Contents

1 Who is this guide designed for?
2 What does the GDPR change regarding the duty to inform?
3 Who must be informed and when?
4 Where and how to inform?
5 Layered information
6 Basic information (first layer)
7 Additional information (second layer)
7.1 Controller
7.2 Purpose
7.3 Legitimation
7.4 Recipients
7.5 Rights
7.6 Origin
1 Who is this guide designed for?

The General Data Protection Regulation [1] (hereinafter, the GDPR), published in May 2016 and applicable as of 25 May 2018, directly applies throughout the European Union, covering the protection of individuals regarding the processing of personal data and the free circulation of these data.

As of May 2018, the GDPR shall replace the current Organic Data Protection Law [2] (hereinafter, LOPD) and its implementing regulation RD-1720/2007. It introduces a series of changes and developments that current processing operations must adapt to before the date of full implementation.

The specific purpose of this Guide is to offer best practices to comply with the duty to inform data subjects, under the principle of transparency, of the circumstances and conditions of data processing and their rights. This guide only covers this specific purpose, and must be complemented with other guides issued by the Data Protection Agency to implement the GDPR.

This Guide is designed firstly for Data Controllers [3] subject to the GDPR, as well as professionals who contribute, either within their Organisations or as Data Processors [4], to advising Data Controllers on their obligations under the Regulation.

This guide is also designed for individuals who carry out or will carry out the role of Data Protection Officer [5] (hereinafter, DPO), a new position in our field, afforded a significant role by the GDPR.

2 What does the GDPR change regarding the duty to inform?

Currently, the LOPD establishes the following obligations regarding the information to be provided to data subjects when data is requested:

- If there is a file or processing, its purpose and recipient.
- Whether a response is mandatory or not, and its consequences.
- The possibility of exercising the rights of access, rectification, erasure and objection.
- The identity and contact details of the data controller.

[1] Official State Gazette (BOE):
[2] Official State Gazette (BOE):
[3] Controller: natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing
[4] Processor: natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller
[5] Data Protection Officer: natural or legal person, employed as a staff member or under a service contract, who informs and advises the Controller, the Processor and other employees on their obligations under the GDPR and monitors compliance, cooperating and acting as a point of contact with Control Authorities

GUIDE TO COMPLY WITH THE DUTY TO INFORM
From now on, the GDPR adds additional requirements regarding the need to inform data subjects, generalising the concept of Processing [6], and incorporating the following details:

- The contact details of the Data Protection Officer, if any
- The legal basis or legitimation for processing
- The period or criteria for storing information
- The existence of automated decisions or creation of profiles
- The possibility of transfers to Third Countries
- The right to bring a claim before Control Authorities

And, if the data are not obtained from the data subject:

- The source of the data
- Categories of data

Therefore, the procedures, models or forms designed pursuant to the LOPD must be reviewed and adapted by Data Controllers prior to the full implementation of the GDPR, incorporating the new requirements pursuant to the guidelines in this guide.

As the new requirements extend and do not contradict the obligation to inform set forth in the LOPD, we recommend revising and applying this adaptation as soon as possible.

For more details, please consult Articles 13 and 14 of the GDPR regarding the right to information of data subjects.

3 Who must be informed and when?

The obligation to inform data subjects of how their data are processed lies with the Data Controller.

Information must be provided to data subjects at the time the data is requested, prior to collection or recording, if the data is obtained directly from the data subject.

If the data is not obtained from the data subject, under legitimate transfer, or from publicly accessible sources, the Controller shall inform data subjects within a reasonable period, but in any case:

- within a month from obtaining the personal data
- before or in the first communication with the data subject
- before the data have been communicated to other recipients, if at all

This obligation must be met with no need for any request, and the controller must be able to subsequently accredit that the obligation to inform has been satisfied.

[6] Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (the GDPR does not use the concept of "file")
When is there NO obligation to inform?

There is only no need to inform when the data subject already has the information, or if the data does not come from the data subject, when:

- communication is impossible or requires disproportionate effort
- the record or communication is expressly established by Union or Member State law
- when the data must remain confidential due to a legal duty to secrecy

4 Where and how to inform?

Information collection procedures can be varied and, therefore, the methods for informing data subjects must adapt to the circumstances of each means used to collect or record data.

For example, some of the most common data collection methods, and therefore, the methods used to inform, could be:

- Paper forms
- Web browsing or forms
- Personal activity data
- Telephone interviews
- Mobile application records
- Sensor data (IoT)

Furthermore, communications to the data subject regarding data that is already available, or additional processing, can be sent by means including:

- Post
- Electronic messaging
- Pop-up notifications in services and applications

The characteristics of each of these means vary regarding extension, availability of space, legibility, the possibility of linking information, etc.

In any case, information must be provided to data subjects:

- in a clear and simple language
- in a concise, transparent, understandable way that is easy to access

5 Layered information

To make the greater requirement for information introduced by the GDPR compatible with presenting it in a concise, easily understandable manner, Data Protection Authorities recommend adopting a layered or level-based information model.

The multi-level approach to information consists of:

- presenting basic information first, in a summarised format, at the time and via the means used to collect the data
- sending second-level additional information, presenting the rest of the information in a detailed manner, using a means suitable for its presentation, understanding and, if required, storage
The set of information required by the GDPR can be grouped into specific headings for the purpose of organisation and presentation, particularly regarding the summarised information to be presented in the first layer or level.

