Data Breach Notification: what EU law means for your information security strategy

Size: px
Start display at page:

Download "Data Breach Notification: what EU law means for your information security strategy"

Transcription

1 Data Breach Notification: what EU law means for your information security strategy Olivier Proust December 8, 2011 Hunton & Williams LLP

2 Key points 1. Introduction 2. Overview of data breach requirements under the e-privacy Directive 3. Data breach laws in selected EU Member States and key differences 4. Best practices 5. Conclusion: what can be expected of future regulation? 2

3 1. Introduction 3

4 What is a security breach? 4

5 Recent examples 5

6 What are the goals? 6

7 2. Overview of the e-privacy Directive 7

8 Personal Data Breach «A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service» 8

9 Scope Limited to personal data breaches Limited to telecoms/isps Possible extension of data breach requirements in the context of the EU s data protection framework review (Directive 95/46/EC) 9

10 Personal Data Breach Requirements In the case of a personal data breach, telecoms/isps must, without undue delay, notify: The competent authority Subscribers/individuals - if the breach is likely to adversely affect their personal data or privacy Notice is not required if: Appropriate technological protection measures are implemented Protection measures were applied to data concerned 10

11 Data breach notification Notification to the individuals: Nature of the personal data breach Contact points where more information can be obtained Recommend measures to mitigate the possible adverse effects of the personal data breach Notification to the competent authority: Consequences of the personal data breach Measures proposed or taken by the provider to address the breach 11

12 Need for harmonization Need to harmonize breach notification procedures across EU Member States, particularly in terms of: Notification thresholds Content and time of notification Exceptions relating to technological protection measures EC public consultation on data breach notifications (July 2011) Deadline September 9, 2011 May result in additional rules complementing the existing legal framework 12

13 Risks for non-compliance Financial loss Regulators may audit companies Fines and/or sanctions Reputational damage 13

14 2. Data breach laws in selected EU Member States 14

15 FRANCE 15

16 Ordinance of August 24, 2011 Scope Only applies to electronic communication service providers (e.g., telecom operators, ISPs) Data security breach Any security breach that accidentally or unlawfully results in the destruction, loss, alteration, disclosure of, or unauthorized access to personal data 16

17 Notification Requirement In the event of a breach, telecoms and ISPs must, without undue delay, notify: The French Data Protection Authority (CNIL), and Affected individuals - if the breach is likely to adversely affect their personal data Notice is not required in certain circumstances: If the company has implemented appropriate information security measures, and Has demonstrated this implementation to the CNIL In the absence of such measures, the CNIL may impose on the company to notify its subscribers about the breach 17

18 Conditions for Notifying Breaches The conditions for notifying security breaches are unclear Additional legislation is expected in the near future The CNIL also may issue practical guidance 18

19 Risks for Non-Compliance Sanctions 5 years imprisonment 300,000 fine Warning Reputational damage 19

20 GERMANY 20

21 Current Legal Framework for Data Security Breaches Comprehensive statutory breach notification requirement Different from the e-privacy Directive In force since September 2009, DPA guidance issued in December 2010 Broad scope, applies to all companies subject to: Federal Data Protection Act (FDPA) (private entities and undertakings governed by public law which compete on the market acting as data controllers) Telecommunications Act (telecom providers) Telemedia Act (website providers) 21

22 Types of Data Covered Sensitive data as defined in the FDPA (e.g., data about racial or ethnic origin, religion or health related data) Data subject to professional or official secrecy (e.g., data held by lawyers, notaries, doctors) Data concerning criminal acts or administrative offenses Data on bank or credit card accounts Customer data or traffic data as defined in the Telecoms Act Customer data or usage data as defined in the Telemedia Act (e.g., data held by electronic information and communication service providers, including registration or usage data that may identify an individual online user) 22

23 Requirements Legal requirements are triggered if two conditions are met: Unlawful disclosure: Data have been transferred unlawfully, OR Third parties have accessed data otherwise Serious impact for the rights or protected interests of individual (e.g., identity theft, financial damage, social disadvantages) Notification of both the competent Federal or state DPA and the individuals concerned Notification must happen without undue delay, as soon as appropriate measures to secure the data have been undertaken and any law enforcement investigation is no longer effected 23

24 Content of Notification To the individual concerned, must include: Description of the type of unlawful disclosure Recommendations for measures to limit possible negative consequences To the DPA, must, in addition, include a description of: Possible negative consequences of the unlawful disclosure Description of the measures taken by the data controller In case of disproportionate effort, in particular because of the number of individuals concerned, instead, the general public must be informed by: Advertising of at least half a page In at least two daily newspapers that are published throughout Germany 24

25 THE NETHERLANDS 25

26 Bill in Dutch Parliament Bill to implement e-privacy Directive adopted by Lower House Bill would address data security breaches, cookie requirements, net neutrality, etc. On-going debate in the Upper House Implementation date unclear 26

