investigation/resolution
    - award of damages
  - follow-up verification of compliance
  - obligation to remedy problems
  - rigorous sanctions for non-compliance