For example, one recommended grouping and the information to be presented in each layer or level is:

Heading: Controller (of data processing)
  Basic information (1st layer, summarised):
  - Identity of the Data Controller
  Additional information (2nd layer, detailed):
  - Controller contact details
  - Identity and contact details of the representative
  - Data Protection Officer contact details

Heading: Purpose (of the processing)
  Basic information (1st layer, summarised):
  - Simple description of the purpose of processing, including creating profiles
  Additional information (2nd layer, detailed):
  - Extended description of the purpose of processing
  - Periods or criteria for storing information
  - Automated decisions, profiles and applied logic

Heading: Legitimation (for the processing)
  Basic information (1st layer, summarised):
  - Legal basis of processing
  Additional information (2nd layer, detailed):
  - Details of the legal basis of processing, in the case of legal obligation, public interest or legitimate interest
  - Obligation or not to provide data and the consequences of not doing so

Heading: Recipients (of transfers)
  Basic information (1st layer, summarised):
  - Intention to Transfer or not
  - Intention to Transfer, or not, to third countries
  Additional information (2nd layer, detailed):
  - Recipients or categories of recipients
  - Adequacy decisions, guarantees, binding corporate rules or applicable specific situations

Heading: Rights (of data subjects)
  Basic information (1st layer, summarised):
  - Reference to exercising rights
  Additional information (2nd layer, detailed):
  - How to exercise rights to access, rectification, erasure and portability of data, and restriction or opposition to processing
  - Right to withdraw consent provided
  - Right to bring a claim before the Control Authority

Heading: Origin (of data)
  Basic information (1st layer, summarised):
  - Source of the data (when not from the data subject)
  Additional information (2nd layer, detailed):
  - Detailed information on the origin of data, even if they come from publicly accessible sources
  - Categories of data processed

We recommend always presenting the first five headings ("Controller", "Purpose", "Legitimation", "Recipients" and "Rights"), only adding the sixth heading "Origin" if the data do not come from the data subject.

It is important to note that this multi-level approach was introduced to make the Data Controller's task easier when designing procedures and forms, and so that data subjects receive the most relevant information in a quick, simple manner, but without any prejudice to the principles of lawfulness, loyalty and transparency set forth in the GDPR.
6 Basic information (first layer)

The preferred manner of presenting this first layer is in table format (similar to how nutritional information is presented on food), ensuring that this information is within the field of view of the data subject, depending on the means used to collect the information.

It must be clearly identified with a title such as "Basic information on data protection".

On an application form, for example, the basic information must be in the same field of view as the space for consenting to the application (signature on paper, or the send button on an electronic form); it must also be included in the copy available to the data subject.

If this is not feasible due to design restrictions, a note or warning must be included in the field of view of the signature, informing the data subject where the table with information on data protection is located.

Example: "before signing the application, please read the basic information on data protection available (on the back, in the footer, etc.)"

Legitimation refers to the legal basis for processing; this is regulated in the GDPR [7], with the following possibilities [8]:

- Performance of a contract
- Compliance with a legal obligation
- Public interest or Exercising Public Authority
- Legitimate interest of the Controller or Legitimate interest of a third party
- Consent from the data subject

When a processing operation has various purposes, the legitimation of the main purpose for processing shall be noted here.

Recipients must always be included in the basic information, even if there is no plan to communicate data to third parties, as this contributes to data subjects understanding the processing better.

Example: "Data shall not be transferred to third parties, except under legal obligation"

Rights must also always appear in the basic information, although a brief reference to the most common rights can be made, as well as reference to the relevant heading in the additional information.

Example: "You have the right to access, rectify and erase data, as well as other rights, as explained in the additional information section"

[7] For more details, please see Article 6 of the GDPR on the lawfulness of processing
[8] This does not include legitimation based on the protection of vital interests of the data subject or another individual. For more information, see below, in the relevant heading of the additional information.
Finally, in addition to the summarised information table, there must be a clear indication of where or how to access second-level additional information.

Example: "You can consult additional and detailed information on Data Protection (text instructions, hyperlink, etc.)"

Example of Basic information on paper

A trivial case of summarised information, in table format, used on a paper form to subscribe to a magazine, for example, could be:

Basic information on Data Protection
  Controller: Ediciones Warren&Brandeis, S.A.
  Purpose: Managing subscription
  Legitimation: Performance of a contract
  Recipients: Data shall not be transferred to third parties, except under legal obligation
  Rights: To access, rectify and erase data, as well as other rights, as explained in the additional information section
  Additional information: You can consult additional and detailed information on Data Protection on our website:

Note that, although this is a paper form, a hyperlink to additional information has been included as it is assumed that this is a case of limited space.

Example of Basic information in electronic format

A case of summarised information used on a web form, for example, to request the download of certain documentation which requires registering in a commercial information distribution list, could be:

Basic information on Data Protection
  Controller: Ediciones Warren&Brandeis, S.A. (more info)
  Purpose: To manage sending commercial information and marketing materials (more info)
  Legitimation: Consent from the data subject (more info)
  Recipients: Other Warren&Brandeis, Inc. group companies; Data Processors outside the EU, adhered to the Privacy Shield (more info)
  Rights: To access, rectify and erase data, as well as other rights, as explained in the additional information section (more info)
  Additional information: You can consult additional and detailed information on Data Protection on our website:
Note that the example includes a hyperlink with the basic information provided, which would lead to the relevant heading in the additional information. This practice is recommended when informing via electronic means.

Example of Basic information during a telephone interview

Basic information must be provided during a telephone interview as a clear and concise statement, ensuring that the individual has understood the information provided, before collecting information.

The individual will be offered additional information by another means, but if the data subject requires any clarification, they must be provided with a complementary statement with the additional information from the heading they requested.

7 Additional information (second layer)

The information provided in the second layer must provide complete details on the summarised information, as well as add the additional information required by the GDPR that was not included in the first layer.

The information provided in this second layer must be complete, i.e., do not omit information because it was already included in the basic information.

How can additional information be provided?

How this second layer is provided also depends on the characteristics of the means used to inform, although there must be no limit to the length of the information. In this case, the possibilities are more flexible:

Additional information on paper:
- On the same form (e.g., on the back)
- As an appendix or supplement provided to the data subject, which they can keep
- As clearly visible information on posters, panels, leaflets, etc., of which a copy can be requested for keeping.

