Data Protection in Switzerland Update Following the Safe Harbor Decision. 21 October 2015 / 6 February 2016 Christian Wyss


Agenda
- Data Protection in Switzerland
- The Safe Harbor Decision
- How to Restore Compliance?
- What's next? EU Data Protection Regulation
- Questions & Answers

Personal Data
- All information relating to an identified or identifiable person.
- "Person" means natural or legal persons (this is different in most EU Member States).
- Data irrevocably made anonymous does not constitute personal data.

Sensitive Personal Data
- religious, ideological, political or trade union-related views or activities
- health, intimate sphere or racial origin
- social security
- administrative or criminal proceedings/sanctions
NOT SENSITIVE: income, net worth, financial statements, trade secrets

Personality Profile
A collection of data that permits an assessment of essential characteristics of the personality of a natural person.

Principles of Data Processing (1/2)
- Legality: All processing of data must be undertaken in a lawful manner, i.e. in compliance with the Swiss Data Protection Act. Data must not be collected unlawfully, e.g. by fraud, deceit, or violence.
- Transparency: All data must be processed in good faith. Therefore, any person whose data is processed needs to know whether, to what extent, and for what purpose the personal data is used.
- Appropriation: Personal data may only be processed for purposes indicated at the time of collection, evident from the circumstances, or that are provided for by law.

Principles of Data Processing (2/2)
- Reasonableness: Data processing and access to data must be limited to the extent necessary to accomplish the purpose. Data no longer needed for the purpose shall be deleted, or stored separately if necessary to comply with record-keeping obligations.
- Accuracy: Data processors must ensure that their data is correct and up to date. Wrong data must be revised. Any data subject may ask that wrong data be rectified.
- Data Security: Personal data must be protected against unauthorized processing by appropriate organizational and technical means.

Two Streams to Ensure Compliance
Stream 1: Transfer to Third Parties or Processing of Sensitive Data or Personality Profiles
- Internal Data Protection Officer (more than 900 Swiss companies), or
- Register databases with Swiss Federal Data Protection Commissioner
Stream 2: Transfer Abroad
- Transfer to EU countries
- Transfer to EU countries and then to other countries
- Transfer to other countries
  - specific consent, or
  - Data Transfer Agreements, or
  - Binding Corporate Rules

Safe Harbor Decision (1/3)
http://curia.europa.eu/juris/document/document.jsf;jsessionid=9ea7d2dc30dd033c1f3f50e84186b1029997aff2d16e.e34kaxilc3qmb40rch0saxurbxn0?text=&docid=169195&pageindex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=478537
- Data Protection Directive EC 95/46: Transfer abroad only to countries with adequate level of protection.
- United States: No comprehensive data protection laws, but specific areas of protection (financial data, health data, minors, spam e-mails etc.).
- Safe Harbor: US recipient deemed located in country with adequate level of protection.
- Safe Harbor provides for carve-out for national security and public interest, but was adopted before 9/11.

Safe Harbor Decision (2/3)
- Maximilian Schrems, an Austrian law student, contracted with Facebook Ireland, a subsidiary of Facebook, Inc., to use Facebook (like millions of other European users).
- January to June 2013: Edward Snowden leaks secret information from the US National Security Agency.
- 25 June 2013: Schrems complained to the Irish Data Protection Commissioner: Facebook does not protect my data from access by US government entities.
- Commissioner relied on Safe Harbor and refused to investigate.

Safe Harbor Decision (3/3)
- High Court asked the CJEU whether the EU Commission Decision 2000/520 regarding the Safe Harbor is binding.
- CJEU:
  (1) National data protection authorities are responsible for monitoring, with complete independence, compliance with EU rules on the protection of individuals with regard to the processing of such data.
  (2) Commission Decision 2000/520 is invalid, mainly because it did not adequately consider European citizens' fundamental rights (Charter of Fundamental Rights of the European Union, Article 7 Respect for private and family life, Article 8 Protection of personal data).

How to Restore Compliance
- Identify relevant U.S. companies in the Safe Harbor Framework: http://safeharbor.export.gov/list.aspx
- Enter into Data Transfer Agreements (by end of January 2016)
  - EU Standard Model Clauses
  - Swiss Model Data Transfer Agreement
- Binding Corporate Rules
- Specific Consent for each Transfer
- Redirect Data Transfers from EU to US via Switzerland?

How to Restore Compliance
The Swiss Federal Data Protection Commissioner requires that data subjects be informed about potential data access by US government institutions:

"When transferring data to the United States, we use all required mechanisms to ensure compliance with Swiss and European data protection laws. Where US law imposes a conflicting obligation, however, US organizations must comply with the law. Thus, United States public authorities such as the NSA, the FBI or other federal agencies might access your data in the course of intelligence collection, surveillance, law enforcement, or other programs in excess of what would be allowed under Swiss and European data protection laws. Also, many safeguards that are provided under US law are mostly available to US citizens or legal residents only."

The legality and reasonableness of this requirement are questionable, though.

EU-US Privacy Shield (Update February 2016)
- New framework for transatlantic data flows replacing the Safe Harbor, which will protect the fundamental rights of EU citizens when their personal data is transferred to U.S. companies
- Access of U.S. authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms
- Details have not yet been published
- Next steps: EU Commission to draft adequacy decision, Article 29 Working Party and Member States Committee to review

EU Data Protection Regulation
http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf

EU Data Protection Regulation
- Draft I: January 2012, EU Commission presents Draft Regulation Proposal
- Draft II: March 2014, EU Parliament adopts draft Data Protection Regulation
- Draft III: June 2015, EU Council approves amended draft Data Protection Regulation

EU Data Protection Regulation
- 24 June 2015: Kick-off trilogue meeting of Commission, Parliament and Council, aimed at finding a compromise by end of 2015
- 14 July 2015: Second trilogue meeting
- 2016: Possible compromise on draft regulation by trilogue meeting
- 2018: Expected entry into force of Data Protection Regulation
Safe Harbor Decision will likely delay the process.

EU Data Protection Regulation
- One binding regulation directly enforceable in all EU Member States; national rules on employee data protection may survive
- New category: Pseudonymous data
- More stringent regime for processing sensitive data and personality profiles; genetic data will be considered sensitive
- Higher threshold for showing legitimate grounds for data processing
- New rights of data portability, right to be forgotten
- Heavier fines of 2% of annual worldwide turnover
- Data Security Breach Notification

Contact Details
Christian Wyss, Partner
lic. iur., LL.M., Attorney at Law
VISCHER AG
Aeschenvorstadt 4, 4010 Basel, Switzerland
cwyss@vischer.com
+41 58 211 33 39

Thank you.
Zürich: Schützengasse 1, Postfach 1230, CH-8021 Zürich, Tel +41 58 211 34 00, Fax +41 58 211 34 10
Basel: Aeschenvorstadt 4, Postfach 526, CH-4010 Basel, Tel +41 58 211 33 00, Fax +41 58 211 33 10