27 Scope Limited to telecom sector Only applies to electronic communication service providers (e.g., telecom operators, ISPs) Breach notification requirement across all sectors part of the revision of Dutch Data Protection Act that is currently being considered Broad application Any security breach that accidentally or unlawfully results in the destruction, loss, alteration, disclosure of, or unauthorized access to, personal data 27

28 Conditions for Notifying Breaches Dutch Bill closely follows text of e-privacy Directive with regard to data breach notification requirements In the event of a breach, telecoms and ISPs must, without undue delay, notify: The Dutch Telecoms Authority (OPTA), and Affected individuals If the breach is likely to adversely affect their personal data Initial assessment by the company, OPTA can overrule Exemptions: If company has implemented appropriate security measures, and Has sufficiently demonstrated this to the OPTA Mandatory data breaches register 28

29 UNITED KINGDOM 29

30 DPA Key Requirements No general legal obligation to notify under Data Protection Act 1998 BUT The UK Information Commissioner s Office (ICO) has issued guidance on data breach notification and operates a voluntary notification scheme for serious data breaches Notification expected for serious breaches where: Potential for harm to individuals Large volume of data compromised Compromised data are sensitive 30

31 Privacy and Electronic Communications (EC Directive) Regulations 2011 (PECR) Amended 2003 e-privacy Regulations to include mandatory breach notification to ICO for public electronic communication service providers (i.e., telcoms and ISPs) Notification must include a description of: Circumstances of breach Consequences Measures taken to address breach Notify subscribers where breach likely to adversely affect personal data or privacy of subscriber, except where demonstrate to ICO that security measures have been implemented that render the data unintelligible on unauthorised access Maintain inventory of breaches 31

32 Sector-specific requirements Mandatory notification for financial services organizations regulated by the Financial Services Authority (FSA) 32

33 ICO Enforcement Monetary penalties for serious breaches Up to 500,000 for serious breaches of DPA and PECR Test: serious contravention of data protection principles AND likely to cause substantial damage or distress AND deliberate OR Data Controller knew, or ought to have known, that the breach would occur AND likely cause damage/distress AND failed to take reasonable steps to prevent Note: Applies to all DPA breaches, not just security breaches PECR Fixed penalty of 1,000 on service providers that fail to notify Audit rights Third party information notice 33

34 4. Best practices 34

35 Security measures e-privacy Directive says : Access to personal data must be authorized and must have a legal purpose Personal data must be protected against accidental or unlawful destruction, accidental loss or alteration, and unauthorized or unlawful storage, processing, access or disclosure A security policy must be implemented Additional and specific security requirements under national law 35

36 Organizational measures Appoint a data protection officer Internal coordination and communication (e.g., a standard operating procedure for handling data security breaches) Internal policies for employees Privacy-by-design 36

37 Legal measures Comply with local data protection laws (i.e., registrations, privacy notices, data transfer mechanisms, etc.) Data processor clauses in service provider agreements Maintain an inventory of data security breaches 37

38 5. Conclusion 38

39 Towards a general data breach notification requirement? Recital 59 of the e-privacy Directive EU Commission s Communication proposing a Comprehensive approach on personal data protection in the EU, released on November 4, 2010 On-going revision of the EU Data Protection Directive 95/46/EC 39

40 Contact Olivier Proust Associate, Hunton & Williams +32 (0) Visit 40

Data Leak Protection legal framework and managing the challenges of a security breach

Data Leak Protection legal framework and managing the challenges of a security breach Data Leak Protection legal framework and managing the challenges of a security breach ACC Europe's Annual Conference 2009 June 7-9, 2009 Geneva Alexander Duisberg Partner, Bird & Bird LLP About Bird &

More information

NEWSFLASH GDPR N 8 - New Data Protection Obligations

NEWSFLASH GDPR N 8 - New Data Protection Obligations GDPR N 8 May 2017 NEWSFLASH GDPR N 8 - New Data Protection Obligations Following the adoption of the new EU General Data Protection Regulation (GDPR) on 27 April 2016, most organisations began to re-examine

More information

The GDPR and NIS Directive: Risk-based security measures and incident notification requirements

The GDPR and NIS Directive: Risk-based security measures and incident notification requirements The GDPR and NIS Directive: Risk-based security measures and incident notification requirements Adrian Ross LLB (Hons), MBA GRC Consultant IT Governance Ltd 4 May 2017 Introduction Adrian Ross GRC consultant

More information

Introductory guide to data sharing. lewissilkin.com

Introductory guide to data sharing. lewissilkin.com Introductory guide to data sharing lewissilkin.com Executive Summary Most organisations carry out some form of data sharing, whether it be data sharing between organisations within the group or with external

More information

Breach Notification Form

Breach Notification Form Breach Notification Form Report a breach of personal data to the Data Protection Commission Use this form if you are a Data Controller that wishes to contact us to report a personal data breach that has

More information

UWC International Data Protection Policy

UWC International Data Protection Policy UWC International Data Protection Policy 1. Introduction This policy sets out UWC International s organisational approach to data protection. UWC International is committed to protecting the privacy of

More information

DATA PROCESSING AGREEMENT

DATA PROCESSING AGREEMENT DATA PROCESSING AGREEMENT This Data Processing Agreement ( DPA ) is entered into between: A. The company stated in the Subscription Agreement (as defined below) ( Data Controller ) and B. Umbraco A/S Haubergsvej

More information

Plan a Pragmatic Approach to the new EU Data Privacy Regulation

Plan a Pragmatic Approach to the new EU Data Privacy Regulation AmChamDenmark event: EU Compliant & Cyber Resistant Plan a Pragmatic Approach to the new EU Data Privacy Regulation Janus Friis Bindslev, Partner Cyber Risk Services, Deloitte 4 February 2016 Agenda General

More information

EU GDPR and . The complete text of the EU GDPR can be found at What is GDPR?