Electronic additional information:
- On a specific website via a hyperlink
- As a document available for download from a URL
- As an attachment to an e-mail sent to the data subject

Additional information by telephone:
- A statement offered to the data subject, as a supplement or alternative to offering additional information available online, or sent by post or e-mail.

What language should I use?

The language used must be clear, concise and understandable. As a style guide, you can follow these guidelines:

- We suggest using a well structured format, based on questions and answers, following the headings described above.
- You must seek a balance between conciseness and accuracy; avoid circumlocution, unnecessary explanations or confusing details
- Avoid overusing legal quotations, confusing jargon, or terms that are ambiguous or have little meaning for the recipients

What information should be included in each heading?

The length or level of detail for each heading will depend on the complexity of the specific circumstances.

The sections below explain the variations applicable to each heading, including practical examples related to the hypothetical cases used above ("Ediciones Warren & Brandeis, S.A.").

Transparency and loyalty can also be improved by voluntarily providing additional information that is not required by the GDPR on:

- Best practices, guarantees and additional measures applied
- Uses and practices that will be expressly avoided

in order to contribute to improving personal data protection and generating trust in data subjects.

7.1 Controller

Although the identity of the data controller will have been provided in the basic information, this must be completed in the additional information to include the following details:

- Identity and contact details of the Controller and, where appropriate [9], their representative
- Contact details [10] of the Data Protection Officer, if any

The contact details must include, as appropriate, a postal address and an electronic address, if available. It is preferable to always provide a localised postal address, although a PO Box can also be provided. The electronic address could be, for example, an address or a URL that leads to an electronic contact application or form.

Example: Who is the Data Controller for your data?

  Identity: Ediciones Warren&Brandeis, S.A. - Tax ID: A
  Postal address: Calle Universidad de Harvard, nro Madrid
  Telephone: info@warrenbrandeis.com
  Data Protection Officer:
  DPO contact:

[9] If the Controller is not established in the European Union, they must appoint a representative in the Union. For more information, see Article 27 of the GDPR
[10] There is no need to provide the identity of the Data Protection Officer, merely their contact details
7.2 Purpose

In addition to the summarised purpose provided in the first layer, more details must be given on the purposes of processing the personal data, including the period during which such personal data shall be stored or, when this is not possible, the criteria used to determine this period.

Remember that the purpose limitation principle establishes that the data will only be collected for specific, explicit and legitimate purposes, and they will not be further processed in a manner that is incompatible with those purposes.

When further processing of personal data is planned for a purpose other than that for which they were collected, the data subject will be provided information on this other purpose and any relevant additional information before such further processing.

Data subjects will also be informed of any automated decisions, including creating profiles and, at least in such cases, significant information will be provided on the logic applied, as well as the importance and expected consequences for the data subject of such processing [11].

Example: For what purpose do we process your personal data?

  At Warren & Brandeis we process the information provided by individuals for the purpose of ( managing sending the information requested / providing data subjects with offers on products and services of interest / )

  For the purpose of ( offering you products and services according to your interest / improving your user experience ), we will create a commercial profile based on the information provided. No automated decisions will be made based on this profile.

  How long will we store your data?

  The personal data provided shall be stored ( for the duration of the commercial relationship, / if the data subject does not request erasure / for a period of xx years after the last confirmation of interest ).

Avoid including purposes that are too generic or unspecific, which may lead to further processing that exceeds the reasonable expectations of the data subject.

[11] For more information on automated decisions, see Article 22 of the GDPR
7.3 Legitimation

As indicated for the basic information, this heading refers to the legal basis for processing. In addition to the basic information offered in the first layer, the following must be indicated, as appropriate:

Legitimation based on performance of a contract: When processing is necessary to perform a contract (mercantile, labour, administrative, etc.) the data subject is party to, or to apply pre-contractual measures, a reference will be made to the contract or type of contract involved, with sufficient detail to ensure no ambiguity.

Legitimation based on compliance with a legal obligation: When processing is necessary to comply with a legal obligation applicable to the data controller, i.e., an obligation under Union law or domestic law, there must be an unambiguous mention of the legally binding rule imposing the obligation.

Legitimation based on Public Interest or Exercising Public Authority: When processing is necessary to comply with public interest or exercise public authority conferred to the data controller (as in the case of the public sector), there will also be an unambiguous mention of the legally binding rule conferring the public powers or qualifying the activity as being in the public interest.

Legitimation based on the Legitimate Interest of the Controller, or a third party: When processing is necessary to satisfy the legitimate interests pursued by the data controller or a third party, these interests shall be specified. It is considered best practice to include a summary weighting the legitimacy [12] compared to the interests, and rights and freedoms of the data subject when this contributes to the principle of transparency.

Legitimation based on consent from the data subject: When the legitimation of the main purpose does not fall under any of the above legal bases, consent to process their personal data must be requested from the data subject and noted in this section [13].

If the main purpose is legitimated by any of the legal bases mentioned above, but any specific purpose requires consent from the data subject, both grounds for legitimation shall be noted. In this latter case, the data subject must be informed that the main purpose is not subject to consent for the data not required for this main purpose, as otherwise consent would not be considered to be freely granted.

[12] Determining when a specific interest of the Controller can be classified as legitimate is beyond the scope of this guide. For more information, see Article 29 Working Party Opinion 06/2014 on the concept of legitimate interest, available at:
[13] Consent management conditions are beyond the scope of this guide. For more information, see Article 29 Working Party Opinion 15/2011 on the definition of consent, available at:
If there is a legal or contractual requirement to communicate data, or it is a necessary requirement to sign a contract, as may occur in the first three cases of legitimation, the data subject must be informed if they are obliged to provide personal data, as well as the consequences of not doing so.

