1 / 31

EU Data Privacy Essentials

EU Data Privacy Essentials. Welcome. This training course was developed by WeComply , a leading provider of ethics and compliance training since 1999. The course is also available online from any Internet-connected computer.

lgurley
Télécharger la présentation

EU Data Privacy Essentials

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. EU Data Privacy Essentials

  2. Welcome This training course was developed by WeComply, a leading provider of ethics and compliance training since 1999. The course is also available online from any Internet-connected computer. WeComply offers 60+ courses on a wide range of business ethics and compliance topics. Each course helps employees spot key compliance issues and respond appropriately. This course is designed and licensed for classroom use in parallel with WeComply's online course on the same topic. This course may not be hosted on a learning management system or distributed to employees individually by electronic or other means without WeComply's prior authorization. For more information about this course or others, whether for classroom use or online access, please e-mail info@wecomply.com or call 1-866-WeComply.

  3. Memorandum Thank you for taking the time to participate in our EU Data Privacy Essentials training course. This 35-minute course will explain the laws and regulations regarding the collection, storage, use and other processing of personal data within the EU. Keep in mind that this material is provided for informational purposes only and is not intended as legal advice. If you have any questions regarding our privacy or security practices or would like to report a possible violation, please contact your supervisor. 1 of 26

  4. Overview As individuals we regularly disclose personal data Public and private entities collect and process this data for many legitimate purposes Under EU law, we have the right to expect that our data— • Will not be used for purposes we did not originally intend • Will not be passed on to other than chosen entities Those who collect and process personal data must do so under strict conditions and only for legitimate purposes Individuals may complain and obtain redress for misuse of their data anywhere in EU Violators face significant legal actions and penalties 2 of 26

  5. Commitment to Compliance Our organisation is committed to complying with EU data privacy laws and regulations All employees who input, access or disclose personal data need to understand how to handle that information Consequences of failure to comply: • Administrative, civil or criminal proceedings against the organisation • Suspension or blocking of transfers of information • Lawsuits brought by individuals whose privacy rights have been violated • Losses of reputation, employee morale, retention and recruitment, and employee/customer goodwill 3 of 26

  6. EU Data Privacy Data privacy laws in the EU — • Regulate the online and offline processing of personal data • Apply to every organisation that collects and uses personal information in EU Laws are intended to — • Impose restrictions on the processing of personal data within EU • Impose even tighter restrictions on processing of sensitive data • Prohibit transfers of personal data outside EU absent privacy protections and safeguards "Personal data" covers all information related to identified/identifiable individual "Processing" covers all forms of collecting, storing, transmitting and using personal data 4 of 26

  7. The Directive Data Protection Directive contains framework of data privacy laws Each EU Member State has national law implementing Directive Data processors must — • Collect and process personal data only when there is a legal basis for doing so • Process data with Directive's privacy protections and safeguards • Transfer personal data outside EU only to those providing adequate protections and safeguards • Respond to complaints regarding breaches • Collaborate with national data protection supervisory authorities 5 of 26

  8. The Directive (Cont’d) Data Protection Directive contains framework of data privacy laws Each EU Member State has national law implementing Directive Data processors must — • Collect and process personal data only when there is a legal basis for doing so • Process data with Directive's privacy protections and safeguards • Transfer personal data outside EU only to those providing adequate protections and safeguards • Respond to complaints regarding breaches • Collaborate with national data protection supervisory authorities 6 of 26

  9. FAQs Data Controllers, Processors and Subjects The Directive uses these terms to refer to the parties involved in data-processing transactions: • Data Controllers are the people or entities that collect and process personal data. For example, a medical practitioner is typically the controller of his or her patients' data, a company is the controller of its clients' and employees' data, and a library is the controller of its borrowers' data. • Data Processors are service providers and other third parties that process personal data on behalf of another organisation. Payroll-processing companies and IT service providers are typical types of data processors. • Data Subjects are the identified or identifiable people to whom specific personal data relates. We are all data subjects to one degree or another. 7 of 26