EU GDPR and  . The complete text of the EU GDPR can be found at  What is GDPR? EU GDPR and Email The EU General Data Protection Regulation (GDPR) is the new legal framework governing the use of the personal data of European Union (EU) citizens across all EU markets. It replaces existing

More information

Eco Web Hosting Security and Data Processing Agreement

Eco Web Hosting Security and Data Processing Agreement 1 of 7 24-May-18, 11:50 AM Eco Web Hosting Security and Data Processing Agreement Updated 19th May 2018 1. Introduction 1.1 The customer agreeing to these terms ( The Customer ), and Eco Web Hosting, have

More information

ENFORCEMENT POWERS. The EU Perspective. Olivier Proust. Associate Hunton & Williams LLP

ENFORCEMENT POWERS. The EU Perspective. Olivier Proust. Associate Hunton & Williams LLP ENFORCEMENT POWERS The EU Perspective Olivier Proust Associate Hunton & Williams LLP What is enforcement within the EU? Broad sense: Any action leading to better compliance Awareness raising activities

More information

DATA PROTECTION LAWS OF THE WORLD. Bahrain

DATA PROTECTION LAWS OF THE WORLD. Bahrain DATA PROTECTION LAWS OF THE WORLD Bahrain Downloaded: 7 April 2018 BAHRAIN Last modified 25 January 2017 LAW There is currently no standalone data protection law in Bahrain. A draft is being reviewed before

More information

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy. I. OBJECTIVE ebay s goal is to apply uniform, adequate and global data protection

More information

Contributed by Djingov, Gouginski, Kyutchukov & Velichkov

Contributed by Djingov, Gouginski, Kyutchukov & Velichkov Contributed by Djingov, Gouginski, Kyutchukov & Velichkov General I Data Protection Laws National Legislation General data protection laws The Personal Data Protection Act implemented the Data Protection

More information

DATA PROTECTION LAWS OF THE WORLD. Germany

DATA PROTECTION LAWS OF THE WORLD. Germany DATA PROTECTION LAWS OF THE WORLD Germany Downloaded: 25 November 2017 GERMANY Last modified 26 January 2017 LAW The main legal source of data protection in Germany is the Federal Data Protection Act (

More information

How to Navigate International Privacy and Data Security Developments Beyond the US and the EU, Namely Canada January 30, 2019

How to Navigate International Privacy and Data Security Developments Beyond the US and the EU, Namely Canada January 30, 2019 How to Navigate International Privacy and Data Security Developments Beyond the US and the EU, Namely Canada January 30, 2019 Melissa Krasnow, VLP Law Group LLP, Minneapolis, Email: mkrasnow@vlplawgroup.com

More information

General Data Protection Regulation (GDPR)

General Data Protection Regulation (GDPR) BCD Travel s Response to the EU General Data Protection Regulation (GDPR) November 2017 Page 1 Response to the EU GDPR Copyright 2017 by BCD Travel N.V. All rights reserved. November 2017 Copyright 2017

More information

Core Elements of HIPAA The Privacy Rule establishes individuals privacy rights and addresses the use and disclosure of protected health information ( PHI ) by covered entities and business associates The

More information

Liechtenstein. General I Data Protection Laws. Contributed by Wanger Advokaturbüro. National Legislation. National Regulatory Authority.

Liechtenstein. General I Data Protection Laws. Contributed by Wanger Advokaturbüro. National Legislation. National Regulatory Authority. Contributed by Wanger Advokaturbüro General I Data Protection Laws National Legislation General data protection laws The Data Protection Act (the DPA ) dated 14 March 2002 and the relevant Ordinance on

More information

DATA PROTECTION POLICY THE HOLST GROUP

DATA PROTECTION POLICY THE HOLST GROUP DATA PROTECTION POLICY THE HOLST GROUP INTRODUCTION The purpose of this document is to provide a concise policy regarding the data protection obligations of The Holst Group. The Holst Group is a data controller

More information

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ). PRIVACY POLICY Data Protection Policy 1. Introduction This Data Protection Policy (this Policy ) sets out how Brital Foods Limited ( we, us, our ) handle the Personal Data we Process in the course of our