Finally, the GDPR also includes protecting the vital interests of the data subject or another individual among the possible legal bases for processing. This has not been included among the legitimation grounds as it is considered a residual circumstance, applicable to special, urgent or unexpected situations, and must not be a general cause for legitimating processing.

Example: What is the legitimation for processing your data?

  The legal basis for processing your data is the performance of a subscription contract for the magazines in our order portfolio ( according to the terms and conditions stated in )

  Products and services are offered based on the consent requested; in no case does withdrawing this consent affect the performance of the subscription contract

Avoid practices such as including pre-checked boxes in consent management procedures, taking into account the requirement imposed by the GDPR that consent must be given by means of a clear affirmative action that reflects the free, specific, informed and unequivocal will of the data subject.

7.4 Recipients

When the personal data collected are to be legitimately transferred or communicated, information must be given on the identity of the recipients, if they have been clearly predetermined, or the categories of recipients, if they have not been determined in advance.

Specifically, it is also advisable to provide information on any Processors whose legitimacy for processing is to perform the processing contract, especially if this entails transfers to third countries.

Example: What recipients will receive your data?

  Data will be communicated to other Warren&Brandeis, Inc. business group companies for internal administrative purposes, including processing the personal data of customers or employees.

  Warren&Brandeis, Inc. has Binding Corporate Rules, approved by the European Data Protection Committee and available at:

  Warren&Brandeis S.A contracts its virtual infrastructure according to a cloud computing model via AWS and under the EU-US Privacy Shield agreement. - Information available at:
When personal data are to be transferred to a third country or international organisation, data subjects must be informed of the conditions affecting the transfer, and specifically of the existence or absence of a Commission adequacy decision regarding the third country or international organisation.

When the controller provides suitable or appropriate guarantees, information on these guarantees will be provided, as will the means to obtain a copy thereof, or of the fact that they have been provided. Such guarantees could be:

- binding legal instruments between public authorities or bodies
- binding corporate rules [14] within a group of undertakings
- standard data protection clauses
- codes of conduct
- certification mechanisms

7.5 Rights

This heading must offer information on the rights of data subjects in relation to the Controller, according to the GDPR. These are:

- Right to request access to the personal data of the data subject
- Right to request their rectification or erasure
- Right to request restriction of processing
- Right to object to processing
- Right to data portability

The Controller must provide clear information on how the data subject can exercise these rights by providing them with forms and explaining how to contact the Controller to file their request. Optionally, the Controller can refer the data subject to the relevant Control Authority for additional information on their rights.

If consent has been given for a specific purpose, the data subject must also be informed of their right to withdraw consent at any time, and that this will not affect the lawfulness of processing based on consent prior to withdrawal.

Furthermore, data subjects must also be informed that they can bring a claim before the Data Protection Control Authority, particularly if they have not been able to exercise their rights, and how to contact the authority.

[14] "binding corporate rules": personal data protection policies which are adhered to by a controller or processor established in the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity
Example: What are your rights when you provide data?

  Any individual is entitled to obtain confirmation on whether Warren&Brandeis is processing their personal data or not.

  Individuals have the right to access their personal data, request the rectification of inaccurate data or, if appropriate, request their erasure when the data are no longer necessary for the purposes for which they were collected, among other grounds.

  In certain circumstances, individuals can request the restriction of processing of their data. In this case, we will only store them to file or defend any claims.

  In certain circumstances and based on their specific situation, individuals may object to the processing of their data. Warren&Brandeis will cease processing data, except for compelling legitimate reasons, or to file or defend any claims.

  ( )

The above example does not cover all situations. It is not intended to cover all possible information, nor is it a model applicable to all processing operations; on the contrary, its only purpose is to illustrate a possible style of information in specific cases, with the minimum information that should be offered.

7.6 Origin

The heading on the origin of data only needs to be included if the personal data have not been obtained from the data subject because they come from a legitimate transfer or a publicly accessible source.

The means for providing this information will usually be different from those used to inform data subjects when collecting data. The most suitable means could be:

- Post
- Instant messaging

The suitability of the means must be weighted against the need to demonstrate compliance with the duty to inform.

In the case of mail or e-mail, the most suitable practice is:

- include the basic information in the notification informing the data subject of processing, expanded with the summarised "Origin" heading
- attach the additional or full information as an appendix or supplement, including the extended "Origin" heading
- optionally, include a link to the additional information in electronic format

In the case of instant messaging, you can only include a brief reference to the nature of the communication plus a link to the additional information in electronic format; therefore, this means should only be used when there is no other possibility.

An informative statement by telephone does not seem appropriate.
In this case, the information provided must be:

- the source of the personal data and, where appropriate, if they come from unrestricted publicly accessible sources
- the categories of personal data processed, indicating any sensitive personal data

Example: How have we obtained your data?

  The personal data processed by Warren&Brandeis S.A come from other Warren&Brandeis Inc. group businesses.

  The categories of data processed are:
  - Identification data
  - Identification codes
  - Postal or electronic addresses
  - Commercial information
  - Economic data

