General Legal Requirements under the Act and Relevant Subsidiary Legislations. Personal data shall only be processed for purpose of the followings:

Similar documents
UWC International Data Protection Policy

DATA PROTECTION IN RESEARCH

Guardian Electrical Compliance Ltd DATA PROTECTION GDPR REGULATIONS POLICY

Exercising Your Data Access Rights under the Personal Data (Privacy) Ordinance (Frequently Asked Questions and Answers)

Subject: Kier Group plc Data Protection Policy

The British Museum. Data Protection Code of Practise. 1 Introduction

Cayman Islands Data Protection Law Guide Book

Motorola Mobility Binding Corporate Rules (BCRs)

Data Protection Policy

DEPARTMENT OF JUSTICE AND EQUALITY. Data Protection Policy

Rights of Individuals under the General Data Protection Regulation

UWTSD Group Data Protection Policy

Introduction to the Personal Data (Privacy) Ordinance

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

PRIVACY POLICY PRIVACY POLICY

Data Protection Policy

Islam21c.com Data Protection and Privacy Policy

DATA PROTECTION POLICY THE HOLST GROUP

VIACOM INC. PRIVACY SHIELD PRIVACY POLICY

Privacy and Data Protection Policy

Introduction to the Personal Data (Privacy) Ordinance

Privacy Policy... 1 EU-U.S. Privacy Shield Policy... 2

University Privacy Campaign. Introduction to the Personal Data (Privacy) Ordinance

Introduction to the Personal Data (Privacy) Ordinance

Access Rights and Responsibilities. A guide for Individuals and Organisations

Technical Requirements of the GDPR

ACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION

1 Privacy Statement INDEX

Privacy Notice - General Data Protection Regulation ( GDPR )

Cognizant Careers Portal Privacy Policy ( Policy )

HF Markets SA (Pty) Ltd Protection of Personal Information Policy

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).

DCU Guide to Subject Access Requests. Under Irish Data Protection Legislation

RVC DATA PROTECTION POLICY

Data Protection Policy

TALENTUM Limited Liability Company PRIVACY NOTICE

PRIVACY NOTICE VOLUNTEER INFORMATION. Liverpool Women s NHS Foundation Trust

PRIVACY POLICY. 3.1 This policy does not apply to the collection, holding, use or disclosure of personal information that is an employee record.

Proper Handling of Data Access Request and Charging of Data Access Request Fee by Data Users 1

Introductory guide to data sharing. lewissilkin.com

HOW WE USE YOUR INFORMATION

DATA PROTECTION POLICY

Cognizant Careers Portal Terms of Use and Privacy Policy ( Policy )

HPE DATA PRIVACY AND SECURITY

DATA PROTECTION A GUIDE FOR USERS

Privacy Policy. This document describes the privacy policy of United TLD Holdco Ltd (T/A Rightside Registry).

Liechtenstein. General I Data Protection Laws. Contributed by Wanger Advokaturbüro. National Legislation. National Regulatory Authority.

Data Protection Policy

BRIDGEWATER SURGERIES. Privacy Notice

NWQ Capital Management Pty Ltd. Privacy Policy. March 2017 v2

KSi Malta Privacy Policy

HBW LAW LTD T/A HESELTINE BRAY & WELSH

ADMA Briefing Summary March

Learning Management System - Privacy Policy

Privacy Notice. General Information Protection Regulation ( GDPR )

Terms & Conditions. Privacy, Health & Copyright Policy

VISTRA (CYPRUS) LTD. PRIVACY NOTICE

Data Subject Access Request Form

General Data Protection Regulation (GDPR) Key Facts & FAQ s

SOUTHFIELD SCHOOL PROCEDURE FOR RECEIVING AND RESPONDING TO SUBJECT ACCESS REQUESTS

Privacy Policy. Company registry number: Budapest, Gönczy Pál utca em. Homepage: contact: Phone:

PRIVACY POLICY Last Updated May, 2018

Privacy Policy. Data Controller - the entity that determines the purposes, conditions and means of the processing of personal data

Vistra International Expansion Limited PRIVACY NOTICE

Within the meanings of applicable data protection law (in particular EU Regulation 2016/679, the GDPR ):

Online Ad-hoc Privacy Notice

PERSONAL DATA PROCESSING POLICY FOR SUPPLIER

Data Protection Policy

Contract Services Europe

Privacy Policy GENERAL

1 About GfK and the Survey What are personal data? Use of personal data How we share personal data... 3

Argyll Self Catering Privacy Statement 2018

Part B of this Policy sets out the rights that all individuals have in relation to the collection and use of your personal information

Polemic is a business involved in the collection of personal data in the course of its business activities and on behalf of its clients.

DATA PROTECTION ISACA MALTA CHAPTER BIENNIAL CONFERENCE Saviour Cachia Commissioner for Information and Data Protection

THE NEW GENERAL DATA PROTECTION REGULATION IMPLICATIONS FOR ENTERPRISES. Forum financier du Brabant wallon

If you have any questions about this notice, please contact the Head Master.