More information

AIRMIC ENTERPRISE RISK MANAGEMENT FORUM

AIRMIC ENTERPRISE RISK MANAGEMENT FORUM AIRMIC ENTERPRISE RISK MANAGEMENT FORUM Date 10 November 2016 Name Nick Gibbons Position, PARTNER BLM T: 0207 457 3567 E: Nick.Gibbons@blmlaw.com SUMMARY Cyber crime is now a daily reality Every business

More information

Dealing with Security and Security Breaches

Dealing with Security and Security Breaches BEIJING BRUSSELS CHICAGO DALLAS FRANKFURT GENEVA HONG KONG LONDON LOS ANGELES NEW YORK PALO ALTO SAN FRANCISCO SHANGHAI SINGAPORE SYDNEY TOKYO WASHINGTON, D.C. Dealing with Security and Security Breaches

More information

Upcoming PIPEDA Changes What is changing and what to do about it

Upcoming PIPEDA Changes What is changing and what to do about it Upcoming PIPEDA Changes What is changing and what to do about it Danny Pehar Global Television Cyber Security Expert 02 Danny Pehar Put Text Here This slide is 100% editable. Adapt it to your needs and

More information

Subject: Kier Group plc Data Protection Policy

Subject: Kier Group plc Data Protection Policy Kier Group plc Data Protection Policy Subject: Kier Group plc Data Protection Policy Author: Compliance Document type: Policy Authorised by: Kier General Counsel & Company Secretary Version 3 Effective

More information

LCU Privacy Breach Response Plan

LCU Privacy Breach Response Plan LCU Privacy Breach Response Plan Sept 2018 Prevention Communication & Notification Evaluation of Risks Breach Containment & Preliminary Assessment Introduction The Credit Union makes every effort to safeguard

More information

GDPR: A QUICK OVERVIEW

GDPR: A QUICK OVERVIEW GDPR: A QUICK OVERVIEW 2018 Get ready now. 29 June 2017 Presenters Charles Barley Director, Risk Advisory Services Charles Barley, Jr. is responsible for the delivery of governance, risk and compliance

More information

Developing Issues in Breach Notification and Privacy Regulations: Risk Managers Are you having the right conversation with the C Suite?

Developing Issues in Breach Notification and Privacy Regulations: Risk Managers Are you having the right conversation with the C Suite? Developing Issues in Breach Notification and Privacy Regulations: Risk Managers Are you having the right conversation with the C Suite? Minnesota RIMS 39 th Annual Seminar Risk 2011-2012: Can You Hack

More information

"PPS" is Private Practice Software as developed and produced by Rushcliff Ltd.

PPS is Private Practice Software as developed and produced by Rushcliff Ltd. Rushcliff Ltd Data Processing Agreement This Data Processing Agreement ( DPA ) forms part of the main terms of use of PPS, PPS Express, PPS Online booking, any other Rushcliff products or services and

More information

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2 COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September 2018 Table of Contents 1. Scope, Purpose and Application to Employees 2 2. Reference Documents 2 3. Definitions 3 4. Data Protection Principles

More information

Motorola Mobility Binding Corporate Rules (BCRs)

Motorola Mobility Binding Corporate Rules (BCRs) Motorola Mobility Binding Corporate Rules (BCRs) Introduction These Binding Privacy Rules ( Rules ) explain how the Motorola Mobility group ( Motorola Mobility ) respects the privacy rights of its customers,

More information

Introduction to the Personal Data (Privacy) Ordinance

Introduction to the Personal Data (Privacy) Ordinance Introduction to the Personal Data (Privacy) Ordinance Personal Data (Privacy) Ordinance Legislative Background Personal Data (Privacy) Ordinance came into effect on 20 December 1996 Amendment of the Ordinance

More information

General Data Protection Regulation Frequently Asked Questions (FAQ) General Questions

General Data Protection Regulation Frequently Asked Questions (FAQ) General Questions General Data Protection Regulation Frequently Asked Questions (FAQ) This document addresses some of the frequently asked questions regarding the General Data Protection Regulation (GDPR), which goes into

More information

Regulating Cyber: the UK s plans for the NIS Directive

Regulating Cyber: the UK s plans for the NIS Directive Regulating Cyber: the UK s plans for the NIS Directive September 2017 If you are a digital service provider or operate an essential service then new security and breach notification obligations may soon

More information

Stopsley Community Primary School. Data Breach Policy

Stopsley Community Primary School. Data Breach Policy Stopsley Community Primary School Data Breach Policy Contents Page 1 Introduction... 3 2 Aims and objectives... 3 3 Policy Statement... 4 4 Definitions... 4 5 Training... 5 6 Identification... 5 7 Risk

More information

Privacy Policy GENERAL

Privacy Policy GENERAL Privacy Policy GENERAL This document sets out what information Springhill Care Group Ltd collects from visitors, how it uses the information, how it protects the information and your rights. Springhill

More information

Data Processing Clauses

Data Processing Clauses Data Processing Clauses The examples of processing clauses below are proposed pending the adoption of standard contractual clauses within the meaning of Article 28.8 of general data protection regulation.