  No sensitive personal data is processed
More informationCOMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2
COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September 2018 Table of Contents 1. Scope, Purpose and Application to Employees 2 2. Reference Documents 2 3. Definitions 3 4. Data Protection Principles
More informationCreative Funding Solutions Limited Data Protection Policy
Creative Funding Solutions Limited Data Protection Policy CONTENTS Section Title 1 Introduction 2 Why this Policy Exists 3 Data Protection Law 4 Responsibilities 5 6 7 8 9 10 Data Protection Impact Assessments
More informationGDPR Privacy Policy. The data protection policy of AlphaMed Press is based on the terms found in the GDPR.
GDPR Privacy Policy PRIVACY POLICY The privacy and security of data are a priority for AlphaMed Press and our management and staff. While accessing and using our website does not require your submission
More informationPrivacy Policy. Data Controller - the entity that determines the purposes, conditions and means of the processing of personal data
Privacy Policy Datacenter.com (referred to as we, us, our, Datacenter or the Company ) is committed to protecting your privacy and handling your data in an open and transparent manner. The personal data
More informationThis Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).
PRIVACY POLICY Data Protection Policy 1. Introduction This Data Protection Policy (this Policy ) sets out how Brital Foods Limited ( we, us, our ) handle the Personal Data we Process in the course of our
More informationData Protection and Privacy Policy PORTOBAY GROUP Version I
Data Protection and Privacy Policy PORTOBAY GROUP 2018-03-07 Page 1 of 12 Contents Commitment to Data Protection and Privacy... 3 Definitions... 3 Entity Responsible for Processing... 4 Contact information
More informationGeneral Data Protection Regulation BT s amendments to the proposed Regulation on the protection of individuals with regard to the processing of
General Data Protection Regulation BT s amendments to the proposed Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General
More informationPRIVACY POLICY OF THE WEB SITE
PRIVACY POLICY OF THE ERANOS FOUNDATION Introductory remarks The Eranos Foundation respects your privacy! Privacy policy EU Norm 2016-769 GDPR 1 We do not sell or distribute any information that we acquire
More information- GDPR (General Data Protection Regulation) is the new Data Protection Regulation of the European Union;
PRIVACY NOTICE INTRODUCTION During the operation of the website data controller processes the data of persons registered on the website in order to be able to provide them with adequate services. Service
More informationDISCLOSURE ON THE PROCESSING OF PERSONAL DATA LAST REVISION DATE: 25 MAY 2018
DISCLOSURE ON THE PROCESSING OF PERSONAL DATA LAST REVISION DATE: 25 MAY 2018 Introduction This disclosure on the processing of personal data (hereinafter, the "Disclosure") is provided pursuant to Art.
More informationPrivacy Policy Kühnreich & Meixner GmbH Kühnreich & Meixner GmbH Kühnreich & Meixner GmbH Kühnreich & Meixner GmbH 1. Definitions
Privacy Policy We are very delighted that you have shown interest in our enterprise. Data protection is of a particularly high priority for the management of the Kühnreich & Meixner GmbH. The use of the
More informationPRIVACY POLICY PRIVACY POLICY
PRIVACY POLICY 1 A. GENERAL PART 1.1. COLLECTION AND PROCESSING OF USER DATA Within the scope of the availability of the website hosted in www.alpinushotel.com and of the services and communications made
More informationDATA PROTECTION POLICY THE HOLST GROUP
DATA PROTECTION POLICY THE HOLST GROUP INTRODUCTION The purpose of this document is to provide a concise policy regarding the data protection obligations of The Holst Group. The Holst Group is a data controller
More informationDEPARTMENT OF JUSTICE AND EQUALITY. Data Protection Policy
DEPARTMENT OF JUSTICE AND EQUALITY Data Protection Policy May 2018 Contents Page 1. Introduction 3 2. Scope 3 3. Data Protection Principles 4 4. GDPR - Rights of data subjects 6 5. Responsibilities of
More informationPrivacy Policy Section A Section B Section C Section D
Privacy Policy The PIKO Solar Portal of KOSTAL Solar Electric GmbH is available at https://www.piko-solar-portal.com. This portal allows customers to monitor photovoltaic systems using KOSTAL inverters.
More informationWithin the meanings of applicable data protection law (in particular EU Regulation 2016/679, the GDPR ):
Privacy Policy Introduction Ikano S.A. ( Ikano ) respects your privacy and is committed to protect your Personal Data by being compliant with this privacy policy ( Policy ). In addition to Ikano, this
More informationPart B of this Policy sets out the rights that all individuals have in relation to the collection and use of your personal information
Date: 15 Feb 2018 Issue No: 1 Page: 1 of 15 Site: UK Kingspan Insulation Limited ("Kingspan") has issued this Data Protection Policy for its customers. The term customer refers to those that receive a
More informationPrivacy Policy of
Privacy Policy of www.bitminutes.com This Application collects some Personal Data from its Users. Owner and Data Controller BitMinutes Inc Owner contact email: privacy@bitminutes.com Types of Data collected
More informationData Subject Requests Procedure
Subject Requests Procedure Subject Requests Procedures Issued By: Legal Effective Date: Review Date:.0 Contents 1. Introduction... 3 2. Purpose... 3 3. Responsibilities... 3 3.1 All Staff and Volunteers...
More informationInformation leaflet about processing of personal data (
Information leaflet about processing of personal data (www.magyarfoldgazkereskedo.hu) In accordance with articles 13 and 14 of the regulation (EU) 2016/679 OF the European Parliament and of the Council
More informationThis guide is for informational purposes only. Please do not treat it as a substitute of a professional legal
What is GDPR? GDPR (General Data Protection Regulation) is Europe s new privacy law. Adopted in April 2016, it replaces the 1995 Data Protection Directive and marks the biggest change in data protection
More informationData Subject Access Request Form
Please read the Guidance Notes which accompany this form before completing the form. Please complete the form in block capitals. Please submit your completed request form as a secure email attachment to
