Privacy Codes of Conduct as a self-regulatory approach to cope with restrictions on transborder data flow, exemplified with the help of the data protection policy of the DaimlerChrysler AG. Dr. Anja Miedbrodt
Current situation: Technical convergence promotes a worldwide exchange of goods and services. Competition is increasingly becoming a global challenge. There are more possibilities for matching and processing personal data collected for various purposes. The potential risk of fraudulent use of personal data is rising. Consumers are becoming more sensitive about the handling of their personal data. Developing data security and data protection concepts and integrating them into products and services is crucial for globally acting companies.
Tendencies of the privacy legislation worldwide: Data protection laws are increasingly being enacted worldwide, but national legal requirements differ due to the lack of a globally competent legislator. There is a tendency to incorporate data protection and privacy issues into laws governing electronic commerce, especially in Asian countries. Influence of the EC-Directive and national laws of Asia/Pacific and Latin America restricting the transborder data flow. Data protection and privacy legislation is on the way to an international convergence of law.
Legal situation with regard to transborder data flows: A transborder transfer of personal data is only permitted if the third country ensures an adequate level of data protection. This requirement results from the EC-Directive on data protection and the privacy acts of Australia, Hong Kong, Taiwan and Argentina. Currently a transfer is only permitted in the following cases: from the EU/EEC to Hungary, Switzerland, Canada (with restrictions); from the EU/EEC to the US, provided that the US-American company adheres to the Safe Harbor Principles and is subject to the jurisdiction of the Federal Trade Commission or another institution which effectively ensures compliance with these principles.
Legal situation with regard to transborder data flows: Exceptions from the requirement to provide an adequate level of data protection: unambiguous consent of the data subject; or the transfer is necessary for the performance of a contract between the data subject and the controller or for precontractual measures taken in response to the data subject's request; or the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party; or
Legal situation with regard to transborder data flows: Exceptions from the requirement to provide an adequate level of data protection: the transfer is necessary to protect the vital interests of the data subject. Since each transfer has to be assessed on its own merits, relying on the exemptions is not sufficient for companies which transfer data worldwide for diverse purposes.
Options for globally acting companies: Obtain the data subject's consent to the transfer to substandard countries. Adduce adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights, such as: incorporating contractual clauses/model clauses; implementing Codes of Conduct.
Consent solution: Information about and consent to a transfer to a substandard country. Pros: Individual solutions are possible. Effort is required only when it is necessary. Cons: The option is not expressly provided by all national laws that restrict transborder data flows. Due to the different national requirements, it can be difficult to obtain a legally effective consent.
Consent solution: Cons: Consent could be withheld or revoked; merely having to take this into account complicates the data processing process. When employee data is transmitted, it might be necessary to involve the works council.
Contractual clauses: Pros: A specific solution for each specific case; peculiarities can be taken into consideration. Effort is required only when it is necessary. Cons: Increased administrative expenditure due to the obligation to incorporate and to update each single contract. No contribution to increasing the awareness of the employees concerned. Notification to/approval by the respective DPA required.
Standard contractual clauses: Pros: Formally adopted by the European Commission as a sufficient safeguard for providing an adequate level of data protection. Cons: No uniform application by the DPAs. Alterations have to be approved. They oblige the data importer to cooperate with the competent supervisory authority and to observe its decisions with regard to the data transferred.
Codes of Conduct: Pros: Possibility to make use of the tendency of law convergence and provision of a global solution. Easy to implement, control and update. Low expenses for law enforcement. Uniform procedures within the company as a marketing tool. Cons: Approval by the respective data protection authorities required.
Codes of Conduct: Cons: The current procedure for getting Codes of Conduct approved Community-wide is burdensome and bureaucratic. Several options: Decision by the European Commission pursuant to Art. 26 para. 4 of the EU Data Protection Directive. Community-wide validity of an approval by one data protection authority; accordingly, the participation of the other Member States and the Commission has to be ensured.
Codes of Conduct are the best solution to cope with the legal requirements for transborder data flow.
Content of Codes of Conduct: Principles and requirements for the collection and processing of personal data. Requirements for the transfer of personal data to third parties, including data exchange within the Group. Rights of the data subject. Requirement to maintain confidentiality. Principles of data security. Requirements for the involvement of third parties, including in the case of data processing on behalf. Responsibilities and sanctions. Internal law enforcement.
Internal law enforcement within the DaimlerChrysler Group: Appointment of a Chief Officer Corporate Data Protection (CPO) with worldwide responsibility who reports directly to the Board of Management. Infrastructure of locally responsible data protection coordinators for the different regions of the world. Coordination of the data protection coordinators through regular meetings conducted by the CPO.
Thank you for your attention. For further questions mail to firstname.lastname@example.org