More information

Data Protection in Switzerland Update Following the Safe Harbor Decision. 21 October 2015 / 6 February 2016 Christian Wyss

Data Protection in Switzerland Update Following the Safe Harbor Decision. 21 October 2015 / 6 February 2016 Christian Wyss Data Protection in Switzerland Update Following the Safe Harbor Decision 21 October 2015 / 6 February 2016 Christian Wyss Agenda Data Protection in Switzerland The Safe Harbor Decision How to Restore Compliance?

More information

How the GDPR will impact your software delivery processes

How the GDPR will impact your software delivery processes How the GDPR will impact your software delivery processes About Redgate 230 17 202,000 2m Redgaters and counting years old customers SQL Server Central and Simple Talk users 91% of the Fortune 100 use

More information

The Role of the Data Protection Officer

The Role of the Data Protection Officer The Role of the Data Protection Officer Adrian Ross LLB (Hons), MBA GRC Consultant IT Governance Ltd 28 July 2016 www.itgovernance.co.uk Introduction Adrian Ross GRC consultant Infrastructure services

More information

Data Processing Agreement for Oracle Cloud Services

Data Processing Agreement for Oracle Cloud Services Data Processing Agreement for Oracle Cloud Services Version January 12, 2018 1. Scope, Order of Precedence and Term 1.1 This data processing agreement (the Data Processing Agreement ) applies to Oracle

More information

Privacy Law Doing Business In Canada

Privacy Law Doing Business In Canada Privacy Law Doing Business In Canada Does Canada Have Privacy Legislation? Federal Legislation Canada has a comprehensive legal framework that governs the collection, retention, use and disclosure of the

More information

Archive Legislation: archiving in the United Kingdom. The key laws that affect your business

Archive Legislation:  archiving in the United Kingdom. The key laws that affect your business Archive Legislation: Email archiving in the United Kingdom The key laws that affect your business Contents Laws regulating archiving, who they apply to and the penalties 3 Who is affected? 3 All private

More information

Data Breach Notification Policy

Data Breach Notification Policy Data Breach Notification Policy Policy Owner Department University College Secretary Professional Support Version Number Date drafted/date of review 1.0 25 May 2018 Date Equality Impact Assessed Has Prevent

More information

ADMA Briefing Summary March

ADMA Briefing Summary March ADMA Briefing Summary March 2013 www.adma.com.au Privacy issues are being reviewed globally. In most cases, technological changes are driving the demand for reforms and Australia is no exception. From

More information

Introduction to the Personal Data (Privacy) Ordinance

Introduction to the Personal Data (Privacy) Ordinance Introduction to the Personal Data (Privacy) Ordinance 1 Personal Data (Privacy) Ordinance Legislative Background Personal Data (Privacy) Ordinance came into effect on 20 December 1996 Amendment of the

More information

GDPR - Are you ready?

GDPR - Are you ready? GDPR - Are you ready? Anne-Marie Bohan and Michael Finn 24 March 2018 Matheson Ranked Ireland s Most Innovative Law Firm Financial Times 2017 International Firm in the Americas International Tax Review

More information

Introduction to the Personal Data (Privacy) Ordinance

Introduction to the Personal Data (Privacy) Ordinance Introduction to the Personal Data (Privacy) Ordinance Personal Data (Privacy) Ordinance Legislative Background Personal Data (Privacy) Ordinance came into effect on 20 December 1996 Amendment of the Ordinance

More information

DATA BREACH POLICY [Enniskillen Presbyterian Church]

DATA BREACH POLICY [Enniskillen Presbyterian Church] DATA BREACH POLICY [Enniskillen Presbyterian Church] Enniskillen Presbyterian Church is committed to complying with data protection legislation and will take appropriate technical and organisational measures

More information

Data Protection System of Georgia. Nina Sarishvili Head of International Relations Department

Data Protection System of Georgia. Nina Sarishvili Head of International Relations Department Data Protection System of Georgia Nina Sarishvili Head of International Relations Department 14/12/2016 Legal Framework INTERNATIONAL INSTRUMENTS CoE 108 Convention AP on Supervisory Authorities and Trans-

More information

All you need to know and do to comply with the EU General Data Protection Regulation

All you need to know and do to comply with the EU General Data Protection Regulation All you need to know and do to comply with the EU General Data Protection Regulation Table of contents Introduction... 3 Challenges, requirements, and action plans GDPR is borderless... Broadened personal

More information

2. Who we collect information (data) from & why we collect it

2. Who we collect information (data) from & why we collect it 1. Introduction Our Privacy Policy applies to the personal data that Ambrey collects and uses. References in this Privacy Policy to Ambrey, we, us or our mean Ambrey Limited and the Ambrey Group of companies:

More information

Creative Funding Solutions Limited Data Protection Policy

Creative Funding Solutions Limited Data Protection Policy Creative Funding Solutions Limited Data Protection Policy CONTENTS Section Title 1 Introduction 2 Why this Policy Exists 3 Data Protection Law 4 Responsibilities 5 6 7 8 9 10 Data Protection Impact Assessments