More informationIdentity of the controller: CHARVAT CTS a.s., ID No.: , with the registered office at Okrinek 53, Podebrady, Czech Republic, Postcode
Dear all, Welcome to the website of CHARVÁT CTS a.s. We appreciate your interest in our company. Protection of personal data you share with us is our priority and we have taken all the steps for you to
More informationWhat You Need to Know About Addressing GDPR Data Subject Rights in Pivot
What You Need to Know About Addressing GDPR Data Subject Rights in Pivot Not Legal Advice This document is provided for informational purposes only and must not be interpreted as legal advice or opinion.
More informationData Protection Policy
Data Protection Policy Data Protection Policy Version 3.00 May 2018 For more information, please contact: Technical Team T: 01903 228100 / 01903 550242 E: info@24x.com Page 1 The Data Protection Law...
More informationIn this data protection declaration, we use, inter alia, the following terms:
Privacy Policy We are very delighted that you have shown interest in our enterprise. Data protection is of a particularly high priority for the management of Z&J Technologies GmbH. The use of the Internet
More informationData Protection. Code of Conduct for Cloud Infrastructure Service Providers
Data Protection Code of Conduct for Cloud Infrastructure Service Providers 27 JANUARY 2017 Introduction... 3 1 Structure of the Code... 5 2 Purpose... 6 3 Scope... 7 4 Data Protection Requirements... 9
More informationArkadin Data protection & privacy white paper. Version May 2018
Arkadin Data protection & privacy white paper Version May 2018 Table of Contents 1- About Arkadin 4 2- Objectives 6 3- What does the GDPR cover? 8 4- What does the GDPR require? 10 5- Who are the data
More informationData Privacy Policy. of Eisenmann Übersetzungsteam - Suzanne Eisenmann - translation team
Data Privacy Policy of Eisenmann Übersetzungsteam - Suzanne Eisenmann - translation team We are delighted that you have shown interest in our enterprise. Data protection is of a particularly high priority
More informationLegal basis of processing. Place MODE AND PLACE OF PROCESSING THE DATA
Privacy Policy of www.florence-apartments.net This Application collects some Personal Data from its Users. Owner and Data Controller Florence Apartments Sas - via Curtatone, 2-50123 Firenze Owner contact
More informationPersonal Data Protection Policy
PALEOLOGOS S.A. Personal Data Protection Policy Date of entry into force of this policy May 17, 2018 The primary objective of this policy is to provide general guidelines regarding the protection of Personal
More informationDISCLOSURE PURSUANT TO ART. 13 EU REGULATION No. 2016/679 (GDPR) Customers and prospects
DISCLOSURE PURSUANT TO ART. 13 EU REGULATION No. 2016/679 (GDPR) Customers and prospects The company SORMA S.p.A., with registered office in Mestre (VE), 30174, Via Don Tosatto, no. 8, as the data controller
More informationGeneral Data Protection Regulation (GDPR) - A CANDDi perspective
General Data Protection Regulation (GDPR) - A CANDDi perspective 1 - Summary With General Data Protection Regulation less than 12 months away there is a legal requirement for all businesses to have taken
More informationPrivacy policy SIdP website EU 2016/679
Privacy policy SIdP website EU 2016/679 Categories of data subjects: Website users and users of the members-only area Update of the privacy policy: 30/08/2018 The present document contains the information
More informationPrivacy Policy. 1. Definitions
Privacy Policy We are very delighted that you have shown interest in our enterprise. Data protection is of a particularly high priority for the management of the Austro Control. The use of the Internet
More informationData subject ( Customer or Data subject ): individual to whom personal data relates.
Privacy Policy 1. Information on the processing of personal data We hereby inform you in this document about the principles and procedures for processing your personal data and your rights, in accordance
More informationIt is the policy of DMNS Networks PTE LTD (the Company ) to protect the privacy of the users of our Website and Services.
Privacy Policy It is the policy of DMNS Networks PTE LTD (the Company ) to protect the privacy of the users of our Website and Services. The use of our Website is possible without any indication of your
More informationINFORMATION NOTE ON DATA PROCESSING
INFORMATION NOTE ON DATA PROCESSING Online contact Name and contact details of the Data Controller and the representative of the Data Controller Name of the Data Controller: Head office: Correspondence
More informationINFORMATION ON THE PROCESSING OF PERSONAL DATA. (to be inserted in the link at the bottom of the page "privacy policy")
INFORMATION ON THE PROCESSING OF PERSONAL DATA (to be inserted in the link at the bottom of the page "privacy policy") Pra'delle Torri S.r.l. Holiday Centre with head office at Viale Altanea 201 - Pra'
More informationTHE NEW GENERAL DATA PROTECTION REGULATION IMPLICATIONS FOR ENTERPRISES. Forum financier du Brabant wallon
THE NEW GENERAL DATA PROTECTION REGULATION IMPLICATIONS FOR ENTERPRISES Forum financier du Brabant wallon 14.12.2017 Data Protection should be part of every company s or organisation s DNA Do you process
More informationGeneral Data Protection Regulation (GDPR) Key Facts & FAQ s
General Data Protection Regulation (GDPR) Key Facts & FAQ s GDPR comes into force on 25 May 2018 GDPR replaces the Data Protection Act 1998. The main principles are much the same as those in the current
More informationUWC International Data Protection Policy
UWC International Data Protection Policy 1. Introduction This policy sets out UWC International s organisational approach to data protection. UWC International is committed to protecting the privacy of
More informationOnline Ad-hoc Privacy Notice
Online Ad-hoc Privacy Notice Last revised: 24 May 2018 Table of contents 1 About us and our Surveys... 2 2 What is personal data?... 2 3 Use of personal data... 2 3.1 Categories of personal data that are
More informationToucan Telemarketing Ltd.
Toucan Telemarketing Ltd. GDPR Data Protection Policy Introduction Toucan Telemarketing is committed to protecting the rights and freedoms of data subjects and safely and securely processing their data
More informationPrivacy Policy November 30th, 2017