  10. Legal Bases Directive permits collection, storage, use and other processing of personal data only if one of these circumstances applies: • Data subject has unambiguously given consent • Processing is required by contract • Processing is required by a legal obligation • Processing is necessary to protect vital interests of data subject • Processing is necessary to perform tasks of public interest or tasks carried out by public body Directive provides exemption for data used solely for journalistic purposes or for artistic or literary expression 8 of 26

  11. Legal Bases (Cont’d) Directive permits collection, storage, use and other processing of personal data only if one of these circumstances applies: • Data subject has unambiguously given consent • Processing is required by contract • Processing is required by a legal obligation • Processing is necessary to protect vital interests of data subject • Processing is necessary to perform tasks of public interest or tasks carried out by public body Directive provides exemption for data used solely for journalistic purposes or for artistic or literary expression 9 of 26

  12. Please Note… Limits on What Data May Be Processed The Directive prohibits the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of any data concerning one's health or sex life unless one of the exception criteria is met. 10 of 26

  13. Processing Personal Data Requirements for processing personal data: • Must be collected only for explicit and legitimate purposes and processed legally and fairly • Must be relevant and not excessive • Must be accurate and updated as necessary • Subjects must be able to rectify, remove or block incorrect data • Must not be kept longer than necessary • Must be appropriately protected against destruction, loss, alteration and disclosure 11 of 26

  14. Notice Requirements Data controllers must provide data subjects with — • Identity of data controller • Data collected and purpose(s) for collection • Processing of data within EU countries • Transfer of data to non-EU countries and degree of protection provided by recipient • Category of individuals with access to data • Rights to access and correct data • Information about Internet "cookies" In most Member States, notice may be provided electronically 12 of 26

  15. Access Directive requires data controllers to have written contracts with all data processors All Member States require contracts to include — • Agreement on conditions for processing data • Express undertaking by data processor to implement protective measures • Mechanism for verifying that data processor complied with contractual duties Other requirements vary significantly among Member States 13 of 26

  16. Handling Sensitive Data Special restrictions on handling of "sensitive data" • Health information • Racial or ethnic origin • Political opinions or religious/philosophical beliefs • Trade-union membership • Data on one's sex life Sensitive data may not be processed without explicit opt-in consent • Consent not required if processing is necessary for establishing legal claims, absent "overriding privacy interest" Processing of sensitive data may also require prior approval from national Data Protection Authorities 14 of 26

  17. Other Rights and Duties Registration • Directive requires data controllers to register with national DPA before processing personal data • Member States have implemented in different ways Access Rights • Data controllers must allow data subjects to request/correct data • Data controller may refuse request only if data subject recently made similar request Right to Object • Individuals may object to any processing of personal data "on compelling legitimate grounds" • Scope of this right is matter of national law 15 of 26

  18. Other Rights and Duties (Cont’d) Registration • Directive requires data controllers to register with national DPA before processing personal data • Member States have implemented in different ways Access Rights • Data controllers must allow data subjects to request/correct data • Data controller may refuse request only if data subject recently made similar request Right to Object • Individuals may object to any processing of personal data "on compelling legitimate grounds" • Scope of this right is matter of national law 16 of 26

  19. Transferring Personal Data Transfer of personal data is considered legitimate under Directive only if it is — • Within boundaries of EU, Iceland, Liechtenstein and Norway • To recipients providing "adequate data protection" • Those in Andorra, Argentina, the Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, Switzerland and Uruguay • Participants in U.S. Safe Harbor Framework • To recipients with "adequate safeguards" at time of transfer • Pursuant to several narrow exemptions from data-transfer requirements 17 of 26

  20. Transferring Personal Data (Cont’d) Transfer of personal data is considered legitimate under Directive only if it is — • Within boundaries of EU, Iceland, Liechtenstein and Norway • To recipients providing "adequate data protection" • Those in Andorra, Argentina, the Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, Switzerland and Uruguay • Participants in U.S. Safe Harbor Framework • To recipients with "adequate safeguards" at time of transfer • Pursuant to several narrow exemptions from data-transfer requirements 18 of 26

  21. Handling Complaints Data subjects may request that data controller remedy situation Those who do not receive adequate answer from data controller may file complaint with national DPA Data controllers must — • Respond to all complaints of misuse of data under their control • Investigate complaints and redress legitimate grievances If personal data is inaccurate or unlawfully obtained, data subjects may — • Demand that data controllers correct, block or erase it • Demand that data controller notify those who have seen it 19 of 26