More information

THE NEW GENERAL DATA PROTECTION REGULATION IMPLICATIONS FOR ENTERPRISES. Forum financier du Brabant wallon

THE NEW GENERAL DATA PROTECTION REGULATION IMPLICATIONS FOR ENTERPRISES. Forum financier du Brabant wallon THE NEW GENERAL DATA PROTECTION REGULATION IMPLICATIONS FOR ENTERPRISES Forum financier du Brabant wallon 14.12.2017 Data Protection should be part of every company s or organisation s DNA Do you process

More information

This information accompanies the online data sharing best practice guidance commissioned by ACE

This information accompanies the online data sharing best practice guidance commissioned by ACE Data Protection - What the regulations say This information accompanies the online data sharing best practice guidance commissioned by ACE The guidance cannot be relied upon as legal advice. This document

More information

New Data Protection Laws

New Data Protection Laws Richard E. Mackey Jr. Vice President, Consulting Boston New York San Francisco Sacramento Charlotte Washington DC The deadline has been a moving target but come March 1, Massachusetts new data protection

More information

Data Processing Agreement

Data Processing Agreement Data Processing Agreement Merchant (the "Data Controller") and Nets (the "Data Processor") (separately referred to as a Party and collectively the Parties ) have concluded this DATA PROCESSING AGREEMENT

More information

Knowing and Implementing the GDPR Part 3

Knowing and Implementing the GDPR Part 3 Knowing and Implementing the GDPR Part 3 11 a.m. ET, 16:00 GMT March 29, 2017 Welcome & Introductions Panelists Your Host Dave Cohen IAPP Knowledge Manager Omer Tene Vice President Research & Education

More information

PS Mailing Services Ltd Data Protection Policy May 2018

PS Mailing Services Ltd Data Protection Policy May 2018 PS Mailing Services Ltd Data Protection Policy May 2018 PS Mailing Services Limited is a registered data controller: ICO registration no. Z9106387 (www.ico.org.uk 1. Introduction 1.1. Background We collect

More information

DATA PROTECTION BY DESIGN

DATA PROTECTION BY DESIGN DATA PROTECTION BY DESIGN Preparing for Europe s New Security Regulations Summary In 2018, the European Union will begin to enforce the provisions of the General Data Protection Regulation (GDPR), a new

More information

Element Finance Solutions Ltd Data Protection Policy

Element Finance Solutions Ltd Data Protection Policy Element Finance Solutions Ltd Data Protection Policy CONTENTS Section Title 1 Introduction 2 Why this Policy Exists 3 Data Protection Law 4 Responsibilities 5 6 7 8 9 10 Data Protection Impact Assessments

More information

Data Protection Policy

Data Protection Policy The Worshipful Company of Framework Knitters Data Protection Policy Addressing the General Data Protection Regulation (GDPR) 2018 [EU] and the Data Protection Act 1998 (DPA) [UK] For information on this

More information

First aid toolkit for the management of data breaches. Mary Deligianni Senior Associate 15 February 2018

First aid toolkit for the management of data breaches. Mary Deligianni Senior Associate 15 February 2018 First aid toolkit for the management of data breaches Mary Deligianni Senior Associate 15 February 2018 What is a personal data breach? Breach of security which leads to the accidental or unlawful destruction,

More information

Cayman Islands Data Protection Law Guide Book

Cayman Islands Data Protection Law Guide Book Cayman Islands Data Protection Law Guide Book 2017 Guide Book Cayman Islands Data Protection Law, 2017 1. Background and Overview On 27 March 2017 the Data Protection Law, 2017 (Law) was passed by the

More information

German Data Processing Addendum MailChimp

German Data Processing Addendum MailChimp Customer EU Data Processing Addendum This Data Processing Addendum ("DPA"), forms part of the Agreement between The Rocket Science Group LLC d/b/a MailChimp ("MailChimp") and CK Coaching Köln ("Customer")

More information

Cybersecurity Considerations for GDPR

Cybersecurity Considerations for GDPR Cybersecurity Considerations for GDPR What is the GDPR? The General Data Protection Regulation (GDPR) is a brand new legislation containing updated requirements for how personal data of European Union

More information

You can find a brief summary of this Privacy Policy in the chart below.

You can find a brief summary of this Privacy Policy in the chart below. In this policy Shine TV Limited with registered office at Shepherds Building Central, Charecroft Way, Shepherds Bush, London, W14 0EE, UK (Company or we) informs you about how we collect, use and disclose

More information

Summary Comparison of Current Data Security and Breach Notification Bills

Summary Comparison of Current Data Security and Breach Notification Bills Topic S. 117 (Nelson) S. (Carper/Blunt) H.R. (Blackburn/Welch) Comments Data Security Standards The FTC shall promulgate regulations requiring information security practices that are appropriate to the

More information

It applies to personal information for individuals that are external to us such as donors, clients and suppliers (you, your).