Privacy Policy November 30th, 2017 THIS PAGE INTENTIONALLY LEFT BLANK Table of Contents 1 PREFACE 4 2 DEFINITIONS 4 3 NAME AND ADDRESS OF THE CONTROLLER 6 4 COOKIES 6 5 COLLECTION OF GENERAL DATA AND INFORMATION
More informationPrivacy Statement for Use of the Certification Service of Swisscom (sales name: "All-in Signing Service")
Swisscom (sales name: "All-in Signing Service") General Privacy is a matter of trust, and your trust is important to us. Handling personal data in a responsible and legally compliant manner is a top priority
More informationCEM Benchmarking Privacy Policy
CEM Benchmarking Privacy Policy Final Draft: 18/05/18 Next Review Date: 22/05/19 Page 1 Contents Page 1 Outline 3 2 Categories of personal data 3 3 Sources of personal data 3 4 Purposes 4 5 Lawful basis
More informationIn compliance with the requirements of the EU General Data Protection Regulation (GDPR, Articles 13, 14 and 30)
3UAS-libraries Privacy Notice for customer information In compliance with the requirements of the EU General Data Protection Regulation (GDPR, Articles 13, 14 and 30) Created on: 15.03.2019 1. Controllers
More informationIn this data protection declaration, we use, inter alia, the following terms:
Privacy Policy We are very delighted that you have shown interest in our enterprise. Data protection is of a particularly high priority for the management of the Hotel Arnika. The use of the Internet pages
More informationHaaga-Helia University of Applied Sciences Privacy Notice for the Laura Recruitment Service
Haaga-Helia University of Applied Sciences Privacy Notice for the Laura Recruitment Service In compliance with the requirements of the EU General Data Protection Regulation (GDPR, Articles 13, 14 and 30)
More informationData Processing Clauses
Data Processing Clauses The examples of processing clauses below are proposed pending the adoption of standard contractual clauses within the meaning of Article 28.8 of general data protection regulation.
More informationSketching for UX Designers Website & Newsletter Privacy Policy
Sketching for UX Designers Website & Newsletter Privacy Policy Summary This summary points out the most important parts of the Sketching for UX Designers (www.sketchingforux.com) Privacy Policy. In an
More informationGDPR Data Protection Policy
GDPR Data Protection Policy Volleyball England 2018 VE Data Protection Policy May 2018 Page 1 GDPR Data Protection Policy 1. Introduction This Policy sets how the English Volleyball Association Limited
More informationPersonal Data collected for the following purposes and using the following services:
PRIVACY POLICY www.marquise-tech.com This Website collects some Personal Data from its Users. POLICY SUMMARY Personal Data collected for the following purposes and using the following services: Contacting
More informationHaaga-Helia University of Applied Sciences Privacy Notice for Urkund Plagiarism Detection Software
Haaga-Helia University of Applied Sciences Privacy Notice for Urkund Plagiarism Detection Software In compliance with the requirements of the EU General Data Protection Regulation (GDPR, Articles 13, 14
More informationINFORMATIVE NOTICE ON PERSONAL DATA PROCESSING
INFORMATIVE NOTICE ON PERSONAL DATA PROCESSING Re: Informative notice on data processing pursuant to Art. 13 of Legislative Decree 196/2003 as amended, to Art. 13 of EU Regulation 2016/679 and to Italian
More informationPrivacy Policy. As of May 7, 2018
Privacy Policy As of May 7, 2018 We are delighted that you have shown interest in our Website, located at , (the Website ), which is Ubex AI AG (the Company ). Data protection is
More informationSaba Hosted Customer Privacy Policy
Saba Hosted Customer Privacy Policy Last Revised 23 May 2018 1. Introduction Saba is committed to protecting information which can be used to directly or indirectly identify an individual ( personal data
More informationGDPR RECRUITMENT POLICY
> General characteristics Company Credendo Export Credit Agency Date 12/12/2018 Version 1.2 Classification Public Status Final Document reference GDPR Recruitment Policy Revision frequency Ad hoc Document
More informationContributed by Djingov, Gouginski, Kyutchukov & Velichkov
Contributed by Djingov, Gouginski, Kyutchukov & Velichkov General I Data Protection Laws National Legislation General data protection laws The Personal Data Protection Act implemented the Data Protection
More informationGDPR data subject rights
data subject rights Date: February 2018 Author: Information compliance team (EP) Version: 0.1 (draft, awaiting final version of Data Protection Bill) Classification: Open gives people certain rights in
More informationIn this data protection declaration, we use the following terms: a.) Personal data
GDPR POLICY Overview Data protection is of highest priority for us. The use of our website is possible without any indication of personal data; however, if a data subject wants to use special enterprise
More information1 About GfK and the Survey What are personal data? Use of personal data How we share personal data... 3
Privacy Notice For ad-hoc CAWI (without target list) V1.0 June 4, 2018 Contents 1 About GfK and the Survey... 2 2 What are personal data?... 2 3 Use of personal data... 2 4 How we share personal data...
More informationPRIVACY NOTICE (TIER 4)
Page: 1 of 6 1. Scope All data subjects whose personal data is collected, in line with the requirements of the GDPR. 2. Responsibilities 2.1 The Data Protection Officer / GDPR Owner is responsible for
More informationName: Aho Terhi Title: ecommerce Manager. Phone: terhi.aho(at)finavia.fi Name: Närvänen Carita Title: Development Manager
PRIVACY POLICY Date: 19 June, 2018 (translated from last revised Finnish version) EU General Data Protection Regulation, articles 13 and 14 1. Data controller Finavia Corporation Business ID: 2302570-2
More informationData processing policy
Data processing policy MBM Adventures Kft. Data protection policy I. The data controller and his/her availabilities MBM Adventures Kft (registered seat: 1068 Budapest, Király utca 80, website: www.mbmadventures.com,
More informationData Processing Agreement
Data Processing Agreement Merchant (the "Data Controller") and Nets (the "Data Processor") (separately referred to as a Party and collectively the Parties ) have concluded this DATA PROCESSING AGREEMENT