  22. Handling Complaints (Cont’d) Data subjects may request that data controller remedy situation Those who do not receive adequate answer from data controller may file complaint with national DPA Data controllers must — • Respond to all complaints of misuse of data under their control • Investigate complaints and redress legitimate grievances If personal data is inaccurate or unlawfully obtained, data subjects may — • Demand that data controllers correct, block or erase it • Demand that data controller notify those who have seen it 20 of 26

  23. Compliance Guidelines Reduce risk of regulatory action by — • Understanding what personal data we collect and process, and to whom we disclose it • Obtaining consent to process sensitive data • Reviewing contracts with data processors • Determining whether laws of Member State require us to register with privacy regulators • Responding promptly to requests for access/correction • Ensuring that personal data is secure and handled only by trained personnel • Monitoring new developments and adjusting procedures accordingly 21 of 26

  24. Looking Ahead... European Commission currently is reviewing general EU legal framework on protection of personal data Policy objectives: • Modernise EU legal system for protection of personal data • Strengthen individuals' rights while reducing administrative formalities to ensure free flow of personal data • Improve clarity and coherence of EU rules for personal data protection Commission proposed its reforms in January 2012 • Proposal will be considered by European Parliament and EU Member States • If adopted, will take effect two years from date of adoption 22 of 26

  25. Looking Ahead... (Cont’d) European Commission currently is reviewing general EU legal framework on protection of personal data Policy objectives: • Modernise EU legal system for protection of personal data • Strengthen individuals' rights while reducing administrative formalities to ensure free flow of personal data • Improve clarity and coherence of EU rules for personal data protection Commission proposed its reforms in January 2012 • Proposal will be considered by European Parliament and EU Member States • If adopted, will take effect two years from date of adoption 23 of 26

  26. Looking Ahead... (Cont’d) European Commission currently is reviewing general EU legal framework on protection of personal data Policy objectives: • Modernise EU legal system for protection of personal data • Strengthen individuals' rights while reducing administrative formalities to ensure free flow of personal data • Improve clarity and coherence of EU rules for personal data protection Commission proposed its reforms in January 2012 • Proposal will be considered by European Parliament and EU Member States • If adopted, will take effect two years from date of adoption 24 of 26

  27. Looking Ahead... (Cont’d) European Commission currently is reviewing general EU legal framework on protection of personal data Policy objectives: • Modernise EU legal system for protection of personal data • Strengthen individuals' rights while reducing administrative formalities to ensure free flow of personal data • Improve clarity and coherence of EU rules for personal data protection Commission proposed its reforms in January 2012 • Proposal will be considered by European Parliament and EU Member States • If adopted, will take effect two years from date of adoption 25 of 26

  28. Final Quiz 26 of 26

  29. About WeComply WeComply is a leading provider of customized ethics and compliance training solutions. We are committed to providing the best-of-breed training content, technology and customer service. • Specializing in ethics and compliance training since 1999 • 60+ ethics and compliance training courses in 42 languages • Content partners include the Association of Corporate Counsel (ACC), Proskauer Rose and White & Case • 500+ clients of all sizes and in all industries 1-866-WeComply

  30. Course-Delivery Options WeComply offers training courses in multiple delivery formats to reach all employees -- not just those with computers: 1-866-WeComply • Online – available 24/7 from any computer • Mobile – tablets and smartphones • Offline optionswhen Internet access is unavailable: • PowerPoint with presenter notes for classroom training • PDF booklets with tear-off certifications • CD-ROM/intranet with tracking via e-mail • Phone-based training and certification

  31. Online Training Benefits While classroom training has certain advantages, it can be challenging to implement in large and/or geographically dispersed companies. Consider these advantages of online training: • Better Attendance • Higher Completion Rates • Less Impact on Productivity • Perfect for New Hires • Convenient for Remote Locations • Available in 42 Foreign Languages • Easy Access to Courses • Periodic Refreshers Blended Benefits Get the best of both worlds by providing classroom training where feasible and online training elsewhere – all centrally tracked and organized for easy monitoring and reporting.

More Related