It applies to personal information for individuals that are external to us such as donors, clients and suppliers (you, your). Our Privacy Policy 1 Purpose Mission Australia is required by law to comply with the Privacy Act 1988 (Cth) (the Act), including the Australian Privacy Principles (APPs). We take our privacy obligations

More information

Customer EU Data Processing Addendum

Customer EU Data Processing Addendum From: MailChimp Legal Team To: TC - Info - Heart of the City Subject: MailChimp Data Processing Addendum Date: 10 May 2018 13:15:11 Attachments: ATT00001.png Customer EU Data Processing Addendum This Data

More information

ACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION

ACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION ACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION Document Control Owner: Distribution List: Data Protection Officer Relevant individuals who access, use, store or

More information

EU Data Protection Triple Threat for May of 2018 What Inside Counsel Needs to Know

EU Data Protection Triple Threat for May of 2018 What Inside Counsel Needs to Know EU Data Protection Triple Threat for May of 2018 What Inside Counsel Needs to Know The General Data Protection Regulation (GDPR) The eprivacy Regulation (epr) The Network and Information Security Directive

More information

POMONA EUROPE ADVISORS LIMITED

POMONA EUROPE ADVISORS LIMITED POMONA EUROPE ADVISORS LIMITED Personal Information Notice Pomona Europe Advisors Limited (Pomona, we/us/our) wants you to be familiar with how we collect, use and disclose personal information. This Personal

More information

Website and Marketing Privacy Policy

Website and Marketing Privacy Policy Website and Marketing Privacy Policy In this policy Endemol Shine UK and its group of companies (Company or we) informs you about how we collect, use and disclose personal data from and about you and your

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Addressing the General Data Protection Regulation (GDPR) 2018 [EU] and the Data Protection Act (DPA) 2018 [UK] For information on this Policy or to request Subject Access please

More information

APF!submission!!draft!Mandatory!data!breach!notification! in!the!ehealth!record!system!guide.!

APF!submission!!draft!Mandatory!data!breach!notification! in!the!ehealth!record!system!guide.! enquiries@privacy.org.au http://www.privacy.org.au/ 28September2012 APFsubmission draftmandatorydatabreachnotification intheehealthrecordsystemguide. The Australian Privacy Foundation (APF) is the country's

More information

Data Breach Incident Management Policy

Data Breach Incident Management Policy Data Breach Incident Management Policy Policy Number FCP2.68 Version Number 1 Status Draft Approval Date: First Version Approved By: First Version Responsible for Policy Responsible for Implementation

More information

GDPR AMC SAAS AND HOSTED MODULES. UK version. AMC Consult A/S June 26, 2018 Version 1.10

GDPR AMC SAAS AND HOSTED MODULES. UK version. AMC Consult A/S June 26, 2018 Version 1.10 GDPR AMC SAAS AND HOSTED MODULES UK version AMC Consult A/S June 26, 2018 Version 1.10 INDEX 1 Signatures...3 2 General...4 3 Definitions...5 4 Scoping...6 4.1 In scope...6 5 Responsibilities of the data

More information

EU data security and privacy trends

EU data security and privacy trends EU data security and privacy trends Top issues for HR and global mobility 26 29 October 2014 Disclaimer EY refers to the global organization, and may refer to one or more, of the member firms of Ernst

More information

INNOVENT LEASING LIMITED. Privacy Notice

INNOVENT LEASING LIMITED. Privacy Notice INNOVENT LEASING LIMITED Privacy Notice Table of Contents Topic Page number KEY SUMMARY 2 ABOUT US AND THIS NOTICE 3 USEFUL WORDS AND PHRASES 4 WHAT INFORMATION DO WE COLLECT? 4 WHY DO WE PROCESS YOUR

More information

ITU Asia-Pacific Centres of Excellence Training on Conformity and Interoperability. Session 2: Conformity Assessment Principles

ITU Asia-Pacific Centres of Excellence Training on Conformity and Interoperability. Session 2: Conformity Assessment Principles ITU Asia-Pacific Centres of Excellence Training on Conformity and Interoperability Session 2: Conformity Assessment Principles 12-16 October 2015 Beijing, China Keith Mainwaring ITU Expert Agenda 1. Context

More information

Privacy Breach Policy

Privacy Breach Policy 1. PURPOSE 1.1 The purpose of this policy is to guide NB-IRDT employees and approved users on how to proceed in the event of a privacy breach, and to demonstrate to stakeholders that a systematic procedure

More information

General Legal Requirements under the Act and Relevant Subsidiary Legislations. Personal data shall only be processed for purpose of the followings:

General Legal Requirements under the Act and Relevant Subsidiary Legislations. Personal data shall only be processed for purpose of the followings: General Legal Requirements regarding the Personal Data Protection ( PDP ) Principles under the PDP Act 2010 ( Act ) and the relevant Subsidiary Legislations PDP Principles General Principle Data users

More information

DATA SECURITY - DATA PROTECTION ACT

DATA SECURITY - DATA PROTECTION ACT DATA SECURITY - DATA PROTECTION ACT Data Security - Data Protection Act Many businesses are totally reliant on the data stored on their PCs, laptops, networks, mobile devices and in the cloud. Some of

More information

HIPAA-HITECH: Privacy & Security Updates for 2015

HIPAA-HITECH: Privacy & Security Updates for 2015 South Atlantic Regional Annual Conference Orlando, FL February 6, 2015 1 HIPAA-HITECH: Privacy & Security Updates for 2015 Darrell W. Contreras, Esq., LHRM Gregory V. Kerr, CHPC, CHC Agenda 2 OCR On-Site

More information

Privacy and Data Protection Policy

Privacy and Data Protection Policy Privacy and Data Protection Policy Introduction 1. The Ripple Pond is committed to ensuring the secure and safe management of personal data held by the Charity in relation to Beneficiaries, Staff, Trustees,

More information

Learning Management System - Privacy Policy

Learning Management System - Privacy Policy We recognize that visitors to our Learning Management System (LMS) may be concerned about what happens to information they provide when they make use of the system. We also recognize that education and

More information

Within the meanings of applicable data protection law (in particular EU Regulation 2016/679, the GDPR ):

Within the meanings of applicable data protection law (in particular EU Regulation 2016/679, the GDPR ): Privacy Policy Introduction Ikano S.A. ( Ikano ) respects your privacy and is committed to protect your Personal Data by being compliant with this privacy policy ( Policy ). In addition to Ikano, this

More information

Building a Privacy Management Program

Building a Privacy Management Program Building a Privacy Management Program February 26, 2013 Office of the Information and Privacy Commissioner of Alberta Session Overview Reasons for having a PMP Strategies to deal with current and future

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Introduction The purpose of this document is to provide a concise policy regarding the data protection obligations of Youth Work Ireland. Youth Work Ireland is a data controller

More information

General Data Protection Regulation (GDPR) The impact of doing business in Asia

General Data Protection Regulation (GDPR) The impact of doing business in Asia SESSION ID: GPS-R09 General Data Protection Regulation (GDPR) The impact of doing business in Asia Ilias Chantzos Senior Director EMEA & APJ Government Affairs Symantec Corporation @ichantzos Typical Customer

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Data Protection Policy Version 3.00 May 2018 For more information, please contact: Technical Team T: 01903 228100 / 01903 550242 E: info@24x.com Page 1 The Data Protection Law...

More information

Security Breach Notification Reflections on the U.S. Experience

Security Breach Notification Reflections on the U.S. Experience Compliance & Regulatory Matters Data Privacy Security Breach Notification Reflections on the U.S. Experience Bojana Bellamy Director of Data Privacy Accenture Brief History of Breach Notification Laws

More information

RVC DATA PROTECTION POLICY

RVC DATA PROTECTION POLICY RVC DATA PROTECTION POLICY POLICY and PROCEDURES Responsibility of Data Protection Officer Review Date July 2019 Approved by CEC Author D.Hardyman-Rice CONTENTS PAGE 1) Policy Statement 3 2) Key definitions

More information

The HIPAA Omnibus Rule

The HIPAA Omnibus Rule The HIPAA Omnibus Rule What You Should Know and Do as Enforcement Begins Rebecca Fayed, Associate General Counsel and Privacy Officer Eric Banks, Information Security Officer 3 Biographies Rebecca C. Fayed

More information

Critical Information Infrastructure Protection Law

Critical Information Infrastructure Protection Law Critical Information Infrastructure Protection Law CCD COE Training 8 September 2009 Tallinn, Estonia Maeve Dion Center for Infrastructure Protection George Mason University School of Law Arlington, Virginia.

More information

1. Introduction and Overview 3

1. Introduction and Overview 3 Data Breach Policy Contents 1. Introduction and Overview 3 1.1 What is a Serious Information Governance Incident? 3 1.2 What causes a SIGI? 3 1.3 How can a SIGI be managed? 4 2. How to manage an incident

More information

Data Processing Agreement DPA

Data Processing Agreement DPA Data Processing Agreement DPA between Clinic Org. no. «Controller». and Calpro AS Org. nr. 966 291 281. «Processor» If the parties have executed a Data Management Agreement, the Date Management Agreement

More information

University Privacy Campaign. Introduction to the Personal Data (Privacy) Ordinance

University Privacy Campaign. Introduction to the Personal Data (Privacy) Ordinance University Privacy Campaign Introduction to the Personal Data (Privacy) Ordinance 1 Personal Data (Privacy) Ordinance Legislative Background Personal Data (Privacy) Ordinance came into effect on 20 December

More information

Canada's New Anti-spam Law Are you prepared? Tricia Kuhl (Blakes) Dara Lambie (Blakes) Presented to ACC Ontario Chapter May 9, 2012

Canada's New Anti-spam Law Are you prepared? Tricia Kuhl (Blakes) Dara Lambie (Blakes) Presented to ACC Ontario Chapter May 9, 2012 Canada's New Anti-spam Law Are you prepared? Tricia Kuhl (Blakes) Dara Lambie (Blakes) Presented to ACC Ontario Chapter May 9, 2012 OVERVIEW Background & Status Breadth & Scope Penalties & Liability Compliance

More information