More informationPrivacy Notices under #GDPR: Have you noticed my notice?
Privacy Notices under #GDPR: Have you noticed my notice? As you all know by now the General Data Protection Regulation (GDPR) is here and it is (as predicted) starting to get various people fired up ready
More informationUniversal Robots A/S, Energivej 25, 5220 Odense, Denmark
Privacy Policy of Universal Robots Privacy Policy applies for This Privacy Policy applies for the Personal Data Universal Robots collects about individuals, customers,, suppliers (including third party
More informationPS Mailing Services Ltd Data Protection Policy May 2018
PS Mailing Services Ltd Data Protection Policy May 2018 PS Mailing Services Limited is a registered data controller: ICO registration no. Z9106387 (www.ico.org.uk 1. Introduction 1.1. Background We collect
More informationPRIVACY POLICY SECTION 1 CONTACTS
PRIVACY POLICY SECTION 1 CONTACTS Topics related to personal data collection and processing are the responsibility of the Person in Charge for Personal Data Processing. Any communication on this topic
More informationPRIVACY POLICY FOR WEB AND ONLINE TRADING PLATFORM
1348009.9 PRIVACY POLICY FOR WEB AND ONLINE TRADING PLATFORM Why does CellMark have a privacy policy? CellMark AB ( CellMark or we ) cares about your privacy. Therefore, we always strive to protect your
More informationEU GDPR and . The complete text of the EU GDPR can be found at What is GDPR?
EU GDPR and Email The EU General Data Protection Regulation (GDPR) is the new legal framework governing the use of the personal data of European Union (EU) citizens across all EU markets. It replaces existing
More informationSCHOOL SUPPLIERS. What schools should be asking!
SCHOOL SUPPLIERS What schools should be asking! Page:1 School supplier compliance The General Data Protection Regulation (GDPR) comes into force on 25 May 2018 and will be applied into UK law via the updated
More informationGLOBAL DATA PROTECTION POLICY
GLOBAL DATA PROTECTION POLICY BRS UK Version 1.0 TABLE OF CONTENTS SCOPE 2 COLLECTION AND PROCESSING USE OF YOUR PERSONAL DATA 2 Compliance with the European data protection law and any additional applicable
More informationData Protection Policy
Data Protection Policy Introduction Stewart Watt & Co. is law firm and provides legal advice and assistance to its clients. It is regulated by the Law Society of Scotland. The personal data that Stewart
More informationRights of data subjects
Rights of data subjects This document provides more detailed information about the rights that the General Data Protection Regulation endows on data subjects regarding their data and that are to be respected
More informationThis Privacy Policy applies to all clients of Laura Turini Esq. s Studio Legale and of Studio Brevetti
Privacy Policy for clients and those contacting us This Privacy Policy applies to all clients of Laura Turini Esq. s Studio Legale and of Studio Brevetti Turini S.r.l. and also to all users of the websites
More informationPrivacy Statement for Use of the Trust Service of Swisscom IT Services Finance S.E., Austria
Privacy Statement for Use of the Trust Service of Swisscom IT Services Finance S.E., Austria General Privacy is a matter of trust, and your trust is important to us. Handling personal data in a responsible
More informationImplementing the new GDPR: what does it mean for Universities?
Implementing the new GDPR: what does it mean for Universities? Case study Alumni Portal Cosimo Monda Director - European Centre on Privacy and Cybersecurity Maastricht University Twitter: @ecpcmaastricht
More informationHaaga-Helia University of Applied Sciences Privacy Notice for JUSTUS publication data storage service
Haaga-Helia University of Applied Sciences Privacy Notice for JUSTUS publication data storage service In compliance with the requirements of the EU General Data Protection Regulation (GDPR, Articles 13,
More informationThis Privacy Statement applies to data processing carried out by:
I. Name and Contact Details of the Data Controller This Privacy Statement applies to data processing carried out by: Data Controller: Rand Refinery P.O. Box 565, Germiston 1400, South Africa Tel.: +27
More informationData Processing Agreement
In accordance with the European Parliament- and Council s Directive (EU) 2016/679 of 27th April 2016 (hereinafter GDPR) on the protection of physical persons in connection with the processing of personal
More informationMore detailed information, including the information about your rights is available below.
Depending on the content of the correspondence, your data will be processed for the purposes of conclusion and performance of the agreement to which you are a party, to fulfil the legal obligation of the
More informationInformation Resources, Inc. ( IRI ) Global Privacy Policy Part I. May 25, 2018 Version 0.1 Chief Privacy Officer / Data Protection Steering Committee
Information Resources, Inc. ( IRI ) Global Privacy Policy Part I May 25, 2018 Version 0.1 Chief Privacy Officer / Data Protection Steering Committee 1 Table of contents 1. Purpose... 3 2. Message from
More informationDATA PROTECTION IN RESEARCH
DATA PROTECTION IN RESEARCH Document control Applicable to: All employees and research students Date first approved February 2006 Date first amended May 2015 Date last amended May 2015 Approved by Approval
More informationWE ARE COMMITTED TO PROTECTING YOUR PERSONAL DATA
WE ARE COMMITTED TO PROTECTING YOUR PERSONAL DATA In accordance with the new Regulation (EU) 2016/679 on the protection of personal data (GDPR), we ask you to give your consent on the use of Cookies, for
More informationINFORMATION MEMORANDUM ON DATA PROCESSING
INFORMATION MEMORANDUM ON DATA PROCESSING Dear customers and business partners, the document you are reading contains basic information about the way how we process your personal data. We appreciate the
More informationGDPR and the Privacy Shield
GDPR and the Privacy Shield Mark Prinsley Partner +44 20 3130 3900 mprinsley@mayerbrown.com Kendall Burman Counsel + 202 263 3210 kburman@mayerbrown.com Speakers Kendall Burman Counsel Washington DC Mark
More informationEU GDPR: The General Data Protection Regulation
EU GDPR: The General Data Protection Regulation A Brief Overview Duke Privacy The General Data Protection Regulation Became effective May 25, 2018. Formally codifies privacy as a fundamental right and
More information