About Mark Bullock & Company Chartered Surveyors

CTI BioPharma Privacy Notice

Catalent Inc. Privacy Policy v.1 Effective Date: May 25, 2018 Page 1

NOTICE OF PERSONAL DATA PROCESSING

Rowing Canada Aviron. Online Registration System - Protection of Personal Privacy. Policy Statement

INNOVENT LEASING LIMITED. Privacy Notice

Data Protection. Guidance Notes

Website Privacy Policy

Secure Messaging Mobile App Privacy Policy. Privacy Policy Highlights

Xpress Super may collect and hold the following personal information about you: contact details including addresses and phone numbers;

Data Protection Policy

Privacy Policy CARGOWAYS Logistik & Transport GmbH

This Privacy Policy governs our processing of all personal data provided to us at Environmental Essentials in relation to our E-learning services.

GLOBAL DATA PROTECTION POLICY

Data Protection Policy

INFORMATION NOTE ON DATA PROCESSING

KIN GROUP PTY LTD PRIVACY POLICY

GDPR Data Protection Policy

Privacy Policy. In this data protection declaration, we use, inter alia, the following terms:

Index Introduction... 3

Baseline Information Security and Privacy Requirements for Suppliers

DATA PROCESSING AGREEMENT

Privacy Policy Wealth Elements Pty Ltd

Transcription:

General Legal Requirements regarding the Personal Data Protection ( PDP ) Principles under the PDP Act 2010 ( Act ) and the relevant Subsidiary Legislations PDP Principles General Principle Data users shall not process the personal data of data subject unless the data subject has given consent on the processing of the personal data, whereby: the consent from the data subject must be recorded and maintained properly; if the form of consent also concerns another matter, the requirement to obtain consent shall be presented distinguishable in its appearance; if the data subject is under the age of eighteen (18) years, consent must be obtained from parents, guardian or person who has parental responsibility on the data subject; and if the data subject is incapable of managing his own affairs, consent must be obtain from a person appointed by court to manage the affairs of the data subject or person authorized in writing by the data subject to act on his behalf Data users may process personal data about a data subject if the processing is necessary for the followings: (f) performance of contract to which the data subject is the party; taking steps at the request of the data subject with a view to enter into a contract; compliance with any legal obligation to which data user is the subject, other than obligation in a contract; protection of vital interests of data subject; administration of justice; and exercise of any functions conferred on any person by or under any law. Personal data shall only be processed for purpose of the followings: lawful purpose directly related to an activity of the data user; 1

processing of personal data is necessary for or directly related to that purpose; and personal data is adequate but not excessive in relation to that purpose. Sensitive Personal Data Sensitive personal data is defined as any personal data consisting of information as to the physical or mental health or condition of a data subject; his political opinions; his religious beliefs or other beliefs of a similar nature; the commission or alleged commission by him of any offence; or any other personal data as the Minister may determine by order published in the Gazette Sensitive personal data may only be processed under the following circumstances: explicit consent for the processing has been obtained from the date subject; the processing is necessary for the followings: (i) for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data user in connection with employment; (ii) in order to protect the vital interests of the data subject or another person, in a case where either consent cannot be given by or on behalf of the data subject or the data user cannot reasonably be expected to obtain the consent of the data subject; (iii) in order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld; (iv) for medical purposes and is undertaken by a healthcare professional or a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a healthcare professional; (v) for the purpose of, or in connection with, any legal proceedings; (vi) for the purpose of obtaining legal advice; 2

(vii) for the purposes of establishing, exercising or defending legal rights; (viii) for the administration of justice; (ix) for the exercise of any functions conferred on any person by or under any written law; (x) for any other purposes as the Minister thinks fit; or the information contained in the personal data has been made public as a result of steps deliberately taken by the data subject Notice and Choice Principle Data users shall inform the data subject via written notice regarding the followings: (f) (g) (h) personal data of the data subject is being processed by or on behalf of data user and also provide description of the personal data to the data subject; purpose for which the personal data is collected and further processed; information available to the data user as the source of personal data; data subject s right to request access and correction to the personal data and how to contact the data user with any inquiries or complaints in respect of the personal data; third party(ies) of which the data user had or may disclosed the personal data; choices and means the data user offers the data subject in limiting the process of personal data; whether it is obligatory or voluntary for the data subject to supply personal data; and consequences if the data subject fails to supply personal data when he is obligated to do so. The written notice shall be given as soon as practicable by the data user: when the data subject is first asked by the data user to provide the personal data; when the data user first collects the personal data of the data subject; or before the data user uses the personal data for a purpose other than the purpose for which the data was collected or discloses the personal data to third party. 3

The written notice shall be in English and national language and the data subject shall be provided with a clear and readily accessible means to exercise his choice. In order for the data subject to be able to request access and correction to the personal data kept by the data user, the data user shall at least provide the data subject with the details of the followings: designation of the contact person; phone number; fax number; email address; and such other related information. Disclosure Principle Personal data shall not be disclosed without the consent of the data subject, except for the purpose: for which the personal data was to be disclosed at the time of collection; directly related to the purpose mentioned in paragraph (i) above; or to any party other than a third party of the class of third parties listed in the written notice to the data subject. Personal data of a data subject may be disclosed by a data user for any purpose other than the purpose for which the personal data was to be disclosed at the time of its collection or any other purpose directly related to that purpose, only under the following circumstances: the data subject has given his consent to the disclosure; the disclosure: (i) is necessary for the purpose of preventing or detecting a crime, or for the purpose of investigations; or (ii) was required or authorized by or under any law or by the order of a court; 4

the data user acted in the reasonable belief that he had in law the right to disclose the personal data to the other person; the data user acted in the reasonable belief that he would have had the consent of the data subject if the data subject had known of the disclosing of the personal data and the circumstances of such disclosure; or the disclosure was justified as being in the public interest in circumstances as determined by the Minister. Data users shall keep and maintain a list of disclosure to third parties in relation to personal data of the subject data that has been or being processed by a third party. Security Principle When processing personal data, the data user shall take practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access, disclosure, alteration or destruction by considering the followings: nature of the personal data and the harm that would result from such loss, misuse, modification, unauthorized or accidental access, alteration or destruction; place or location where the personal data is stored; security measures incorporated into any equipment which the personal data is stored; measures taken in ensuring the reliability, integrity and competence of personnel having access to the personal data; and measures taken to ensure secure transfer of the personal data. When the processing of personal data is carried out by a data processer on behalf of the data user, the data user shall ensure that the data processor: provides sufficient guarantees in respect of technical and organizational security measures governing the processing to be carried out; and 5

takes reasonable steps to ensure compliance with those measures. Security Policy Data users shall develop and implement a security policy. Data users shall ensure the security policy complies with the security standard set out from time to time by the PDP Commissioner. Data users shall ensure that the security standard in the processing data be complied with by any data processor that carries out the processing of data on behalf of the data user. Retention Principle Personal data shall not be kept longer than necessary. The data user shall take all reasonable steps to ensure that all personal data is destroyed or permanently deleted if it no longer required. Retention standard Data users shall retain the personal data in accordance with the retention standard set out from time to time by the PDP Commissioner. Data Integrity Principle Data users shall take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up-to-date in relation to the purpose of collecting and further processing the personal data, including any directly related purpose. 6

Data integrity standard Data users shall process the personal data in accordance with the data integrity standard set out from time to time by the PDP Commissioner. Access Principle Data subjects shall be given access to his personal data held by the data user and be able to correct the personal data in the event that the personal data is inaccurate, incomplete, misleading or not up-to-date. The request to such access or correction shall be complied by the data user not later than twenty one (21) days upon receipt of such request. Upon receipt of a request for access or correction, data users shall acknowledge the receipt of such request. In the event that the data user could not comply with the request within the said period, the data user shall inform the data subject accordingly in writing before the expiration of the said period. However, the data user shall comply in whole with the request not later than fourteen (14) days after the expiration of the twenty one (21) days. The request for access can be refused on the following grounds: the data user is not supplied with such information as he may reasonably require in order to satisfy himself as to the identity of the requestor or where the requestor claims to be a relevant person, in order to satisfy himself: (i) as to the identity of the data subject in relation to whom the requestor claims to be the relevant person; and (ii) that the requestor is the relevant person in relation to the data subject; 7

the data user is not supplied with such information as he may reasonably require to locate the personal data to which the data access request relates; the burden or expense of providing access is disproportionate to the risks to the data subject s privacy in relation to the personal data in the case in question; the data user cannot comply with the data access request without disclosing personal data relating to another individual who can be identified from that information, unless that other individual has consented to the disclosure of the information to the requestor or it is reasonable in all the circumstances to comply with the data access request without the consent of the other individual; any other data user controls the processing of the personal data to which the data access request relates in such a way as to prohibit the first-mentioned data user from complying, whether in whole or in part, with the data access request; (f) providing access would constitute a violation of an order of a court; (g) providing access would disclose confidential commercial information; or (h) such access to personal data is regulated by another law. The request for corrections can be refused on the following grounds: the data user is not supplied with such information as he may reasonably require in order to satisfy himself as to the identity of the requestor or where the requestor claims to be a relevant person, in order to satisfy himself: (i) as to the identity of the data subject in relation to whom the requestor claims to be the relevant person; and (ii) that the requestor is the relevant person in relation to the data subject; the data user is not supplied with such information as he may reasonably require to ascertain in what way the personal data to which the data correction request relates is inaccurate, incomplete, misleading or not up-to-date; he data user is not satisfied that the personal data to which the data correction request relates is inaccurate, incomplete, misleading or not up-to-date; he data user is not satisfied that the correction which is the subject of the data correction request is accurate, complete, not misleading or up-to-date; or 8

any other data user controls the processing of the personal data to which the data correction request relates in such a way as to prohibit the first-mentioned data user from complying, whether in whole or in part, with the data correction request. The term such information as he may reasonably require means the name, identification card number, address and such other information as the PDP Commissioner may determine. 9

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback