Privacy Law: A Global Legal Perspective - Bowmans

Jan 12, 2023

Page 1: Privacy Law: A Global Legal Perspective - Bowmans

Privacy Law: A Global Legal Perspective on Data Protection Relating to Advertising and Marketing

Published in Cooperation with the

PRIVACY LAW – ARGENTINA

1 PRIVACY LAW

1.1 How is privacy regulated in Argentina?

Privacy rights were incorporated into the Argentine legal system with the 1994 constitutional reform, as the result of the incorporation of the habeas data procedure. Since then, privacy rights have acquired constitutional protection, being considered as fundamental rights that cannot be suppressed or restricted without sufficient cause. In addition, the National Civil and Commercial Code (Section 1770) and several international treaties executed by Argentina have recognized privacy rights as fundamental rights.

In general terms, the Argentine data protection system follows the European legal regime. Moreover, in 2003, the European Union issued a resolution establishing that Argentina had a level of protection consistent with the protection granted by the Data Protection Directive 95/46/EC with respect to personal data.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

The current legal framework regulating privacy is vast and complex; the main regulations—including those focusing on advertising aspects—are as follows:

(a) Data Protection Law No 25,326 (“DPL”);

(b) DPL Regulatory Decree 1558/2001;

(c) Provisions issued by the National Directorate of Data Protection (“DPND”);

(d) PDPA-Disposition No 4/2004, approving the Ethic Code of the Association of Direct and Interactive Marketing (“AMDIA”);

(e) Law No 26,951 (the “Do-Not-Call Law”), creating the “Do-Not-Call Registry” and expanding the protection of data owners’ rights. This regulation allows a data owner to block contact from companies advertising, selling or giving away products and services. Companies offering products and services by telephonic means must register with the Agency and consult the list of blocked numbers on a monthly basis before engaging in marketing calls. Furthermore, Law No 2,014 of the City of Buenos Aires and Law No 14,326 of the Province of Buenos Aires have created their own do-not-call registries, within their jurisdiction;

(f) PDPA-Disposition 18/2015, approving the “Privacy Good Practice Guide for the Development of Apps and Software”, which establishes that a privacy policy should be clear and easily accessible for users. In addition, the privacy policy for apps designed for use on phones or tablets must be shown in a useful way for users, bearing in mind the size restrictions that apply to these devices;

(g) PDPA-Disposition 20/2015, regulating the collection of photos, films, sounds or any other data in digital format through unmanned aerial vehicles or drones;

(h) PDPA-Disposition 60/2016, concerning aspects of the international transfer of personal data. The transfer of personal data to countries that have not enacted adequate legislation on personal data protection is forbidden. Additionally, this Disposition approves two sets of standard model clauses for data controller to data controller transfers as well as data controller to data processor transfers;

(i) Access to Public Information Law No 27,275, creating the Agency of Access to Public Information (“AAPI”) as its controlling authority. The Agency — which is autarchic and independent — is currently responsible for the application of the DPL and the Do-Not-Call Law; and

(j) AAPI-Resolution No 14/2018, setting out the information which owners and users of public and private databases have to include on their websites, as well as in any other communication or advertising, that guarantees the data subject’s knowledge of his/her rights and how to exercise them.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

The National Directorate of Data Protection (“DPND”), which is part of the National Department of Justice and Human Rights, had been the data protection authority since it was formed in 2001. However, Emergency Decree No 746/2017 designated the AAPI as the authority charged with the application of the DPL and, since then, the AAPI has replaced the former enforcement authority and is currently the government agency tasked with enforcing the DPL.

Among other responsibilities, the AAPI is in charge of:

(a) operating a registry of databases (keeping records of the registration and renewal of databases);

(b) enforcing the DPL and the Do-Not-Call Law, carrying out inspections and imposing sanctions; and

(c) creating new dispositions and regulations related to data protection matters.

The Agency is also responsible for assuring the effective exercise of the right of access to public information and the enforcement of transparency within the public sector.

The AAPI’s inspections/audit proceedings can be ex officio or initiated upon a complaint. The administrative process that the AAPI must follow to investigate and impose penalties is set out in Sections 31 and 32 of the DPL, in Decree 1558/2001 and Decree 1160/2010. The administrative decisions can be appealed before the judicial courts.

In addition to the AAPI, there are specific regulators for certain industry sectors, such as the Argentine Central Bank (“BCRA”), which regulates data handled by financial institutions. There are also many non-governmental organisations (NGOs) exclusively dedicated to data protection matters, but with no enforcement authority, such as: Argentina Cyber Secure (www.argentinacibersegura.org/); Association for the Civil Rights (adc.org.ar/) and Argentina Internet Chamber (www.cabase.org.ar/), among others.

2 SCOPE

2.1 Which companies are subject to privacy law in Argentina?

The DPL applies to individuals or legal entities carrying out the treatment or processing of personal data of Argentinean residents, regardless of where such treatment is performed.

Pursuant to the DPL, the registration of databases is a legal duty which is mandatory for all local data controllers and data processors.

2.2 Does privacy law in Argentina apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

Yes, companies outside the country that treat, or process, data of Argentinean residents must comply with local law and regulations.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Argentina?

“Personal data” is defined by the DPL as any type of information that relates to identified or identifiable individuals or legal entities.

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

“Sensitive data” is defined in Section 2 of the DPL as any personal information revealing racial or ethnic origin, political views, religious beliefs, philosophical or moral stands, union affiliations or any information referring to the health or sexual life of an individual. As a general principle, sensitive data collection, processing and/or treatment is forbidden unless expressly authorized by law.

As stated in Section 7 of the DPL, individuals cannot be compelled to provide sensitive data. Moreover, sensitive data can only be collected and/or treated in cases where there are circumstances of general interest authorized by law, or for statistical or scientific purposes, provided that data owners cannot be identified. Section 7 also provides that it is prohibited to create files, banks or registers storing information that directly or indirectly reveals sensitive data. Notwithstanding, the Catholic Church, religious associations, and political and labor organizations are entitled to keep a register of their members.

Data referring to criminal records can be treated only by the competent public authorities, within the framework established by the corresponding laws and regulations.

Furthermore, Section 8 provides that public or private health institutions, as well as medical science professionals, are entitled to collect and treat such personal data as relate to the physical or mental condition of patients who make use of their services, or who are or have been in their care, in pursuance of the principles of professional confidentiality.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

As stated by Sections 4 and 10 of the DPL, the following fundamental principles apply to data processing, namely:

(a) Personal data collected must be true, adequate, relevant and not excessive in relation to the scope and purpose for which the data has been obtained.

(b) The collection of personal data cannot be done by unfair or fraudulent means.

(c) Personal data subject to treatment cannot be used for purposes different from or incompatible with those purposes for which it was collected.

(d) Personal data must be stored in such a way as enables the data owner to exercise his/her right of access.

(e) The data must be destroyed once it has ceased to be necessary or relevant to the purposes for which it has been collected.

(f) Those responsible or involved in any part of data processing are bound by the duty of confidentiality.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

No.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

According to Provision 4/2009 of the DPND, all marketing communications in Argentina must include:

(a) information to recipients on their right to request their exclusion from the relevant database;

(b) an opt-out mechanism; and

(c) two legal transcriptions (in Spanish) stating the data subject’s right to request the removal of, or a block on, the data subject’s name from the database (Section 27 of the DPL).

Unsolicited communications or those sent without consent must evidence their marketing nature in a noticeable manner. For emails, their subject field must read “Advertisement” and cannot include anything else.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Argentina? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

Issued in 2018, Resolution 47/2018 of the AAPI approved recommended security measures for the processing and conservation of personal data, which include recommendations in connection with personal data, whether or not stored by electronic means. These aim at ensuring the continuous improvement of the administration, planning and control of information security.

There are two sets of recommendations:

(a) Annex I deals with: (i) the collection of data; (ii) control of access to data; (iii) control of modifications; (iv) backup and recovery; (v) vulnerability management; (vi) information destruction; (vii) security incidents; and (viii) the development environment;

(b) Annex II includes recommendations regarding: (i) the collection of data; (ii) control of access to data; (iii) information conservation; (iv) information destruction; and (v) security incidents.

It is important to point out that, whilst previous regulations provided for mandatory security measures, Resolution 47/2018 establishes a set of “recommendations” that can be adopted or not, or even replaced by other more effective measures based on the practices and circumstances of the processing of personal data. Moreover, the Resolution does not impose any particular data storage technological method or solution, allowing database controllers to make their own IT solution decisions.

6.2 How are data breaches regulated in Argentina? What are the requirements for responding to data breaches?

In Argentina, the obligation to report data security incidents is not legally established. Under the DPL, there is no specific legal obligation to report data breaches to authorities. No such obligation has been regulated, and no particular report to the authorities or to the affected individuals has been established.

It is worth mentioning that there is a bill, submitted to Congress by the Argentine Executive Power in September 2018, which is intended to amend and replace the DPL and which addresses, in detail, data breach incidents and the proceedings to be followed if they happen, following the EU General Data Protection Regulation (“GDPR”).

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

The main rights for data owners contained in the DPL are the right of information, access and suppression. According to Section 14 of the DPL, data owners have the right to request and obtain information on any personal data included in a database. Moreover, the data controller must provide this information within ten calendar days of notification, free of charge. Data subjects can exercise these rights every six months or more, unless a legitimate interest is proven.

Additionally, data owners have the right to request that their data is rectified, updated or deleted from databases. The data controller must rectify, update or delete the personal data within five days following a data owner’s request.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

All marketing communications must comply with the regulations provided by Section 27 of the DPL, Decree No 1558/2001, Disposition No 4/2009 and Resolution No 14/2018, among others.

According to Disposition No 4/2009, all marketing communications in the country must include a notification to recipients of their right to request their exclusion from the relevant database, the way to exercise such right and the transcription of certain legal provisions (in Spanish). In addition, unsolicited communications or those sent without consent must evidence their marketing nature in a noticeable manner; when sent through e-mail, their subject must include the term “Advertisement” (“Publicidad”). Companies carrying out direct marketing campaigns must inform recipients of their right to opt out and the procedure to exercise such right, quote certain legal provisions and ensure that they implement effective mechanisms to fulfill all potential opt-out requests.

In 2014, the Do-Not-Call Law created the Do-Not-Call Registry, expanding the protection of data owners’ rights. This regulation allows the data owner to block contact from companies advertising, selling or giving away products and services. Companies offering products and services by telephone must register with the Agency and check on a monthly basis the list of blocked numbers before engaging in marketing calls.

Resolution No 14/2018 establishes that the owners and users of public and private databases have to include in their websites, as well as in any other communication or advertising, particularly data collection forms, information that guarantees the data owner’s knowledge of his/her rights and how to exercise them. Moreover, this Resolution requires controllers and users of public and private databases to clearly and expressly disclose the information required by Section 6 of the DPL, including:

(a) the purpose of the data processing,

(b) any possible recipients of the data,

(c) the existence of the database and the identity of the data controller,

(d) whether providing the data is mandatory or not, and

(e) the rights data owners have,

prior to any data collection and specifically mentioning how data subjects may exercise their rights.

Likewise, the following wording must be included (in Spanish): “THE AGENCY OF ACCESS TO PUBLIC INFORMATION, as the Controlling Authority of Law No 25,326, has the attribution of attending to any claims and allegations filed by those affected in their rights for non-compliance of the current data protection regulation”.

These regulations are applicable in all cases of marketing addressed to Argentine residents, irrespective of the country or jurisdiction from which the marketing communications are delivered.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

The use of cookies, pixels or other tracking technologies has not been regulated yet, nor particularly addressed in any of the AAPI recommendations. However, by application of the DPL’s principles, companies trying to obtain information through tracking technologies must obtain the user’s consent to collect information.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

Targeted advertising and behavioral advertising are not specifically regulated by local law. The regulations described in question 8.1 also apply to these types of advertising activities.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

The processing of personal data for advertising or marketing purposes, including data sharing, is allowed without prior consent when the data is limited to the creation of consumer profiles that categorise personal preferences and similar types of behavior, and/or when the data owners are solely identified by their belonging to generic groups and the individual data is strictly necessary to market or advertise to the individual (Section 27, DPL Regulatory Decree 1558/2001).

8.5 Are there specific privacy rules governing data brokers?

No.

8.6 How is social media regulated from a privacy perspective?

Social media is not specifically regulated. However, general principles arising from the DPL and its regulations and dispositions apply also to social media.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

Loyalty programs and promotions are subject to the rights and obligations arising from the data protection legal framework.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

Pursuant to the DPL, the transfer of personal data to countries that have not enacted adequate legislation on personal data protection is forbidden. Disposition 60/2016 provides that personal data can be transferred to the following countries without any further safeguard being necessary: member states of the European Union and the European Economic Area, Switzerland, Guernsey and Jersey, the Isle of Man, the Faroe Islands, Canada (only private sector), New Zealand, Andorra and Uruguay. The local authority has considered the EU Commission’s decisions on the adequacy of the protection of personal data in third countries to determine which jurisdictions are deemed adequate for the data transfer.

The Disposition has also approved two sets of standard model clauses for data controller to data controller transfers as well as data controller to data processor transfers. These models are based on the EU Model Contracts for the transfer of personal data to third countries.

Furthermore, Resolution 159/2018 issued by the AAPI set out ‘Guidelines and Basic Contents of Binding Corporate Rules’ for the international free flow of personal data among companies of the same economic group. The guidelines are aligned with Section 47 of the GDPR, addressing issues such as basic conditions for the legality of the transfer, procedures to ensure data subjects’ rights, joint liability of parties, applicable jurisdiction in case of controversies and AAPI auditing rights.

Argentine companies transferring personal data to affiliates in countries without ‘adequate’ personal data legislation, based on corporate rules other than those established by Resolution 159/2018, must submit them to the AAPI for its approval.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

As mentioned in question 9.1, Disposition 159/18 sets out guidelines for companies to draft and implement binding corporate rules or “BCRs”, which regulate intra-group international transfers of personal data.

Local law and regulations encourage companies to implement a privacy policy which regulates their personal data collection, treatment and processing and security mechanisms. The AAPI can request a company’s privacy policy and BCRs upon inspections.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

Penalties are established in Sections 31 and 32 of the DPL, in Decree 1558/2001 and Decree 1160/2010. The AAPI may apply sanctions for any violations of the Argentine Data Protection Regulations. The sanctions can include warnings, suspensions, fines and closure or cancellation of the file, register or database, without prejudice to any applicable civil or criminal liabilities. There are precedents for the authority fining companies which fail to comply with the data protection legislation, although such fines are usually low.

In addition, Section 157 of the Criminal Code provides that imprisonment of between one month and two years may be imposed on any person who:

(a) knowingly and unlawfully, or by violating data confidentiality and security systems, accesses a personal database;

(b) unlawfully provides or discloses to third parties information registered in a personal database that should be kept confidential by provision of law; or

(c) unlawfully inserts data in a database.

Penalties imposed by Sections 117 and 157 of the Criminal Code will be increased if the perpetrator is a public officer.

10.2 Do individuals have a private right of action? What are the potential remedies?

Anyone with a legitimate interest — individual or company — may file an administrative claim before the AAPI. The AAPI may also start a preliminary investigation ex parte. Pursuant to the regular process set out in the Administrative Proceedings Regulation, administrative decisions can be appealed before the judicial courts.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Argentina which affect privacy?

No.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

In 2018, the Argentine Executive Office introduced a new bill intended to replace the DPL enacted in 2000, which has become outdated in relation to technological and legal developments, especially regarding the passing of the GDPR.

The Bill introduces new definitions aligned with the EU regulations, such as the concepts of database, personal data and sensitive data. At the same time, the Bill introduces new concepts regarding genetic data, biometric data, economic groups, security incidents and international transfer. Also, it limits the scope of the concept of data subjects to human persons.

Among other changes, the Bill introduces new grounds for the collection and processing of personal data other than consent, such as legitimate interests; introduces the obligation to report any security incident to the controlling authority and to data subjects; and increases the penalties for infringements.

If passed into law, the Bill provides for a two-year transition period.

Another bill already in Congress — likely soon to be enacted, and related to data protection — is intended to regulate internet service providers’ liability.

Finally, several regulations are expected to be issued under the Information Technologies and Communications Law No 27,078, which are likely to have a direct impact on data processing for telecommunication providers.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Argentina?

No.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

The global privacy landscape is constantly changing. Data is regarded as power and even considered as the new commodity; at the same time, data subjects and regulators are increasingly demanding data privacy to avoid personal data violations. The global scenery drives Argentina to the imminent enactment of a new law, in line with the GDPR.

12.2 What do you envision the privacy landscape will look like in 5 years?

Recent administrative changes in the AAPI, together with expected legislative changes, along with the DPL Bill, which is aligned with the GDPR, may lead to a different scenario in the upcoming years.

It is expected that local law and regulations will be aligned with international standards and the principles established by the GDPR.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

In the current changing privacy landscape, companies’ challenges will be aligned with the ones they are now facing in the European Union.

PRIVACY LAW – AUSTRALIA

1 PRIVACY LAW

1.1 How is privacy regulated in Australia?

Privacy is regulated in Australia through legislation at a Federal and State/Territory level.

At the Federal level, the Privacy Act 1988 (Cth) (“Privacy Act”) regulates the handling of personal information by federal government agencies and organizations with a turnover of AU$3 million or more, as well as certain other private organizations regardless of turnover. Small businesses (with a turnover of less than AU$3 million) are not regulated by the Privacy Act. The Privacy Act includes 13 Australian Privacy Principles (“APPs”) which set out the standards, rights and obligations around the collection, use, storage and disclosure of personal information.

The Office of the Australian Information Commissioner (“OAIC”) is the independent national regulator for privacy and freedom of information, and is responsible for promoting and enforcing privacy law in Australia.

Each Australian State and Territory has its own legislative or administrative regime, which is discussed in further detail below.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

There are a number of different laws in Australia that regulate privacy:

(a) Federal level:

(i) The Privacy Act is the primary piece of legislation that regulates privacy at the Federal level. The Privacy Act also regulates how private sector health service providers collect and handle health information, but does not apply to State and Territory public sector health service providers.

(ii) The Income Tax Assessment Act 1936 (Cth) and Taxation Administration Act 1953 (Cth) regulate the handling of Tax File Numbers, including offences for unauthorised use, disclosure, collection or requests for Tax File Numbers.

(b) Each Australian State and Territory has its own legislative system or administrative regime to manage the privacy of individuals:

(i) New South Wales

• The Health Records Information Privacy Act 2002 regulates private sector health organizations, health service providers and businesses with a turnover of more than AU$3 million that hold health information.

• The NSW Privacy and Personal Information Protection Act 1998 regulates how State agencies manage personal information in accordance with the 12 information protection principles.

• The NSW Information Privacy Commissioner administers both complaints made under the Health Records Information Privacy Act 2002 and the Privacy and Personal Information Protection Act 1998.

(ii) Victoria

• The Health Records Act 2001 regulates organizations that hold health information.

• The Victorian Charter of Human Rights also contains a right to be free from unlawful or arbitrary interference with privacy.

• The Victorian Privacy and Data Protection Act 2014 establishes 10 information privacy principles that regulate how public sector organizations and private organizations carrying out functions for and on behalf of Victorian public sector organizations can handle personal information, and creates a complaint scheme.

(iii) Australian Capital Territory

• The Health Records (Privacy and Access) Act 1997 regulates organizations that hold health information and manages complaints for health record privacy issues. The ACT Office of the Health Services Commissioner conciliates complaints.

• The ACT also protects personal information through the Information Privacy Act 2014. This regulates how private sector agencies handle personal information, as well as private companies contracted to provide services for the ACT government. This is administered by the ACT Information Privacy Commissioner.

(iv) Tasmania

• The Personal Information Protection Act 2004 contains 10 information protection principles, and provides the right for an individual to complain to the Tasmanian Ombudsman if personal information has been mismanaged. The information protection principles apply to State bodies and private organizations where they have entered into a contract with a personal information custodian relating to the collection, use or storage of the personal information.

(v) Western Australia

• The Freedom of Information Act 1992 includes some principles related to the disclosure and amendment of personal information disclosed to State and local government agencies.

(vi) Northern Territory

• The Information Act 2002 regulates how health information is managed; complaints are heard by the NT Office of the Information Commissioner.

(vii) South Australia

• The State government has a set of information privacy principles. Complaints are managed by the South Australian Privacy Committee.

(viii) Queensland

• The Information Privacy Act 2009 regulates how the public sector manages personal information. The Queensland Office of the Information Commissioner receives complaints.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

The Privacy Act is administered by the OAIC. The OAIC has a number of regulatory powers under the Privacy Act, and its preferred regulatory approach is to facilitate voluntary compliance and work with entities to encourage best practice.

The OAIC Commissioner may also take more serious regulatory action such as (but not limited to) accepting an enforceable undertaking, making a determination, or applying to the court for a civil penalty order for a breach of a penalty provision.

There are various regulatory bodies in the Australian States that respond to complaints relating to health information or management of information by a State government organization or contractor (see question 1.2).

Australia does not have any self-regulatory bodies for privacy matters.

2 SCOPE

2.1 Which companies are subject to privacy law in Australia?

The Privacy Act applies to “entities”, which consist of Australian Federal government agencies, organizations with an annual turnover of more than AU$3 million and their related companies, as well as some other organizations regardless of turnover, including health service providers and organizations that trade in personal information.

An “organization” includes an individual (including a sole trader), a body corporate, a partnership, an unincorporated association or a trust.

It does not include a small business operator, registered political party, or a State or Territory authority.

2.2 Does privacy law in Australia apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

Yes, the Privacy Act applies to the overseas activities of Australian organizations and to foreign organizations that have an “Australian link”. An organization is considered to have an Australian link if:

(a) there is an organizational link: eg, the organization is a company incorporated in Australia, or a trust created in Australia; or

(b) the organization carries on business in Australia or an external territory, and collects or holds personal data in Australia or an external territory.

Put another way, if an individual is located in Australia, the collection of their personal information by a foreign entity is deemed to have happened in Australia.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Australia?

The Privacy Act defines "personal information" as "information or an opinion about an identified individual, or an individual who is reasonably identifiable:

(a) whether the information or opinion is true or not; and

(b) whether the information or opinion is recorded in a material form or not".

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

The Privacy Act defines "sensitive information" as:

(a) information or an opinion about an individual's:

(i) racial or ethnic origin;

(ii) political opinions;

(iii) membership of a political association;

(iv) religious beliefs or affiliations;

(v) philosophical beliefs;

(vi) membership of a professional or trade association;

(vii) membership of a trade union;

(viii) sexual orientation or practices; or

(ix) criminal record,

that is also personal information;

(b) health information about an individual;

(c) genetic information about an individual that is not otherwise health information;

(d) biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or

(e) biometric templates.

Sensitive information attracts stricter handling: under APP 3 it may generally be collected only with the individual's consent, and under APP 6 any secondary use or disclosure must be directly related to the primary purpose of collection (see questions 3.3, 5.1 and 11.3).

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

There are 13 Australian Privacy Principles ("APPs") contained within the Privacy Act that companies (which are subject to the Privacy Act) need to follow regarding their processing of personal information:

(a) APP 1 (open and transparent management of personal information): This includes having a clear and up-to-date company privacy policy.

(b) APP 2 (anonymity and pseudonymity): Companies should allow individuals the option to remain anonymous or to use a pseudonym, except where impracticable or a prescribed exception applies.


(c) APP 3 (collection of solicited personal information): Companies may only solicit and collect personal information where it is reasonably necessary for the companies' functions or activities. In addition, companies may only solicit and collect personal information which is sensitive information if the individual consents to the sensitive information being collected, unless an exception applies.

(d) APP 4 (dealing with unsolicited personal information): If a company receives unsolicited personal information, the company is required to determine whether it would otherwise have had grounds on which to collect it. If the company does have such grounds, it may retain the personal information, provided it complies with the remaining APPs. If the company does not have such grounds, it must destroy or de-identify the personal information.

(e) APP 5 (notification of the collection of personal information): A company that collects personal information about an individual is required to take reasonable steps either to notify the individual of certain matters or to ensure the individual is aware of those matters (including the company's identity and contact details, the fact and circumstances of collection, the purposes of collection, and whether the company is likely to disclose personal information to overseas recipients).

(f) APP 6 (use or disclosure of personal information): A company can only use or disclose personal information for the purpose for which it was collected (ie, the primary purpose), unless the individual has consented to a secondary use or disclosure, or the individual would reasonably expect their personal information to be used for the secondary purpose, or another prescribed exception applies (such as that the disclosure is necessary to protect someone's health or safety, or the disclosure or secondary use is required or authorised by or under an Australian law or a court/tribunal order).

(g) APP 7 (direct marketing): A company must not use or disclose personal information it holds for the purpose of direct marketing to an individual unless the individual reasonably expects it, or consents to it, and there is an 'opt out' process in place through which the individual can elect not to receive direct marketing communications.

(h) APP 8 (cross-border disclosure of personal information): A company that discloses personal information to an overseas recipient must take reasonable steps to ensure that the overseas recipient does not breach the APPs. The company will be accountable for any acts or practices of the overseas recipient in relation to the information that would breach the APPs.

(i) APP 9 (adoption, use or disclosure of government related identifiers): Companies are restricted from adopting, using or disclosing a government-related identifier (ie, a number, letter or symbol, or combination of any of those things, used to identify an individual or verify the identity of an individual, that has been assigned by a government agency, a State or Territory authority, an agent of a government agency or authority, or a contracted service provider for a Commonwealth or State contract).

(j) APP 10 (quality of personal information): Companies must take reasonable steps to ensure that the personal information they collect is accurate, up-to-date and complete, and ensure that the personal information they use or disclose is accurate, up-to-date, complete and relevant, having regard to the purpose of the use or disclosure.

(k) APP 11 (security of personal information): Companies must take reasonable steps to protect the personal information they hold from misuse, interference, loss, and unauthorised access, modification or disclosure.


(l) APP 12 (access to personal information): Companies that hold personal information about an individual are required to give the individual access to that information on request, unless an exception applies.

(m) APP 13 (correction of personal information): Companies are required to take reasonable steps to correct personal information if so requested by the individual, to ensure that, having regard to the purpose for which it is held, the personal information is accurate, up-to-date, complete, relevant and not misleading.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

The Privacy Act does not distinguish between data controllers and data processors. Any handling of personal information, whether collecting, storing, processing or otherwise, is potentially subject to privacy legislation.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

As a general rule, the APPs provide that an organization should only use or disclose personal information for the purpose for which it was collected. However, an organization may use or disclose personal information about an individual for another purpose (a "secondary purpose") if the individual has consented, or if the secondary purpose is related to the primary purpose and such use or disclosure might reasonably be expected by the individual. If the personal information is sensitive information, the secondary purpose must be directly related to the primary purpose. There are also a number of exceptions to this general rule. In terms of advertising, APP 7 provides a general prohibition against direct marketing unless an exception applies. Individuals must always be given a simple means to opt out of any direct marketing.

APP 1 requires that entities regulated under the Privacy Act have an up-to-date and clearly expressed privacy policy that is easily accessible. A privacy policy should, among other things, set out what information is collected about individuals, the purpose for the collection of that information, and whether personal information is disclosed to third parties.

There is no obligation to appoint a privacy officer in an organization; however, the OAIC recommends the appointment of a privacy officer as part of its best practice guidelines, in order to ensure there is a single point of contact for privacy-related complaints and enquiries, and someone in the organization who is responsible for compliance with privacy laws. The Privacy Act does not set out the scope within which a privacy officer must act, but the OAIC has developed guidelines for recommended practices and systems, available at: https://www.oaic.gov.au/s/privacy-officer-toolkit/.

A privacy impact assessment is a voluntary process for private sector organizations, undertaken to evaluate a company's compliance with the APPs. The OAIC suggests privacy impact assessments should be conducted as part of the planning process to identify and mitigate privacy risks, particularly where a project or activity may impact on the privacy of individuals. The OAIC provides guidance on how to conduct a privacy impact assessment, available at: https://www.oaic.gov.au/privacy/guidance-and-advice/guide-to-undertaking-privacy-impact-assessments/.

Although not mandatory, the OAIC also recommends conducting a risk analysis as best practice when preparing a data breach response plan.

There is no requirement in Australia for organizations to register anything with a privacy authority such as the OAIC.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Australia? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

Under APP 11, entities must take reasonable steps to ensure the security of the personal information they hold. There is no prescribed minimum technical standard: what counts as "reasonable steps" is relative to the size of the business and the sensitivity of the information held. Reasonable steps could include internal training, ICT security controls, and the destruction or de-identification of personal information once it is no longer required (APP 11.2 itself requires this where the information is no longer needed for any permitted purpose).

The OAIC advocates for the prevention of data breaches where possible by promoting information security. The OAIC has produced a guide to securing personal information which, whilst not binding, the OAIC will refer to when exercising its regulatory powers in response to a breach, complaint or non-compliance. The guide is available at: https://www.oaic.gov.au/privacy/guidance-and-advice/data-breach-preparation-and-response/.

6.2 How are data breaches regulated in Australia? What are the requirements for responding to data breaches?

Part IIIC of the Privacy Act contains the Notifiable Data Breaches scheme, which requires entities covered by the Privacy Act to notify affected individuals and the OAIC of an "eligible data breach": unauthorised access to, unauthorised disclosure of, or loss of personal information that is likely to result in serious harm to any individual whose personal information is involved.

Determining whether serious harm is likely as a result of the breach involves deciding whether a reasonable person in the position of the entity would consider that the data breach would be likely to result in serious harm to an individual whose information was involved in the breach.

The OAIC provides a guideline for suggested steps if a data breach is suspected:

(a) Contain the breach: take immediate steps to limit further access to or distribution of the information.

(b) Assess whether the breach is likely to result in serious harm. The assessment must be carried out expeditiously and, where practicable, within 30 days of the entity becoming aware of grounds to suspect a breach. Consider whether remediation is possible: if the entity takes remedial action before any serious harm occurs, the breach is not an eligible data breach and need not be notified.

(c) If serious harm is likely, prepare a statement to the OAIC containing the entity's contact details, a description of the breach, the kind of information concerned and the steps recommended for individuals.

(d) If serious harm is likely, notify affected individuals. The entity may notify all individuals, only those at risk of serious harm, or, if neither of those options is reasonably practicable, publish a statement on the entity's website and publicise it.

(e) If the breach is not likely to result in serious harm, or after notifying the OAIC and affected individuals, the entity should conduct a review of the incident and take action to prevent future breaches.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

(a) Individuals have the right to access their personal information from an organization or agency holding their personal information under APP 12.

The organization or agency must give an individual access to their personal information when it has been requested by the individual, except where the law allows the organization or agency to refuse the request. Examples of instances where access can be refused are provided in APP 12, and include:

(i) the organization believes that giving the individual access may endanger the life, health or safety of any individual, or endanger public health or safety;

(ii) giving the individual access would have an unreasonable impact on the privacy of other individuals;

(iii) the request is frivolous or vexatious; or

(iv) the personal information is part of existing or anticipated legal proceedings between the individual and the organization.

(b) Under APP 13, individuals can also request a correction of the personal information an organization or agency holds about them if the personal information is:

(i) inaccurate;

(ii) out of date;

(iii) incomplete;

(iv) irrelevant; or

(v) misleading.

Individuals also have the right to access and correct government records which contain an individual's personal information under the Freedom of Information Act 1982, and the right to access and correct police records by contacting the Australian Federal Police or the local criminal records section of the police service.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

Marketing communications sent as electronic commercial messages (including email and SMS) are regulated by the Spam Act 2003 ("Spam Act"). The Spam Act regulates how marketing messages are transmitted by anyone in, into or from Australia. Generally, the person who will receive the message must have consented to receiving it, the message must identify and provide the contact details of the sender, and the message must include a functional unsubscribe facility.

The Do Not Call Register Act 2006 ("Do Not Call Act") prohibits unsolicited telemarketing calls made to a telephone number registered on the Do Not Call Register, unless the account holder of the telephone number has consented to receiving the call. The Do Not Call Register is a database where individuals can register their numbers to opt out of most unsolicited telemarketing calls. A business must check its marketing lists against the Do Not Call Register to avoid calling or faxing those numbers. If a business outsources telemarketing calls, both the business and the outsourcing provider are responsible for complying with the Do Not Call Act.
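A practical illustration of the list check described above, added for this edit rather than taken from the Bowmans chapter: washing a call list against a register only works if every number is first reduced to one canonical form, because the same number is written many ways. The register entries, call list and consent records below are constructed sample data, and the normalisation rules for Australian numbers (national "0" trunk prefix, "+61" or "61" country code, nine-digit national number) are this example's assumption, not something the chapter specifies.

```python
import re

# Added example, not code from the Bowmans chapter. Assumption: Australian
# numbers are canonicalised to E.164 ('+61' followed by a 9-digit national
# number); anything that cannot be read that way is reported, not called.

def normalise_au(number):
    """Return '+61XXXXXXXXX' for a recognisable Australian number, else None."""
    digits = re.sub(r"\D", "", number)
    if digits.startswith("0011"):          # international dialling prefix: out of scope here
        return None
    if digits.startswith("61") and len(digits) == 11:
        national = digits[2:]              # '+61 2 9876 5432', '61412345678'
    elif digits.startswith("0") and len(digits) == 10:
        national = digits[1:]              # '(02) 9876 5432', '0412 345 678'
    elif len(digits) == 9 and not digits.startswith("0"):
        national = digits                  # '412345678' with the trunk '0' dropped
    else:
        return None
    return "+61" + national

def load_numbers(lines):
    """Canonicalise raw numbers into a set, skipping entries that cannot be read."""
    return {n for n in (normalise_au(line) for line in lines) if n}

def scrub(call_list, register_lines, consent_lines=()):
    """Split a marketing list into numbers that may be called, numbers
    suppressed because they are on the register (and have no recorded
    consent from the account holder), and entries that could not be
    interpreted at all and so must not be dialled either."""
    register = load_numbers(register_lines)
    consented = load_numbers(consent_lines)
    result = {"callable": [], "suppressed": [], "invalid": []}
    for raw in call_list:
        canonical = normalise_au(raw)
        if canonical is None:
            result["invalid"].append(raw)
        elif canonical in register and canonical not in consented:
            result["suppressed"].append(raw)
        else:
            result["callable"].append(raw)
    return result

# Constructed sample data for the example.
REGISTER = ["0412 345 678", "+61 2 9876 5432", "(03) 9123 4567"]
CONSENTED = ["03 9123 4567"]              # account holder opted in despite registration
CALL_LIST = ["0412345678", "02 9876 5432", "+61 3 9123 4567", "0498 765 432", "12345"]

if __name__ == "__main__":
    for bucket, numbers in scrub(CALL_LIST, REGISTER, CONSENTED).items():
        print(f"{bucket:10s} {numbers}")
```

Matching on the raw strings would miss two of the three registered numbers in this data; matching on the canonical form catches all three, and the consent set models the Act's exception for account holders who have agreed to be called. Unparseable entries are kept out of the callable bucket on purpose, since a number that cannot be checked against the register cannot be cleared.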

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

The use of tracking technologies is not specifically regulated in Australia, as the data they collect is not (without being combined with additional identifying data) considered to be "personal information" as defined under the Privacy Act. Where the identification of an individual is enabled by tracking technologies, the use of those tracking technologies will be subject to the APPs.

Whilst not specifically regulated in Australia, individuals are generally given the option to manage the use of tracking technologies under the options or settings of a browser. Individuals can block, turn off, accept or decline the use of tracking technologies.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

Where advertisers target certain individuals using information which is not about an "identified individual, or an individual who is reasonably identifiable", the Privacy Act does not apply. Online behavioral advertising is typically conducted by collecting web browsing activity and linking it to information that does not itself identify anyone, such as an IP address, in order to direct targeted ads to web pages visited by the user of that IP address. On that basis, no personal information is being collected, used or disclosed and the Privacy Act does not apply.

Even if the information used by an organization to advertise is not itself "personal information", if it can be linked with other information held by the organization (even if it is stored separately) or a related organization, or is reasonably accessible on the "motivated intruder" test, to the extent that, when it is linked up, it becomes information about an identifiable individual, then it must be treated as personal information and the Privacy Act will apply. The use of Big Data by companies highlights this issue: the more layers of information that are collected about a user, the easier it becomes to identify the individual, and the question is at what point it becomes personal information.
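The "layers of information" point above, as an added example that is not from the Bowmans chapter: a small constructed browsing log is measured by k-anonymity (the size of the smallest group of records sharing the same attribute values), and k falls from 4 to 1 as IP prefix, age band and device type are combined. A join against a separately held account table (also constructed) then turns one of the singled-out records into information about a named person. The attribute names, the records and the use of k as the measure are this example's assumptions.

```python
from collections import Counter

# Added example, not code from the Bowmans chapter. The records, attributes
# and the equivalence-class measure (k-anonymity) are this example's
# assumptions, used to illustrate the "layers of information" point.

# Constructed tracker log: no names, only attributes a tracker might hold.
BROWSING_LOG = [
    {"ip_prefix": "203.0.113",  "age_band": "30-39", "device": "iOS",     "pages": ["/sale"]},
    {"ip_prefix": "203.0.113",  "age_band": "30-39", "device": "Android", "pages": ["/help"]},
    {"ip_prefix": "203.0.113",  "age_band": "40-49", "device": "iOS",     "pages": ["/jobs"]},
    {"ip_prefix": "203.0.113",  "age_band": "40-49", "device": "iOS",     "pages": ["/sale"]},
    {"ip_prefix": "198.51.100", "age_band": "30-39", "device": "iOS",     "pages": ["/help"]},
    {"ip_prefix": "198.51.100", "age_band": "30-39", "device": "iOS",     "pages": ["/jobs"]},
    {"ip_prefix": "198.51.100", "age_band": "40-49", "device": "Android", "pages": ["/sale"]},
    {"ip_prefix": "198.51.100", "age_band": "40-49", "device": "Android", "pages": ["/help"]},
]

# Constructed account table held "separately" by the same organisation
# (registration details plus the network the account last logged in from).
ACCOUNTS = [
    {"name": "A. Nguyen", "ip_prefix": "203.0.113",  "age_band": "30-39", "device": "iOS"},
    {"name": "B. Smith",  "ip_prefix": "203.0.113",  "age_band": "40-49", "device": "iOS"},
    {"name": "C. Rossi",  "ip_prefix": "198.51.100", "age_band": "30-39", "device": "iOS"},
]

def _key(record, attrs):
    return tuple(record[a] for a in attrs)

def equivalence_classes(records, attrs):
    """How many records share each combination of the chosen attributes."""
    return Counter(_key(r, attrs) for r in records)

def k_anonymity(records, attrs):
    """Size of the smallest class; k == 1 means some record is unique on these attributes."""
    return min(equivalence_classes(records, attrs).values())

def singled_out(records, attrs):
    """Records that are alone in their class, i.e. distinguishable from everyone else."""
    classes = equivalence_classes(records, attrs)
    return [r for r in records if classes[_key(r, attrs)] == 1]

def layering_report(records, layers):
    """k after each additional attribute is layered on; shows k collapsing towards 1."""
    return [(tuple(layers[:n]), k_anonymity(records, layers[:n]))
            for n in range(1, len(layers) + 1)]

def link_to_accounts(records, accounts, attrs):
    """Join singled-out log records to the account table on shared attributes.
    A unique match turns a 'non-identifying' browsing record into information
    about an identifiable individual, the point at which the APPs start to apply."""
    matches = {}
    for r in singled_out(records, attrs):
        hits = [a["name"] for a in accounts if _key(a, attrs) == _key(r, attrs)]
        if len(hits) == 1:
            matches[hits[0]] = r["pages"]
    return matches

if __name__ == "__main__":
    layers = ["ip_prefix", "age_band", "device"]
    for attrs, k in layering_report(BROWSING_LOG, layers):
        print(f"{' + '.join(attrs):35s} k = {k}")
    print("re-identified:", link_to_accounts(BROWSING_LOG, ACCOUNTS, layers))
```

A k of 1 on the attributes an organization (or a motivated intruder with access to the same data) can combine is the practical signal that "non-identifying" data must be handled as personal information; coarsening the data, for instance by dropping the device attribute, restores k to 2 in this sample and the join no longer resolves to anyone.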

The Australian Best Practice Guideline for Online Behavioural Advertising (also called the Australian Best Practice Guideline for Interest-Based Advertising) was developed by Australia's leading business and industry associations in the online advertising sector, and is Australia's first self-regulatory guideline for third party online behavioral advertising. The guideline sets out self-regulatory principles for online behavioral advertising, and aims to promote transparency and consumer awareness and to encourage best practice and accountability.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

If the advertiser is providing de-identified information to the third party, which is matched with relevant customer profiles, there is no use of personal information and the Privacy Act does not apply. Whether the information is genuinely de-identified is judged by the "reasonably identifiable" test discussed in questions 3.1 and 8.3: if the third party can link what it receives back to an identifiable individual, it remains personal information.


However, if personal information is being used to identify individuals to advertise to, the APPs will apply:

(a) Under APP 5, a company is required to take reasonable steps to notify an individual if it is collecting personal information about the individual. The company must notify the individual of certain matters, including:

(i) the company's identity and contact details;

(ii) the fact and circumstances of collection;

(iii) whether the collection is required or authorised by law;

(iv) the purposes of collection;

(v) the consequences if personal information is not collected;

(vi) the company's usual disclosures of personal information of the kind collected by the company;

(vii) information about the company's privacy policy; and

(viii) whether the company is likely to disclose personal information to overseas recipients, and, if practicable, the countries where they are located.

The notification can be given in a variety of formats, such as over the phone, online or by hard-copy notice.

(b) Under APP 6, if data sharing and disclosure to third parties is the primary purpose of the collection of data, and the individual is made aware of this and has consented to it, the company can disclose the personal information to third parties. However, if data sharing is a secondary use, the company will need to obtain additional consent from the individual to that secondary use of the personal information, unless an exception applies.

Consent can be express or implied. The four key elements of consent are:

(i) the individual is adequately informed before giving consent;

(ii) the individual gives consent voluntarily;

(iii) the consent is current and specific; and

(iv) the individual has the capacity to understand and communicate their consent.

8.5 Are there specific privacy rules governing data brokers?

Data brokers are considered businesses that "trade" in personal information, as they collect or disclose an individual's personal information to someone else for a benefit, service or advantage (eg, a payment, concession, subsidy or some other advantage or service).

Businesses that trade in personal information are specifically regulated under the Privacy Act and will need to comply with the APPs, even if they are a small business (ie, their turnover is less than the AU$3 million threshold).

8.6 How is social media regulated from a privacy perspective?

Organizations in Australia that collect personal information via social media platforms are regulated by the Privacy Act in the same way they would be if they collected personal information via any other means. The channel by which personal information is collected may vary, but the principles that apply to the collection, use, storage and disclosure of personal information remain the same.


8.7 How are loyalty programs and promotions regulated from a privacy perspective?

There are currently no specific laws regulating privacy in respect of loyalty programs and promotions in Australia. If the consumer data has been de-identified (so that no individual is reasonably identifiable from it, alone or in combination with other available information), the businesses conducting the loyalty programs or promotions are free to sell insights from such consumer data to third parties without the consumers' knowledge and consent, which results in targeted advertising by such third parties. Of course, if the information is not de-identified, all of the APPs will apply.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

Personal information can be transferred between group companies without such transfer becoming a "disclosure". Other than this, personal information should only be transferred to third parties with the consent of the individual, or where the transfer is reasonably contemplated or is part of the primary purpose of the collection. Once personal information is transferred to a third party it is considered a "disclosure" and the entity must comply with all the elements of APP 6.

The disclosure of personal information to other jurisdictions outside Australia is governed by APP 8, which requires that entities take reasonable steps to ensure that a foreign recipient of personal information complies with the APPs. APP 8.2 provides that this is not necessary where:

(a) it is reasonably believed that the recipient is subject to a law or binding scheme that bears overall substantial similarity to the APPs and the individual can take action to enforce such protections;

(b) the entity has obtained the individual's consent to the foreign disclosure, after expressly informing the individual that, if they consent, the entity will no longer be required to take reasonable steps to ensure the recipient complies with the APPs;

(c) the foreign disclosure is required or authorised by Australian law;

(d) such disclosure is required by a government agency under an agreement to which Australia is a party;

(e) the disclosure is by a government agency and relates to foreign law-enforcement activities; or

(f) a permitted general situation applies (such as to prevent serious health and safety risks).

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

A transfer of personal information (other than sensitive information) from a company to a related body corporate is not taken to be an interference with the privacy of an individual. The Privacy Act requires that personal information disclosed to a related body corporate must be handled in accordance with the primary purpose for which it was initially collected by the company that collected it.

However, where the company discloses personal information to a related body corporate located outside Australia, APP 8 will apply, which puts an obligation on the company to take reasonable steps to ensure the overseas related body corporate does not breach the APPs in relation to the personal information.


10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

The Privacy Act confers a range of regulatory powers on the Commissioner, including investigation and enforcement powers, which are based on an escalation model.

The preferred regulatory approach of the OAIC is to work with entities to facilitate legal and best practice compliance, for example by engaging with regulated entities to provide guidance, promote best practice compliance, and identify and seek to address privacy concerns as they arise.

An investigation may be commenced by the OAIC into a suspected or alleged interference with privacy, either on receipt of a complaint or as a Commissioner initiated investigation ("CII"). Following a complaint investigation or CII, the Commissioner may decide to take enforcement action against an entity.

Under the Privacy Act, enforcement powers range from less serious to more serious regulatory action, and include powers to:

(a) accept or enforce an enforceable undertaking;

(b) make a determination or bring proceedings to enforce a determination;

(c) seek an injunction to prevent a potential privacy breach from continuing; or

(d) apply to the court for a civil penalty.

For serious or repeated breaches of privacy by an entity, the Commissioner may apply to the Federal Court or Federal Circuit Court for an order that the entity pay the Commonwealth a penalty. For a "serious or repeated interference with privacy" a person must pay up to 2,000 penalty units (which currently amounts to approximately AU$420,000); for a body corporate the maximum is five times that amount, ie 10,000 penalty units (approximately AU$2.1 million).

10.2 Do individuals have a private right of action? What are the potential remedies?

(a) Common law rights: There is currently no common law right of privacy in Australia; however, recent case law suggests a common law tort for invasion of privacy may be developing. In Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd (2001) 208 CLR 199, Australia's highest court, the High Court, left the possibility of a tort of privacy open. To date, no Australian appellate court has confirmed the existence of a tort of privacy.

However, lower courts have awarded damages for tortious invasions of privacy, suggesting that the legal basis for this action does exist. For example, the County Court of Victoria awarded damages for breach of personal privacy in Jane Doe v ABC [2007] VCC 281.

The Queensland District Court has also awarded damages on the basis of invasion of privacy in Grosse v Purvis [2003] QDC 151.

The Australian Law Reform Commission ("ALRC") and the Australian Competition and Consumer Commission ("ACCC") have both called for the statutory creation of a right of privacy. The ACCC recommendation was released in July 2019.

(b) Statutory rights: Whilst there is currently no statutory regime in Australia for an individual to enforce a private right of action for breach of privacy, an individual can make a complaint to a company regarding a potential breach of privacy and lodge the complaint with the OAIC. The OAIC will then investigate the matter and take action on behalf of the individual.


While a civil penalty order does not compensate individuals, Sections 25 and 25A of the Privacy Act allow an individual to recover compensation for loss or damage (including injury to the individual's feelings or humiliation) suffered by the individual, or other remedies, where a civil penalty order is made against a company for a contravention of a civil penalty provision. Other remedies include a court order directing the company to:

(i) carry out any reasonable course of conduct to redress the loss or damage suffered by the individual;

(ii) pay the individual a specified amount to reimburse the individual for expenses reasonably incurred by the individual in connection with the contravention or commission of the offence; and

(iii) pay to the individual the amount of loss or damage suffered by the individual.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Australia which affect privacy?

There is currently no privacy-related legislation in Australia which is specific to Australian culture. However, the ALRC published recommendations in a 2010 report which discussed establishing a privacy protocol to protect the privacy of Indigenous groups. Recommendation 7-1 recommended that the Office of the Privacy Commissioner (now the OAIC) should encourage and assist agencies and organizations to develop and publish protocols, in consultation with Indigenous groups and representatives, to address the particular privacy needs of Indigenous groups. Recommendation 7-2 recommended that the Australian government should undertake an inquiry to consider whether legal recognition and protection of Indigenous cultural rights is required and, if so, the form such recognition and protection should take.

Currently there are cultural protocols about how certain Aboriginal and Torres Strait Islander individuals may be portrayed in various types of media. These rules, whilst focused on spiritual and cultural sensitivities, may also protect an Indigenous person's sense of privacy. For example, the reproduction of a deceased person's name and image is offensive to some Indigenous cultural beliefs. It is recommended that cultural warnings are used at the beginning of any audio-visual media to alert Aboriginal and Torres Strait Islander viewers and/or listeners that images and/or voices of deceased persons may be used. It is also generally recommended that any depictions of Aboriginal people be reviewed by an appropriate Indigenous arts body to confirm that such depictions are culturally sensitive, accord with Aboriginal religious and cultural beliefs, and are not offensive to or misrepresentative of their laws and customs.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

In July 2019, the ACCC released the Digital Platforms Inquiry Report, which contains a number of recommendations. The report is most relevant to online businesses, search engines, content aggregation platforms and social media platforms. A strong theme in the report is the need to increase the transparency of organizations that are entrusted with personal information, in order to allow consumers to make informed choices about their personal information. In particular, the report made a number of relevant recommendations, including:

(a) the development of a Privacy Code for Digital Platforms, including specific periods for data retention and more prescriptive obligations regarding the form of privacy policies;


(b) increased penalties for breaches of privacy to mirror the penalties for breaches of the Australian Consumer Law (the greater of AU$10 million, three times the benefit received, or 10% of annual turnover in the preceding 12 months);

(c) technical and location data being included in the definition of personal information;

(d) stronger consent requirements for any data collection, rather than only secondary data collection;

(e) measures to require organizations to erase personal information on request; and

(f) creation of a statutory tort for serious invasion of privacy, not confined to organizations subject to the Privacy Act.

If implemented, these recommendations will pose a significant compliance challenge to businesses that collect personal information.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Australia?

If collecting sensitive information, there are greater obligations to ensure that individuals are aware that their personal information is being collected and of the purposes for which the information is collected, and that consent is obtained for the use or disclosure of the information.

If personal information about Australian individuals is stored overseas, it is still regulated under Australian privacy law. Care should be taken when outsourcing the storage of personal information, for example through cloud hosting services: the disclosure to the overseas host is subject to APP 8, so the company remains accountable for the host's handling of the information (see question 9.1).

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

The rapid development in online technology has had a major impact on personal privacy. In particular, the large amount of personal information being collected, stored and shared/traded between companies in an online environment has made it easier for large data breaches to occur. According to the Australian Bureau of Statistics, one in ten Australian businesses suffered some form of data breach in 2018.

The Notifiable Data Breaches scheme came into effect in February 2018, with the primary objective of increasing consumer protection. It introduced a much-needed legal obligation on entities to carry out an assessment whenever they suspect a data breach, and to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm. The scheme effectively ensures that entities have reasonable steps in place to secure personal information, which in turn improves security standards.

As a result of the ACCC's Digital Platforms Inquiry Report released in July 2019 (see question 11.2), the Australian government announced its intention to make major changes to privacy laws which will implement stronger privacy protections for individuals. One of the proposed changes is the introduction of increased penalties for serious or repeated breaches of privacy.


Another proposed change is to give the OAIC more power to issue infringement notices for failure to cooperate with efforts to resolve minor breaches. The maximum fines that could be issued under an infringement notice are AU$63,000 for companies and AU$12,600 for individuals. Specific rules will also be introduced to protect the personal information of children and other vulnerable groups.

The changes to Australian privacy laws are intended to ensure that the law is relevant and effective in the digital environment, and to bring Australia more in line with the EU GDPR regime.

12.2 What do you envision the privacy landscape will look like in 5 years?

We anticipate that the Australian privacy landscape will become increasingly regulated in order to bring Australia in line with other countries' privacy standards, such as Europe's, and to facilitate global data sharing. Currently the issue of "Big Data" remains a grey area; however, it is clear that, as companies gather more information about a person and "consumer profiling" occurs with multiple overlays of information, data that was originally not considered personal information, such as location or IP address, will potentially fall within the definition of "personal information" as the data subject becomes more easily identifiable through the narrowing down of possibilities. Therefore, there are questions about how to regulate this space, and we anticipate the definition of personal information will need to change in order to protect information about a person who has become an identified individual through the collection of large amounts of de-identified data.

We also anticipate changes will be made to strengthen notification and consent requirements relating to personal information, and further discussion of a direct right for individuals to bring actions for a breach of their privacy.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

Privacy laws have had to evolve to keep up with the ever-changing world of online technology and advanced breaches in data security. More changes to the law mean that companies will need to work harder to ensure compliance with the privacy laws. With harsher penalties coming into place, companies are being forced to re-evaluate their privacy policies and processes.

In the wake of serious data breaches, companies are also having to consider new software and technology to increase their data security and protect the personal information of individuals which they hold, resulting in additional compliance costs.

PRIVACY LAW – BELIZE

1 PRIVACY LAW

1.1 How is privacy regulated in Belize?

Belize is lacking thorough regulation of privacy. Currently, privacy is only expressly considered in the Belize Constitution, though references can be found in some laws which regulate public and private entities, and which are required to obtain personal information.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

The key laws regulating aspects of privacy (including confidential information and confidential data) in Belize are:

(a) The Belize Constitution Act, Cap. 4, 2012;

(b) Interception of Communications Act, Cap. 229.01;

(c) Freedom of Information Act, Cap. 13;

(d) Caribbean Community Act, Cap. 17;

(e) Justice Protection Act, Cap. 119.02;

(f) The Census Act, Cap. 155;

(g) Statistical Institute of Belize Act, Cap. 158;

(h) Belize Telecommunications Act, Cap. 229;

(i) Copyright Act, Cap. 252;

(j) Immigration Act, Cap. 156;

(k) Immigration (Advance Passenger Information) Regulations 2017 (SI No 46-2017); and

(l) tax information exchange agreements (that have been signed with various countries).

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

There are no regulatory bodies set up specifically to enforce privacy law. Its enforcement falls under the jurisdiction of the Belizean Judicial System and the regulating bodies of the industries which utilize personal information in fulfilment of their duties. For example, the Public Utilities Committee, which regulates the telecommunication sector of Belize and the use of data within that sector, and the Central Bank of Belize, which regulates the banking and finance sector.

2 SCOPE

2.1 Which companies are subject to privacy law in Belize?

To the extent that privacy laws exist in Belize, they apply to both the public and private sectors.


2.2 Does privacy law in Belize apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

N/A

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Belize?

The term is not specifically defined in any legislation.

However, Section 2 of the Statistical Institute of Belize Act defines “confidential data” as “data obtained by the Institute for the production of official statistics when such data allow statistical units to be identified directly or indirectly, thereby disclosing individual information”; and it can be inferred from Section 42(1) that “personal information” is information which can be related to an identifiable person.

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

Though not expressly categorized in any law, any information that is a personal identifier is considered sensitive, and subject to confidentiality and disclosure only on the authorization of the person to whom it refers, or under court order that abides by Section 14 of the Constitution.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

Due to the implementation of the EU General Data Protection Regulation (“GDPR”), most companies, especially in the tourism industry and banking industry, that are exposed to handling information of EU citizens are implementing this regulation. Therefore, most companies implement the principles set forth in the GDPR, namely: lawfulness, fairness and transparency, purpose limitation, accuracy, data minimisation, integrity and confidentiality and storage limitation.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

No.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

There are no national regulations; however, most sectors tend to pull resources for their businesses (such as website terms and conditions; system and platform provisions) from the United States and the European Union (English-speaking) nations. Therefore, many companies (by default) comply with international regulations, such as the GDPR and other data protection and privacy laws.


6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Belize? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

Data security is not specifically regulated. Part III of the Interception of Communications Act, which especially applies in cases of wire-tapping and other means of data gathering to investigate criminal offences, stipulates the sanctions for having acquired protected information or traffic data by means of a communication network for personal use, commercial benefit, political advantage, or criminal activity. This provision is the most specific one found in this regard amongst the cadre of Belizean laws.

6.2 How are data breaches regulated in Belize? What are the requirements for responding to data breaches?

Data breaches are regulated in the Interception of Communications Act (see question 6.1). They are referred to as “unauthorized interceptions”.

However, there is a draft Cyber Security Bill currently undergoing stakeholder review, which is intended to be enacted in 2020. This Act will be one of the first to delve deeply into data security and privacy in the digital environment.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

According to current legislation, individuals have the right for their personal information that has been collected from the public sector to remain confidential. Such personal information is only to be shared with that person’s written consent, or the consent of their relatives if the person is deceased.

In this regard, the Belize Constitution Act regulates the following in Section 3:

“Whereas every person in Belize is entitled to the fundamental rights and freedoms of the individual, that is to say, the right, whatever his race, place of origin, political opinions, colour, creed or sex, but subject to respect for the rights and freedoms of others and for the public interest, to each and all of the following, namely, (a) life, liberty, security of the person, and the protection of the law; (b) freedom of conscience, of expression and of assembly and association; (c) protection for his family life, his personal privacy, the privacy of his home and other property and recognition of his human dignity; and (d) protection from arbitrary deprivation of property, the provisions of this Part shall have effect for the purpose of affording protection to those rights and freedoms subject to such limitations of that protection as are contained in those provisions, being limitations designed to ensure that the enjoyment of the said rights and freedoms by any person does not prejudice the rights and freedoms of others or the public interest.”


8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

There is no national regulation; however, there are a myriad of businesses that comply with the GDPR and/or other international regulations.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

There is no national regulation.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

There is no national regulation.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

N/A

8.5 Are there specific privacy rules governing data brokers?

N/A

8.6 How is social media regulated from a privacy perspective?

There are no national regulations. However, the Belizean community is very vocal about any injustice carried out through social media, especially with respect to cyber-bullying, discrimination and the exposure of personal information. Public outcry has led to a strong push towards the passing of the Cybersecurity Bill, especially after social media has been used to expose intimate pictures of individuals, as well as to direct threats towards individuals’ personal and sexual integrity, especially of women. The last instance of cyber-bullying was met with outcry from both the public and private sectors, including the Prime Minister, Minister of Government and several NGOs.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

N/A

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

No. Any requirements or restrictions exist within the agreements/contracts between parties.


9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

Privilege between different professionals and individuals is expected and exists within specific professions, through the Medical Practitioners’ Act, the Freedom of Information Act and the Code of Judicial Conduct and Etiquette, among others.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

The potential penalties are fines and prison sentences. For example, in accordance with the Interception of Communications Act, fines of up to 200,000 dollars may be imposed, and imprisonment for up to ten years, depending on the matter and its recurrence.

10.2 Do individuals have a private right of action? What are the potential remedies?

Yes, individuals have a private right of action under Constitutional Law, Torts and Contract Law. The potential remedies are damages.

Due to the lack of specific legislation on privacy, many people rely on privilege established between a professional and themselves. In addition, where sensitive information is exchanged, it is the norm to include a confidentiality clause in the contract, or to carry out a confidentiality agreement.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Belize which affect privacy?

No. Privacy and its preservation in daily life and in commerce is not a prevalent, nor a thoroughly explored, part of Belizean society. Therefore, even from a cultural perspective, there appears to be no specific “rule” that affects privacy in Belize.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

There is currently a Cybercrime Bill that is expected to be passed into law in 2020. This bill regulates the illegal access to computer systems, interception, data interference, acquisition of data, computer-related forgery and fraud, and identity-related offenses, among others.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Belize?

Belize caters to a large number of tourists and expats, whose information may be protected by international regulations. Therefore, international privacy laws are widely referred to by companies, and integrated into their policies, in order to reduce any liabilities that may arise from the collection of personal information.


12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

In 2019, there were occurrences relating to: cyber-bullying; social media and website hacking; bank account data phishing; and ATM tampering and fraud. Due to these events, matters of privacy came into sharper focus in public discussion; however, there has not been an equally intense focus on passing legislation to deal with these issues.

12.2 What do you envision the privacy landscape will look like in 5 years?

Due to Belize’s lack of attention to the need for privacy regulation, we anticipate that there will continue to be sensational events concerning breaches of privacy and data breaches, which will touch several areas of society including:

(a) youth and cyber-bullying;

(b) banks and data protection; and

(c) telecommunications and data transfer.

Therefore, it is highly likely that, within the next 5 years, Belize may, in “one fell swoop”, revamp its privacy landscape in order to combat the various issues; and will possibly do so in a wide-reaching and cohesive manner.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

Companies must carry out their due diligence to ensure that they abide by the upcoming legislation to avoid corporate liability, especially if and when the Cybersecurity Bill is passed, as it stipulates that the courts in Belize will have jurisdiction, among other situations, if a regulated act is carried out and affects a computer system located in Belize, or computer data on a computer data storage medium located in Belize is affected by the act, or the effect of the act, or the damage resulting from the act, occurs within Belize.


PRIVACY LAW – BOLIVIA

1 PRIVACY LAW

1.1 How is privacy regulated in Bolivia?

Privacy is regulated as a fundamental right, recognized in Article 21.2 of the Bolivian Constitution. As a consequence, constitutional rulings issued by the Bolivian Constitutional Court have developed the scope of this right and created certain specific obligations aimed at the adequate protection of privacy.

Additionally, sector-specific laws for certain regulated sectors (such as financial entities and telecommunications) impose more obligations upon those entities subject to such legislation.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

(a) National laws:

(i) Bolivian Constitution (Articles 21.2, 130 and 131);

(ii) Criminal Code (Articles 363 Bis and 363 Ter);

(b) Sector-specific laws:

(i) Access to Information, Supreme Decree 28168 (Article 19) (executive branch and State-owned companies);

(ii) Electoral Organization Law 018 (Articles 72, 74, 76, 77 and 79) (electoral body);

(iii) Telecommunications Law 164 (Articles 54, 56, 59, 84, 89, 90, and 91) (telecommunications industry);

(iv) Telecommunications Regulation Supreme Decree 1391 (Article 179) (telecommunications industry); and

(v) Telecommunications Regulation Supreme Decree 1793 (Articles 3, 4, 40, 54, 56 and 57) (telecommunications industry).

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

Privacy law is enforced through:

(a) Constitutional rulings issued by the Bolivian Constitutional Court, when it is considered that a certain person, company or entity is affecting privacy as a fundamental right of another person.

(b) Criminal judgements, when the particular situation is considered to be a criminal offense.

(c) Administrative resolutions issued by the Telecommunications and Transport Authority (only applicable to the companies that are under its authority).

2 SCOPE

2.1 Which companies are subject to privacy law in Bolivia?

All companies are subject to the privacy guidelines (among others) resulting from constitutional rulings. This means that the standards and rules that the Bolivian Constitutional Court has developed through its rulings are mandatory for all companies and people in the Bolivian territory.


However, some companies are also subject to specific privacy laws. For example, Law 164, Supreme Decree 1793 and Supreme Decree 1391 establish privacy protection obligations for companies that perform activities or supply services related to telecommunications, information technologies, and communication. There are also several regulations issued by the Bolivian Financial Regulatory Agency that impose specific privacy protection obligations on financial institutions, including insurance providers and related entities.

Finally, there are laws that are only applicable to certain state entities in the executive branch (Law 018) and the electoral body (Law 28168).

2.2 Does privacy law in Bolivia apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

Bolivian privacy laws are applicable to foreign entities only to the extent that the activities of such foreign companies are performed in Bolivia or that Bolivian persons are the intended consumers of the products or services.

Law 164 and Supreme Decree 1391 apply to companies that carry out activities or supply services related to telecommunications, information technologies and communication. These regulations apply to companies whose activities: (i) originate in Bolivia, (ii) transit through Bolivia or (iii) have consumers in Bolivia.

There are no specific regulations resulting strictly from privacy law for companies outside the country.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Bolivia?

Article 3 of Supreme Decree 1793 defines “personal data” as all information that identifies, or makes identifiable, a person or legal entity.

The Bolivian Constitutional Court has not defined the term “personal data”, although there are specific rulings that use this concept and link it to the right of privacy.

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

Constitutional Sentence 1738/2010-R defines “sensitive information” as information that only concerns its owner, such as political and religious beliefs, sexual orientation, health conditions, information that could generate any type of discrimination, etc.

The owner of this information has the right to request the exclusion of this information, and there is an obligation on an entity that has such information not to share it, or make it public.


3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

Local legislation does not establish specific principles regarding the processing of personal data. However, it is understood that consent is key. The owner of the information must be aware of every aspect related to the processing of his/her information in order to provide informed consent.

However, we recognize as good practice the implementation of the principles established by the Inter-American Juridical Committee regarding privacy and data protection. This document includes the following principles (among others):

(a) Lawful and fair purposes (“Personal data should be collected only for lawful purposes and by fair and lawful means”);

(b) Clarity and consent (“The purposes for which personal data is collected should be specified at the time the data is collected. As a general rule, personal data should only be collected with the consent of the individual concerned”);

(c) Relevant and necessary (“The data should be accurate, relevant and necessary to the stated purposes for which it is collected”);

(d) Limited use and retention (“Personal data should be kept and used only in a lawful manner not incompatible with the purpose(s) for which it was collected. It should not be kept for longer than necessary for that purpose or purposes and in accordance with relevant domestic law”);

(e) Duty of confidentiality (“Personal data should not be disclosed, made available or used for purposes other than those for which it was collected except with the knowledge or consent of the concerned individual or under the authority of law”);

(f) Protection and security (“Personal data should be protected by reasonable and appropriate security safeguards against unauthorized access, loss, destruction, use, modification or disclosure”); and

(g) Accuracy of data (“Personal data should be kept accurate and up-to-date to the extent necessary for the purposes of use”).

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

No, Bolivian legislation does not assign different roles to companies in this way.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

The main obligation required by privacy law is related to consent; according to Bolivian legislation, consent of the owner of the personal data is required at all stages of data processing and storage.


Therefore, the main obligation for companies is to obtain this consent (in writing, when sector-specific legislation requires it).

Another obligation is to store and process this information through secure mechanisms, in order to avoid it being used in any way in which consent has not been obtained.

Companies are required to inform information-owners of their rights, especially their right to access, rectify, cancel or delete this information.

These are general obligations; there are no specific privacy obligations in advertising.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Bolivia? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

Data security is regulated in Bolivia as an obligation on those subject to Supreme Decree 1793, namely companies or individuals that carry out activities or provide services related to digital certification, eGovernment, free software, email and use of documents and digital signatures. According to this Supreme Decree, the person responsible for data processing must implement all measures that guarantee the security of personal data. The measures taken must be appropriate given technological advances and the nature of the data stored.

There is nothing in local legislation to help companies address this standard.

6.2 How are data breaches regulated in Bolivia? What are the requirements for responding to data breaches?

Depending on the circumstances, data breaches can be treated as:

(a) Criminal offense under the Criminal Code, namely either:

(i) Access and misuse of computer data: One who, with the intention to obtain an undue benefit for himself/herself or a third party, manipulates a processing or transfer of computer data that leads to an incorrect result or avoids such a process whose result would have been correct, causing a transfer of assets to the detriment of a third party, may be punished with one to five years of imprisonment and a fine of 60–200 days.

(ii) Data manipulation: One who, without being authorized, seizes, accesses, uses, modifies, deletes or disables data stored on a computer or in any computer support, causing damage to the owner of the information, may be sanctioned with community service of up to one year or a fine of up to 200 days.

(b) Violation of the constitutional right to privacy: This may be protected through a constitutional claim. This is considered subsidiary; other possibilities in order to solve a particular claim must prevail and be used before presenting a constitutional claim.


7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

Individuals in Bolivia have the following rights related to their personal information/personal data:

(a) to access their collected and stored information, including the right to know the specific aims and objectives of the data collection and storage;

(b) to object to the collection and storage of their information;

(c) to request and obtain the cancelation and deletion of their personal information;

(d) to rectify inaccurate or incomplete personal information; and

(e) to request confidentiality of the collected information.

According to the Bolivian Constitutional Court, all these rights are included in a generic right known as the “Informative Auto-Determination”.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

Marketing communications are not regulated in Bolivia from a privacy perspective. However, it is understood that general rules regarding data protection developed by the Constitution and Bolivian Constitutional Court are applicable to marketing communications.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

Tracking technologies are not regulated in Bolivia.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

Targeted advertising and behavioral advertising are not regulated in Bolivia.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

In order for advertisers to share data with third parties for customer matching, the owner of the personal data must provide unequivocal consent. In cases where the company is subject to Supreme Decree 1793 (see question 6.1), this consent must be in writing. This obligation is applicable to any type of data transfer or sharing; customer matching is not specifically contemplated in Bolivian legislation.

8.5 Are there specific privacy rules governing data brokers?

There are no specific privacy rules governing data brokers.


8.6 How is social media regulated from a privacy perspective?

There is no regulation related to social media from a privacy perspective in Bolivia. The relationship between Bolivian users and social media platforms is strictly regulated by the terms and conditions of each platform, and there is no additional regulation established by Bolivian legislation.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

Loyalty programs and promotions are not specifically regulated from a privacy perspective. However, it is understood that general rules regarding data protection developed by the Constitution and Bolivian Constitutional Court are applicable to loyalty programs and promotions.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

By Article 56 of Supreme Decree 1793, the owner of personal data must be informed, before giving his/her consent, about (among other things) the potential recipients of the information, and the identity, address and legal representative of the entity responsible for the data treatment.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

By Supreme Decree 1793, the consent given by the owner of the personal data must be clear and provided in writing or any appropriate medium. Even though this Supreme Decree does not apply to all companies in Bolivia (see question 6.1), it is considered good practice to obtain written consent from the owner of personal data, even if some sector-specific laws do not require it, in order to guarantee the respect of the right to informative auto-determination.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

The violation of privacy could be sanctioned, if the violation is recognized by a Judge as a criminal offence under the Criminal Code, with imprisonment of 1 to 5 years (in case of computer data manipulation) or fines (in case of alteration, access and misuse of data or of data manipulation).

10.2 Do individuals have a private right of action? What are the potential remedies?

Individuals have a general private right of action to claim compensation for non-material damage caused by wrongful data processing. Potential remedies could be economic compensation for the damage caused.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Bolivia which affect privacy?

No, Bolivian culture has no particular rules that could affect privacy.


11.2 Are there any hot topics or laws on the horizon that companies need to know?

A draft bill was presented to the lower chamber of the Bolivian Assembly on November 30, 2018, although this law has not, as yet, been passed.

This draft legislation includes the principles developed by the Inter-American Juridical Committee (see question 3.3), together with all other previously mentioned legal provisions; and establishes the obligation on companies, or any person who is processing personal data, to implement appropriate mechanisms to prove compliance with its obligations regarding protection of personal data.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Bolivia?

Currently, Bolivia has not developed specific regulations related to data protection. However, since the basis of data protection has been recognized by the Bolivian Constitutional Court, we advise, to avoid future claims, the implementation of general principles and international good practices regarding data protection.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

Over the past few years, privacy regulation has been significantly developed through national and international legislation. There is a new dimension to already-existing rights, that is a logical response to the impact of new technologies in everyday life and the commercial opportunities that they represent. The development of these rights has created new obligations on companies, which affect their interaction with customers and the public in general.

These changes have been triggered by the new channels of interaction that the new technologies have created between persons and companies, and the new necessities they bring.

12.2 What do you envision the privacy landscape will look like in 5 years?

In five years, the extent of privacy as a right will be better understood by people and companies, and the rules of interaction through new technologies will be clearer. By having a better understanding of the rules applicable to privacy, companies and their customers/consumers will be able to take advantage of new technologies within the scope of these rules. Companies must face the challenges that arise with the development of privacy in order to meet their consumers’ demands, and, in the long term, this will generate new commercial interaction.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

Currently, companies are compelled to include new mechanisms to ensure correct data processing. These new mechanisms should include procedures to ensure informed consent and guarantee the security of this information, and other channels to comply with the new obligations on companies. Companies must adapt their structures and internal regulation to meet these standards.


Additionally, companies must have a procedure to solve any problems related to data protection. New technologies represent a new, faster and easier medium to transfer information; and companies must be prepared to face any conflict that could result from a misuse of personal data in this medium, when errors cannot be avoided.


PRIVACY LAW – BRAZIL

1 PRIVACYLAW

1.1 HowisprivacyregulatedinBrazil?

TheBrazilianConstitutionstablishesgeneralprinciplesthatprotecttheprivacyandconfidentialityofpersonalinformationandcommunication.Accordingly,itprovidesfortheinviolablerighttointimacy,privacy, honor and image of individuals (article 5, itemX). The Constitution also provides for theconfidentiality of correspondence and telegraphic communications, data and telephonecommunication (article 5, item XII). Violation of the above rights entitles the individual toindemnificationformoralormaterialdamages(article5,itemX).

TheCivilCodedoesnotdefineprivacy,butprovidesthattheprivatelifeofanindividualshallnotbeviolatedandthatthejudgeshall,uponrequestoftheinterestedparty,takethenecessarymeasurestostoportoimpedeanyactcontrarytothisrule(article21).TheCivilCodefurtherstatesthattherighttoprivacyisapersonalright,whichcannotbewaivedorassigned(article11).

Moreover, the Brazilian General Data Protection Law ("LGPD"), the first specific legislation on the subject in Brazil, was signed into law on August 14, 2018. The text follows the worldwide trend of strengthening personal data protection, guaranteeing a series of rights to data subjects, as well as imposing important obligations on processing agents. The LGPD replicates key points of the European General Data Protection Regulation ("GDPR"). This new law will be effective as of August 2020.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

Although the LGPD (Federal Law 13,709/18) is not effective yet, the Brazilian legislation has other norms currently in use for the control of the use of personal data for advertising. The most important laws used in these cases, concerning topics from image rights to rights of information and transparency of services, are:

(a) The 1988 Federal Constitution;

(b) The Brazilian Civil Code (Federal Law 10,406/02);

(c) The Consumer Defense Code (Federal Law 8,078/90);

(d) The Brazilian Civil Framework of the Internet (Federal Law 12,965/14, complemented by Decree 7,724/12);

(e) The Child and Adolescent Statute (Federal Law 8,069/90);

(f) Bank Secrecy Law (Law 105/01);

(g) Telephone Calls Interception Law (Law 9,296/96);

(h) Public Information Access Law (Law 12,527/11; complemented by Decree 7,724/12);

(i) Cyber-Security Policy (Resolution 4,658/2018 by the Brazilian Central Bank);

(j) Habeas Data Law (Law 9,507/97); and

(k) Nonpayers' Register Law (Law 12,414/11).

The LGPD also establishes the National Data Protection Authority ("ANPD"), responsible for overseeing, implementing and enforcing LGPD compliance. See question 1.3.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

In addition to the regular courts, which are responsible for civil and criminal lawsuits, the ANPD, established by the LGPD (through Provisional Measure 869), is responsible for overseeing, implementing and enforcing LGPD compliance.

The Provisional Measure establishes, among other things, that the ANPD is an agency with technical and decision-making autonomy and is of a transitional legal nature, which can be transformed into an indirect federal public administration entity within two years.

The ANPD is to:

(a) develop guidelines for the National Policy of Personal Data and Privacy, as well as specific rules;

(b) coordinate its activities with regulators of specific sectors, to ensure the fulfilment of their duties with the greatest efficiency;

(c) disseminate in society information about the norms and public policies of protection of personal data and about measures for security; and

(d) have exclusive competence to apply sanctions.

These powers should take precedence over those of other public administration entities.

The ANPD is still in the process of formation.

2 SCOPE

2.1 Which companies are subject to privacy law in Brazil?

The LGPD is applicable to any company whenever personal data is collected from individuals located in Brazil, the processing is performed in Brazil, or there is the offer of goods and services to individuals located in Brazil.

However, it is not applicable to processing for:

(a) public security,

(b) data coming from and destined for other countries that is only in transit through Brazil,

(c) personal or non-commercial use, and

(d) journalistic, artistic or academic purposes.

2.2 Does privacy law in Brazil apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

The LGPD establishes the principle of extraterritoriality in its application. As a result, the new rules apply not only to companies located in Brazil, but also to entities that process or collect data in the Brazilian territory and to companies that aim to offer or supply goods and services to individuals located in Brazil.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Brazil?

According to the LGPD, "Personal Data" is information related to a natural person who is directly identifiable by that information or can possibly be identified from it.

Personal data must have been collected on national territory for the law to apply.

For each type of data, the LGPD reserves a different model of conduct to be adopted during processing, with limitations on the cases in which personal and sensitive data may be processed (see question 3.2).

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

Data processing follows different rules depending on the type of data we are dealing with. Data may be divided in two major groups:

(a) In the first, there are two types of data that we need to be careful about:

(i) Anonymized data, which is data that does not contain the data subject's identification element and will only be considered personal data when the anonymization process to which it was submitted is reversed or can be reversed; and

(ii) Pseudonymized data, which is data that has encrypted identification elements and where reversibility is possible.

(b) In the second group, there are two types of data to which the LGPD grants greater protection:

(i) Personal data, meaning information related to the identified or identifiable natural person (including identifying numbers, location data or electronic identifiers, when these relate to a person); and

(ii) Sensitive personal data, meaning information such as racial or ethnic origin, religious beliefs, political opinions, membership of trade unions or religious, philosophical or political organizations, data relating to health or sexual life, genetic or biometric data, etc.
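The practical difference between the two groups above is reversibility: pseudonymized data keeps a link back to the person that the controller (and only the controller) can re-establish, so it remains personal data, while anonymized data has no such link and falls outside the LGPD's definition unless the anonymization can be undone. The following Python example, added here and not part of the original chapter, makes that distinction concrete. The records, the field names (cpf, email, age, zip, plan) and the token format are constructed for the demonstration; pseudonymization uses a keyed HMAC token plus a controller-held vault so that re-identification needs the key holder, and anonymization drops the direct identifiers and generalizes the quasi-identifiers with no key or table that could reverse it.

```python
"""
LGPD pseudonymized vs anonymized data (added example, not from the chapter).
All identifiers, field names and sample records below are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample records: direct identifiers plus attributes kept for analytics.
# Record 0 and record 2 describe the same (fictional) person.
SAMPLE_RECORDS = [
    {"cpf": "123.456.789-09", "email": "ana@example.com", "age": 34, "zip": "01310-100", "plan": "gold"},
    {"cpf": "987.654.321-00", "email": "bruno@example.com", "age": 41, "zip": "01311-200", "plan": "silver"},
    {"cpf": "123.456.789-09", "email": "ana@example.com", "age": 34, "zip": "01310-100", "plan": "gold"},
]
DIRECT_IDENTIFIERS = ("cpf", "email")


@dataclass
class Pseudonymizer:
    """Replaces direct identifiers with keyed tokens. The controller keeps the
    key and the token->identifier vault separately from the pseudonymized
    dataset, so the link can be re-established by the controller but not by
    whoever holds only the tokens (the "reversibility is possible" case)."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    vault: dict = field(default_factory=dict)

    def token_for(self, value: str) -> str:
        # Keyed HMAC: same input -> same token, but unforgeable without the key.
        digest = hmac.new(self.key, value.encode(), hashlib.sha256).hexdigest()[:16]
        self.vault[digest] = value
        return digest

    def pseudonymize(self, record: dict) -> dict:
        out = dict(record)
        for name in DIRECT_IDENTIFIERS:
            if name in out:
                out[name] = self.token_for(out[name])
        return out

    def reidentify(self, record: dict) -> dict:
        """Reverses pseudonymization using the vault; only the key holder can."""
        out = dict(record)
        for name in DIRECT_IDENTIFIERS:
            if name in out:
                out[name] = self.vault[out[name]]
        return out


def anonymize(record: dict) -> dict:
    """Drops direct identifiers and generalizes quasi-identifiers. No key or
    table reverses this, which is what the LGPD treats as anonymized data."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    decade = (out["age"] // 10) * 10
    out["age"] = f"{decade}-{decade + 9}"          # age bucket instead of exact age
    out["zip"] = out["zip"][:3] + "**-***"          # keep only the regional prefix
    return out


def pseudonymized_still_links(records: list, pz: Pseudonymizer) -> bool:
    """Same person -> same token, so pseudonymized records remain linkable
    to one another (and therefore are still personal data)."""
    tokens = [pz.pseudonymize(r)["cpf"] for r in records]
    return tokens[0] == tokens[2] and tokens[0] != tokens[1]


def unkeyed_guess_fails(pz: Pseudonymizer, value: str) -> bool:
    """A party without the key cannot recompute a token from a guessed CPF,
    which is why a plain unkeyed hash would not be adequate pseudonymization."""
    unkeyed = hashlib.sha256(value.encode()).hexdigest()[:16]
    return unkeyed != pz.token_for(value)


if __name__ == "__main__":
    pz = Pseudonymizer()
    print("pseudonymized:", pz.pseudonymize(SAMPLE_RECORDS[0]))
    print("re-identified:", pz.reidentify(pz.pseudonymize(SAMPLE_RECORDS[0])))
    print("anonymized:   ", anonymize(SAMPLE_RECORDS[0]))
```

The design point for a controller is that the key and vault are the "identification elements" the LGPD refers to: they must be stored and access-controlled apart from the pseudonymized dataset, and a dataset handed to a processor without them is still personal data, just with a smaller blast radius.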

Personal or sensitive data processing is allowed in the following exceptional cases:

• for the fulfilment of a legal or regulatory obligation;

• by the public administration, for the implementation of public policies established by law;

• for the conduction of studies by research bodies, provided that anonymity is maintained;

• for the performance of the contract to which the data subject is party;

• for the regular exercise of rights in judicial, administrative or arbitral proceedings;

• for the protection of the data subject's or a third party's life or physical integrity;

• for health protection, with procedures performed by health professionals or health entities;

• for the protection of credit, under the terms of the Consumer Defense Code; and

• when it is necessary to meet the legitimate interests pursued by the controller (ie, the individual or legal entity which is responsible for making decisions regarding the processing of data) or by a third party (except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data).

Aside from the above-mentioned exceptions, the processing agents must obtain the freely-given, informed and unambiguous consent of the data subject, in writing or by other means that indicate the data subject's agreement, both to the data processing and to the sharing of the data with other companies. The data subject may withdraw such consent at any time.

The use of children's or teenagers' data must be made with specific consent given by at least one parent or legal guardian. Personal data of minors may be collected without this consent when collection is necessary to contact the parent or legal guardian, when it is used only for storage purposes, or for the minor's protection, and in no case may be passed on to a third party without the consent of at least one parent or legal guardian. Controllers may not condition the participation of minors in games, internet applications or other activities on the provision of personal information beyond what is strictly necessary for the activity. The controller must also make reasonable efforts to verify that consent has been given by the parent or legal guardian of the child or teenager concerned, considering available technologies, and to ensure that data processing information is provided in a simple, clear and accessible manner, taking into account the intellectual and mental aspects of the user, with the use of audiovisual resources when appropriate, in order to provide the necessary information to the parents or legal guardian in a form adequate to the understanding of the child or teenager.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

The ten principles that companies need to follow regarding the processing of personal data are:

(a) Purpose — Legitimate, limited, explicit and informed purposes for processing;

(b) Adequacy — Compatible with the purposes;

(c) Necessity — Use of data only when necessary;

(d) Free access — Provision of free and integral access to data subjects on the processed data;

(e) Quality of data — Accurate, clear and updated data;

(f) Transparency — Clear and accurate information to data subjects;

(g) Security — Effective technical and administrative measures regarding data protection;

(h) Prevention — Adoption of measures to avoid damage to data subjects, such as periodic diligence, training etc;

(i) Non-discrimination — No use for discriminatory purposes; and

(j) Liability and accountability — Evidence of effective measures for compliance with the LGPD.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

In addition to the data subject, there are three other figures involved in data processing:

(a) The Processor — a natural or legal person, under public or private law, who processes personal data on behalf of the controller;

(b) The Controller — a natural or legal person, whether public or private, who takes the decisions concerning the processing of personal data; and

(c) The Data Protection Officer ("DPO") — a natural or legal person, appointed by the controller, who acts as a communication channel between the controller, the data subjects and the competent authority.

If the controller or the processor (together, the "processing agents"), due to the exercise of the activity of processing personal data, causes property, moral, individual or collective damage to others, in violation of the legislation on protection of personal data, it is obliged to redress it.

In order to ensure effective compensation to the data subject, the LGPD provides for joint liability: the processor is jointly liable with the controller when (i) the damage was caused by processing performed by the processor in breach of the data protection law obligations, or (ii) the processor has not followed the controller's lawful instructions; and controllers directly involved in the processing which caused the damage are jointly liable among themselves.

However, the processing agents will not be held responsible when they prove: (i) that they have not processed the personal data; (ii) that, although they have processed the personal data, there has been no violation of data protection legislation; or (iii) that the damage was caused by the data subject's or a third party's fault.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

The processing agents, or any other person who intervenes in one of the processing phases, are required to ensure the security of the personal data, as provided in the LGPD, even after the completion of the processing.

The processing agent should inform the data subject, in a clear and specific manner, of any changes in the purpose, form, or duration of data processing, as well as changes regarding the sharing of data or the identification of the controller.

The processor must process the data according to the instructions provided by the controller, who will verify compliance with the instructions and the rules on the matter.

The controller and the processor must keep a record of the personal data processing operations that they perform, especially when based on legitimate interest.

The ANPD may require the controller to draw up a report on the impact on the protection of personal data, including sensitive data, regarding its data processing operations, under the terms of the regulation, subject to commercial and industrial secrets. This report must contain, as a minimum:

• a description of the types of data collected,

• the methodology used for the collection and for ensuring the security of the information, and

• the controller's analysis regarding the measures, safeguards and risk mitigation mechanisms adopted.

The controller must appoint a DPO for the processing of personal data. The identity and contact information of the DPO must be disclosed publicly, clearly and objectively, preferably on the controller's website. The activities of the DPO consist of:

• receiving complaints and communications from data subjects, providing clarification and adopting measures to solve these;

• receiving communications from the ANPD;

• advising the entity's employees and contractors regarding the practices to be taken in relation to the protection of personal data; and

• performing other duties as determined by the controller or as set out in complementary rules.

Note that the ANPD may establish complementary rules concerning the definition and duties of the DPO, including situations in which the need for appointment is exempted, according to the nature and size of the entity, or the volume of the data processing operations.

Except in specific situations, the agent must delete personal data upon the completion of the data processing, which may occur when the purpose of the data processing is reached, when the period agreed for the processing ends, when requested by the data subject, or when ordered by the competent body. The specific situations in which the agent will not delete the personal data after the end of its processing are:

• for compliance with a legal or regulatory obligation by the controller;

• for study by a research body, ensuring, whenever possible, anonymization of personal data;

• for transfer to a third party, provided that the data processing requirements laid down in the LGPD are respected; or

• for exclusive use of the controller, as long as it is anonymised, its access by a third party being forbidden.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Brazil? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

Data security for the processing of personal data shall be structured to meet the security requirements, the governance standards, and the general principles set forth in the LGPD and in other laws (see, further, question 1.2).

Please note that it is part of the ANPD's responsibility to oversee, implement and enforce privacy compliance. Thus, it is expected that new regulations will be drafted in the near future.

6.2 How are data breaches regulated in Brazil? What are the requirements for responding to data breaches?

The Brazilian Civil Framework of the Internet provides for the right of inviolability of privacy of the Internet user, ensuring compensation for material or moral damage arising from its violation.

The LGPD provides that the controller must report to the ANPD and to the data subject the occurrence of a security incident that may lead to significant risk or damage to the data subject. The communication should be made within a reasonable period of time, as defined by the ANPD, and should mention at least:

(a) the description of the nature of the affected personal data;

(b) information about the data subjects involved;

(c) indication of the technical and security measures used for data protection, observing trade and industrial secrets;

(d) the risks related to the incident;

(e) the reasons for the delay, in case the communication was not immediate; and

(f) the measures that have been or will be taken to reverse or mitigate the effects of the damage.

The ANPD will verify the seriousness of the incident and may, if necessary to safeguard the rights of the data subjects, order the controller to adopt measures such as wide dissemination of the fact in the media and measures to reverse or mitigate the effects of the incident. During its judgment as to the severity of the incident, it will evaluate whether there is any evidence that appropriate technical measures have been taken to render the affected personal data unintelligible to third parties not authorized to access them.

For more information on the penalties, please see question 10.1.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

The LGPD guarantees a wide range of rights to data subjects, such as:

(a) confirmation of the existence of processing;

(b) access to their data;

(c) correction of incomplete, inaccurate or outdated data;

(d) anonymization, blocking or elimination of unnecessary or excessive data, or of data processed in breach of the law;

(e) portability of the data to another service or product provider, upon express request and observing commercial and industrial secrecy, according to the guidance of the data protection authority;

(f) elimination of personal data processed with the consent of the data subject, except in the cases provided for by law;

(g) information on public and private entities with which the controller promoted shared use of data;

(h) information about the possibility of not providing consent and the consequences of the refusal; and

(i) withdrawal of consent at any time.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

This type of marketing falls under general privacy and advertising regulations set out in the LGPD, the Brazilian Federal Constitution, the Brazilian Civil Code, the Brazilian Consumer Defense Code, the Brazilian Advertising Self-Regulation Code, and other laws mentioned in question 1.2.

It is worth noting that the Brazilian Superior Court of Justice has ruled that the making of certain telephone calls for marketing purposes to a consumer at home or work with coercive or dishonest business methods, without the consumer's approval, is deemed "abusive publicity" and, therefore, illegal (article 6, item IV, of the Consumer Defense Code).

Thus, it is recommended that companies obtain the consumer's express consent before making telephone calls for marketing purposes (based on the opt-in system).

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

There are no specific privacy rules governing tracking technologies, although the privacy rules contained in the LGPD and other laws mentioned in question 1.2 must be respected.

The expectation is that the ANPD will issue rules that will cover the specific points not yet regulated.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

There are no specific privacy rules governing targeted advertising and behavioral advertising, although the privacy rules contained in the LGPD and other laws mentioned in question 1.2 must be respected.

The expectation is that the ANPD will issue rules that will cover the specific points not yet regulated.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

No personal data may be transferred to third parties, including access logs and connection logs, unless the user consents or it is allowed by law. The LGPD provides for the principle of transparency in the processing of personal data. This means that the data subject must have clear, accurate and easily accessible information about who is handling their data. Accordingly, in the event that a controller, who has obtained the consent of the data subject for the processing of his data, needs to communicate or share personal data with other controllers, he must obtain the specific consent of the data subject for that purpose. In practice, if the controller needs to transfer the collected data to third parties, data subjects should have clear information about such transfer, for example through the controller's privacy policy. Additionally, if the controller processes the data based on the consent of the data subject, there must be specific consent of the data subject to the transfer.

8.5 Are there specific privacy rules governing data brokers?

There are no specific privacy rules governing data brokers, although the privacy rules contained in the LGPD and other laws mentioned in question 1.2 must be respected.

The expectation is that the ANPD will issue rules that will cover the specific points not yet regulated.

8.6 How is social media regulated from a privacy perspective?

There are no specific privacy rules governing social media, although the privacy rules contained in the LGPD and other laws mentioned in question 1.2 must be respected.

The expectation is that the ANPD will issue rules that will cover the specific points not yet regulated.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

In addition to the laws mentioned in question 1.2, loyalty programs and promotions are also regulated by:

(a) The Consumer Defense Code — This law establishes the legal principles and requirements applicable to consumer relations in Brazil. It regulates, among other things, product and service liability, contractual clauses, commercial practices, advertising and relevant information on products and services offered to consumers. Misleading and abusive advertising are strictly prohibited. In addition, according to the Consumer Defense Code, the opening of a file, record or register of personal and consumer data must be communicated in writing to the consumer, when not requested by him.

(b) Brazilian Advertising Self-Regulation Code ("Self-Regulation Code") — Any activity designed to stimulate the consumption of products and services and promote institutions, concepts or ideas is considered to be advertising and subject to the rules of the Self-Regulation Code. Although the Self-Regulation Code is not enshrined in law, on the few occasions when the Self-Regulation Council's rulings have been challenged in a court of law, its decisions have prevailed. As a result, the Self-Regulation Code is also used as a reference document and considered subsidiary legislation by Brazilian courts.

(c) Decree Law 70,951/72 and Law 13,756/2018, regulating Law 5,768/71 — Under these, all promotions involving the free distribution of prizes (contests, sweepstakes and gift certificates) require the authorisation of the Fiscal, Energy and Lottery Secretariat, which is linked to the Ministry of Economy, or of the Brazilian National Savings Bank, before being implemented in Brazil.

(d) Decree Law 7,962/2013 ("Electronic Commerce Decree") — This Decree regulates consumer relations on the internet and includes applicable provisions.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

As to transfer of data generally, see question 8.4.

International transfer of personal data is only allowed by the LGPD in the following cases:

(a) For countries or international organizations that provide a degree of protection of personal data appropriate to the provisions of the LGPD;

(b) When the controller offers and proves guarantees of compliance with the principles, the rights of the data subject and the data protection regime provided for in this Law, in the form of:

(i) specific contractual clauses for a given transfer,

(ii) standard contractual clauses,

(iii) global corporate standards, or

(iv) regularly issued stamps, certificates and codes of conduct;

(c) When the transfer is necessary for international legal cooperation between public intelligence, investigation and prosecution bodies, in accordance with the instruments of international law;

(d) When the transfer is necessary to protect the life or physical safety of the data subject or a third party;

(e) When the national authority authorizes the transfer;

(f) When the transfer results in a commitment made in an international cooperation agreement;

(g) When the transfer is necessary for the execution of public policy or legal attribution of the public service;

(h) When the data subject has given his specific and prominent consent to the transfer, with prior information on the international character of the operation, clearly distinguishing it from other purposes; or

(i) When necessary to meet the assumptions of compliance with a legal or regulatory obligation by the controller; regular exercise of rights in judicial, administrative or arbitral proceedings; or protection of the life or physical safety of the data subject or a third party.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

Please see question 9.1.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

In addition to damage to the company's reputation in the public eye, the LGPD provides for the following legal penalties:

(a) warnings;

(b) obligation to disclose the incident (see, further, question 6.2);

(c) data deletion;

(d) fines of up to 2% of the business group's revenues in Brazil, limited to R$ 50,000,000.00 per infraction;

(e) daily fine of up to R$ 50,000,000.00 per infraction; and

(f) data lock.

10.2 Do individuals have a private right of action? What are the potential remedies?

Individuals have a private right of action by bringing civil and criminal lawsuits before the regular courts, on the basis of the laws mentioned in question 1.2.

The lawsuits may result in compensation for material and moral damages.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Brazil which affect privacy?

There are no rules particular to the culture of Brazil.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

Companies must be aware of the LGPD, which will be effective as of August 2020, and of regulations that will be issued by the ANPD.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Brazil?

There is no additional relevant information.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

Due to globalization, the recent technological developments, and the advent of social media, human beings all around the globe have begun to produce and share massive amounts of data on a scale that has never been seen before. These great alterations on everyday life have resulted in the rise of major scandals, in particular the best known of all: the Facebook–Cambridge Analytica data scandal. These scandals have led to a realization of the danger that this unregulated sector represents to individuals' privacy and safety and to society as a whole, finally leading citizens to demand stronger laws to deal with this issue.

12.2 What do you envision the privacy landscape will look like in 5 years?

In five years, with the raising of awareness of the importance of personal data and a greater demand for government action, regulation should become increasingly clear and comprehensive, securing to individuals greater rights and transparency in the use of their data.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

Private companies have the period until the LGPD comes into force (August 2020) to adapt their current systems. It is recommended to update companies' terms of use and privacy policies and to seek the data subject's specific consent for the data previously collected in order to proceed properly with the data processing. Companies will need to keep up with the many changes that will happen in the near future, looking for the assistance of specialized professionals.

PRIVACY LAW – CANADA

1 PRIVACY LAW

1.1 How is privacy regulated in Canada?

The Office of the Privacy Commissioner of Canada ("OPC") oversees compliance and enforces the federal privacy laws that set out the rules for the handling of personal information by federal government institutions and certain private sector businesses. It releases decisions, reports, policy statements and guidelines relating to the application and enforcement of privacy legislation. It also educates Canadians with respect to privacy rights and recourses.

Similar provincial Privacy Commissioner's offices oversee the various provincial privacy laws.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

In Canada, there is both federal and provincial privacy legislation governing the collection, use, disclosure and management of personal information:

(a) Personal Information (Federal): Canada has two federal privacy laws:

(i) The Privacy Act governs how federal government institutions deal with personal information, and

(ii) the Personal Information Protection and Electronic Documents Act ("PIPEDA") covers how private sector businesses collect, use and disclose personal information in the course of their commercial activities in provinces without substantially similar legislation, as well as their inter-provincial and international collection, use and disclosure of personal information. It also applies to federally regulated businesses such as banks, telecommunications companies, airlines, railways and internet service providers.

(b) Personal Information (Provincial): At the provincial level, Quebec, British Columbia and Alberta have enacted privacy laws deemed to be substantially similar to PIPEDA. Therefore, private sector businesses operating in those provinces are subject to:

(i) Personal Information Protection Act (British Columbia),

(ii) Act Respecting the Protection of Personal Information in the Private Sector (Quebec), or

(iii) Personal Information Protection Act (Alberta),

rather than PIPEDA.

(c) Health and Employment Personal Information (Provincial): Certain provinces also have privacy legislation in place for health (Ontario, New Brunswick, Newfoundland and Labrador, Nova Scotia) and employment (Alberta and British Columbia) personal information.

For the purposes of this chapter, we will focus on the privacy legislation in (a) and (b), referred to herein as "Canadian privacy legislation".

All businesses that handle the personal information of Canadians, including for marketing and advertising purposes, need to keep these laws in mind. There is no self-regulatory body in Canada relating to privacy.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

PIPEDA is enforced by the OPC, which can launch an investigation into the business practices of companies that collect personal information, either as a result of individual complaints or as a result of its own investigations into a particular company or industry sector. The OPC also conducts audits and pursues court actions under PIPEDA, and issues reports, policy statements and guidelines.

The same is true for Alberta, Quebec and British Columbia. In each of these provinces, the regulator is known as:

(a) Alberta: Office of the Information and Privacy Commissioner;

(b) Quebec: Commission d'accès à l'information du Québec;

(c) British Columbia: Office of the Information and Privacy Commissioner for British Columbia.

2 SCOPE

2.1 Which companies are subject to privacy law in Canada?

All private sector businesses that handle the personal information of Canadians in the course of their commercial activities are subject to PIPEDA, or to the provincial privacy statutes in Quebec, Alberta or British Columbia with regards to their activities in those provinces. Some organizations regulated federally from a constitutional perspective are not subject to provincial private sector privacy legislation.

2.2 Does privacy law in Canada apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

Privacy law applies to organizations conducting business in Canada that handle the personal information of Canadians. If a non-Canadian organization does business in Canada and collects, uses or discloses personal information of a Canadian, it is subject to Canadian privacy legislation, regardless of the jurisdiction in which it is located. All organizations are required to appoint a privacy officer to be responsible for compliance with Canadian privacy obligations, but that individual does not have to be located within Canada.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Canada?

The definition of "personal information" in Canada is very broad and can cover most information. In short, it is information that, on its own or when combined with other information, can identify an individual. In the legislation:

(a) PIPEDA: "Personal information" means information about an identifiable individual.

(b) Quebec: "Personal information" is any information which relates to a natural person and allows that person to be identified.

(c) Alberta: "Personal information" means information about an identifiable individual.

(d) British Columbia: "Personal information" means information about an identifiable individual and includes employee personal information but does not include (i) contact information, or (ii) work product information.

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

“Sensitive personal information/personal data” is not defined in any Canadian privacy legislation. PIPEDA provides that any information can be or become sensitive, depending on the context. Certain categories of information, such as health or financial, will generally be categorized as sensitive.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

The key privacy principles work in unison and are as follows:

(a) Consent: Organizations must obtain meaningful consent when collecting, using or disclosing personal information. PIPEDA requires that it would be reasonable to expect that individuals would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting. For consent to be valid, organizations must inform individuals of their privacy practices in a comprehensive and understandable manner. This is typically achieved with a privacy policy. The type of consent required (express or implied) will depend on the following factors:

(i) Nature of the information: Sensitive personal information will most often require an individual’s express consent.

(ii) Reasonable expectations: If there is a use or disclosure that an individual would not expect in the circumstances (eg, transfer to third party; location tracking), express consent is required.

(iii) Risk of harm: If there is a material risk of harm to an individual that could arise from the collection, use or disclosure of his/her personal information, express consent is required.

(b) Identifying Purposes: Organizations must identify the purposes for which the personal information is collected, either before or at the time of collection.

(c) Accountability: Organizations are responsible for personal information under their control, including when it is transferred to a third party for processing. Organizations must also designate an individual (eg, a privacy officer) who will be responsible for the organization’s privacy compliance as well as handle consumer complaints and requests.

(d) Limiting Use, Collection, Disclosure and Retention: Collection of personal information should be limited to that which is necessary to fulfil the intended purpose. Also, the information should be retained only for as long as is necessary for the fulfilment of the purpose(s) stated at the time it was collected.

(e) Security: Personal information must be protected by security safeguards appropriate for the sensitivity of the information. These safeguards must protect against loss, theft and unwanted disclosure.

(f) Openness: Organizations must document, and make readily available to individuals, specific information about their policies and practices relating to the handling of personal information.


(g) Accuracy: Organizations have an obligation to ensure that personal information in their records is accurate, complete and up-to-date, as necessary for the identified purposes.

(h) Access: Individuals have a right to access the personal information that an organization holds about them and to request that inaccuracies in the information be corrected or noted.

(i) Recourse: Organizations must develop simple and easily accessible complaint procedures.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

No, Canadian privacy legislation does not assign formal roles to companies based on their position relative to the personal information. The company that initially collects the personal information from the individual remains responsible for the information every step of the way, including when it is transferred to third parties for processing, as would be the case with service providers. When transferring information to a third party for processing, for example, an organization must ensure sufficient controls are in place to protect the information. This is typically reflected in contractual representations and warranties setting standards, handling and protection expectations, as well as granting rights to audit service providers for compliance.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

To comply with Canadian privacy legislation, organizations must:

(a) post a privacy policy that explains the type of information collected, the use and any disclosure to third parties;

(b) appoint a privacy officer: this individual would be responsible for privacy compliance and respond to any privacy complaint;

(c) get the appropriate form of consent based on the sensitivity of the personal information and the reasonable expectations of the individual; and

(d) notify the regulator of a data breach.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Canada? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

There is no legislative minimum standard for securing data. All personal information must be protected by security safeguards that will ensure that the personal information is secured from theft, loss, unauthorized access, disclosure, use, copying or modification. The level of security should be commensurate to the sensitivity of the information, so the more sensitive the information, the higher the level of security. These safeguards should include physical (eg, locking filing cabinets), organizational (eg, security clearances) and technological (eg, use of encryption) measures.


6.2 How are data breaches regulated in Canada? What are the requirements for responding to data breaches?

(a) Federally, PIPEDA requires organizations to report any breaches of security safeguards involving personal information to the Privacy Commissioner of Canada if it is “reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual”. Organizations must also notify the affected individuals as soon as feasible and keep records of all breaches for at least two years. The records must include the following:

(i) date or estimated date of the breach;

(ii) general description of the circumstances of the breach;

(iii) nature of information involved in the breach; and

(iv) whether or not the breach was reported to the Privacy Commissioner of Canada/individuals concerned were notified.

“Significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on credit record and damage to/loss of property. Factors that help determine whether a breach creates a real risk of significant harm include the sensitivity of the personal information involved and the probability that the personal information has been or will be misused.

(b) In Alberta, an organization must notify the Information and Privacy Commissioner of Alberta without unreasonable delay of a breach where there is a real risk of significant harm to individuals. The notice must be in writing and include similar details as those required by PIPEDA in (a) above.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

An individual has the following rights:

(a) to request access to the personal information an organization holds about him/her;

(b) to request the correction of the errors or inaccuracies of his/her personal information;

(c) to withdraw consent at any time. The individual must be informed of the implications associated with the withdrawal; and

(d) to complain to the relevant privacy authorities.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

Businesses that send emails, texts or push notifications to Canadians are subject to Canada’s Anti-Spam Legislation (“CASL”). In general, to send marketing messages, businesses must have the recipient’s consent (express or implied) and the message must include the prescribed disclosures, including a valid unsubscribe function.


8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

The information collected by this technology is likely classified as personal information and is subject to PIPEDA. The type of consent required (implied or express) will depend on the sensitivity of the information collected and the reasonable expectations of the individual. See also question 8.3, as cookies, pixels and SDKs are often used in online behavioral advertising.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

Consent is required for the collection, use or disclosure of all personal information, including for marketing purposes. The form of consent (express or implied) depends on the circumstances, the sensitivity of the information and the reasonable expectations of the individual. In cases where implied consent is suitable, individuals must be made aware of the marketing purposes at or before the time of collection, and in a manner that is clear and understandable (eg, just in time notices). Individuals must be able to easily opt out of the practice; the opt out must take effect immediately and the organization must destroy or de-identify the information as soon as possible.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

The type of consent required (express or implied) will depend on the sensitivity of the personal information collected, as well as the reasonable expectations of the individual.

8.5 Are there specific privacy rules governing data brokers?

No. However, any sale or other disclosure of personal information to a third party would likely require express consent from the affected individuals.

8.6 How is social media regulated from a privacy perspective?

Social media is not treated differently, and organizations hosting or participating on social media platforms are subject to Canadian privacy legislation in the same manner as other organizations.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

Loyalty programs and promotions that involve personal information are subject to Canadian privacy legislation. This purpose for collecting personal information is not treated differently than other purposes. The regulation of these programs, and level of consent required, will depend on the sensitivity of the personal information collected, as well as the reasonable expectations of the individual.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

Yes, under PIPEDA, an organization is required to “use contractual or other means to provide a comparable level of protection while the information is being processed by a third party”.

Further, in Alberta, if an organization uses a service provider outside of Canada to collect, use, disclose or store personal information, it must disclose (eg, in their privacy policy) the foreign jurisdiction in which the collection, use, disclosure or storage is taking place, and the purposes for which the information will be transferred outside Canada.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

Companies should, in order to be transparent in their handling of personal information, advise customers that their personal information may be sent to another jurisdiction for processing, and that it may be accessed by the courts, law enforcement and national security authorities while it is in another jurisdiction.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

(a) Data security: Under PIPEDA, failure to comply with the breach notification provisions is an offence punishable on summary conviction with a fine not exceeding $10,000, or, as an indictable offence, a fine not exceeding $100,000.

In Alberta, failure to notify the Information and Privacy Commissioner in the event of a breach is an offence. An individual who commits an offence is liable to a fine not exceeding $10,000 and, in the case of a person other than an individual, to a fine not exceeding $100,000.

(b) Privacy: After receiving a complaint, the OPC can launch an investigation into a business’ privacy practices. Once the investigation is complete, the OPC will issue a report of its findings and, if applicable, offer recommendations for compliance. Further, the OPC and the business can enter into an agreement under which the business agrees to comply with the OPC’s recommendations. If the business fails to comply with the terms of the compliance agreement, the OPC can apply to the Federal Court for an order requiring the business to comply.

There are other statutory provisions under PIPEDA which can amount to criminal sanctions. For example, obstructing the Commissioner in the course of a complaint investigation is an offence and liable to a fine of $10,000 for an offence punishable on summary conviction or $100,000 for an indictable offence.

10.2 Do individuals have a private right of action? What are the potential remedies?

There is no private right of action. However, there are growing common law causes of action for invasion of privacy in some Canadian provinces. These torts could be actionable if the intrusion was intentional/reckless, amounted to an unlawful invasion of the plaintiff’s private affairs, and would be viewed as highly offensive to the reasonable person. Common law remedies are broad, including awards of damages and injunctive relief.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Canada which affect privacy?

Quebec is the privacy leader in Canada and the concept of privacy is tied to an individual’s dignity. Quebec’s Charter of Human Rights and Freedoms states that every person has a right to respect of his/her private life. It is important to note that the Quebec Charter applies to all disputes, whether or not they involve government action.


11.2 Are there any hot topics or laws on the horizon that companies need to know?

The OPC recently initiated a consultation to consider its position on cross border data transfers under PIPEDA. In particular, it considered imposing a requirement that such transfers take place only with the consent of the data subject. This would have been a significant change. Since 2009, the OPC has held that businesses transferring personal information to service providers outside of Canada for processing are required to provide notice to individuals and to ensure, through contractual or other means, that the data recipient will provide a comparable level of protection while the information is being processed by the service provider. The OPC does not require the individual’s express consent for the data transfer, provided that the “use” of the personal information was for the purpose for which it was originally collected.

On September 23, 2019, the OPC announced that it had concluded its consultation on cross border data transfers and that its guidelines for processing personal data across borders will remain unchanged, for now.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Canada?

Given the concept of meaningful consent, the OPC takes the position that parents or legal guardians must be involved in the consent process when dealing with the personal information of children under the age of 13. In the OPC’s view, this age group does not have the mental capacity or maturity to understand the nature of what they are consenting to. Individuals between 13 years and the applicable age of majority can give meaningful consent, provided the organization’s privacy policy and privacy practices can easily be understood by such individuals.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

Over the years, the concept of consent has seen some of the biggest changes in the privacy landscape in Canada. The scope and application of consent has been constantly adapting to the evolution of big data practices and individuals’ sophistication regarding the value of their personal information — and purposes for which it is used. The evolution of consent has also been reflected in expanding the regulatory interpretation of existing legislation and enforcement approaches. For example, the recently concluded federal regulatory consultation suggests that the OPC may take the position in the near future that the cross-border flow of data will require an elevated form of consent (see question 11.2).

Another significant change to the privacy landscape in Canada is the ubiquitous use of technology in daily transactions and interactions, and the speed with which platforms facilitating data exchange have continued to evolve. While data practices become increasingly more sophisticated, regulatory views on the “reasonable expectations” of Canadians have not kept up. Multi-page privacy policies with complex terminology are no longer sufficient to provide appropriate disclosure of a business’ privacy practices and establish the sole basis for informed consent.


12.2 What do you envision the privacy landscape will look like in 5 years?

As individuals are becoming more aware of the value of their data, organizations will need to be prepared for more questions, transparency and, possibly, complaints. The common law causes of private action will become more significant legal and practical risks to organizations. It is likely that there will be a significant legislative reform at the federal level in the next 5 years, driven by changing legislative regimes internationally, and reflected in the stated priorities of the federal government prior to its 2019 re-election.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

Meaningful consent and data security are the key privacy challenges for organizations. Explaining the proposed use of an individual’s personal information in a way that he/she can understand is key to establishing meaningful consent at law. As technologies and processes evolve, organizations are facing increasing challenges in translating the complexity of their use of data to everyday Canadians in a simple, yet meaningful, manner.

Further, the value and quantity of personal information being exchanged, particularly across borders, has resulted in the rise of significant data breaches in Canada, including those involving personal financial information. Organizations are challenged to continue to protect themselves from this risk, from threats posed by innovative technological methods of breach, as well as more long-standing risks of exposure, such as weak organizational controls and poor proactive employee training.


PRIVACY LAW – CHILE

1 PRIVACY LAW

1.1 How is privacy regulated in Chile?

In Chile, privacy is regulated mainly by Law 19.628, “On the protection of private life”, commonly referred to as “the Personal Data Protection Law” (“DPL”). It dates from 1998, being the first Latin American regulation on the topic of personal data, and sought to regulate the market for the processing of personal data rather than to institute an autonomous right to the protection of personal data. Since 1998, the law has undergone some minor changes, which are mostly related to the transfer of debtor lists and the criteria of commercial risk assessments.

Nevertheless, the most commonly used way of exercising rights over personal data is through constitutional actions. In 2018, this was consolidated by incorporating into the constitutional text the protection of personal data, identifying such right separately to the right of privacy.

A new Data Protection Bill is currently being debated in the Chilean Congress, which is inspired by the GDPR.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

Data protection is addressed in several specific laws, as well as provisions scattered in related or complementary laws and other legal authority. The main laws and decrees containing data protection provisions are:

(a) Constitution of the Republic of Chile, Article 19(4): establishes the right to “the respect and protection of private life and the honor of the person and his family, and, furthermore, the protection of personal data”. Any person who by arbitrary or illegal act or omission suffers a loss, perturbation or threat to this right can file a constitutional protection action.

(b) DPL: mainly defines and refers to the treatment of personal information in public and private databases.

(c) Law 20,285, “On the Access to Public Information”: sets forth the public function Transparency Principle, ie, an individual’s right to access the information held by public administration bodies, and the procedures and exceptions thereof.

(d) General Law on Banks, Article 154: establishes banking secrecy. It provides that, subject to certain specific exemptions, all deposits are secret, and account-related information can be given only to the account’s owner or designated representative.

(e) Law 19,223, “Criminal Conducts related to Informatics”: establishes sanctions for those who breach and unlawfully access and/or use information available in electronic databases.

(f) Decree No 13 of 2009, Ministry of the General Secretary of the Presidency: establishes the Rules (or administrative provisions and procedures) of Law 20,285.

(g) Decree No 779 of 2000, Ministry of Justice: establishes the Rules of the personal data bank of Public Entities which provide that the Civil Registry and Identification Service will manage public data banks on behalf of all public bodies.


With a special focus on advertising aspects, there is a self-regulatory body called the Association of Direct and Digital Marketing of Chile AG, which enforces the “Code of Ethics and Self-regulation of the Direct and Digital Marketing Association of Chile AG”. This Code has an annex called the “Recommendations of the Self-Regulation Council of Direct and Digital Marketing on Consumer Rights in the Processing of their Personal Data”, in which recommendations regarding six topics are made:

• Principles of data processing,
• Consumer consent for data processing,
• Consumer rights in data processing,
• Responsibility and governance in data processing,
• Security in data processing, and
• Processing of personal data by third parties.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

The remedy set out in the DPL is the habeas data action, whereby the data subject can apply to the person in charge of a data bank with a request for information, or for information to be corrected, updated or deleted. Where the person in charge of the data bank does not rule on such request within two business days, or when it is denied, the person can go to court, which must proceed with the request through a brief and summary procedure. If the claim is accepted, the judge will set a reasonable period of time to comply with the decision and may apply a fine of one to ten monthly tax units (US$70–700), or ten to fifty monthly tax units (US$700–4000, approximately) if the data were related to obligations of an economic, financial, banking or commercial nature.

However, those who are victims of an illegitimate treatment of their data rarely execute the habeas data action available in the law, and instead choose to proceed through the constitutional protection action, which is characterized by its speed and low cost. Through it, any person can request the Chilean Court of Appeals to take measures to bring to an end an arbitrary or illegal act or omission, namely a deprivation, disturbance or threat to their constitutional rights and guarantees (one of which being the right to data protection and privacy).

Regarding public data processing, Law No 20,285 granted the Chilean Council for Transparency the competence to ensure adequate compliance with the DPL regarding the protection of personal data by the organs of the State Administration. Unfortunately, it was not granted the ability to sanction breaches of certain obligations, so the lack of compliance with the provisions of the law indicated by public bodies has not been mitigated.

2 SCOPE

2.1 Which companies are subject to privacy law in Chile?

All companies are subject to privacy law in Chile, including both those in the private and public sectors. There are no excluded industry sectors.

2.2 Does privacy law in Chile apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

No, unlike the GDPR, there are no explicit extraterritorial dispositions in Chilean privacy law.


3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Chile?

“Personal data” is defined as “any data related to information of any type concerning identified or identifiable natural persons”.

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

The DPL defines “sensitive data” as “personal data that refers to any physical or moral characteristics of any person, or to facts or circumstances of his or her intimate sphere, such as personal habits, racial origin, political ideologies and opinions, religious beliefs, physical and mental health, and sexual life”. It is a broad definition which has to be interpreted to include new types of data, such as biometric data, which were not commonly available at the time that the DPL was drafted.

Sensitive data may not be processed, unless there is legal authorization, the data subject has consented, or the sensitive data is necessary to grant healthcare benefits to its holder. In practice, there are fewer exceptions available to process sensitive personal data than regular personal identifiable information, which translates into companies relying on individual consent in order to lawfully process this information.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

In Chile, the principles of data protection are not expressly established in legislation; however, they are understood to be incorporated in the norm through legal interpretation of the DPL’s main provisions:

(a) Lawfulness and fairness: which means treating the data in accordance with the law and respecting the authorization of the owner;

(b) Purpose Limitation: which mandates that personal data can only be used and processed for the purposes for which they were collected;

(c) Storage limitation: that is, to treat the data only until the purposes of the treatment have been fulfilled, storing it only for the sufficient time;

(d) Principle of Accuracy: that is, that data must be accurate, up-to-date, and accurately reflect the real situation of its owner; and

(e) Integrity and confidentiality: the obligation of the controller of personal data to take care of it with due diligence, taking responsibility for the damages caused.


4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

The DPL does not use the term “controller” which is present in other jurisdictions. Rather, the DPL considers the role of “responsible person” which is accountable for mitigating harm or damage to an individual as a result of processing their personal data. The “responsible person”, ie, the natural person, legal entity or public body that makes decisions related to the use of personal data, is responsible for ensuring that personal data is protected in accordance with applicable law. The general duty of care that the law imposes is that of “due diligence”.

The DPL addresses the role of “data processor” when the processing of private databases is delegated to a third party. In these instances, the DPL mandates that the contract between both parties must be in writing and include the conditions stipulated in the processing.

There are no additional explicit provisions on the responsibilities or definitions of these two roles.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

Regarding advertising, the most relevant obligation lies in the Chilean consumer law, which establishes the right to receive truthful and timely information about the goods and services offered, their price, contracting conditions and other relevant characteristics thereof, which pushes companies to generate provisions regarding data protection in their terms and conditions, or, properly, a privacy policy.

Among other obligations that the “responsible persons”, or “controllers” as this role is described in other jurisdictions, must fulfil, is to maintain the quality of the data so that the available information is accurate, updated, and truthful regarding the real situation of the data owner. The controller must also maintain the security of the data, taking care of the data with due diligence. Moreover, there is a duty of secrecy on those in charge of the records, which is not extinguished by having ceased activity as manager.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Chile? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

Data security is briefly regulated in the current DPL. The DPL establishes that all personnel involved in personal data processing have a legal obligation of confidentiality related to data that is not publicly available, even after the end of their contractual relationship. The security of personal data contained in databases is an obligation of the controller (or “responsible person”, as it’s called in the DPL). The responsible person must maintain the database, and keep it “with due diligence, being held accountable for the damages.”


The banking industry has some specific regulations concerning data security, being the obligation to identify, record, evaluate, control, mitigate, monitor, and report operational incidents. The bank, in case of incident, will be responsible for keeping the Superintendency informed of the situation under development and the measures or actions for detection, response, and recovery of the incident.

The information must be sent to the extranet account enabled by the authority, at any time, both working and non-working days, within a maximum period of 30 minutes after its occurrence. The information must be reported at the start and at the time of closing the incident, including basic data of the reporting entity and of the incident.

If the incident affects the quality or continuity of services to clients, or is a fact of public knowledge, the institution will be responsible for informing users promptly about the occurrence of the event.

6.2 How are data breaches regulated in Chile? What are the requirements for responding to data breaches?

Current legislation does not establish universal standards or measures that must be taken with respect to data breaches. Therefore, if there is a data breach and that breach causes damage to a data subject, compensation for that damage must be obtained through normal civil procedures. Exceptionally, the banking and finance sectors have established some regulatory norms in relation to cybersecurity, which may involve personal data breaches, but these are focused on the security of the information, regardless of its nature.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

Chilean law explicitly recognizes the following data subject rights, which are collectively referred to as “ARCO” rights after their initials in Spanish (acceso, rectificacion, cancelacion and oposicion):

(a) The right to be informed: Prior to giving consent, the data subject must be informed of the purpose of the data processing and whether the data will be made publicly available.

(b) The right to data access: The data subject can request, free of charge, access to her/his personal data, as well as information about the sources and recipients of such data, the purpose of the processing, and the identity of third parties to whom that data is being transferred regularly.

(c) The right to rectify data: If data is wrong, inaccurate, or incomplete, the data subject may request the modification of such data.

(d) The right to eliminate or block data: If the personal data is not stored legally (eg, no consent was obtained) or if the data is no longer up-to-date or the authorization to process the data has expired, then the data subject will be able to request that the person in charge of the database delete his/her data from it. Data subjects also have the right to request the deletion of or block on personal data stored in a database, if such data was given voluntarily by the data subject, or if the data is being used to send marketing communications.

Datasubjectscanexercisetheserightsfreeofcharge,everysixmonths.


8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

Marketing communications are one of the exceptions recognized in the DPL that allow the processing and use of personal data in the absence of explicit consent by the data subject. If the personal data is obtained from a publicly available source and the data is needed to provide direct commercial communications, then individual consent is not required.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

Tracking technologies are not explicitly addressed in the DPL. Furthermore, geo-localization data is not mentioned in the law, although it can be understood to be sensitive data. Consequently, following the general data protection rules, to lawfully use data collected by tracking technologies, explicit consent must be obtained from the data subjects.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

Targeted and behavioral advertising are not explicitly mentioned or addressed in current law. Consequently, following the DPL general rules, personal data that is collected for the purposes of targeting must be obtained either through a publicly available source or with the explicit consent of the data subject. Data subjects can exercise any of their ARCO rights, particularly the right to eliminate or block data, if it is being used for purposes of marketing communications.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

Unless the data has been obtained from a publicly available source, advertisers need to ensure that data subjects have been informed of the purpose of the data collection (customer matching) and secure explicit consent to process such data for that purpose.

8.5 Are there specific privacy rules governing data brokers?

No, there are no specific rules in relation to data brokers. Consequently, the general rules, rights and principles outlined in questions 7 and 3.3 will apply.

8.6 How is social media regulated from a privacy perspective?

Advertising campaigns made through social media need to follow the general rules, rights and principles outlined in questions 7 and 3.3.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

Loyalty programs and promotions need to follow the general rules, rights and principles outlined in questions 7 and 3.3.


9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

Transborder data transfer is not explicitly regulated in the DPL. Consequently, any transfers of personal data outside the country, including transfers between group companies, follow the general rules. In practice, companies should ask for consent from data subjects to transfer their data outside of Chilean borders.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

Since there are no provisions regarding cross-border transfer of data, there are no special issues to be considered.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

The current Chilean law on data protection is characterized by the lack of sanctions and effective penalties for breaches of the obligations required by law; the only existing sanctions in the DPL are those awarded after a judicial determination of breach of habeas data, ranging from USD $70–4,000, which are meager penalties.

Without prejudice to this, data subjects have the right to request compensation in a civil court, whether for direct or even moral damage, for the infringements of their rights by the controller.

10.2 Do individuals have a private right of action? What are the potential remedies?

In the Chilean system, individuals may bring private actions for breach of privacy; however, these are not special rights, and are regulated by the general civil law, by a prejudice indemnification action, in which harm and causation must be proven.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Chile which affect privacy?

No.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

A new Privacy Bill, modelled largely on the GDPR, is being discussed in the Chilean Congress. If approved, the national data protection regime will be completely changed, particularly in terms of enforcement, with the Council of Transparency acting as the data protection authority. In addition, the scale of fines will rise significantly, to reach almost $1 million in the most extreme cases.


11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Chile?

The current DPL is clearly below the standard of other more advanced pieces of legislation, such as the GDPR. However, the biggest challenges in implementing foreign privacy policies in Chile are related to having to rely on individual consent, rather than other legal bases of processing available in other jurisdictions, such as legitimate interests. Furthermore, the current law still requires explicit and written consent, which is unusual in more advanced legislation.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

The advancement of the Data Protection Bill has moved local companies to anticipate the final approval of the new legislation and define clear privacy programs within their organizations.

12.2 What do you envision the privacy landscape will look like in 5 years?

Considering the influence of the GDPR on various privacy bills, including that in Chile, we envision a normative confluence towards a standard similar to that of the European regulation, in which decisions made by the respective European authorities will mark the normative and administrative decisions that are also made in our country. In addition, further sectoral regulations, particularly for finance/banking, critical infrastructure and consumer relations, are likely to take place.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

The first challenge that most local companies face is that of assessing the amount of personal data that they use and have available within their organizations. This is particularly true in cases where technology has made it increasingly easy to identify individuals through the collection of data which, until a few years ago, was insufficient by itself to make an individual identifiable, but which now, combined with additional information, can determine specific characteristics of a person.


PRIVACY LAW – CHINA

1 PRIVACY LAW

1.1 How is privacy regulated in China?

There is no specific “Privacy Law” in the People’s Republic of China (“PRC”). Rather, China’s regulatory framework for privacy protection includes laws and regulations in the civil, criminal and administrative areas, and is gradually evolving. It includes:

(a) the Constitution and the General Principles of the Civil Law: while these do not specifically address “privacy”, they do indirectly provide a basis to protect certain rights related to privacy;

(b) the Tort Liability Law: this expressly includes a “right of privacy”, and provides that if an individual’s privacy is infringed, the individual may bring a civil lawsuit against the injuring party to seek redress. Under the Criminal Law, sale of personal information or illegal acquisition or provision of personal information may constitute a criminal offence;

(c) Decision on Strengthening the Protection of Online Information (“NPC Decision”): In 2012, the Standing Committee of the National People’s Congress (“NPC”) issued the NPC Decision, which requires enterprises and, in particular, internet service providers to protect the personal electronic information of Chinese citizens. Following the NPC Decision, a sector-specific legal regime in respect of personal information has gradually formed in China, with various departments of the State Council, such as the Ministry of Industry and Information Technology of the PRC (“MIIT”), the State Administration for Industry and Commerce (“SAIC”, now merged into the State Administration for Market Regulation, “SAMR”), the Ministry of Public Security (“MPS”) and the People’s Bank of China (“PBOC”), respectively issuing personal information protection regulations under their own administrative authority over the past few years; and

(d) the Cybersecurity Law (“CSL”): the CSL, issued on November 7, 2016 and effective on June 1, 2017, has further enhanced online and network data protections, and is a milestone for personal information protection and data security in the PRC. Following the CSL, several regulations and standards have been issued by relevant authorities to further implement the general data management and privacy requirements of the CSL.

In all of these laws and standards, “privacy” is not given a consolidated definition, but “personal information” is defined under many industry-specific regulations, and generally refers to any information relating to an individual that, alone or in combination with other information, can be used to identify that individual. The above regulations and their implementing rules provide a number of general principles for processing and protecting personal information.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

(a) CSL: The CSL provides various security protection obligations for network operators (a very broad category encompassing nearly any company that operates an internet-enabled business, platform or interface), and imposes a series of heightened security obligations for critical information infrastructure (“CII”) operators. CII refers to information infrastructure used for public communications and information services, energy, transport, water conservancy, finance, public services, e-government affairs or other important industries and fields, or other information infrastructure that will result in serious damage to national security, the national economy or the public interest if destroyed or damaged, or suffering a data leak. These heightened security obligations include the protection of personal information, as addressed further below.

(b) Criminal Law: Article 253 of the Criminal Law (as provided in Amendment VII to the Criminal Law) applies where any individual (including staff of governmental authorities and companies engaged in various industrial sectors, including finance, telecommunications, transportation, education and healthcare) sells or illegally provides personal information obtained in his/her employment and where the circumstances are “serious”. It is also applicable if an individual illegally acquires such information by stealing or by any other means and where the circumstances are serious. Legal consequences of such acts include fixed-term imprisonment of up to three years, criminal detention or fines.

In the event that an entity commits either of these crimes, the entity is subject to a fine, and the individual in charge, along with any other individuals directly responsible for the criminal activity, is subject to the punishments listed above. Amendment IX to the Criminal Law, which became effective from November 1, 2015, has amended Article 253, and has broadened the scope of personal information-related offences and increased the potential legal liability.

The Supreme People’s Court and the Supreme People’s Procuratorate have also promulgated an Interpretation of the Supreme People’s Court and the Supreme People’s Procuratorate on Issues Concerning the Application of Law in Handling Criminal Cases of the Infringement of Citizens’ Personal Information and relevant typical cases, effective from June 1, 2017, providing more details as to how Article 253 should be interpreted and implemented.

(c) Tort liability: The Tort Liability Law, effective as of July 1, 2010, includes many provisions that specifically or generally relate to the protection of personal data, and, in particular, in Article 2, defines the “civil rights and interests” protected under the Law, specifically listing 18 types of rights, including the right of privacy. This was the first time under PRC law that the right of privacy has been treated as an independent type of civil right, and no longer attached to the right of reputation. Under the Tort Liability Law, the violation of the right of privacy and other personal and property rights and interests is clearly provided as constituting a tort. As such, an injured party can seek redress against the injuring party.

(d) Personal Information Security Standard: The Personal Information Security Standard (“2018 Standard”) was issued by the State Administration for Quality Supervision and Inspection and Quarantine (now incorporated into the SAMR) and the China National Standardization Management Committee on December 29, 2017, effective May 1, 2018.

The 2018 Standard is a national recommended (not mandatory) standard, but, as currently the most comprehensive general personal information standard, it is very important and has been widely adopted and referred to, and will influence legislation in the future. The most recent draft to amend the 2018 Standard was issued on October 22, 2019, and it is now open for public opinion. There are also several other standards related to personal information and data security that are undergoing a public comment period.

(e) Industry-specific regulations and rules: The NPC Decision (see question 1.1) sets forth a number of important principles for handling personal electronic information. Accordingly, various governmental authorities have issued administrative regulations to set out more specific requirements in their area — including, eg, the MIIT, the SAIC, the PBOC, and the National Health Commission (“NHC”) — and to provide rules for a number of different types of personal information. For example:

(i) Circular of the People’s Bank of China on Protecting Personal Financial Information by Financial Institutions, issued by the PBOC on January 21, 2011, effective May 1, 2011;

(ii) Circular of the People’s Bank of China on Further Protecting Customer Personal Financial Information by Financial Institutions, issued by the PBOC and effective on March 27, 2012;

(iii) Several Provisions on Regulating the Market Order of Internet Information Services, promulgated by the MIIT on December 29, 2011 and effective March 15, 2012;

(iv) Order for the Protection of Telecommunication and Internet User Personal Information, promulgated by the MIIT on July 16, 2013;

(v) Provisions on the Management of the Security of Personal Information of Postal and Delivery Service Users, issued by the State Post Bureau and effective on March 26, 2014;

(vi) Implementing Measures for Safeguarding Financial Consumers’ Rights and Interests, issued by the PBOC and effective on December 27, 2016;

(vii) Circular of the General Office of the Ministry of Human Resources and Social Security and the General Office of the Ministry of Finance on Further Strengthening the Protection of Personal Information in the Information Disclosure for the Use of Employment Subsidies, issued by the Ministry of Human Resources and Social Security and the Ministry of Finance and effective on May 12, 2017;

(viii) Administrative Measures on National Health and Medical Big Data Standards, Safety and Service (trial), issued by the NHC and effective on July 12, 2018;

(ix) Regulations on the Supervision and Examination of Internet Security, issued by the MPS on September 15, 2018, effective November 1, 2018;

(x) Notice on Special Governance of Illegal Collection and Use of Personal Information via Apps, issued by the Office of the Central Cyberspace Affairs Commission, the MIIT, the MPS and the SAMR on January 23, 2019;

(xi) Implementation Rules on Security Certification for Mobile Internet Applications, issued by the Cyberspace Administration of China (“CAC”) and the SAMR on March 13, 2019;

(xii) Guidelines for Internet Personal Information Security Protection, issued by the MPS on April 10, 2019;

(xiii) Regulation on Cyber Protection of Children’s Personal Information, issued by the CAC on August 22, 2019, effective October 1, 2019;

(xiv) Notice to Rectify Mobile Apps’ Infringement on Users’ Interests, issued by the MIIT on October 31, 2019; and

(xv) Measures on Identifying Illegal Collection and Use of Personal Information by Apps, issued by the CAC, MIIT, MPS and SAMR on November 28, 2019.


1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

In the absence of a unified privacy law, regulation and enforcement of privacy-related issues fall to a variety of authorities across all levels of Chinese government, depending on the nature of the infringement.

For example, a breach of the restrictions and requirements for advertising communications (see question 8 below) could result in an investigation from the SAMR, which could lead to an order for rectification plus a fine of CNY 10,000–30,000.

Other breaches of privacy obligations could lead to litigation by the victim under the Tort Law and other laws. The victim could also make complaints to relevant authorities, which could in turn lead to administrative penalties and even criminal liability, depending on the infraction.

Key authorities for privacy-related matters include:

(a) The CAC: responsible for the planning and coordination of cybersecurity and related matters, including personal information protection, along with other authorities;

(b) The MIIT: responsible for supervision and administration of personal information in the telecommunications and internet sector;

(c) The MPS: with general authority over all criminal matters, including with respect to the unlawful obtaining, sale or disclosure of personal information and other privacy-related infractions;

(d) The SAMR: responsible for implementing the Law on the Protection of the Rights and Interests of Consumers;

(e) The China Consumer Association (“CCA”): a government-connected industry self-regulation organization, which accepts and handles certain consumer complaints (including referral to other authorities where warranted) and sometimes undertakes coordinated campaigns. For example, in June 2018, the CCA initiated an evaluation of privacy policies and data collection by apps in China, and in November 2018 issued the resulting Assessment Report on Personal Information Collection and Privacy Policies by 100 Apps, which pointed out several typical problems such as excessive collection of personal data, use of unclear privacy policies, etc.

On the critical issue of online personal data collection, coordination among these authorities is common, and enforcement efforts can take many forms. For example, on January 23, 2019, the CAC, MIIT, MPS and SAMR jointly issued a Notice on Special Governance of Illegal Collection and Use of Personal Information via Apps, based on which these authorities authorized the National Information Security Standardization Technical Committee, the China Consumers Association, the Internet Society of China and the Cybersecurity Association of China to create a special working group on the collection and use of personal information in violation of laws and regulations (the “Special Working Group”).

That Special Working Group then opened a WeChat official account called “App Personal Information Report” and publicized an email address ([email protected]) to receive public reports on illegal use and collection of personal information. In April 2019, presumably following complaints, the Special Working Group sent notices to the operators of more than 30 popular apps requiring rectification of various personal information-related issues. Some apps that did not comply in time were then delisted from app stores or had their business licenses revoked. By the end of September 2019, the Special Working Group claims to have evaluated over 600 popular apps, been in contact with the operators of 200 apps and to have rectified over 800 issues.


In a similar vein, on November 4, 2019, the MIIT launched a special campaign to rectify the infringement of users’ rights and interests by apps, focusing on four key elements: illegal collection of user personal information, illegal use of user personal information, unreasonable acquisition of user authorization, and setting up obstacles to account cancellation.

2 SCOPE

2.1 Which companies are subject to privacy law in China?

All companies operating in China are potentially subject to laws relating to privacy and personal information. For example, all companies and their employees are generally subject to the Criminal Law and the Tort Liability Law. Any “network operator” (which is a very broad category encompassing nearly any company that operates an internet-enabled business, platform or interface) is further subject to the personal data protection measures under the CSL and all of its related implementing regulations. Further, any company operating in certain industries, such as finance or healthcare, may be subject to industry-specific rules.

2.2 Does privacy law in China apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

Yes, if a company collects personal information from China, it may be subject to relevant rules relating to data transfers and localization. Some of the relevant laws are still in draft form, but this will be an area of increasing obligations for foreign entities. Please see further question 9.1.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in China?

Under the CSL, “personal information” refers to all kinds of information recorded by electronic or other means that can be used to independently identify, or be combined with other information to identify, natural persons’ personal information, including but not limited to: natural persons’ names, dates of birth, ID numbers, biometric information, addresses and telephone numbers, etc.

The 2018 Standard further classifies personal information as basic personal information, personal biometric information, internet identity information, personal physical health information, personal educational and career information, personal financial information, personal communication information, personal contact information, personal location information, etc., and sets out several examples for each of these categories.

For instance, “personal financial information” under the 2018 Standard includes bank account information, identification information (code), deposit information (including the amount of deposits, records of receipts and payments, etc.), real estate information, credit loan records, credit reference information, records of transactions and consumption, flow records, etc., and information about virtual property (such as virtual currency, virtual transactions, and key codes for games). Further, the draft Trial Measures on the Protection of Personal Financial Information and Data, circulated by the PBOC on September 10, 2019, define “personal financial information” as including identity information, bank account information, asset information and other financial information.


3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

Under the 2018 Standard, personal information is subdivided into general information and sensitive information. “Sensitive personal information” is personal information that may endanger personal and property safety, easily cause damage to personal reputation, physical and mental health, or cause discriminatory treatment if leaked, illegally provided or abused. This includes ID number, personal biometric information, bank account number, communication records and contents, property information, credit information, location information, accommodation information, health and physiological information, transaction information, personal information of children aged 14 and under, etc. Sensitive personal information can only be collected with the user’s affirmative consent, which is clear, specific and given on a fully informed basis.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

In addition to certain existing and pending data transfer and localization requirements (see question 9 below), the key principle for personal information handling in the PRC is consent, accompanied by a number of other general and specific principles addressing the security and scope of data collection, and the rights of the data subject. Key rules in this respect are provided in the CSL and the 2018 Standard, as follows:

(a) The CSL outlines three general principles for the handling of personal information:

(i) Transparency: The CSL requires that network operators shall make public the rules for collecting and using personal data, and expressly notify users of the purpose, methods and scope of such collection and use.

(ii) Lawful basis for processing: The CSL requires that network operators abide by the principles of “lawful, justifiable and necessary” when collecting and using personal data.

(iii) Purpose limitation: The CSL requires that network operators not collect any personal data that is not related to the service being provided.

(b) The 2018 Standard identifies a number of other or more enhanced obligations for the handling of personal information, including:

(i) Consistency of responsibility: ie, personal information controllers should be responsible for damage caused by their personal information processing activities to the legitimate rights and interests of the subject of the personal information;

(ii) Clarity of purpose: ie, personal information processing should be legitimate, justified, necessary and have clear purposes;

(iii) Choice and consent: ie, informing the subject of the personal information of the purpose, mode, scope and rules for personal information processing and seeking authorization and consent;

(iv) Minimum sufficiency: ie, except as otherwise agreed by the subject of the personal information, only the minimum type and quantity of personal information needed to satisfy the purpose should be collected, and when the purpose is achieved, the personal information should be deleted in time according to the agreement;


(v) Openness and transparency: ie, the scope, purpose and rules for dealing with personal information should be publicized in a clear, understandable and reasonable way, and be subject to external supervision;

(vi) Security: ie, network operators should have security capabilities matching the security risks of the personal information collection, and sufficient management measures and technical means should be adopted to protect the confidentiality, integrity and usability of the personal information; and

(vii) Subject participation: ie, providing for access, correction and deletion of personal information and a method to withdraw consent or cancel an account for the subject of the personal information.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

Chinese law does not generally distinguish between data collectors, data controllers, data processors, etc, but some newer rules are beginning to make such distinctions. For example, the 2018 Standard introduces certain obligations that “data processors” should comply with during any data “entrusted processing”, ie, where a data controller entrusts another party to process personal data on the controller’s behalf. In such case, the controller should enter into an agreement or use other formalities to address the responsibilities and duties of the processor.

In the context of personal information collection, the key regulated categories are network operators, which include nearly all companies with a material online presence, and CII operators, which are subject to stricter requirements in respect of data security, eg:

(a) to set up independent security management institutions and designate persons responsible for security management, and review the security background of the said responsible persons and personnel in key positions;

(b) to periodically conduct cybersecurity education, technical training and skill assessment for practitioners;

(c) to make disaster recovery backups of important systems and databases; and

(d) to formulate contingency plans for cyber security incidents, and carry out manoeuvres periodically, etc.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

In brief, the key obligations include the following:

(a) complying with the principles of lawfulness, fairness and necessity and other key privacy principles listed above when collecting and using personal information;

(b) informing data subjects explicitly of the purpose, methods, and scope of the collection and use of the personal information, and obtaining their consent;


(c) publishing statements describing the collection and use of personal information;

(d) keeping personal information strictly confidential, and refraining from disclosing, selling or illegally providing such information to others without consent;

(e) taking necessary measures to ensure the security of personal information and, in the event of the disclosure or loss of such information, immediately taking remedial measures; and

(f) refraining from sending any commercial messages to an individual without his or her consent or request, or if the individual has expressly refused to receive such information.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in China? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

(a) Under the CSL, network operators are responsible for taking technical and other necessary measures to ensure the security of the personal data they collect, for establishing and improving their systems for user information protection, and for preventing such information from being divulged, damaged or lost. The 2018 Standard also provides that, if the network operator appoints a third party to process personal data on its behalf, it shall ensure that such processor will provide an adequate level of protection to the personal data involved.

(b) On June 27, 2018, the MPS released for public comment a draft of the Regulations on Cybersecurity Multi-level Protection Scheme (the “Draft MLPS Regulation”). The Draft MLPS Regulation updates the existing MLPS, a framework dating back to 2007. Both the original and the updated Draft MLPS Regulation use a one-to-five scale to classify information systems physically located in China, based on their relative potential impact on national security, social order, and economic interests, with one being the least critical and five being the most critical. Network operators that are classified (initially self-assessed and proposed by operators, and then confirmed by the MPS) at level 3 or above are subject to enhanced security requirements. The updated Draft MLPS adjusts the classification criteria for levels 2 and 3, and provides more obligations for operators classified at level 2, and those at level 3 or above.

(c) In September 2018, the MPS issued Regulations on the Supervision and Examination of Internet Security. These regulations authorise the police to inspect the network security of providers of the following services:

(i) internet connection services, internet data centres, content delivery networks and domain services;

(ii) internet information services;

(iii) internet cafe services; and

(iv) other internet services (not defined, but could cover nearly all services constituting the internet industry in China).

These regulations summarise and consolidate the security obligations of internet service providers set out in the Cybersecurity Law and a series of regulations and circulars applicable to different types of internet service providers. These regulations generally give the police authority to conduct on-site inspection of an internet service provider’s place of business and carry out remote testing of network loopholes. The powers of the police and the procedures for inspecting internet service providers and imposing penalties are still being clarified.


(d) During the year 2018-2019, the National Information Security Standardization TechnicalCommittee formulatedandannounceda seriesofnational recommended standardsunderwhichinformationsecuritytechnologiesaretoberegulated.

6.2 HowaredatabreachesregulatedinChina?Whataretherequirementsforrespondingtodatabreaches?

Thereisnospecificdefinitionof“databreach”ineithertheCSLorthe2018Standard.However,undertheCSL,incaseofpossibledisclosure,damageorlossofdata,thenetworkoperatorisrequiredtotakeimmediateremediesandreporttheissuetothecompetentauthority.The2018Standardprovidesthatthe report should include the type, quantity, content and nature of the affected data subjects, theimpactofthebreach,measurestakenortobetaken,andthecontactinformationofrelevantpersonsatthecompany.

TheAdministrativeMeasuresforDataSecurity(draftforcomments)issuedbyCAConMay28,2019providesthatanetworkoperatormust,inthecaseofanydatasecurityincidentinvolvingpersonalinformationdisclosure,damage,loss,etc.,oranysignificantlyincreasedriskoftheoccurrenceofadatasecurity incident, immediately take remedialmeasures and promptly notify the relevant personalinformationownerbyphone,SMS,mailorletter,andinformthecompetentsupervisoryauthorityinchargeoftheindustryandcompetentcyberspaceadministrationasrequired.Ifanetworkoperatorviolates these provisions, it may, in light of the circumstances, be penalized by public notice,confiscation of illegal gains, suspension of related business, cessation of business for rectification,closureofwebsite,orrevocationoftherelevantbusinesspermitorbusinesslicensebythecompetentauthority.Iftheactsrisetothelevelofacrime,thencriminalliabilityisalsopossible.

Under the Criminal Law, “network service providers” who do not fulfil legal obligations regarding information network security management, refuse to make corrections after being ordered by the relevant authorities, and thereby cause leakage of users’ information with serious consequences, may face a sentence of imprisonment or criminal detention of not more than three years or surveillance, with a fine or a fine only.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

Under the CSL and the 2018 Standard, individuals have the following key rights in relation to the processing of their personal information:

(a) right of access to data, copies of data;

(b) right to rectification of errors;

(c) right to deletion/right to be forgotten;

(d) right to object to processing;

(e) right to restrict processing;

(f) right to data portability;

(g) right to withdraw consent;

(h) right to object to marketing; and

(i) right to complain to the relevant data protection authorities.

Some of these rights are relatively new or not clearly defined, and there is some inconsistency in market practice.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

Generally, the NPC Decision provides that no organization or individual may send commercial electronic messages to fixed line or mobile telephones or the email of an individual without the prior consent or request of the recipient, or if the recipient explicitly expresses his/her refusal.

In addition, under Article 43 of the Advertisement Law, no advertisements may be distributed via electronic means without obtaining the recipient’s consent. Advertisements distributed via electronic means must state the true identity and contact details of the sender, and a method for the recipient to refuse acceptance of future advertisements.

The Administration of Internet Electronic Mail Services Procedures provides that if an email recipient who has expressly consented to receive electronic direct marketing subsequently refuses to continue receiving such email, the sender must stop sending such emails unless otherwise agreed by the parties.

Further, under the 2018 Standard, the consent of the relevant data subject must be obtained for advertising in electronic or other forms using personal data. If the data subject revokes his/her consent for data processing, the data controller may not continue sending such advertisements.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

There is no legislation explicitly addressing the use of tracking technologies. But as many of these tracking methods fall within the definition of personal information in accordance with the 2018 Standard, it is understood that general regulations on personal data apply to the use of tracking technologies.

The 2018 Standard also provides a template website privacy policy, which requires a website/app to disclose to its users how such website/app uses Cookies and similar technologies for collecting personal information, and how the user can restrict Cookies or other similar technologies from collecting personal information.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

The Guidelines for Internet Personal Information Security Protection provide that user profiling technology, which relies entirely on automated processing, can be applied to value-added applications such as precision marketing, search results ranking, personalized push news, targeted advertising, etc without explicit user authorization in advance, but that users should be guaranteed the right to object or refuse. If applied to value-added applications that may bring legal consequences to users, such as credit information services, administrative and judicial decision-making, or used by cross-network operators, such data processing should be explicitly authorized by users.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

Explicit consent from the data subject is required for sharing data with a third party. The source of the data must also have been collected legitimately and lawfully. It is relatively easy to track this through user terms for data collected online, but is more challenging for data collected offline.

8.5 Are there specific privacy rules governing data brokers?

Currently, there are no specific privacy rules in this regard. As data brokers fall within the scope of network operators under the CSL and its many related regulations, the general rules will apply, especially as to user consent, scope of collection, and similar data management rules and rights. Moreover, more rules are becoming applicable to these kinds of data crawls and brokered sales over time. For example, the Administrative Measures for Data Security (draft for comments) sets more details and limits for network operators which collect data and crawl the internet for user information. In particular, where the network operator accesses and collects data of a website by automated means, it may not hinder the normal operation of the website. If such automated access and collection seriously affect the operation of the website, eg, if the traffic from that exceeds one-third of the website’s daily average traffic, it must be stopped, upon the website’s request. In addition, it should be noted that authorities are strengthening their supervision of data brokers who illegally collect personal information. In September 2019, several data companies located in Hangzhou and Shanghai were investigated by the local authorities and had to suspend their data broker services. These companies illegally collected personal information including credit information, shopping records, social media records and even fees paid for telecoms, gas or electricity, and provided such integrated information to online lending platforms.

8.6 How is social media regulated from a privacy perspective?

There are no specific privacy rules in this regard. As social media operators also fall within the scope of network operators, and sometimes even CII operators, the general rules for those categories of data processors will apply.

In addition, there are several requirements and limitations on the collection of personal information through apps including social media apps, including the Guidelines on Self-evaluation of Illegal Collection and Use of Personal Information by Apps issued in March 2019, and the Measures on Identifying Illegal Collection and Use of Personal Information by Apps (Draft for comments) issued in May 2019.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

Loyalty programs, promotions, sweepstakes and other parallel market-building activities are regulated under advertising-related laws, but there are no specific privacy rules in this regard. If a program promoter collects user personal information, then it will have to comply with the general rules for the protection of personal information.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

(a) The CSL provides that the personal information and important data collected by a CII operator during operations within the territory of the PRC must be stored domestically. Cross-border transfer is only allowed if necessary to satisfy business needs, and will in any event be subject to the completion of a security assessment and approval from the competent industry authorities. As mentioned in question 1.2, a CII operator is an entity who operates information infrastructure used for public communications and information service, energy, transport, water conservancy, finance, public services, e-government affairs or other important industries and fields, or other information infrastructure that will result in serious damage to national security, the national economy or the public interests if destroyed, damaged or suffering a data leakage.

(b) The Draft Measures on the Security Assessment of Personal Data and Important Data to be Transferred Abroad (Draft for Comment) issued by the CAC on April 11, 2017 were intended to provide more details on these obligations. Crucially, this draft expanded the data localization requirement to all network operators, which caused a significant reaction among industry stakeholders.

The 2017 draft was updated with a new draft in 2019 titled as the Draft Measures on the Security Assessment of Personal Data to be Transferred Abroad (Draft for Comment), which removes the explicit data localization requirement for network operators, and instead focuses on the requirement to fulfil a “security assessment” before any cross-border transfer of personal information. The 2019 draft also clearly specifies that “foreign entities” will be required to fulfil the relevant obligations under the 2019 draft through their authorized representatives or affiliates in China if they collect the personal information of Chinese users through the internet.

The specific procedures for these proposed “security assessments” are not detailed in these drafts, and nor is there any specified mechanism for foreign entities to comply with these proposed rules if they do not have a local entity. These details and many others will presumably be addressed in future drafts or implementing rules.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

The principles outlined above generally apply to all data transfers.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

Under the CSL, for a “severe” violation, an operator or provider may face fines of up to RMB 1 million (or 10 times the illegal earnings), suspension of a related business, winding up for rectification, shutdown of any websites and revocation of a business license. The persons directly in charge may face a fine of up to RMB 100,000.

Data security breaches may also involve criminal liabilities. Article 286(A) of the Criminal Law stipulates that network service providers who do not fulfil legal obligations regarding information network security management provided in the laws and administrative regulations, and refuse to make rectifications after being ordered by the relevant authorities (thereby causing the leakage of users’ information with serious consequences), may face a sentence of imprisonment or criminal detention of not more than three years or surveillance, with a fine, or a fine only.

10.2 Do individuals have a private right of action? What are the potential remedies?

Yes, individuals can sue for civil compensation if their privacy rights or reputation are harmed. Such lawsuits would generally be brought under the Tort Liability Law or the Law on the Protection of the Rights and Interests of Consumers.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of China which affect privacy?

No.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

Data localization and illegal or harmful data handling by companies are priority topics for both the public and the regulators in China right now, and the laws reflect this. Following the promulgation of the CSL, there have been numerous new standards, measures and other rules issued by the authorities designed to clarify the requirements for companies and individuals. However, many of these new rules remain in draft form, and there has sometimes been significant variation between versions of these drafts, so there is still considerable uncertainty as to what the final data handling and data transfer regime in China will look like. Nevertheless, there is a strong trend towards data localization, which is of particular concern to foreign companies operating in or advertising and collecting data in China.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in China?

No.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

Chinese legislators are gradually releasing more laws focussing on cybersecurity and network security, including personal information protection, along with strengthening enforcement. Many relevant regulations targeting this were issued in 2019, in final or draft form, including the Administrative Measures for Data Security, the Personal Financial Information and Data Protection Measures and the Personal Information Security Standard, and some are already issued and in effect, such as the Implementation Rules on Security Certification for Mobile Internet Applications, the Guidelines for Internet Personal Information Security Protection, and the Regulation on Cyber Protection of Children’s Personal Information. This is part of a wider trend towards better regulation and protection of what is called cybersecurity sovereignty, which we expect will create more and more onerous requirements for companies across the spectrum of scale, industry, and national origin. This also tracks and is enabled by a growing global scepticism of corporate data handling in general, as exemplified by the GDPR and related rules.

12.2 What do you envision the privacy landscape will look like in 5 years?

The CSL and its many related rules have many provisions that are still very general and abstract. The next five years will see these rules clarified, and the true extent of regulation will be revealed by enforcement actions. It is very difficult to anticipate exact outcomes, as the PRC government is attempting to balance a continuing desire for domestic growth and foreign investment against a priority for information sovereignty and political stability. Nevertheless, we anticipate tighter regulation and enforcement of data and privacy issues will be the strong trend.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

The major challenge for all companies handling data in China today is balancing the clearly increasing legal requirements against the fact that many of the relevant rules remain in draft form. This means that companies need to be flexible and need to prioritize staying up-to-date on the continuously evolving requirements and expectations.

PRIVACY LAW – COLOMBIA

1 PRIVACY LAW

1.1 How is privacy regulated in Colombia?

Privacy is regulated in Colombia based on the constitutional right of habeas data.

Habeas data is the right of citizens to know, update, rectify and delete information provided to third parties which has been incorporated into databases and public and private archives. Consequently, it is the entitlement of citizens to ensure that personal information granted to third parties and collected in databases or files is collected and treated properly.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

The key regulations concerning privacy are the following:

(a) Law 1266 of 2008: by which the general provisions of habeas data are established, and the management of the information contained in personal databases, especially databases with financial, credit, commercial or services related content and those from third countries, is regulated.

(b) Decree 1727 of 2009: which sets out the way in which the operators of financial, credit, commercial and services databanks, and those from third countries, must present the information of data subjects.

(c) Law 1581 of 2012 (“Data Protection Statute”): by which general provisions for the protection of personal data are issued.

(d) Decree 1377 of 2013: by which the Data Protection Statute is partially regulated, in order to facilitate its implementation and compliance. In particular, aspects related to: (i) the authorization of the data subject for the treatment of his/her personal data, (ii) the policies relating to data processing and the data controller, (iii) the exercise of the rights of data subjects, (iv) transfers of personal data, and (v) responsibility towards the processing of personal data.

(e) Law 1712 of 2014: through which the law of transparency and the right of access to national public information is created.

(f) Decree 886 of 2014: which regulates the National Registry of Databases.

(g) Law 1928 of 2018: through which the “Convention on Cybercrime” is adopted.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

Privacy law can be enforced as follows:

(a) Direct claims: A data subject or its successors who considers that the information contained in a database should be corrected, updated or deleted, or who notices an alleged breach of any of the duties of the Data Protection Statute, may file a complaint with the data controller or the data processor.

The maximum term to respond to the claim is 15 business days from the day following the date of receipt. When it is not possible to address the claim within this period, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed 8 business days.

(b) Claim before the SIC: The data subject or its successors may only file a complaint with the Superintendence of Industry and Commerce (“SIC”, the competent authority) once proceedings of a direct claim before the data controller or data processor have been exhausted.

The SIC, once a breach of the provisions of the Data Protection Statute by the data controller or data processor has been established, will adopt the appropriate measures or impose sanctions.

2 SCOPE

2.1 Which companies are subject to privacy law in Colombia?

All companies which perform the processing of personal data or own a database are subject to privacy law. In other words, the following persons/entities are subject to the privacy law in Colombia:

(a) Data Processor: Natural (individual) or legal person (company), public or private, that by itself or in association with others, performs the processing of personal data on behalf of the data controller.

(b) Data Controller: Natural (individual) or legal person, public or private, that by itself or in association with others, creates the database and/or the data processing.

2.2 Does privacy law in Colombia apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

The Data Protection Statute applies to the processing of personal data carried out in the Colombian territory or when Colombian legislation is applicable to a data controller or data processor not established in national territory under international regulations and treaties.

Companies outside the country are not required to complete specific obligations, other than the ones established for companies located in Colombia. Thus, they are not required to have a representative in Colombia.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Colombia?

“Personal data” is defined as any information linked with, or that can be associated with, one or more determined or determinable natural persons (individuals).

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

“Sensitive data” is all information that may affect the privacy of the data subject or whose improper use may generate discrimination, such as data that reveals racial or ethnic origin, political orientation, religious or philosophical beliefs, or membership of trade unions, social organizations or human rights organizations, or of organizations that promote the interests of any political party or that guarantee the rights of opposition political parties, as well as data related to health, sexual life and biometric data.

Processing of sensitive data is prohibited, except when:

(a) The data subject has explicitly authorized the processing, except in cases where the granting of authorization is not required by law.

(b) The processing is necessary to safeguard the vital interest of the data subject and he/she is physically or legally incapacitated. In these events, legal representatives must grant their authorization.

(c) The processing is carried out in the course of legitimate activities and with due guarantees from a foundation, NGO, association or any other non-profit organization, whose purpose is political, philosophical, religious or trade-union related, provided that the data relates exclusively to its members or to persons who have regular contact with it because of its purpose. In these events, the data cannot be provided to third parties without the authorization of the data subject.

(d) The processing relates to data necessary for the establishment, exercise or defence of a right in a judicial proceeding.

(e) The processing has a historical, statistical or scientific purpose. In this event, the measures leading to the removal of identity of the data subjects must be adopted.

The processing must ensure respect for the prevailing rights of children and adolescents (the processing of personal data of children and adolescents is prohibited, except for data that, due to its nature, is public). It is the task of the State and educational entities of all kinds to provide information and train legal representatives and tutors on the possible risks faced by children and adolescents regarding the improper treatment of their personal data, and to instruct about the responsible and safe use by children and adolescents of their personal data, their right to privacy and protection of their personal information and that of others.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

The principles regarding the processing of personal information/personal data are:

(a) Legality: The data processing referred to in the Data Protection Statute is a regulated activity that must be subject to the provisions of that statute and to the other provisions related to the subject.

(b) Purpose: The data processing must be for a legitimate purpose in accordance with the Constitution and the Law, which must be communicated to the data subject.

(c) Freedom: Data processing can only be carried out with the prior, express and informed consent of the data subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that dispenses with consent.

(d) Truthfulness or Quality: The information subject to data processing must be truthful, complete, accurate, updated, verifiable and understandable. The processing of partial, incomplete, fractional or error-inducing data is prohibited.

(e) Transparency: In data processing, the right of the data subject to obtain information about the existence of data concerning him/her must be guaranteed at any time and without restrictions from the data controller or the data processor.

(f) Access and Restricted Circulation: The data processing is subject to the limits derived from the nature of the personal data, the provisions of the Data Protection Statute and the Constitution. Thus, processing may only be done by persons authorized by the data subject and/or by the persons authorized by law.

Personal data, except for public information, may not be available on the Internet or other means of disclosure or mass communication, unless access is technically controllable to provide restricted knowledge only to data subjects or authorized third parties in accordance with the Data Protection Statute.

(g) Security: The information subject to data processing by the data controller or the data processor referred to in the Data Protection Statute should be handled with such technical, human and administrative measures as are necessary to grant security to the records, avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.

(h) Confidentiality: All persons involved in the processing of personal data not categorized as public are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks included in the processing of data, being able only to provide or communicate personal data when it corresponds to the development of the activities authorized in the Data Protection Statute and in the terms thereof.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

There are two main roles that may concur in one person/entity:

(a) Data Controller, who is in charge of the collection of the information. Thus, the data controller is required to obtain authorization from the data subject concerning the processing of the personal data.

(b) The processing of the personal data can be delegated to a Data Processor. The principal responsibility of the data processor is the due management of the database.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

(a) The obligations shared by the data controller and the data processor are the following:

(i) to guarantee to the data subject, at all times, the full and effective exercise of the right of habeas data;

(ii) to keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access;

(iii) to update the information and take the other necessary measures so that the information provided to it is kept updated;

(iv) to process any queries and claims made in accordance with the Data Protection Statute;

(v) to adopt an internal manual of policies and procedures to ensure proper compliance with the Data Protection Statute, especially regarding inquiries and complaints; and

(vi) to comply with the instructions and requirements issued by the SIC.

(b) The obligations of the data controller are the following:

(i) to request and keep, under the conditions required in the Data Protection Statute, a copy of the respective authorization granted by the data subject. This authorization may be required by the authority in case there is a complaint from the data subject;

(ii) to duly inform the data subject about the purpose of the collection of the information and the rights that assist him/her by virtue of the authorization granted. All advertising purposes must be included and accepted by the data subject in order to be able to send advertising to the contact information provided by the data subject;

(iii) to ensure that the information provided to the data processor is true, complete, accurate, updated, verifiable and understandable;

(iv) to rectify the information when it is incorrect and communicate the pertinent information to the data processor;

(v) to provide the data processor, as appropriate, only data whose processing is previously authorized in accordance with the provisions of the Data Protection Statute;

(vi) to require the data processor, at all times, to have respect for the security and privacy conditions of the data subject’s information;

(vii) to inform the data processor when the data subject has submitted a claim concerning his/her personal information and the respective procedure has not been completed;

(viii) to inform the data subject, at his/her request, about the use given to his/her personal data; and

(ix) to inform the SIC when there are violations of security codes and risks in the administration of the information of the data subjects.

(c) The obligations of the data processor are the following:

(i) to timely update, rectify or delete the data in the terms of the Data Protection Statute;

(ii) to record in the database the legend “claim in process” in the way it is regulated in the Data Protection Statute;

(iii) to insert in the database the legend “information in judicial discussion” once notified by the competent authority about judicial processes related to the personal data;

(iv) to refrain from circulating information that is being disputed by the data subject and use of which has been suspended by the SIC;

(v) to allow access to information only to those who may have access to it; and

(vi) to inform the SIC when there are violations of security codes and there are risks in the administration of the information of the data subjects.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Colombia? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

Data security is governed by the principles of access and restricted circulation and security.

Thus, personal data, other than public information, may not be available on the Internet or other means of disclosure or mass communication, unless access is technically controllable to provide restricted knowledge only to data subjects or authorized third parties in accordance with the Data Protection Statute.

Furthermore, personal data should be handled with the technical, human and administrative measures that are necessary to grant security to the records, avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.

Consequently, the data controller or the data processor must adopt measures to preserve the information and implement security controls that minimize the risk of data leakage or adulteration.

Finally, the data controller must keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.

6.2 How are data breaches regulated in Colombia? What are the requirements for responding to data breaches?

The data controller must inform the SIC when there are violations of the security codes and there are risks in the administration of the information of the data subjects.

Thus, when a security breach occurs entailing risks for the personal data included in the database, the data controller and/or the data processor must inform the SIC, as data protection authority, that a data breach has occurred.

Consequently, a brief must be filed before the SIC, explaining:

(a) The protective measures under which the database was safeguarded (for example, in a case against a Bank in Colombia, the SIC pointed out that the Bank failed to demonstrate that it had implemented security measures to avoid the exposure of personal data of the data subjects).

(b) How and when the data breach occurred.

(c) All the measures taken to contain the breach and mitigate its effects (in the same case against the Bank, the SIC found that the Bank had failed to prove the security protocols to limit or minimize the risks for the processing of personal data).

(d) It is also important to determine the number of data subjects affected by the breach.

Lack of notification is taken as a contributing factor that would enhance the sanction in cases where an investigation is initiated. On the other hand, notification is a mitigating factor. Article 24(f) of the Data Protection Statute states: “The penalties for infractions ... will be graduated according to the following criteria: … The express acknowledgment or acceptance made by the investigated party about the commission of the infraction before the imposition of the sanction that may arise.”

Hence, to benefit from the mitigating factor, the data controller and/or the data processor could simply notify the breach or accept the breach within the course of an investigation. However, a better scenario would be a voluntary acknowledgment (notification), as it allows them to explain to the authority the extent of the damage and the economic benefit obtained by the infringer or third parties by virtue of the commission of the infraction, which are two other factors taken into account to graduate the penalty.

For example, in a case against a University, based on a security breach, the penalty was reduced from 40 to 30 times the monthly legal minimum wage (approximately US$8,280), since the University accepted that it had suffered a security breach.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

A data subject (who is an individual) has the following rights:

(a) To know, update and rectify the personal data with the data controller and/or the data processor. This right may be exercised, among others, against partial, inaccurate, incomplete, fractional, error-inducing data, or those whose processing is expressly prohibited or has not been authorized.

(b) To request proof of the authorization granted to the data controller except in cases where authorization is expressly excepted as a requirement for the data processing, in accordance with the provisions of the Data Protection Statute.

(c) To be informed by the data controller and/or the data processor, upon request, regarding the use given to his/her personal data.

(d) To submit complaints to the SIC for violations of the provisions of the Data Protection Statute and the other related regulations.

(e) To revoke the authorization and/or request the deletion of the data when the constitutional and legal principles, rights and guarantees are not respected in the processing. The revocation and/or deletion will proceed when the SIC has determined that, in the data processing, the data controller and/or the data processor have engaged in conduct contrary to the Data Protection Statute and/or the Constitution.

(f) To access, free of charge, his/her personal data that has been subject to processing.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

The only contact information which can be used to send marketing communications is that which the data subject has explicitly authorized the use of. Thus, the use of personal data for marketing must be previously authorized in accordance with the provisions of the Data Protection Statute.

In cases where an individual receives a marketing communication which has not been authorized, the recipient may initiate a proceeding against the advertiser.

This has been examined in several decisions of the SIC, which make clear that the gathering of the contact information must be authorized beforehand (or, at the latest, at the moment of collection) and that the use for which the information is being collected should be clear and sufficient, so that the data subject can control the use of his/her information.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

This is governed by the general principles explained in question 3.3.

The essence of habeas data is integrated with the right to data self-determination and freedom. Data self-determination is the power of the data subject to authorize the conservation, use and circulation of his/her data, in accordance with legal regulations. Thus, without the consent of the data subject this fundamental right is violated, as it unjustifiably restricts the data subject's self-determination regarding their personal information, since the administration of their data (collection, treatment and disclosure) would be done without authorization.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

Targeted advertising and behavioral advertising are not specifically regulated. Thus, their regulation is based upon the general rules. As per the principles governing privacy, there is a ban on creating a profile based on data analysis. This translates into a prohibition on subjecting individuals to adverse legal effects due to an evaluation of their personality through an automated treatment of data intended to evaluate certain aspects of their personality, or in connection with data that is considered sensitive.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

As the privacy right is based upon self-determination and freedom, the notice given and the consent collected should be clear and sufficient, so that the data subject can control the use of his/her information.


The uses, and the scope of such uses, which are to be given to their personal information should be made clear to the data subject.

8.5 Are there specific privacy rules governing data brokers?

Data brokers are not specifically regulated. Thus, regulation is based upon the general rules.

Information operators may provide personal information, verbally or in writing, collected or provided in accordance with the provisions of the Data Protection Statute, to the following persons:

(a) the data subject;

(b) persons duly authorized by the data subject;

(c) the successors of the data subject;

(d) the users of information;

(e) the judicial authority after a court order;

(f) the public entities of the executive branch in the exercise of their functions;

(g) the supervisory bodies and other entities of disciplinary, fiscal or administrative investigation;

(h) other data operators when authorization is obtained from the data subject, or when the authorization of the data subject is not required because the destination data bank has the same purpose or purposes as the operator delivering the data; and

(i) the persons authorized by the aforementioned law.

Contact information and personal data can only be registered and disclosed with the free, prior and express consent of the data subject, as per the Data Protection Statute.

8.6 How is social media regulated from a privacy perspective?

(a) Social networks: These cannot collect or process personal information without free, prior and express consent from the data subject.

(b) Third parties: The data controller may only contact the data subject through the mechanisms previously and expressly authorized by him/her, and such consent cannot be extended to the linking of this information through the use of mobile instant messaging applications or social networks. Thus, for a third party to contact the data subject through instant messaging or social media applications, it must in every case obtain prior, clear and express authorization for this purpose.

(c) Users: Users of social media are governed by Article 15 of the Constitution, by which all individuals are entitled to their fundamental right of privacy. Hence, users cannot post or disclose information that may affect the privacy of others or affect their image or good standing.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

Loyalty programs are authorization-based. Thus, programs can only use information for the purposes expressly permitted by the data subject.


9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

The transfer of personal data of any kind to countries that do not provide adequate levels of data protection is prohibited. It is understood that a country offers an adequate level of data protection when it meets the standards set by the SIC on the subject, which in no case may be lower than those required in Colombia.

This prohibition shall not apply:

(a) where the data subject has granted his/her express and unequivocal authorization for the transfer of the information;

(b) to the exchange of medical data, when required by the data subject's medical treatment for reasons of health or public hygiene;

(c) to bank or stock transfers, in accordance with the applicable legislation;

(d) to transfers agreed in the framework of international treaties to which Colombia is a party, based on the principle of reciprocity;

(e) to transfers necessary for the execution of a contract between the data subject and the data controller, or for the execution of pre-contractual measures, provided that the data subject has authorized this; or

(f) where legally required in order to safeguard the public interest, or for the recognition, exercise or defense of a right in a judicial process.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

Companies interested in international data transfer are required to obtain a declaration of conformity from the SIC.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

The SIC may impose the following sanctions on the data controller and/or the data processor:

(a) Fines of a personal (individual) and institutional nature up to the equivalent of 2,000 times the legal monthly minimum wage in force at the time of the imposition of the sanction (approximately US$480,000). Fines may be successive as long as the breach that originated them persists.

(b) Suspension of the activities related to the data processing for a term of 6 months.

(c) Where the term of suspension has elapsed without the adoption of the corrective measures ordered by the SIC, temporary closure of operations related to the processing may be imposed.

(d) Immediate and definitive closure of an operation that involves the processing of sensitive data.


10.2 Do individuals have a private right of action? What are the potential remedies?

Individuals have a private right of action; however, the proceeding does not contemplate compensation for damages for the data subject, and the remedies would be those described in question 10.1, that is, fines, suspension or closure.

If there is damage that should be compensated, the individual should initiate a declarative civil proceeding.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Colombia which affect privacy?

There are no rules particular to the culture of Colombia which affect privacy.

However, the Constitutional Court may consider cases related to privacy, as this is a fundamental right, and may issue guidelines not previously contemplated by the competent authority.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

There are still some topics to be regulated, especially regarding new technologies. However, currently there are no pending hot topics or laws on the way.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Colombia?

The main caution in Colombia is the importance of safeguarding the authorization granted by the data subject, as proof of his/her consent might be required by the competent authority.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

The importance of privacy in a time where boundaries have been getting more and more blurred. However, the changes have been extreme, as companies have had to adapt and modify conduct which had been the norm for all their lives.

12.2 What do you envision the privacy landscape will look like in 5 years?

Recognition of data subjects and the value of the data they provide. Payment to individuals for the provision of private data.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

One of the main consequences of the Data Protection Statute has been that companies have had to modify the way they contact their clients and how they obtain new clients.


PRIVACY LAW – COSTA RICA

1 PRIVACY LAW

1.1 How is privacy regulated in Costa Rica?

Data protection in Costa Rica is regulated by the Law for the Protection of Individuals Regarding the Processing of their Personal Data No 8968 of 2011 ("Data Protection Law") and the Regulation of the Executive Law on the Protection of Persons Regarding the Processing of their Personal Data (Decree No 37554-JP) ("Data Protection Regulation").

However, the right to data protection was recognized and protected in Costa Rica before the enactment of the Data Protection Law, through several decisions issued by the Constitutional Court from the 1990s onwards. This right was understood to be derived from Article 24 of the Political Constitution of Costa Rica, which protects the right to intimacy, as well as the freedom and secrecy of communications.

The main regulator in Costa Rica is the Agency for the Protection of Inhabitants' Data ("PRODHAB"). PRODHAB's main duties and responsibilities, among others, are:

(a) Processing any claim related to a data protection matter;

(b) Administering the registration procedure for those databases that must comply with such requirement;

(c) Requesting any information regarding the data processing made by any entity;

(d) Creating awareness and promoting the protection of personal data;

(e) Elaborating guidelines for any aspect regarding data protection; and

(f) If needed, issuing mandatory orders to data controllers to ensure compliance with the data subjects' rights.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

The following are the key laws regulating privacy in Costa Rica:

(a) Data Protection Law;

(b) Data Protection Regulation; and

(c) The chapter concerning electronic commerce of the Regulation of the Consumer Protection Law (Decree No 37899-MEIC) ("Consumer Protection Regulation").

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

The regulator in Costa Rica is PRODHAB. However, the National Consumer's Commission ("CNC") also has jurisdiction when consumer protection issues are involved (mainly in the context of e-commerce transactions). There is no self-regulatory body dealing with privacy.


2 SCOPE

2.1 Which companies are subject to privacy law in Costa Rica?

Any company (private or public) that processes personal data contained in automated or manual databases is subject to the privacy law in Costa Rica, regardless of its location.

2.2 Does privacy law in Costa Rica apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

The Data Protection Law is applicable to anyone storing or using data of a Costa Rican resident. It is also applicable when so stated in a contract or by any rule of international law. Foreign-based entities are not required to have a local representative (unless the database must be registered, in which case appointing a representative is a duty of both local and international entities), but their actions will be subject to Costa Rican laws.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Costa Rica?

Article 3 of the Data Protection Law defines "personal data" as any information that relates to an identified or identifiable living individual.

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

The Data Protection Law establishes the following categories of personal data:

(a) Unrestricted Access Personal Data: data contained in public and open databases with general access, the use of which is governed by specific laws and pursuant to the purpose for which such data were collected.

(b) Restricted Access Personal Data: data that may be accessed and stored only with authorization.

(c) Sensitive Personal Data: information concerning the intimate realm of the person, which may not be stored except in very specific circumstances. This includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, spiritual convictions, socioeconomic condition, biomedical or genetic information, health, and sexual life and orientation.

Data subjects have the right to refuse to provide sensitive data and, when such data is provided, it may not be processed without the express consent of the data subject. The exceptions are where:

(i) the processing is necessary to protect the vital interests of the data subject, or in other circumstances where the data subject is physically or legally incapable of giving consent;


(ii) the processing is undertaken by a foundation, association or other body for political, philosophical, religious or union purposes, provided that the personal data is that of its members or regular contacts and the processing is undertaken in the course of its legitimate activities and in accordance with the law, and provided that the consent of the data subject is obtained for transfers to third parties;

(iii) the processing relates to sensitive personal data that the data subject has voluntarily made public, or is required for the recognition, exercise or defence of a right in judicial proceedings; or

(iv) the processing is necessary for medical or health purposes, provided that the processing is undertaken by a person in the medical profession, subject to professional secrecy obligations or the equivalent.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

The Costa Rican Data Protection Law requires that all information that is handled must be up to date, truthful and adequate to the purpose for which it was requested. Also, it is mandatory to ensure that every person included in any database will have the right to access, rectify, revoke or cancel their authorization to store and use their personal information.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

There are no relevant provisions for agreements between data controllers and data processors. The only aspect related to this matter is provided in Article 30 of the Data Protection Regulation, which states that the data processor should process the personal data in accordance with the agreement made with the data controller.

The Data Protection Regulation also imposes some obligations on data processors and, in general, requires that the data processor guarantees the integrity and security of the information. In particular, the data processor must:

(a) process personal data following the data controller's instructions;

(b) refrain from processing personal data for purposes other than those instructed by the data controller;

(c) implement security measures and comply with any minimum performance protocols;

(d) maintain the confidentiality of the data that has been processed;

(e) avoid proceeding with a data transfer, unless duly instructed to do so by the data controller; and

(f) delete personal data as soon as the relationship with the data controller has ended.


5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

Before making outbound calls for marketing/sales purposes, entities must obtain prior consent from the recipient in order to process his/her personal information. The consent must be express, unequivocal and informed, meaning that the data subject has been given the following information:

(a) the existence of the database;

(b) the use that will be given to the information;

(c) who the recipients of the information will be;

(d) whether or not it is mandatory to provide the information;

(e) the consequences of not providing the information;

(f) how the information will be safeguarded;

(g) the mechanisms allowing individuals to consult, amend, update and suppress personal information; and

(h) authorization for transferring the database to a third party.

As exceptions to this rule, cold calling is allowed when:

• the client has previously expressed its willingness to receive any of the communications otherwise covered by the prohibition; or

• in the context of a previous sale or commercial relationship, that same supplier uses the information provided by the client to promote the sale of similar products or services and/or intends to resolve any issue with the transaction.

Additionally, any marketing communication made by email, SMS or phone must clearly identify the sender. It must also be simple enough that the purpose of the message is easily identified. All messages must include a valid email address to which the recipient of the message may send a request to suspend any further messages, at no cost to the recipient.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Costa Rica? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

There are general obligations of confidentiality and security for the processing of personal information:

(a) The security obligation is included in the Data Protection Law, which provides that the data controller must implement all technical and organizational safeguards in order to avoid the loss, destruction, alteration and/or unauthorized access of the personal data.

(b) The duty of confidentiality provides that the data controller and those involved in any phase of the processing of personal data are bound by professional or functional secrecy, even after the end of their relationship with the database. A person may be relieved of the duty of secrecy by a court decision where strictly necessary.

6.2 How are data breaches regulated in Costa Rica? What are the requirements for responding to data breaches?

In the event of a data breach, a data breach notification is mandatory. The requirements relating to data breach notifications are that:

(a) The data controller must notify the data subjects and PRODHAB within five business days following the discovery of the breach;

(b) Within that same term (five business days), the data controller must initiate a thorough review to determine the extent of the damages caused by the breach, and the corrective and preventive measures that must be adopted; and

(c) The notification to affected data subjects and PRODHAB must include, as a minimum, the following information:

(i) nature of the incident;

(ii) compromised data;

(iii) corrective measures immediately taken upon notice of the breach; and

(iv) contact information and place where more details about this matter can be obtained.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

Data subjects have the right, when requested to provide their personal information, to give informed consent (see question 5.1). Express consent is not needed in a few exceptional cases, namely where:

• there is a reasoned order issued by a competent judicial authority, or an agreement adopted by a special investigative committee of the Legislative Assembly in the exercise of its office;

• it is personal data of unrestricted access, obtained from sources of general public access; or

• the data must be provided as a result of a constitutional or legal provision.

The main rights of each data subject are:

(a) Right of access: the right of data subjects to receive, free of charge, within five working days after submitting a request, information from the data controller as to whether any of their data is held, an accurate report of the information on them being processed, and even extensive information, in writing (whether digitally or physically), concerning all the data being processed, as long as this does not affect third-party rights;

(b) Right of rectification: data subjects are entitled to request the modification of all incomplete, inaccurate and/or unclear data; and

(c) Right to deletion: data subjects may request, at any time, the deletion of their personal information. The data controller may refuse such a request only under the following circumstances:

(i) the data should be maintained in order to comply with other laws;

(ii) the data is needed for security reasons;

(iii) the data is needed in order to prevent and/or investigate any crime;

(iv) the data is needed to provide a public service;

(v) the data is unrestricted personal data; or

(vi) the personal data was anonymised.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

Initially, marketing communications were regulated in the Telecommunications Law, which covered only direct sales. However, subsequent regulations have extended this rule to cover other forms of commercial communications as well, such as promotional marketing and/or advertising in general. Any marketing communication made through email must clearly identify the sender. It must also be simple enough that the purpose of the message is easily identified. Additionally, all messages must include a valid email address to which the recipient of the message may send a request to suspend any further messages, at no cost to the recipient.
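The three formal requirements stated above for Costa Rican marketing email (the sender is clearly identified, the purpose is easy to identify, and the message carries a valid no-cost address for suspension requests; the same rule appears in question 5.1) can be enforced as a pre-send gate on outbound mail. The Python below is an added example, not code from this chapter, from PRODHAB or from any regulation. Mapping the opt-out address to the List-Unsubscribe header (RFC 2369), the purpose to the Subject line and the sender identity to a named From header is this example's own assumption, and the two sample messages are constructed.

```python
"""Pre-send policy gate for marketing email (added example, not the chapter's code).

Assumed mapping of the chapter's requirements onto RFC 5322 headers:
  sender clearly identified  -> From: has a display name and a plausible address
  purpose easy to identify   -> Subject: present and not just filler
  no-cost opt-out address    -> List-Unsubscribe: contains a mailto: URI
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Loose addr-spec sanity check: one "@", no whitespace, a dotted domain part.
_ADDR_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def mailto_targets(list_unsubscribe: str) -> list[str]:
    """Return the mailto: addresses found in a List-Unsubscribe header value.

    RFC 2369 allows several <URI> entries. Only mailto: entries satisfy a
    'send a request to an email address' rule, so https: entries are ignored,
    and any '?subject=...' query string is dropped from the address.
    """
    return [
        m.group(1)
        for m in re.finditer(r"<\s*mailto:([^>?\s]+)", list_unsubscribe or "", re.I)
    ]


def check_marketing_message(raw: str) -> list[str]:
    """Return a list of violations; an empty list means the message may be sent."""
    msg = message_from_string(raw, policy=policy.default)
    problems: list[str] = []

    # 1. Sender identification: a bare address identifies a mailbox, not an
    #    organisation, so both a display name and a well-formed address are required.
    name, addr = parseaddr(msg.get("From", ""))
    if not addr or not _ADDR_RE.match(addr):
        problems.append("From: missing or malformed sender address")
    if not name.strip():
        problems.append("From: sender has no display name identifying the organisation")

    # 2. Purpose identification: require a Subject that is not empty or trivial.
    subject = (msg.get("Subject") or "").strip()
    if len(subject) < 5:
        problems.append("Subject: empty or too short to identify the purpose")

    # 3. Opt-out address: at least one mailto: target, syntactically valid.
    targets = mailto_targets(msg.get("List-Unsubscribe", ""))
    if not targets:
        problems.append("List-Unsubscribe: no mailto: opt-out address")
    elif not all(_ADDR_RE.match(t) for t in targets):
        problems.append("List-Unsubscribe: malformed mailto: address")

    # 'At no cost to the recipient' cannot be proven from headers; requiring the
    # opt-out mailbox to sit on the sender's own domain is this example's proxy
    # for it, and also stops opt-outs being routed to a third party.
    sender_domain = addr.rsplit("@", 1)[-1].lower() if addr else ""
    if targets and sender_domain and not any(
        t.lower().endswith("@" + sender_domain) for t in targets
    ):
        problems.append("List-Unsubscribe: opt-out address is not on the sender's domain")

    return problems


# Constructed sample messages (not real mail).
COMPLIANT = """\
From: Example Shop <promo@example.com>
To: customer@example.net
Subject: Example Shop autumn sale: 20% off until Friday
List-Unsubscribe: <mailto:stop@example.com?subject=unsubscribe>, <https://example.com/u/123>
Content-Type: text/plain; charset=utf-8

Hello, our autumn sale starts today.
"""

NON_COMPLIANT = """\
From: promo@example.com
To: customer@example.net
Subject: Hi
List-Unsubscribe: <https://example.com/u/123>
Content-Type: text/plain; charset=utf-8

Click here!
"""

if __name__ == "__main__":
    for label, raw in (("compliant", COMPLIANT), ("non-compliant", NON_COMPLIANT)):
        print(label, check_marketing_message(raw) or "OK")
```

The gate deliberately checks only what the headers can prove. Whether the opt-out mailbox is actually monitored, and whether the sender really is who the display name claims, are matters for the sending platform's process and for SPF/DKIM alignment respectively, not for a header lint.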

The following forms of conduct are expressly mentioned in the regulations as unfair and/or fraudulent (the definitions below are those contained in the regulation):

(a) Unsolicited advertising ("adware"): information sent through the web to users related to the sale of a product or a service without the consent of the recipient.

(b) Unsolicited communications: any sort of communication generated by automated call systems, fax, email, call centers, person to person, SMS, etc, with the purpose of selling or soliciting sales of a product or service without the prior consent of the recipient.

(c) Unauthorized operation of, access to and monitoring of a terminal: inserting an apparently harmless code into a computer to establish a "backdoor" that allows the manipulation of the affected computer, compromising the confidentiality, functionality and the information stored in that computer.

(d) Spreading viruses: sending mass emails or other messages with the purpose or the consequence of contaminating the recipient terminal with a virus.

(e) Unsolicited mass emails (SPAM): emails from unknown senders within the web, who constantly change their domains or usernames with the purpose of defeating the filters against unwanted messages.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

There is no specific regulation for using tracking technologies.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

There is no specific regulation for targeted and behavioral advertising. Thus, the general regulations regarding data protection and informed consent will apply.


8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

The Data Protection Law requires that data controllers obtain consent from the data subject in order to transfer personal data to another country (it does not include special regulations for specific countries; all countries have the same requirements). Also, the transferor must ensure that, where information is transferred to any other country, adequate levels of protection of the data subject's rights in connection with the processing of their personal data will be provided.

8.5 Are there specific privacy rules governing data brokers?

No, there is no specific regulation for data brokers.

8.6 How is social media regulated from a privacy perspective?

There is no specific regulation for social media from a privacy perspective.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

Loyalty programs are regulated by the general data protection regulations.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

See question 8.4.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

When personal data is transferred to a data processor for processing purposes only (ie, the processor does not become a data controller), or is moved between companies of the same economic group, or to companies under joint control, the transfer does not constitute a transfer under the Data Protection Law, and it is not necessary to obtain the data subject's consent.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

The competent authority in charge of imposing sanctions for non-compliance with the Data Protection Law is PRODHAB. In some specific circumstances, other authorities may be involved. For example, if a violation of a fundamental right is at issue, the case would be decided by the Constitutional Court, or, in the context of an e-commerce transaction, the CNC may also impose penalties.

PRODHAB may initiate proceedings sua sponte, or upon request by a person with a legitimate interest or subjective right. After receiving such a request, PRODHAB will grant database administrators three working days to reply and offer the evidence they consider relevant for their defense. PRODHAB can also investigate and gather evidence, and may issue any interim and provisional measures that it deems necessary. Proceedings end with a final judgment, which is subject to appeal.


For an offense under the Data Protection Law, PRODHAB can issue sanctions which can be minor, serious or extremely serious. The penalty will vary depending on the seriousness of the offense, and fines can range from approximately US$3,000 to US$18,000.

10.2 Do individuals have a private right of action? What are the potential remedies?

Individuals may file a claim with PRODHAB. Where the claim is well founded, the agency may order the data controller to proceed with the request of the individual and/or impose a fine.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Costa Rica which affect privacy?

No.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

No, there are no hot topics or laws at this time.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Costa Rica?

No, everything has been covered.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

There haven't been any important changes in the past few years.

12.2 What do you envision the privacy landscape will look like in 5 years?

At this time, we do not foresee any important modification in the privacy landscape in Costa Rica.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

One of the main challenges in Costa Rica is the lack of a privacy culture among individuals and managers in general.


PRIVACY LAW – CURACAO

1 PRIVACY LAW

1.1 How is privacy regulated in Curacao?

Privacy law in Curacao is based on the Privacy Ordinance (Official Gazette 2010 no 84).

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

Privacy law is based on the Privacy Ordinance (Official Gazette 2010 no 84).

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

The Commission for Protection of Personal Data is in charge of supervising compliance with the Privacy Ordinance and administrative enforcement; however, the members of this Commission have yet to be appointed. Infringers can also be prosecuted via civil and criminal actions.

2 SCOPE

2.1 Which companies are subject to privacy law in Curacao?

Companies subject to privacy law in Curacao are those legal entities established in Curacao that process personal data in connection with activities in Curacao.

Exceptions are made where personal data is processed:

(a) by or on behalf of intelligence and security services;

(b) for the performance of police tasks;

(c) for the implementation of the National Ordinance Basic Administration of Personal Data;

(d) for the implementation of the National Ordinance Judicial Documentation; and

(e) on the statements regarding conduct and for the implementation of the Election Regulation.

Another exception is where personal data is processed for journalistic, artistic or literary purposes; however, processing must be done properly and carefully for an explicitly defined and justified purpose, and must comply with certain conditions under the Privacy Ordinance.

2.2 Does privacy law in Curacao apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

Privacy law applies to companies outside Curacao if they are using automated or non-automated means located in Curacao, unless these means are only used for the transfer of personal data. Companies outside Curacao may only process personal data if a resident representative is appointed.


3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Curacao?

"Personal information" is any information concerning an identified or identifiable natural person.

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

The term "sensitive personal data" is not used in the Privacy Ordinance. The Privacy Ordinance instead uses the term "exceptional personal data", which covers a person's religion or belief, race, political affiliation, health and sexual life, as well as personal data regarding membership of a trade union, criminal personal data, and personal data about unlawful or nuisance behavior in connection with a prohibition imposed as a result of that behavior.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

(a) Personal data must be collected for specific, explicitly described and legitimate purposes.

(b) It must be processed in a proper and careful manner and not further processed in a way that is incompatible with the purposes for which it was obtained.

(c) Personal data must be adequate, relevant and not excessive considering its purpose, and must be correctly and accurately reflected.

(d) Confidentiality must be observed for personal data.

(e) Personal data must not be stored longer than is necessary for the purpose for which it is processed.

(f) There must be appropriate technical and organizational measures to secure personal data against loss or wrongful processing. Such measures must guarantee an appropriate level of security, taking into account the state of the art and the costs of implementation, in view of the risks involved in processing and the nature of the personal data to be protected. The measures must also prevent unnecessary data collection and further processing of personal data.

Personal data may only be processed in the following cases:

(a) the individual has given clear consent for data processing;

(b) data processing is necessary to implement an agreement to which the individual is party, or to take pre-contractual measures that are necessary for concluding an agreement further to the individual's request;

(c) data processing is necessary to comply with a legal obligation to which the controller is subject;

(d) data processing is necessary to safeguard the vital interests of the individual;

(e) data processing is necessary for the proper performance of a public-law task by the relevant administrative body or the administrative body to which the data is provided; or

127

Page 128: Privacy Law: A Global Legal Perspective - Bowmans

PRIVACY LAW – CURACAO

(f) dataprocessingisnecessarytoprotectthelegitimateinterestofthecontrollerorofathirdparty to whom the data is provided, unless the interest or the fundamental rights andfreedomsofthedatasubject,inparticulartherighttoprivacy,prevails.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

Yes, there are the roles of controller (responsible party) and processor:

(a) The controller bears primary statutory responsibility for complying with the Privacy Ordinance. The controller determines the purpose and resources for processing personal data, ensures that the processor takes sufficient technical and organizational security measures to protect personal data and to prevent unnecessary data collection and further processing thereof, and supervises compliance by the processor with such measures. In addition, the controller ensures that the processor processes personal data further to the controller's instructions.

(b) The processor processes personal data for the benefit of, and further to the instruction of, the controller, but is an independent party.

Processing of personal data by processors is governed by an agreement or by virtue of another legal act that creates a commitment between the processor and the controller.

If the processor is not established in Curacao, the controller must ensure that the processor complies with the law of that other country.

For evidence purposes, the parts of the agreement or legal act relating to the protection of personal data, as well as the security measures to protect personal data, must be laid down in writing or in another equivalent form.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

There are no specific advertising privacy requirements. The general principles of processing personal data apply, and the rights of the individual must be observed, as well as generally accepted international standard practice.


6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Curacao? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

There must be appropriate technical and organizational measures to secure personal data against loss or wrongful processing. The Curacao Bureau for Telecommunication and Post has issued guidelines in this regard. Recommendations pertaining to the GDPR can also serve as a guideline.

6.2 How are data breaches regulated in Curacao? What are the requirements for responding to data breaches?

There is no legal obligation to report data breaches to the Commission for Protection of Personal Data, nor are there any requirements for responding to data breaches. However, the Commission for Protection of Personal Data can impose administrative enforcement measures, such as a restoration order under penalty of the Commission rectifying the violation itself, or under penalty of payment of a fine if the order is not complied with in a timely or proper fashion. Individuals may also pursue civil or criminal enforcement.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

Individuals have a right to be informed if their personal data is being processed. They must be informed about the details concerning the processing of their personal data (eg, the type of data, the purpose, the identity of the controller, and other information in view of the nature of the personal data, the circumstances under which it was obtained or the use that is made thereof, so as to guarantee to the individual that personal data is appropriately and carefully processed), and they can request that their personal data be modified, protected or deleted.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

There are no specific stipulations for marketing communications. The general principles of processing personal data apply, and the rights of the individual must be observed, as well as generally accepted international standard practice.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

There are no specific stipulations for tracking technologies. The general principles of processing personal data apply, and the rights of the individual must be observed, as well as generally accepted international standard practice.


8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

There are no specific stipulations for targeted advertising and behavioral advertising. The general principles of processing personal data apply, and the rights of the individual must be observed, as well as generally accepted international standard practice.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

There are no specific stipulations for such notice or consent. The general principles of processing personal data apply, and the rights of the individual must be observed, as well as generally accepted international standard practice. In practice this means, for example, clear written consent from the individual for the use of personal data and the sharing thereof with third parties, and clear notification to the individual regarding what kind of personal data is collected and used and for what purpose, and of the appropriate measures taken to protect the personal data.

8.5 Are there specific privacy rules governing data brokers?

There are no specific stipulations for data brokers. The general principles of processing personal data apply, and the rights of the individual must be observed, as well as generally accepted international standard practice.

8.6 How is social media regulated from a privacy perspective?

There are no specific stipulations for social media. The general principles of processing personal data apply, and the rights of the individual must be observed, as well as generally accepted international standard practice.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

There are no specific stipulations for loyalty programs and promotions. The general principles of processing personal data apply, and the rights of the individual must be observed, as well as generally accepted international standard practice.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

There are no requirements or restrictions concerning data transfer to a country that belongs to the Kingdom of the Netherlands (Aruba, St Maarten, the Netherlands, and the Caribbean Netherlands (Bonaire, St Eustatius and Saba)).

Data transfer to a country outside of the Kingdom of the Netherlands is permitted, provided that the foreign country offers an appropriate degree of protection to personal data. Particular consideration must be given to the nature of the data, the purpose and the duration of the intended processing, the country of origin and the country of final destination, the general and sectoral legal rules that apply in the foreign country, and the professional rules and the safety measures that are observed in the foreign country.


However, even where the foreign country does not offer such protection, personal data can nonetheless be transferred to it in the following cases:

(a) the individual has given clear consent;

(b) the data transfer is necessary to implement an agreement between the individual and the controller, or for taking pre-contractual measures further to the individual's request that are necessary for concluding an agreement;

(c) the data transfer is necessary to conclude an agreement, or to perform an agreement that was already concluded, between the controller and a third party in the interest of the individual;

(d) the data transfer is necessary for a substantial public interest or for the establishment, execution or defense of any right;

(e) the data transfer is necessary to safeguard the vital interests of the individual; or

(f) the data is transferred from a register established by law which can be consulted by anyone or by any person who has a legitimate interest, provided that the statutory conditions for consultation are met in the case in question.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

It is advisable for individuals to be made aware of matters such as the kind of personal data that will be transferred, to what party, where it will be stored, and the type of protection that is offered to it.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

Potential penalties or sanctions for violations of privacy or data security law are:

(a) administrative sanctions, such as the issuance of an order under administrative enforcement or a penalty;

(b) criminal sanctions, such as a fine of up to a maximum of ANG 10,000 or a prison sentence; and

(c) civil sanctions, such as damages.

10.2 Do individuals have a private right of action? What are the potential remedies?

Yes. Remedies include:

(a) damages;

(b) a court order containing a prohibition on continuing the infringing behavior; and

(c) a court order for the infringer to remedy the consequences of the violation of the Privacy Ordinance for the individual.


11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Curacao which affect privacy?

Curacao is a relatively small community, which urges controllers and processors to observe extra due care in processing personal data.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

International practices that are standard across the board may be referenced to give further context to local law provisions, as long as these do not conflict with local law.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Curacao?

Considering that the Privacy Ordinance is based on the Dutch Privacy Act (which has, in the meantime, been replaced by the GDPR), Dutch standards and case law tend to be observed in interpreting local privacy law. Also, the GDPR may apply in some cases, or may be observed as a guideline for good practice.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

There have been no changes to the Privacy Ordinance, other than a profile sketch for persons to be appointed to the Commission for Protection of Personal Data. The members have not been appointed as yet.

12.2 What do you envision the privacy landscape will look like in 5 years?

Hopefully, the members of the Commission for Protection of Personal Data will have been appointed by then and the Commission will be active.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

Obtaining practical information on the implementation of measures to protect personal information.


PRIVACY LAW – DOMINICAN REPUBLIC

1 PRIVACY LAW

1.1 How is privacy regulated in the Dominican Republic?

Privacy is a fundamental right included in Article 44 of the Dominican Republic Constitution, which says: "Everyone has the right to privacy. Respect and non-interference in the private, family and home life and to the correspondence of the individual is guaranteed." From that statement, the Article derives the following consequences:

(a) the inviolability of the home;

(b) the right to data protection; and

(c) the inviolability of the secrecy of telecommunications.

Beyond the Constitution, the Dominican courts have taken into consideration international treaties such as the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights.

There are also special data protection and anti-spam laws that specifically concern privacy.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

The Dominican Republic has the following laws concerning specific areas:

(a) General: Data Protection Law No 172-13;

(b) Advertising: Anti-Spam Law No 31-14;

(c) Privacy of telecommunications by any means is also regulated by several laws, such as:

(i) the Telecommunications Law,

(ii) the Technology Crimes Law No 53-07, and

(iii) the Criminal Procedure Code; and

(iv) e-commerce is also regulated by several resolutions from the Telecommunications Agency;

(d) the Law on the Protection of the Image, Honor and Family Intimacy Linked to Deceased and Injured Persons, the main objective of which is to prevent the publication, in any sort of media, of pictures of individuals injured or deceased in accidents. Social media, TV and the press are included in this legislation; and

(e) there is also a self-regulatory code, which is not being enforced, that includes principles and rules on respect for the privacy and intimacy of persons.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

There is no data protection authority in the Dominican Republic. Rather, privacy is enforced by the courts in civil and constitutional matters.


The District Attorney and the police enforce the legislation when a crime is committed, eg, when there is illegal interception or tapping, spying on data transmissions or telecommunications, or illegal access to a database. The District Attorney also has jurisdiction if there is "any violation" of the Data Protection Law, and also if a person consults the databases of credit bureaus without permission.

On the other hand, the Banking Superintendence, which is an institution formed for the inspection and control of the operations of banking institutions in the Dominican Republic, has authority as control agency to inspect the personal data processing of information or credit bureaus. However, credit bureaus do not have an obligation to register databases or to notify transfers.

The Dominican Commission of Advertising Self-Regulation ("CODAP") has been created, but has not been implemented.

2 SCOPE

2.1 Which companies are subject to privacy law in the Dominican Republic?

Generally speaking, all persons and companies are subject to privacy legislation in the Dominican Republic.

In addition, credit bureaus have to comply with detailed and specific rules laid out in the Data Protection Law.

2.2 Does privacy law in the Dominican Republic apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

Dominican data protection rules do not apply outside the country.

As regards privacy matters, where an illicit action or crime is committed with effects in the Dominican Republic, and the entity that originates or orders the illicit action is outside the Dominican Republic, Dominican law and courts are competent for enforcement against such action.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in the Dominican Republic?

The Data Protection Law defines "personal information" as: "Any numerical, alphabetical, graphic, photographic, acoustic or other information concerning identified or identifiable natural persons".

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

Categories of personal data which are considered sensitive in the Dominican Republic are: a person's political opinions, religion, philosophical or moral convictions, labor and union affiliation, and health and sexual information. Race is not formally included, but is mentioned as an exception for health treatments and procedures (see (b) below).


As regards sensitive personal data, the Data Protection Law indicates that entities are obliged to obtain express, free and conscious consent to process this kind of data; processing of such data is expressly forbidden without that consent.

There are two exceptions to the obligation to obtain express consent and the prohibition on processing:

(a) Churches, religious associations, hospitals, political organizations and labor unions may collect such data in order to keep a registry of their members.

(b) Data on health, "race" and sexual life may be processed when it is necessary for the prevention or diagnosis of an illness, sanitary assistance or medical treatment, or for the management of health services, provided that such data processing is carried out by a professional subject to professional secrecy.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

The principles in data protection to be followed are:

(a) Consent must be obtained to use the data unless an exception applies;

(b) Lawfulness: personal data should not be kept or used for illegal purposes;

(c) Quality of data;

(d) Notification: all individuals should be informed of the following concerning their data:

(i) the purpose of its use,

(ii) the existence of the database, and

(iii) the possibility of enforcing their rights of access, rectification and deletion of data;

(e) Data must be secure;

(f) Duty of confidentiality;

(g) Loyalty: data must be collected in a legal manner; and

(h) Data collected must be appropriate, relevant and not excessive in relation to the specific, explicit and legitimate scope and purpose for which it has been obtained.

As regards exceptions from the need for consent, under the Dominican Data Protection Law there is no mandatory requirement for prior consent for the transfer, for marketing and advertising purposes, of the following types of personal data:

• data compiled from public sources, such as telecommunications lists (phone books);

• data for marketing purposes, such as name, ID number, passport, tax ID and any other biographic information;

• data from a commercial, labor, contractual or scientific relationship that is needed for the development and fulfilment of the related duties;

• data to which an information dissociation procedure has been applied, so that the persons to whom the information refers are unidentifiable; and

• data from opinion polls, statistics, market and scientific investigations and research, when the data does not identify a particular person or make it easy to identify them.


4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

There is no obligation to have a data protection officer.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

At this moment, in the Dominican Republic there is no obligation to:

(a) have a privacy policy;

(b) appoint privacy officers;

(c) register with any authority; or

(d) carry out risk impact assessments.

Moreover, there are no obligations specific to advertising.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in the Dominican Republic? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

The only mandatory standards and procedures are found in the banking system and in the telecommunications sector. In 2020, the Dominican Republic is implementing security obligations for the banking system and credit bureau companies. There are no special regulations in any other sector, other than the general duty to keep the data secure.

The general rule in the Data Protection Law is: "It is prohibited to record personal data in files, records or databanks that do not meet technical conditions of integrity and security". There is no legal definition of such "technical conditions", other than that referred to earlier with respect to the banking system.

6.2 How are data breaches regulated in the Dominican Republic? What are the requirements for responding to data breaches?

Outside the banking system and credit bureau companies, there are no requirements for responding to data breaches and no sanctions for data breach incidents per se. There is only a general obligation on entities to preserve and protect the data and information in their systems.

There is no requirement to provide formal notice of a data breach or security incident.


There is no sanction for the company from which the data breach occurred, but if the incident is the result of illicit access by an employee or a third party, the illegal penetration of the system and the use and exposure of the data are sanctioned by the Technology Crimes Law.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

All individuals have the rights of access, rectification and deletion of data.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

The Anti-Spam Law expressly states that users in the Dominican Republic have the right not to receive unsolicited commercial emails with advertising and offers (spam). Users also have the right to reject spam emails and to opt out of any list they have previously consented to be on.

Companies have the right to send commercial/advertising/offer emails if there has been any sort of previous commercial relationship with the customer. The mechanism used to collect email addresses must be legal and transparent, as malicious collection of email addresses is banned in the Dominican Republic. The user will always have the right to opt out.

Emails allowed by the Law must be clearly identified as "advertising" ("publicidad" in Spanish). Commercial messages must also comply with the obligation to identify the sender and to include a valid email address that allows the recipient to send a message opting out of further communications.

Note that these rules only apply to emails; social media is not included.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

There are no special rules regarding cookies, pixels or SDKs.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

There are no special rules. The compilation of addresses, direct advertising or sales and other similar activities, in order to establish profiles for promotions, advertising and consumer habits, are permitted if the data is taken from public sources or obtained with the consent of the persons concerned.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

The sharing of data with third parties for customer matching is permitted, and no further consent is necessary if there is consent to data processing.


8.5 Are there specific privacy rules governing data brokers?

There are no special rules for data brokers.

8.6 How is social media regulated from a privacy perspective?

There are no special rules regarding social media.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

There are no special rules for loyalty programs and promotions.

The Consumer Protection Agency enforces data protection clauses in the rules of promotions, raffles and games.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

There is no prohibition or limit on the countries to which data may be transferred.

In the Dominican Republic, transfer agreements and Binding Corporate Rules are accepted as valid, and sectoral and administrative agreements or business decisions are permitted.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

There are no special rules regarding data transfer other than that personal data may only be transferred internationally in the following circumstances:

(a) there has been formal authorization from the data subject;

(b) the data is needed for medical treatment or epidemic investigation;

(c) banking transactions;

(d) transfer agreed in international and free trade agreements;

(e) cooperation with international criminal investigations;

(f) fulfillment of a data protection agreement;

(g) judicial process, including tax and customs issues; or

(h) data transfer from a public registry, requested by an international institution with a legitimate interest.


10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

The Data Protection Law has a broad provision whereby all violations of any of its provisions will be sanctioned with a prison term of between 6 months and 2 years and a fine of between 100 and 150 times the minimum wage. Such violations include:

(a) acting in bad faith, inserting false personal data in databases or providing false information to a third party;

(b) illegally accessing a database; and

(c) revealing personal information included in a database to a third party.

The Banking Superintendence, with authority as control agency to inspect the personal data processing of the information bureaus, may impose fines of up to US$30,000.

10.2 Do individuals have a private right of action? What are the potential remedies?

Dominican law admits the habeas data personal action to enforce the Data Protection Law. It entitles individuals to collect, rectify or delete their personal data.

Victims are entitled to collect civil damages, specifically in cases of:

(a) denial, without foundation, of a request for revision or an application for rectification of the credit information required by the information holder;

(b) refusal to modify or delete the information of an information holder, after he/she has obtained a favorable pronouncement in a procedure followed in accordance with the provisions of the Data Protection Law; or

(c) violation, in a serious or repeated manner, of the provisions of the definitive sentences of the civil courts.

If the violation of privacy has been committed alongside a violation of the Cybercrime Law (eg, illegal access), penalties are much higher.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of the Dominican Republic which affect privacy?

Sadly, it is very common in the Dominican Republic for companies and government institutions to require personal data from individuals. In a high percentage of these cases, data is collected without notification or without meeting the requirement of authorization for data processing and transfer.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

The Government is working on a new draft data protection law closely modelled on the European GDPR.


11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in the Dominican Republic?

In 2019, the Dominican Government enacted a law to protect the privacy and images of individuals involved (hurt or dead) in accidents (see question 1.2).

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

The growth of contact (call) centers and outsourcing businesses in the Dominican Republic has shown that there is a need to implement stronger international rules of data protection through contracts.

12.2 What do you envision the privacy landscape will look like in 5 years?

Dominican people are becoming conscious of privacy. In 5 years, it is likely to be better protected.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

The existence of a government authority acting as data protection authority, and the penalties or fines that it might impose.


PRIVACY LAW – ECUADOR

1 PRIVACY LAW

1.1 How is privacy regulated in Ecuador?

Ecuador does not have a Data Protection Law; however, the Constitution recognizes and guarantees the protection of personal data, establishing that the authorization of the data owner is necessary for any collection, filing or dissemination.

In addition to the constitutional regulations, there are regulations scattered across various legal instruments that refer to the protection of personal data for specific issues, with some inconsistencies and without procedural rules, such as the Organic Telecommunications Law, the Monetary and Financial Organic Code and the Public Data Registration Law.

Therefore, the absence of specific technical regulation on the matter and the lack of an expedited course of action to enforce rights have left data privacy behind in Ecuador, with almost no actual protection for the data owner.

However, a specific Bill for the protection of personal data was presented by the Executive Branch to the National Assembly on September 19, 2019, which will regulate this matter in detail in a way very similar to the GDPR in Europe. This Bill may take several more months to be approved.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

The laws that regulate data protection in Ecuador and are relevant here are the following:

(a) Constitution of the Republic of Ecuador, Articles 66(11), (19), (20) and 92: Article 66 recognizes and guarantees data protection. Article 92 determines that the authorization of the owner of the data is necessary, both in order for data to be collected and for it to be disseminated.

Problem: the Constitution of Ecuador recognizes the protection of personal data without giving a specific definition, which leaves it open to interpretation as to ownership of the right. In addition, no competent authority is established to regulate or supervise compliance with the few existing rules on protection within the Ecuadorian legal system. This is left to a habeas data proceeding before a regular judge, which is not usually effective.

(b) Organic Law of Jurisdictional Guarantees and Constitutional Control, Articles 49 and 51: in accordance with the Constitution, these contemplate the habeas data proceeding.

(c) Organic Law of Telecommunications, Articles 22, 24, 78, 80, 81 and 82: these Articles set out rules on the rights of customers using telecommunication services, the obligations of telecommunication service providers, the right to privacy and the commercial use of personal data.

(d) Organic Monetary and Financial Code, Articles 352–360: these develop some scarce regulation on the protection of personal information of users of the national financial system, which is managed by the financial institutions in Ecuador.

(e) Regulations for the Management of Confidential Information in the National Health System, Articles 17, 27 and 38: these contain some regulation on the matter; however, they confuse "confidential information" and "sensitive data".


(f) Labour Code, Article 42(7): this imposes an obligation on employers to hold and update their workers' data.

(g) Organic Code of the Social Economy of Knowledge, Creativity and Innovation, Articles 140 and 141, General Provisions 26 and 27: these address personal data from an intellectual property point of view, stating that personal data is not part of the protectable matter of databases.

(h) Public Data Registration Law: this is not a personal data law, as it does not interfere with private databases. It does not define personal data and is limited to regulating the compilation of information contained in the different public offices.

(i) Comprehensive Organic Criminal Code, Articles 178 and 229: this typifies punishable activities regarding illegal database disclosure and violation of privacy; however, it confuses "confidential information" and "intimacy rights".

(j) Pronouncements of the Constitutional Court of Ecuador: (i) Sentence No. 001-14-PJO; (ii) Sentence No. 002-11-SIN-CC.

(k) Bill for Personal Data Protection: this was presented to the Assembly in September 2019; it clarifies the subject and all its concepts, becoming a comprehensive regulation with international standards.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

Since Ecuador does not have a law for the protection of personal data, and the scattered regulations do not contemplate any specific proceedings, it is necessary to follow the provisions of the Constitution, which, through a habeas data proceeding, guarantee access to personal data; through this proceeding the owner of such information may request for it to be rectified, deleted or updated, or simply seek access to it.

The Organic Law of Jurisdictional Guarantees and Constitutional Control states that habeas data actions must be filed before the competent judge where the transgression takes place. Although it is not a complex proceeding, it is not simply an execution or compliance process, and may require a public hearing and the presentation of evidence.

The Bill for Personal Data Protection simplifies the situation and establishes a specific proceeding for this, which is handled through an administrative procedure before the Personal Data Protection Authority (which has yet to be created).

2 SCOPE

2.1 Which companies are subject to privacy law in Ecuador?

According to the Constitution, any entity, public or private, that handles information or personal data of any person is subject to privacy rules.

2.2 Does privacy law in Ecuador apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

Currently, in Ecuador, there is no specific rule about the scope of application of privacy laws; however, the Bill for Personal Data Protection will establish that it is applicable even when data processors are not domiciled in Ecuador, provided the data owners are.

In addition, the Bill provides rules regarding data transfer to other countries (international transfer) in both the public and private sectors. Companies or economic groups must have binding corporate policies and regulations regarding data protection, which must be approved by the Authority.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Ecuador?

Although Ecuador has various piecemeal rules on data protection, it does not have a specific rule that clearly defines what “personal data” really means and often confuses it with “confidential information” and “intimacy rights”.

The Bill for Personal Data Protection, however, defines “personal data” as “data that identifies or makes identifiable a natural person, directly or indirectly, in the present or future”. This definition includes metadata and data fragments.

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

“Sensitive data” in Ecuador is treated in general by the Constitution as personal data that reveals racial, ethnic or religious origin, political positions, trade union membership, and data concerning health, sexual life or any other personal data that may cause discrimination in the life of the owner. There are no specific obligations regarding sensitive information.

The Bill defines “sensitive data” as data “related to ethnicity, gender identity, cultural identity, religion, political affiliation, judicial past, immigration status, sexual orientation, health, biometric data, genetic data and those whose improper processing may give rise to discrimination”. In addition, the Bill opens up the possibility that the Personal Data Protection Authority may implement other categories of sensitive data.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

The primary source of the principles governing data privacy is Article 92 of the Constitution of Ecuador, which contains various rights for data owners, which companies must respect in the processing of information.

Transparency: All persons have the constitutional right to know about the existence of any data about them that is being held in both public and private companies, as well as its usage. This principle is based on the consent of the owner. One example of the transparency principle is in Article 79 of the Telecommunications Law, which establishes that, in the event of a particular risk of a breach of the security of the public network or the telecommunications service, subscribers must be informed and the necessary measures must be taken to avoid the damage.

Purpose limitation: For example, Article 82 of the Telecommunications Law determines that companies that provide telecommunications services may not use personal data of customers without prior express consent, which should specify what data and information may be used and for how long and for what purpose.

Security: Article 74 of the Telecommunications Law establishes a series of technical security and invulnerability measures that companies must follow for the use of personal data and information. The main objective of this is to preserve the right to privacy mentioned in the Constitution. Similarly, Article 80 establishes the obligation on telecommunication companies to implement internal procedures to deal with requests for access to personal data and the supervision and control thereof, following the provisions of the Agency for Regulation and Control of Telecommunications.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

As mentioned before, at this time there is no Privacy Law that specifically regulates the roles of companies with respect to personal information/personal data.

However, in the Bill currently being discussed by the Assembly, roles are established for both those in charge and those responsible for the processing and protection of personal data, affecting their obligations, for instance:

(a) Obligations of data controllers: Article 71 of the Bill establishes a series of obligations that the data controller will have to comply with, ranging from technical requirements to the need to sign confidentiality contracts and permanent updating and registration.

(b) Obligations of data processors: Article 72 of the Bill contains the roles of the data processor, which relate mainly to the security measures to be implemented.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

At present, there is no Privacy Law that specifically regulates the key obligations with a focus on advertising, but, throughout the Bill, obligations are imposed on the handling of data, specifying that use is limited by the consent of the owners. Without the consent of the data owner, information cannot be treated, used or transferred.

Under the Bill, the obligations imposed on the controllers and processors include, amongst others, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, and registering with a privacy authority.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Ecuador? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

As stated above, data security regulations are dispersed within the Ecuadorian legal system.

Some of the standards that contain minimum regulatory parameters are:

(a) Paragraph 19 of Article 66 of the Constitution (in force since 2008) stipulates the right to the protection of personal data. However, it is not yet regulated, as in two other countries in the region: Venezuela and Bolivia.

(b) Article 229 of the Comprehensive Organic Criminal Code punishes with one to three years of prison anyone who discloses data that “violates the secrecy, intimacy, and privacy of individuals”. If the person is a public servant or bank employee, the penalty is three to five years.

(c) Article 360 of the Organic Monetary and Financial Code prohibits the commercialization of credit references. The Superintendence of Banks has until September to assume the management of these records.

6.2 How are data breaches regulated in Ecuador? What are the requirements for responding to data breaches?

Currently, in Ecuador, there is no clear and specific procedure for responding to security breaches. In principle, an investigation of the facts is initiated by the Attorney General’s Office and, subsequently, the possible actions to be presented are analyzed following the criminal proceedings and regulations established at the time.

On September 16, 2019, Ecuador was the victim of a massive exposure of private data of more than 20 million of its citizens by a company called Novaestrat, which led to questioning and evaluating the actions being taken to protect this type of information.

In the case of Novaestrat, the damage was caused by a security incident due to a bad configuration of a database. It is important that companies not only dedicate time and resources to the technological aspects of security, such as encryption solutions or prevention of information leaks, but also to the development of processes and security policies that include appropriate controls and contribute to the proper management of security.

This case was the catalyst for the Bill for Personal Data Protection to be sent to the Assembly for approval.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

The Ecuadorian legal system, specifically the Constitution, states that persons have the right to know of the existence of and have access to their data held by public and private entities. Also, it grants citizens the right to know the use, purpose, origin, and destination of their information, plus the duration of the file or data bank, the rectification of data and the requirement of authorization of any data transfer. Personal data protection is a Constitutional right; and so use of personal data must respect the owners’ honor and full enjoyment of their rights.

The Telecommunications Law determines that providers of telecommunications services must adopt appropriate technical and management measures to preserve the security of their network in order to ensure the protection of personal data. It also grants to the data owner the right of access to such data without cost, to update his/her own data, as well as to request its elimination or annulment.

If the constitutional rights of data owners are not respected, those affected may file habeas data actions, in accordance with Article 50 of the Organic Law of Jurisdictional Guarantees and Constitutional Control.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

Currently, Ecuador does not have a specific law regulating marketing communications, but it is expected that once the Bill for Personal Data Protection is approved, a specific regulation on this matter will be developed by the Personal Data Authority.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

As stated above, this is not currently regulated in Ecuador, but a specific regulation is expected to be developed when the Bill on Personal Data Protection is approved by the Assembly.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

There is no current regulation on the matter.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook custom audiences or via LiveRamp)?

The only clear limit that has been defined in the Ecuadorian legal system on personal data is the consent of the owner for collection, use and transfer of personal data. This means that, currently, advertisers require express authorization to share a person’s data for customer matching.

However, the Bill is more permissive, as it states exceptions from the need to obtain the owner’s consent for transferring data, such as when the data has been collected from sources accessible to the public, or when the data treatment corresponds to the legal relationship between the data owner and the data controller.

8.5 Are there specific privacy rules governing data brokers?

There is no current regulation on the matter.

8.6 How is social media regulated from a privacy perspective?

There is no current regulation on the matter; all provisions focus more on the constitutional right of intimacy of the person.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

There is no current specific regulation on the matter. However, it is not possible to collect, use, process or transfer any personal data for any purpose without the authorization of the owner.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

Currently, any data transfer requires the express consent of the owner, according to the Constitution. Hence, the first restriction is the consent of the owner, which must be given prior to transfer and expressly specify the information that is being authorized to be transferred.

However, in Article 48 of the Bill, exceptions are set out when the consent of the holder for the transfer or communication of personal data will not be required. These include, among others:

(a) when the data has been collected from sources accessible to the public,

(b) when personal data must be provided to an administrative or judicial authority, and

(c) personal data related to health necessary to solve an emergency.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

The main consideration for companies is consent of the data owners. In addition, the Bill establishes that the processing of personal data that is carried out by third parties must be regulated by contract, which clearly and precisely establishes that the data processor will treat the personal data according to the instructions of the data controller and that data will not be used for purposes other than those stated in the contract.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

As mentioned above, there is no specific law in Ecuador that provides sanctions in cases of violation of the information and personal data of citizens. However, at present, the Comprehensive Organic Criminal Code establishes the following:

“Article 178 — Violation of privacy - Any person who, without the legal consent or authorization, accesses, intercepts, examines, retains, records, reproduces, disseminates or publishes personal data, text, voice, audio and video messages, postal objects, information contained in computer media, private or confidential communications of another person by any means shall be subject to a custodial sentence of one to three years...”

“Article 229 — Illegal disclosure of database - Any person who, for his own benefit or that of a third party, discloses registered information contained in files, archives, databases or similar media, through or directed to an electronic, computer, telematics or telecommunications system; voluntarily and intentionally materializing the violation of the secrecy, intimacy and privacy of persons, shall be punished with a custodial sentence of one to three years...”

Also, there is limited case law of damages awards based on habeas data resolutions if actual harm to the data owner is demonstrated.

10.2 Do individuals have a private right of action? What are the potential remedies?

In accordance with the Constitution of Ecuador and the Organic Law of Jurisdictional Guarantees and Constitutional Control, the owners of information and personal data that have been affected may file a habeas data action in their own right; the same applies with respect to the two criminal provisions on the matter.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Ecuador which affect privacy?

There are no specific rules yet.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

The Bill for Personal Data Protection, as mentioned before, should be approved by the Assembly in the following months and will establish a complete and highly regulated legal framework for data processing.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Ecuador?

Not at this time.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

Data protection is a very new topic for Ecuador; it gained some relevance when it was included in the Constitution of 2008; however, it was never properly regulated. The lack of a specialized Law that clarifies the ambiguities in the dispersed laws and fills the legal voids is the main reason that led to the proposed Bill in 2019.

Nevertheless, the massive data breaches which have been publicly reported demonstrate how carelessly data processing is being handled in the country and reveal the weakness of our security systems, and are the main trigger for the Bill to be finally presented to the Assembly.

My personal opinion is that this law is needed in Ecuador now with more urgency than ever before. Perhaps the Bill presented to the Assembly could be deemed a little over-regulatory; however, this is necessary for a country in which we have been absolutely unprotected.

12.2 What do you envision the privacy landscape will look like in 5 years?

I believe that the Bill is a response to the many legal gaps that exist in Ecuador on the processing of personal data. If the Bill is accepted and, subsequently, the creation of a Regulation of the Law of Protection of Personal Data is considered, the panorama in five years in Ecuador will be different. That is, the answers to data protection problems will be agile, clear and fast. The security measures for data protection will be effective, and, above all, there will be clear limits on the use and processing of personal information. The country by then will most likely have a “formal” control of data processing and protection of privacy rights, which, of course, will still be imperfect due to the lack of experience of the Authority (to be created) and the compliance timeframes that will have to be granted to the companies.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

If the Bill is approved, the establishment of responsibilities and roles (data controllers and delegates) for processing personal data will definitely represent challenges for companies. This is because, as there is a specific rule that regulates the responsibilities of each of the subjects involved, companies will have to use more resources to comply with these legal requirements, which they are not used to. Likewise, investment in better developed terms and conditions of use, security measures and registration of databases will be new challenges for companies in Ecuador.

PRIVACY LAW – EGYPT

1 PRIVACY LAW

1.1 How is privacy regulated in Egypt?

Privacy in Egypt is governed mainly by the new Egyptian constitution, which was adopted in a referendum in January 2014. Egypt is also in the process of issuing a new Data Protection Law. In August 2018, the Egyptian Cabinet approved a draft for the proposed Data Protection Law, which still awaits approval by an open session of Parliament.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

Article 57 of the newly adopted Egyptian Constitution stipulates that: “Private life is inviolable, safeguarded and may not be infringed upon. Postal, telegraph, e-correspondence, telephone calls and any other means of communications are inviolable and their confidentiality is guaranteed and they may only be confiscated, examined or monitored by causal judicial order, for a limited period of time, and in cases specified by the law. The state shall protect the rights of citizens to use all forms of public means of communication, which may not be arbitrarily disrupted, stopped or withheld from citizens, as regulated by the law”.

Article 99 of the Constitution specifies that: “...any assault on individual freedom or the inviolability of citizens’ private lives and any other public rights and liberties guaranteed by the Constitution shall be considered a crime”.

Egypt is part of the following regional and international conventions:

(a) The Universal Declaration of Human Rights;

(b) The International Covenant on Civil and Political Rights;

(c) The International Convention on the Protection of the Rights of All Migrant Workers and Members of Their Families;

(d) African Charter on Human and People’s Rights;

(e) African Charter on the Rights and Welfare of the Child;

(f) The United Nations Convention Against Transnational Organized Crime;

(g) The Cairo Declaration on Human Rights in Islam.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

Currently Egypt does not have regulatory bodies to enforce privacy law matters. We expect this to be resolved with the issuance of the new data protection law’s executive regulations.

2 SCOPE

2.1 Which companies are subject to privacy law in Egypt?

Laws related to data protection and privacy are applicable to all natural and legal persons in Egypt.

2.2 Does privacy law in Egypt apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

No data privacy law exists in Egypt as of yet, thus this does not apply.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Egypt?

In Egypt, personal information/data, which appears on an individual’s passport, includes: the passport number, the individual’s photo, the individual’s full name, gender, nationality, national ID number, marital status, profession, military status, postal address, place and date of birth of the passport holder.

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

In Egypt, the following categories are considered sensitive personal information:

(a) mental, psychological, or physical health;

(b) genetic data;

(c) biometric data;

(d) financial data;

(e) religious beliefs;

(f) political opinions;

(g) criminal records;

(h) children’s data.

At the moment, there are no obligations around the collection of sensitive information; however, it is expected that this matter will be covered in the new data protection law.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

In 2006, the Egyptian government enacted the Egyptian Consumer Protection Act, which does not govern the protection of consumers’ personal data and information. The current Act does not offer a transparency mechanism which would determine who should process the personal information of consumers as well as the means by which they will be able to apply the rights of information. This may all change with the issuance of the new privacy law.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

No data privacy law exists in Egypt as of yet, thus this does not apply.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

No data privacy law exists in Egypt as of yet, thus this does not apply.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Egypt? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

Presently, data security is not regulated in Egypt due to the lack of a data protection law. That being said, according to the draft data protection law, which should be issued before the end of 2020, the processor of data is required to notify the national regulator within 48 hours, as soon as they become aware of any personal data security breach. See, further, question 5.2 as to the notification.

6.2 How are data breaches regulated in Egypt? What are the requirements for responding to data breaches?

Under the suggested draft privacy law in Egypt, the individual or entity that controls or processes the data must, upon knowing of any data breach, inform the national regulator within a timeframe of 48 hours. This notification must also:

(a) outline the data breach and the estimated number of data subjects and records involved;

(b) contain the responsible officer’s name and contact information;

(c) explain the possible and most expected penalties resulting from the data breach;

(d) describe the proposed measures with which the controller plans to address the data breach; and

(e) document any data breach, as well as the action taken to remedy such breach.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

At the moment, this is not clear, but it is expected to be covered in the executive regulations of the new data protection law.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

Emails, text messages and push notifications are not yet governed in Egypt by any laws or legislation from a privacy perspective.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

Tracking technologies are not yet governed in Egypt by any laws or legislation from a privacy perspective.

8.3 How is targeted advertising and behavioural advertising regulated from a privacy perspective?

Targeted advertising and behavioural advertising are not yet governed in Egypt by any laws or legislation.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

Customer matching is not yet governed in Egypt by any laws or legislation.

8.5 Are there specific privacy rules governing data brokers?

There are currently no rules or laws that govern data brokers in Egypt.

8.6 How is social media regulated from a privacy perspective?

During mid-2018, the Egyptian Parliament approved new legislation, the Media Regulation Law, which restricts the freedom of expression on online platforms for users having more than 5,000 followers, and makes them subject to the same regulations as those imposed on journalists and established media companies.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

There are currently no rules or laws that govern loyalty programs and promotions in Egypt from a privacy perspective.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

There are currently no laws restricting the transfer of data offshore. This may change when the new data protection law is eventually issued.

Under the current draft law, a controller can transfer data to another controller abroad subject to the following:

(a) the controllers settle on the nature of work and the purpose of the transfer of the relevant personal data;

(b) the controllers both have an authentic interest in said personal data; and

(c) the controller located outside of Egypt is required to have the same legal/technological protections as the ones available in Egypt.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

Under the draft privacy and data protection law, a controller can provide the personal data to another controller abroad given the following conditions:

(a) The controllers have reached an agreement regarding the nature of work as well as the purpose of the personal data;

(b) The controllers both have a genuine interest and concern in the data; and

(c) The controller located abroad must at least have the same legal/technological defences as available in Egypt.

Furthermore, data transfers to foreign countries are against the draft law, unless the transfers are to countries that afford the same protections as those under our draft law. Transfers will be exempt from the conditions above in cases where the following applies:

• for the protection and safety of the data subject’s life for the provision of medical care, treatment, or the administration of medical services;

• for the proof, exercise, or defence of a judicial right;

• to execute a procedure as required by an international judicial agreement;

• to protect the public interest; or

• to complete a bank wire transfer.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

Article 113 of the Egyptian Criminal Code No. 58/1937 imposes criminal penalties on unauthorized collection of photographs or recordings of individuals in private places. Furthermore, article 309-bis of the Criminal Code states that: “a penalty of detention for a period not exceeding one year [...] inflicted on whoever encroaches upon the inviolability of a citizen’s private life, by committing one of the following acts in other than the cases legally authorized, or without the consent of the victim:

• eavesdropping, recording, or transmitting via any instrument whatever its kind, talks having taken place in a special place, or on the telephone;

• shooting and taking or transmitting by one of the instruments, whatever its kind, a picture of a person in a private place”.

It is expected that more penalties will be imposed with the issuance of the imminent privacy and data protection law.

10.2 Do individuals have a private right of action? What are the potential remedies?

This is not addressed by the current laws, and it is expected to be addressed with the issuance of the new data protection law.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Egypt which affect privacy?

Not applicable.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

Egypt is planning to issue a new data protection and privacy law within the upcoming year.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Egypt?

None.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

As mentioned, the biggest change has been the draft data protection law that was completed in 2018. We believe that the pressure of international laws and regulations is what triggered these changes in Egypt.

12.2 What do you envision the privacy landscape will look like in 5 years?

We believe that the issuance of the new data protection law will change the landscape drastically over the next five years. Egypt is typically not so concerned about data protection, so the fact that it has already taken a step forward in this sense is a significant move. We expect that regulations similar to those imposed on EU countries by the GDPR will also be implemented on those companies incorporated in Egypt which by nature collect customer private data. It will be interesting to see how the new law will be implemented and also to understand the executive regulations which shall govern this law with more accuracy.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

N/A

PRIVACY LAW – EL SALVADOR

1 PRIVACY LAW

1.1 How is privacy regulated in El Salvador?

El Salvador does not have a specific privacy law; however, privacy information is regulated in several laws that are in effect in El Salvador.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

Privacy is regulated in the following Laws:

(a) Constitution of El Salvador;

(b) Special Law Against Computer and Related Crimes;

(c) Law on Access to Public Information;

(d) Law on the Regulation of Information Services on People’s Credit History;

(e) Medicines Law;

(f) Consumer Protection Law; and

(g) Law on the Supervision and Regulation of the Financial System.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

In El Salvador there is not a specific privacy law, and so the entities in charge of regulating privacy will depend on the case in hand, eg the Superintendence of the Financial System and the Consumer Advocacy is the regulatory entity in the cases of banks.

2 SCOPE

2.1 Which companies are subject to privacy law in El Salvador?

Privacy law applies to the government, autonomous institutions, municipalities, corporations of mixed economies, individuals and legal persons (public or private).

2.2 Does privacy law in El Salvador apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

No, privacy law in El Salvador does not apply to companies outside the country. However, it does apply to the foreign corporations that operate in the country.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in El Salvador?

“Personal information” is private information concerning a person, identified or identifiable, relating to their nationality, address, heritage, email, telephone number and so on.

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

“Sensitive personal information” is information that relates to a person’s creed, religion, ethnic origin, affiliation or political ideologies, union affiliation, sexual preferences, physical and mental health, morals, family situation and other intimate information of a similar nature, or information that could affect the right to honor, to one’s own image, and to personal and family privacy.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

The key privacy principles are:

(a) Responsibility and Security: the data subject should be secure that the company is using its information pertinently;

(b) Purpose: data should only be used for the purpose stated or for what was requested and not for any other purposes;

(c) Consent: data should not be disclosed without the consent of each individual providing their data; and

(d) Access: individuals who provide data should be allowed to access their data and make corrections to any inaccurate data.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

Yes, banks are the best example of this, in that they have to request authorization from the Superintendence of the Financial System (controller) to provide information on deposits and accounts, as this is information that can only be given to its owners.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

The key obligations required by privacy law are:

(a) to inform or provide information to a client who requests their information;

(b) to provide the information required by the competent authorities; and

(c) when a data information agency for any reason finishes its operations in the country, it must send its database to the Superintendence of the Financial System.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in El Salvador? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

In general, there is no minimum standard for data security, because each institution has a specific law that regulates it; for example, banks are regulated by the Bank Law and the Law on the Supervision and Regulation of the Financial System.

6.2 How are data breaches regulated in El Salvador? What are the requirements for responding to data breaches?

It depends on the breach committed and the means used to carry out the breach. In cases of breaches committed by computer, this is sanctioned by the special law against cybercrimes. In addition, the Criminal Code regulates some breaches and provides sanctions.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

The Law on the Regulation of Information Services on People’s Credit History provides that individuals can modify or add to their personal information. Where those who have a bad credit record manage to pay their debt, companies have to remove them from the list of “not subject to credit” and pass them to the list of “subject to credit” within a set timeframe.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

There are no regulations regarding privacy in marketing communications.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

There are no regulations regarding privacy and tracking technologies.

8.3 How are targeted advertising and behavioral advertising regulated from a privacy perspective?

There are no regulations regarding privacy and targeted advertising or behavioral advertising.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

There are no regulations regarding privacy and sharing data with third parties for customer matching. However, when individuals sign a contract with a company, the company is allowed to use their information in order to promote and share content or campaigns with others.

8.5 Are there specific privacy rules governing data brokers?

There are no regulations regarding privacy and data brokers.

8.6 How is social media regulated from a privacy perspective?

There are no regulations regarding privacy and social media; however, when individuals sign a contract with a company to promote and regulate their social media, they are giving the company full access to information.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

There are no regulations regarding privacy in loyalty programs and promotions. However, a privacy clause will be included when the company in charge of the program enters into a contract with other companies, establishing that they are not allowed to sell or use the information provided (database) for purposes other than loyalty programs or promotions and for the contract purposes.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

In accordance with the Bank Law, companies that form part of a financial conglomerate can share customer databases. Each of the companies that are part of the conglomerate may make economic information available to other financial entities regarding their customers, mostly in regard to their credit background, with previous authorization of the Superintendence of the Financial System.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

Different companies will have different requirements or restrictions regarding the transfer of data, and it is necessary that each company keeps itself informed of its obligations with respect to its customers.

In most cases, the data transfer is done by cooperation, and mostly when there is a resolution issued by a judge, or for use in some judicial case; for example, when database holders are subject to audits or are involved in some type of criminal act, they need to exhibit the information contained in databases in the procedure.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

According to the special law against computer and related crimes, anyone who, without authorization, uses personal data through the use of information and communication technologies, violating confidentiality and data security systems, by inserting or modifying data to the detriment of a third party, will be punished with imprisonment of four to six years. Moreover, the Criminal Code sets out crimes for seizing personal data, which are sanctioned with a fine.

10.2 Do individuals have a private right of action? What are the potential remedies?

Yes, individuals can exercise their right of action at any time by filing a complaint before the competent authorities; the potential remedies depend on the breaches committed and the legislation that regulates it. For example, in the case of financial institutions which have used data for purposes other than those for which authorization was granted, the Bank Law and the Law on the Supervision and Regulation of the Financial System provide that the financial institutions concerned incur joint and several liability for the damages caused to the individuals that provided their data.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of El Salvador which affect privacy?

As a constitutional precept, no one can do anything to adversely affect others, “since my right ends where the other’s right begins”. Data information is considered personal and no one can disclose that information unless they have the consent of the owner to do so. Culturally, we have tried to safeguard the rights of integrity and property, which include personal information and personal data.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

Yes, there is a group that is studying and elaborating a preliminary draft Data Protection Law whose purpose is to delineate privacy limits for the use of personal data and its ownership. This is because, even though there are some laws that regulate privacy issues (see question 1.2), a specific law is needed that will regulate data in general, setting out provisions as to specific permissions, restrictions and obligations, as well as sanctions, remedies, etc.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in El Salvador?

No, since El Salvador does not have a specific Data Privacy Law.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

In El Salvador, we have realized that there is a need for data to be protected by a specific law, and this is why a preliminary draft Bill is being created and studied in order to pass the Bill to the Legislative Assembly for its approval.

12.2 What do you envision the privacy landscape will look like in 5 years?

Currently, there is no consolidated legislation that deals with data protection, but there is a preliminary draft Data Protection Bill that would simplify matters, both for individuals to know the rights they have and to regulate corporations to make proper use of personal data. The draft Bill also aims to periodically encourage companies and individuals to obtain the maximum benefits from the digital market, economic growth, innovation and government collaboration, marking the boundaries between privacy, use of personal data and their ownership.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

The constant updating of the law may be the biggest challenge, since whenever a new regulation enters into force corporations must make a change of structure so as not to be involved in some type of infraction, and often they need to take courses to learn about the new legislation and the best way to incorporate the changes in the laws in their business.

PRIVACY LAW – EUROPEAN UNION

1 PRIVACY LAW

1.1 How is privacy regulated in the European Union Member states?

Privacy is regulated on two levels: that of the European Union and that of the Member states.

On the level of the European Union the most important applicable source of law is the EU General Data Protection Regulation (“GDPR”), which came into force in May 2018. It covers all aspects of privacy law as far as the processing of personal data is concerned.

The protection of personal data is also enshrined in Article 8 of the Charter of Fundamental Rights of the European Union. According to Article 51 of the Charter of Fundamental Rights, all the institutions, bodies, offices and agencies of the European Union are bound by it. Also, the Member states are addressed by the provisions of the Charter and have to comply with it when implementing EU law. All the European Union’s actions must therefore be measured against the Charter, in particular European legislation (Regulations and Directives) and European administration.

On the EU level there is also the ePrivacy Directive, which is not directly applicable but obliges the Member states to implement its regulations into national law. Currently, a draft of an ePrivacy Regulation is being deliberated and will, probably in the near future, replace the ePrivacy Directive. Once in force, it will be directly applicable in the Member states.

On the level of the Member states there are a variety of different regimes addressing only certain privacy aspects (eg, relating to telecommunication), some of them being the result of EU Directives, others being autonomous acts of each national legislator. In addition, the GDPR contains several opening clauses which allow each Member state to enact national privacy rules to regulate certain limited areas of data processing.

At the end of this chapter, the national laws of the Member states will be dealt with separately for each country.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

The GDPR is the primary source for the protection of personal data in all EU Member states. This Regulation is directly applicable in all EU Member states without any further enactment or implementation by the national legislator.

The GDPR regulates all aspects of the processing of personal data, from its collection, via its treatment, security and storage, until its deletion. Thus, it also covers the requirements regarding the use of personal data for advertising purposes, the information obligations of the advertiser, as well as certain rights of the data subject.

In this chapter, references to “Articles” are to Articles of the GDPR.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

According to Article 51 onwards, each Member state has to establish its own independent supervisory authority. Such authority’s main task is to monitor and enforce the application of the GDPR. In order to do so, the GDPR requires the Member states to provide their supervisory authorities with great investigative powers. The GDPR contains a framework of sanctions to be applied by the Member states but does not itself contain any enforcement stipulation. The GDPR is therefore enforced by the Member states themselves. In order to ensure uniform application of the GDPR, a Data Protection Board has been set up at EU level. The Board is composed of the head of one supervisory authority of each Member state.

In addition to the supervisory authority, it is possible, at the level of the Member states, that certain aspects of the protection provided by the GDPR can be pursued and enforced by the courts of the Member states upon the request of competitors, consumer protection associations or the data subjects themselves.

2 SCOPE

2.1 Which companies are subject to privacy law in the European Union?

According to Article 2, the GDPR applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. This will, in fact, subject almost all companies, as well as regulatory bodies, to the GDPR. The only exemptions are specifically listed and comprise, in particular, the processing of personal data in the course of an activity which falls outside the scope of EU law, or the processing of personal data by a natural person in the course of a purely personal or household activity.

2.2 Does EU privacy law apply to companies outside the European Union? If yes, are there specific obligations for companies outside the European Union (eg, requiring a company representative in the European Union)?

Yes, it can apply to companies outside the European Union. The territorial scope of the GDPR is stipulated in Article 3:

(a) The GDPR applies to all processing of personal data in the context of the activities of an establishment of a controller or a processor in the European Union, regardless of whether the processing takes place in the European Union or not.

(b) It applies to all controllers and processors not established in the European Union, as far as data subjects in the European Union are concerned, where the processing activities are related to:

(i) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the European Union; or

(ii) the monitoring of their behavior, as far as their behavior takes place within the European Union.

Thus, eg, online shops or hotels outside the European Union offering their goods or services to data subjects in the European Union will be subject to the GDPR.

Non-EU controllers or processors must appoint a representative in the European Union who will act as a point of contact for supervisory authorities and data subjects. The representative must be established in one of the Member states where the data subjects concerned are located.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in the European Union?

Under Article 4, “personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

Special categories of personal data are covered in Article 9, which prohibits the processing of:

(a) personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership;

(b) genetic data and biometric data for the purpose of uniquely identifying a natural person;

(c) data concerning health; or

(d) data concerning a natural person’s sex life or sexual orientation.

The prohibition does not apply if certain strict and conclusive prerequisites, such as explicit consent, are complied with, or if the processing is necessary for the data subject or the controller in the fields of employment, social security and social protection law, or if it is expressly allowed by the national law of a Member state.

When legally handling special categories of personal data under these exceptions, further requirements, such as technical and organizational measures or pseudonymization of personal data, need to be fulfilled.

Special conditions apply to the consent of children in relation to information society services. A child must be at least 16 years old to give valid consent to the processing of his/her personal data. The consent of someone holding parental responsibility is needed in respect of a child below the age of 16. However, the Member states may provide for a lower age for children to give their consent. The controller has to make reasonable efforts to verify in such cases that the special (age) requirements are fulfilled.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

The key principles that have to be applied when processing personal data are stated in Article 5, which states that personal data must be:

• processed lawfully, fairly and transparently — “lawfulness, fairness and transparency”;

• collected with purpose limitation — “purpose limitation”;

• adequate in relation to the purposes — “data minimization”;

• accurate — “accuracy”;

• kept for no longer than necessary — “storage limitation”; and

• processed in a manner that ensures appropriate security and protection — “integrity and confidentiality”.

The controller shall also be responsible for, and be able to demonstrate compliance with, the key principles (“accountability”). A further key principle is the information obligation vis-à-vis data subjects and authorities.

Regarding lawfulness, a fundamental principle is set out in Article 6(1). This states that data processing is prohibited except where it is explicitly allowed by law, namely if:

(a) the data subject has given consent to the processing of his/her personal data for one or more specific purposes;

(b) the processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract;

(c) the processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) the processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or

(f) the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Consent as a basis for the processing of personal data is defined in Article 4(11). The requirements for a valid consent are regulated in Article 7. The consent has to be an unambiguous indication of the data subject’s wishes by which he/she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data. That means, on the one hand, that consent has to be given in an active way. On the other hand, it means that it is, in principle, not bound to a formal regulation. But the form should be chosen in such a way that the controller can fulfil his duty of proof under Article 7.1. In case consent is given in the context of a written declaration which also concerns other matters, the request for consent must be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.

The consent has to be freely given, specific and informed. When assessing whether consent is freely given, the utmost account is taken of whether, inter alia, the performance of a contract/provision of a service is conditional on consent to the processing of personal data that is not necessary for the performance of that contract. For consent to be specific it is necessary that the data subject can detect who processes what personal data about him/her and for which purpose(s).

The data subject has to be informed about his or her right to withdraw his or her consent at any time. If the data subject withdraws his or her consent, the processing of personal data must be stopped immediately. But the withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

There are two different roles a company processing personal data can take up:

(a) controller: who determines the means and the purpose of the data processing; or

(b) processor: who processes data on behalf of a controller.

A controller may only use processors which provide sufficient guarantees to implement appropriate technical and organizational measures so that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject. A processing agreement needs to be in place regulating the obligations of the processor. When two or more controllers jointly determine the purposes and means of processing, they are joint controllers and need to execute an agreement in order to protect the data subject’s rights and to specify their respective tasks and roles in that respect.

Therefore, it is crucial to determine the roles of the companies processing the personal data, because the required tasks and measures differ depending on the role of the company.

Note that, in addition to the requirements resulting from its respective role, each company is responsible for its own compliance with the GDPR, including the responsibility of (joint) controllers for all information obligations vis-à-vis the data subject.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

Obligations vary, depending on the services provided, as well as the type and volume of data and the size of the company. Key obligations are:

(a) Transparency: The obligation to provide information when personal data is collected, what data is collected, as well as giving information regarding the rights of data subjects (eg in a privacy policy). The obligation requirements are stipulated in detail in Articles 13 (where collected from the data subject) and 14 (where not obtained from the data subject), which can serve as a guideline. It is crucial to note that there is no general template for a privacy policy; rather, it should inform about the personal data processed in a way that is adequate in the circumstances.

(b) Data Security: Data protection by design and by default; this is especially crucial for websites using cookies or other tracking tools which require the active consent of users.

(c) Technical and organizational measures: Controllers and processors must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. In addition, controllers must implement appropriate technical and organizational measures to ensure that processing is performed in accordance with the GDPR and be able to demonstrate this.

(d) Assessment: The obligation to carry out a data protection impact assessment (“DPIA”) when new technologies are used, or when the nature, scope, context and purposes of the processing make it likely to result in a high risk to the rights and freedoms of natural persons. In certain cases, where a DPIA indicates that the processing would result in a high risk, even consultation of the supervisory authority prior to processing may be necessary.

(e) Data Protection Officer: The obligation to designate and register a data protection officer, unless not required under the applicable national law.

(f) Records of processing activities: The obligation to keep a record of processing activities, containing all relevant data as stipulated in Article 30. Records must be in writing (which includes electronic form).

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in the European Union? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

Different measures need to be taken in accordance with the data security rules contained in the GDPR and the national laws; in comparison to data protection, data security is not limited to personal data. Measures include, inter alia, pseudonymization and encryption, as well as system resilience or availability and access. These measures need to be evaluated regularly and, if necessary, adapted. All technical tools used need to be state of the art.

Data security is complemented by technical and organizational measures, which require a hands-on approach to securing data in companies through appropriate means, as well as technical and organizational measures such as a clean desk policy, limited access rights, or locked bins for sensitive material. This is further specified in Article 32 of the GDPR and in national laws.

National data protection authorities have issued guidelines on data security (see the respective national chapters below).

6.2 How are data breaches regulated in the European Union? What are the requirements for responding to data breaches?

In the GDPR, data breaches are primarily regulated by notification requirements. In case of a breach, companies are required to inform:

(a) the data subject without delay, if the breach is likely to result in a high risk to the rights and freedoms of natural persons; and

(b) the supervisory authority within 72 hours, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

A data subject has rights regarding the processing of his/her personal data (Articles 15–22). The rights are:

(a) Access: A data subject has the right to be told whether or not a controller has personal data concerning him/her, and, where that is the case, details about such data. This means that any data subject can ask any company if it has information stored about him/her, even if no prior contact had been made. A controller is required to provide information in response to a request without undue delay, and in any event within one month of receipt of the request.

(b) Rectification: A data subject has a right to obtain from the controller, without undue delay, the rectification of any incorrect personal data.

(c) Erasure: A data subject has the right to erasure (“right to be forgotten”), meaning that a controller is obligated to erase personal data without undue delay under certain circumstances.

(d) Restriction of processing: A data subject has, under certain circumstances, a right to restriction of processing.

Where any rectification or erasure of personal data or restriction of processing has been carried out, the controller has the duty to communicate this fact to everyone to whom the personal data had previously been disclosed. The controller must inform the data subject about those recipients if the data subject requests it.

(e) Data portability: On request, a controller must provide a data subject with his/her personal data in a structured, commonly used and machine-readable format. The data subject also has the right to transmit such data to another controller without hindrance from the controller to which the personal data has been provided. This right is limited to data provided by the data subject to the controller.

(f) Object: A data subject has the right to object at any time to the processing of his/her personal data which was based on Article 6(1)(e) (necessary for the performance of a task carried out in the public interest) or Article 6(1)(f) (for the purposes of the legitimate interests pursued by the controller or a third party). Where objection is made, the controller may only carry on processing the subject’s data if he/she can demonstrate compelling legitimate grounds for doing so, which override the interests, rights and freedoms of the data subject. The right to object can also be overridden for the establishment, exercise or defense of legal claims. In addition, a data subject can always, and at any time, object to the use of his/her personal data for direct marketing purposes.

(g) No to automated processing: A data subject also has the right not to be subject to a decision based solely on automated processing, including profiling.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

The GDPR only regulates the processing (use) of the personal data, while national laws may regulate the permissibility and the means and prerequisites of commercial communications. See the national section on each Member state for details.

Purely from a privacy perspective, the general rules apply, namely that the processing (use) of personal data for marketing communications is permitted on the basis of (informed) consent or legitimate interests, both of which need to be documented. The general information requirements must be complied with.

In addition, the controller (or the processor) must inform the data subject, at the time of first communication with him/her, if not before, of the right to object to the processing of his/her personal data for the purpose of direct marketing. Where objection is made, the processing of the personal data for the purpose of direct marketing must cease, which means that any form of direct marketing must stop immediately upon the request of the data subject (Article 21).

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

(a) General: As with any personal data, the use of tracking tools is prohibited unless the processing of data can be based on a legal exemption (see question 3.3). As a result, only consent and legitimate interests can legitimize the use.

In addition, please note that, according to the ePrivacy Directive, the rules relating to tracking tools are not limited to personal data but cover all data which are being tracked (eg traffic data).

(b) Cookies: Regarding cookies, the European Court of Justice (“ECJ”) has recently issued a decision from which some guidance regarding the consent can be obtained (Case No C-673/17). An effective consent requires an unambiguous action of confirmation, eg actively clicking a box affirming the consent on the website. In contrast, a box that is already checked off or the inactivity of the user cannot establish effective consent in the sense of the GDPR. Accordingly, cookie banners which seek to establish consent simply through a user continuing to surf on a website are not admissible.

An exemption from the consent requirement in Article 5 of the ePrivacy Directive is made for technical storage that is strictly necessary in order to provide the website service explicitly requested by the user of a website. This exempts, eg, cookies that are implemented for the provision of a shopping cart function in an online shop. In contrast, cookies that are used in the context of tracking and analysis tools are not absolutely necessary for the operation of the website and, therefore, require consent.

(c) Pixels and SDKs: Regarding pixels, depending on the type of pixel used, use may be based either on consent or legitimate interests (see question 3.3). In any case, the information obligation of Article 13 has to be observed. The same applies to SDKs. However, as far as profiling is concerned, it is most likely that only consent will serve as a basis for processing the personal data.


PRIVACY LAW – EUROPEAN UNION

(d) Tracking tools operated by third parties: As far as the tracking tools are operated by third parties which process that data, data controllers and processors need to sign either a processing agreement or a joint controllership agreement depending on their respective responsibility.

For embedding of third-party services (like Google Analytics), where the third party uses the personal data for its own purposes, the consent of the data subject is needed.

In this regard, it should especially be noted that the use of such a service requiring consent is only permissible if the consent has effectively been issued by the respective user prior to any personal data being collected. Until this time, processing may not occur, and a cookie that requires consent may only be set after consent has been issued. However, as far as Google Analytics is concerned, Google does not disclose what data they collect and what they use the data for. Therefore—at least according to the German supervisory authorities—a valid consent is currently not possible, because accurate information cannot currently be provided. For other tools this must be checked thoroughly in each case.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

See question 8.2.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

The sharing of data will be legal only when based on a legal exemption, of which consent or legitimate interests are most relevant (see question 3.3). The general information obligations in Articles 13 and 14 also apply (see question 5.1).

Facebook Custom Audience has to be differentiated:

(a) In the case of Facebook Custom Audience via the customer list, Facebook is the processor. Therefore, the controller and the processor (Facebook) need to have a processing agreement in place (Article 28).

(b) In the case of Facebook Custom Audience via the pixel method, Facebook and the provider are joint controllers. They need to have a joint controller agreement (Article 26).

In the case of using LiveRamp, a joint controller agreement is needed.

8.5 Are there specific privacy rules governing data brokers?

There are no specific rules governing data brokers in the GDPR. The processing of data will be legal only when based on a legal exemption, of which consent or legitimate interests are most relevant (see question 3.3). The restrictions of Article 9, regarding sensitive data, apply.

The information obligations of Article 14 must be observed where personal data has not been obtained from the data subject. In particular, it is necessary to clarify from which source the personal data originates, and, if applicable, whether it came from publicly accessible sources. Where personal data is collected from the data subject, the information obligations of Article 13 must be observed.


8.6 How is social media regulated from a privacy perspective?

Operators of social media are subject to the rules of the GDPR in the same way as anyone else. No special rules apply. It has to be pointed out, though, that website operators that use social media and social media operators may be considered joint controllers and thus would need a joint controllership agreement which complies with the requirements of Article 26.

According to an ECJ decision of June 2018 (Case No C-210/16), operators of Facebook fan pages in the European Union are joint controllers together with Facebook Ireland. Thus, a joint controllership agreement must be in place.

According to an ECJ decision of July 2019 (Case No C-40/17), the operator of a website that uses a social plugin causing the browser of a user of that website to transmit personal data of the user to that provider (eg, the Facebook “like” button) can be considered to be a controller. That liability is, however, limited to the operation or set of operations involving the processing of personal data in respect of which it actually determines the purposes and means, that is to say, the collection and disclosure by transmission of the data at issue.

It is important to note that the requirements for a valid basis for the processing of personal data such as, eg, consent or legitimate interests must exist before the social plugin even starts processing (ie, collecting) the personal data from the user. This means that in cases where a consent is required because of the use of cookies, the social plugin must be inactive until such consent is validly issued. Technically, this can be implemented, eg, with the so-called “two-click” solution. The “two-click” solution means that the user, before activating the plug-in with the first click, will be informed, so that a valid consent can be granted. No data must be processed before this activation. Only after this first click can the user click the social plug-in (eg, the “like” button).
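The gating described in question 8.2(d) and in the paragraph above (no consent-dependent cookie or third-party script before a valid consent, the strictly-necessary exemption, and the two-click pattern for a social plugin), as an added example that is not part of this chapter or of any provider's SDK. The tag names, the consent categories and the injected `loader` callback are assumptions so that the logic runs outside a browser; in a real page the loader would be the code that inserts the provider's script or sets the cookie.

```javascript
'use strict';

// Storage strictly necessary for the service the user asked for (the shopping-cart
// cookie in the text) needs no consent; every other category waits for a user act.
const NECESSARY = 'necessary';

class ConsentManager {
  // `loader(tag)` performs the real side effect (inject the provider's <script>,
  // set the cookie). It is injected so the gating logic runs without a DOM.
  constructor(loader) {
    this.loader = loader;
    this.granted = new Set([NECESSARY]);
    this.pending = [];   // tags that must not run yet
    this.log = [];       // audit trail of consent events and tag runs
  }

  // Register a tag: necessary tags run at once, all others are queued.
  register(tag) {
    if (!tag.name || !tag.category) throw new Error('tag needs name and category');
    if (this.granted.has(tag.category)) {
      this.run(tag, tag.category === NECESSARY ? 'exempt' : 'consent');
      return true;
    }
    this.pending.push(tag);
    return false;
  }

  // Consent counts only as an unambiguous affirmative act (the C-673/17 line): a click
  // on a control that was not pre-ticked. Continued browsing can never reach here.
  grant(category, evidence) {
    if (!evidence || evidence.kind !== 'click' || evidence.preTicked) {
      throw new Error('no valid consent: an active, unambiguous click is required');
    }
    this.granted.add(category);
    this.log.push({ event: 'consent', category, evidence });
    const ready = this.pending.filter(t => t.category === category);
    this.pending = this.pending.filter(t => t.category !== category);
    ready.forEach(t => this.run(t, 'consent'));
    return ready.map(t => t.name);
  }

  run(tag, basis) {
    this.loader(tag);
    this.log.push({ event: 'run', name: tag.name, category: tag.category, basis });
  }
}

// Two-click gate for a social plugin: the first click shows the notice and records
// consent, and only then is the provider's code loaded; the second click (the actual
// "like") is refused while the plugin is inactive.
class TwoClickGate {
  constructor(consent, tag) {
    this.consent = consent;
    this.tag = tag;
    this.active = false;
  }
  noticeText() {
    return `Activating ${this.tag.name} sends your data to its provider. Click to enable.`;
  }
  firstClick() {
    this.consent.grant(this.tag.category, { kind: 'click', control: `${this.tag.name}-enable` });
    this.consent.register(this.tag);   // category now granted, so it loads immediately
    this.active = true;
  }
  secondClick() {
    if (!this.active) throw new Error(`${this.tag.name} is inactive; no data may be sent`);
    return `${this.tag.name}: interaction transmitted`;
  }
}

// Audit: every run that is not exempt must follow a consent event for its category.
// Returns the names of offending tags; an empty list means the log is clean.
function auditLog(log) {
  const consented = new Set();
  const violations = [];
  for (const e of log) {
    if (e.event === 'consent') consented.add(e.category);
    if (e.event === 'run' && e.basis !== 'exempt' && !consented.has(e.category)) violations.push(e.name);
  }
  return violations;
}

// Worked scenario with constructed tags (names are illustrative, not real endpoints).
function demo() {
  const loaded = [];
  const cm = new ConsentManager(tag => loaded.push(tag.name));
  cm.register({ name: 'cart-session', category: NECESSARY });    // exempt: runs now
  cm.register({ name: 'analytics-tag', category: 'analytics' });  // queued until consent
  const like = new TwoClickGate(cm, { name: 'like-button', category: 'social' });
  let early;
  try { like.secondClick(); } catch (err) { early = err.message; }  // refused: inactive
  like.firstClick();
  const granted = cm.grant('analytics', { kind: 'click', control: 'analytics-checkbox' });
  return { loaded, early, granted, liked: like.secondClick(), violations: auditLog(cm.log) };
}
```

The audit trail is what a supervisory authority would ask for: the order of `consent` and `run` entries shows that nothing non-exempt ran before the user's click.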

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

There are no special rules. The GDPR applies, and thus a legal basis for the use of the data must be available (see question 3.3). Certain information requirements apply.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

Any transfer within the EU is subject to the general rules of the GDPR, ie, it must have a legal basis (Article 6, as to which see question 3.3) and comply with all the other requirements regarding data security etc. This also applies to a transfer between group companies.

In addition, in case of any transfer of personal data outside the EU the following has to be observed:

(a) Transfers on the basis of an adequacy decision (Article 45): A transfer of personal data may take place where the European Commission has decided that the third country ensures an adequate level of data protection. Currently, the European Commission has issued an adequacy decision regarding the following countries: Andorra, Argentina, Canada, Guernsey, Faroe Islands, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.


Special case EU-US Privacy Shield: The treaty between the EU and the USA consists of an adequacy decision of the European Commission and different attachments, such as the so-called “Privacy Principles” (that regulate, in particular, the principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, recourse, enforcement and liability) and Letters of different US ministries, in which they commit themselves to comply with the standards. US-American companies may undertake to the US Department of Commerce to adhere to the Principles. Therefore, they have to publish a “Privacy Policy” that matches with the Principles and certify themselves. The self-certification has to be repeated yearly. Furthermore, they have to document the adherence. The companies that fulfil the conditions of the Privacy Shield are listed under https://www.privacyshield.gov/list.

For all US companies not participating in the Privacy Shield, one of the appropriate safeguards of Article 46 must be in place.

(b) Transfers subject to appropriate safeguards (Article 46): In the absence of an adequacy decision, a controller or processor may transfer personal data to a third country only if the controller or processor has provided appropriate safeguards, and only if enforceable data subject rights and effective legal remedies for data subjects are available.

The most relevant appropriate safeguards are the standard data protection clauses adopted by the Commission or by a supervisory authority and approved by the Commission.

(c) Derogations for specific situations (Article 49): In the absence of an adequacy decision or of appropriate safeguards, a transfer of personal data to a third country may take place only on one of the following conditions:

(i) Explicit consent of the data subject: ‘Explicit’ means that an implied consent is not possible. Furthermore, the data subject has to be informed about the possible risks of transfers due to the absence of an adequacy decision and appropriate safeguards;

(ii) The transfer is necessary for the performance of a contract between the data subject and the controller or for the implementation of pre-contractual measures taken at the data subject’s request;

(iii) The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;

(iv) The transfer is necessary for important reasons of public interest;

(v) The transfer is necessary for the establishment, exercise or defense of legal claims;

(vi) The transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent; or

(vii) The transfer is made from a register which, according to EU or Member state law, is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by EU or Member state law for consultation are fulfilled in the particular case.


9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

There are no privileges for transfer between group companies, which are considered independent and separate entities under the GDPR. Therefore, a legal basis under the GDPR must be in place for each inter-group transfer of personal data.

It should be noted that a joint controllership or a processing agreement may be necessary in certain circumstances. It depends on which role the respective group company takes on in processing. Where the companies jointly determine the purposes and means of processing, they are joint controllers, but where one company processes data on behalf of another, it is considered a processor (see question 4.1).

Larger group companies with entities outside the EU should consider issuing binding corporate rules as provided in Article 47, which, while having to be approved by the competent supervisory authority, will provide an easier data transfer within the group.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

In case of non-compliance with GDPR stipulations, or in the case of a data breach, the supervisory authority can issue administrative fines of up to 20 million euros, or in the case of an undertaking, up to 4% of the preceding financial year’s total worldwide annual turnover of the group to which it belongs, whichever is higher.

10.2 Do individuals have a private right of action? What are the potential remedies?

The following rights exist for data subjects affected by data protection infringements:

(a) Right to lodge a complaint with a supervisory authority;

(b) Right to claim information about one’s own personal data according to Article 15;

(c) Right to an effective judicial remedy where a person considers that his/her rights under the GDPR have been infringed as a result of the processing of his/her personal data in non-compliance with the GDPR;

(d) Right to receive compensation from the controller or processor for damage suffered; and

(e) Right to mandate a not-for-profit body, organization or association (which has been properly constituted in accordance with the law of a Member state, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data) to lodge the complaint and exercise the rights referred to above on his/her behalf (in the case of the right to compensation, this applies only where provided for by Member state law).


11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of the EU Member states which affect privacy?

Please see the section of each Member state below.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

The hottest topic is the ePrivacy Regulation which so far only exists as a draft. The ePrivacy Regulation will regulate the sector of electronic communications. The following electronic communication processes will most likely be affected:

• internet access,

• instant messaging services,

• web-based email services,

• internet telephony,

• staff messaging, and

• social media.

It should be mentioned that the ePrivacy Regulation will apply to the processing of both personal and non-personal data and aims to protect the communications data of natural and legal persons.

The changes will affect, in particular, the handling of cookies and the use of electronic means of communication such as e-mail and telephone for advertising purposes. However, as the latest draft has just been rejected by about half the Member states, it does not look like it can come into force in the next one or two years.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in the European Union?

The national data protection authorities of Member states have started issuing rather heavy fines, which means that each controller is strongly advised to take all necessary steps to comply with the requirements of the GDPR and the respective national laws.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

People have become more aware of the value their personal data has. Some Member states have been shaken by data breach scandals and surveillance affairs from companies as well as from foreign states. People are no longer willing to accept this kind of behavior and dare to take back control, eg against major social media companies (see the SCHREMS Law or the “Not Your Business” initiative). At its core, data protection can give a competitive advantage, as customers tend to trust companies that take data protection seriously. People increasingly want to know how the data entrusted to companies is being handled by them.


Also, people have become skeptical towards technological advancements, such as the internet of things, surveillance toys for children, fitness trackers/apps and smart homes and meters, especially because it is unclear how and for what personal data the gadget can and will be used (against data subjects).

12.2 What do you envision the privacy landscape will look like in 5 years?

Hopefully, the current hysteria will have calmed down. First court decisions will have brought a reliable interpretation of current uncertainties in respect of some GDPR stipulations and its interpretation by the authorities. The fines issued within the next five years will provide a more transparent and secure environment as far as personal data is concerned.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

Companies will need to stay tuned to developments in such issues as the interpretation and application of the GDPR, which will require not only money and human resources but also changes within the organization of the company.


PRIVACY LAW – AUSTRIA

1 PRIVACY LAW

1.1 How is privacy regulated in Austria?

In Austria, the strict privacy rules of the GDPR are applicable. Thus, natural persons are granted rights under the GDPR and controllers and processors have to adhere to its strict standards.

Apart from that, the right to privacy is a fundamental right under Section 1 of the Austrian Privacy Act and under Article 8 of the Charter of Fundamental Rights of the European Union that is granted under the constitution.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

In the first place, the GDPR is directly applicable in Austria.

Austria’s Privacy Act 2000 was amended in 2018 to implement changes due to the GDPR entering into force. Austria made very little use of the opening clauses set out in the GDPR.

Apart from that, privacy regulations can be found in various other statutes, eg in laws applying to scientific research etc.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

First of all, the Austrian Data Protection Authority, as established by the Austrian Privacy Act, is responsible for enforcing privacy laws, and has extensive rights and may impose fines. It is the supervisory body pursuant to Article 51 of the GDPR.

Secondly, the Austrian courts may rule on privacy matters. They are also competent to award damages for data breaches.

In a recent court decision, it was held that a data subject may only pursue one path in any privacy matter, ie, either seek help from the courts or from the Data Protection Authority.

2 SCOPE

2.1 Which companies are subject to privacy law in Austria?

A company must adhere to the strict privacy rules when processing data of individuals, if:

(a) the company is located in Austria; or

(b) it offers goods or services in Austria; or

(c) it monitors the behavior of data subjects within Austria.


2.2 Does privacy law in Austria apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

Privacy laws apply to companies outside Austria pursuant to the rules set forth in the GDPR. Thus, if companies outside Austria offer goods or services in Austria, or monitor the behavior of data subjects within Austria, Austrian privacy laws apply. If such companies are located outside the EU, or do not have an establishment in the EU processing the data, then such companies are under a duty to appoint a representative in an EU member state.

See also the European Union chapter.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Austria?

Personal data has the wide meaning as set forth in Article 4 of the GDPR. See the European Union chapter.

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

See the European Union chapter.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

See the European Union chapter.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

See the European Union chapter.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

The obligations of a controller or processor are those set out in the GDPR. Generally, each controller and processor must:

(a) ensure transparency and the lawful processing of data;

(b) maintain a record of processing activities;


(c) appoint a privacy officer when required under the GDPR (Austria does not have any stricter rules than under the GDPR) and register him/her with the Data Protection Authority;

(d) conduct a risk impact assessment where required under the GDPR;

(e) implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk; and

(f) maintain sufficient documentation to be able to demonstrate compliance of the processing activities with the GDPR and execute the necessary contracts (eg, with processors, joint controllers or, where required, with recipients of personal data in countries outside the EU).

In more detail, and with regard to advertising, each controller has to:

(g) set up a privacy statement informing data subjects about the processing of their personal data as well as their rights under the GDPR;

(h) execute joint controller agreements with social media platforms (when used by the controller);

(i) use cookies in line with the legal requirements (see question 8.2); and

(j) ask for the data subjects’ consent for certain marketing activities (such as promotional emails) etc.

Furthermore, each controller and processor should have a privacy policy laying down the applicable principles concerning privacy issues and instruct employees regularly involved in data processing about privacy, as well as have them sign a privacy statement.

See also the European Union chapter.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Austria? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

Generally speaking, security is mainly covered by the rules laid down in the GDPR. Each controller and processor must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

See the European Union chapter.

6.2 How are data breaches regulated in Austria? What are the requirements for responding to data breaches?

Again, there are no special rules other than those set out in the GDPR. See the European Union chapter.

Furthermore, the controller must document any personal data breaches, noting the facts relating to the personal data breach, its effects and the remedial action taken.


7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

Individuals (data subjects) have the rights specified in the GDPR. See the European Union chapter.

If an individual is denied these rights, he/she can enforce them either through the ordinary courts or by lodging a claim with the Data Protection Authority.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

For marketing communications, again, the GDPR applies. See the European Union chapter.

Under the GDPR, marketing communication is only permitted if the processing of the individual’s personal data (eg, his/her email address) is lawful under Article 6 of the GDPR. Usually this either requires the individual’s consent or, in some cases, that the legitimate interests pursued by the controller or by a third party outweigh those of the individual. If the data subject is a child, this balancing of interests usually is in favor of the child.

In addition, for electronic communication, the Telecommunication Act applies. The Telecommunication Act implemented the regulations of the EU ePrivacy Directive, which will be replaced by the ePrivacy Regulation in the near future. Under the Act, the prior consent of the individual is required in almost all cases.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

Tracking technologies are subject to the rules of the GDPR. See the European Union chapter.

Cookies are also regulated by the Telecommunications Act (see also question 8.1).

Tracking generally requires the consent of the data subject. In this context, it is important to note that consent must be given actively. It is not sufficient to use, eg, a cookie banner informing the data subject about the tracking and require him/her to disable the same, if the data subject does not actually consent to the use of cookies.

Only “necessary cookies”—ie, those needed to be able to provide the services offered online—may be used without the data subject’s consent.

The data subject must also be informed in detail about the tracking methods, in particular about the various cookies that are being used.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

Again, the rules of the GDPR apply. See the European Union chapter.

Targeting and behavioral advertising usually require the data subject’s consent.


8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

Here too, the GDPR applies. See the European Union chapter.

Under the principle of transparency, the data subject has to be informed when data is shared with third parties like Facebook. Furthermore, it is advisable to provide a link to the third-party privacy statement.

Most likely, sharing such data also requires the data subject’s consent.

8.5 Are there specific privacy rules governing data brokers?

The Austrian Trade Law contains special rules for data brokers. Generally, the GDPR is applicable for them, too. Address publishers and direct marketers are allowed to obtain personal data for their activities from publicly available information, by interviewing data subjects, from customer and interest file systems of third parties or from marketing file systems of other address publishers and direct marketing companies, provided that this is done in compliance with the principle of proportionality for the preparation and implementation of marketing campaigns of third parties, including the design and dispatch of advertising material or list broking. This right is, however, limited to narrowly defined categories of data. For the processing of sensitive data, the data subject’s consent is required.

8.6 How is social media regulated from a privacy perspective?

Again, the GDPR applies. See the European Union chapter.

Otherwise there are no specific rules. Social media platforms are considered as joint controllers, with the consequence that companies using social media platforms need to enter into a joint controller agreement with the social media operator (eg, Facebook).

In addition, transparency rules are particularly relevant. The data subject’s consent may be required for social media activities.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

There are no special rules from a privacy perspective, other than those under the GDPR. Transparency and the lawful processing of personal data under Article 6 of the GDPR are required. Under certain circumstances, the data subject’s consent may be linked to the right to participate in sweepstakes or the like.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

Again, the GDPR applies.

To begin with, data transfers are only permitted if the processing of personal data and the transfer are lawful. For instance, between group companies a transfer could be lawful because the legitimate interests of the group outweigh the interests of the data subjects whose personal data is being transferred.


Transfers to countries outside the EU are subject to the strict rules under the GDPR. See the European Union chapter. In general, privacy and the data subject’s rights must be adequately secured.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

No.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

There is a wide range of penalties and sanctions, from a warning by the Data Protection Authority to the highest fines under the GDPR (administrative fines up to 20 million EUR, or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher).

The Austrian Data Protection Act sets out additional fines for certain administrative offences under the Act.

As foreseen under the GDPR, individuals may claim damages for data breaches, which—especially in cases where numerous data subjects are affected—can be higher than the fines under the GDPR.

10.2 Do individuals have a private right of action? What are the potential remedies?

Individuals may lodge claims with the courts or the Data Protection Authority.

The courts may award damages and/or prohibit the further processing of data.

The Data Protection Authority may impose fines and also prohibit the further processing of data.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Austria which affect privacy?

The right to privacy is a fundamental right under Austria’s constitution.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

No.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Austria?

No.


12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

The GDPR and the massive fines set out therein have triggered more awareness about privacy, both amongst companies and data subjects. This has led, on the one hand, to companies taking an increased number of measures to observe privacy and, on the other hand, to more claims being lodged with the Data Protection Authority by data subjects.

12.2 What do you envision the privacy landscape will look like in 5 years?

After the hype over privacy, which began in 2018 when the GDPR became effective, has settled, privacy will become more commonplace. We will have more clarity on legal privacy issues that are uncertain today, because the number of decisions by data protection authorities and courts will continue to increase.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

The challenges will still be the same: implementing effective technical and organisational measures to secure a reasonable level of security and to keep them up-to-date.

Ongoing digitalisation will bring more challenges as digitalisation brings along a huge flow of data, often big data.


PRIVACY LAW – BELGIUM

1 PRIVACY LAW

1.1 How is privacy regulated in Belgium?

The Belgian legislative and regulatory landscape for privacy, data protection and cybersecurity is comprehensive, and consists of statutory law, constitutional law and European law. These legislative instruments are applied and enforced by the Belgian data protection authority (“Gegevensbeschermingsautoriteit/Autorité de Protection de Données”) (“DPA”), by the criminal investigation authorities and by the courts, both directly and upon appeal against decisions of the Belgian data protection authority. The Belgian DPA uses its own guidelines, decisions and recommendations when interpreting the laws.

Prior to the entering into force of the EU General Data Protection Regulation (“GDPR”), the Belgian privacy and data protection legislation was set forth in the Act of December 8, 1992 on privacy protection in relation to the processing of personal data (“Data Protection Act”), which was amended to implement the EU Data Protection Directive. The Data Protection Act and the Royal Decrees of February 13, 2001 and December 17, 2003 have been repealed and replaced by the Act of July 30, 2018 on the protection of physical persons towards treatments of personal data (“Privacy Act”). This Act deals with the Belgian substantive aspects of the GDPR, with several specifications and derogations. See, further, question 3.2.

Prior to the GDPR, the Belgian enforcement agency was the Belgian Privacy Commission. It monitored compliance, with powers to conduct raids and investigations, but could not impose administrative penalties upon individuals or organisations. The Belgian Privacy Commission, for a variety of reasons, including lack of sufficient resources, had traditionally taken a rather inactive position, only rarely making investigations and decisions. The Belgian Privacy Commission was replaced by the Belgian DPA through the Act of December 3, 2017, which granted it the powers and jurisdiction which the GDPR requires national supervisory authorities to have. Notwithstanding the federal political structure of Belgium, Belgium only has one central DPA.

Another piece of general legislation impacting data protection is the law of June 13, 2005 on electronic communications (“Act on Electronic Communications”), which implemented the ePrivacy Directive 2002/58/EC, with specific privacy rules for the processing of personal data by the telecoms sector.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

The EU GDPR is directly applicable in Belgium and is the principal and primary source for data protection in Belgium. The GDPR covers almost all of the relevant aspects of data privacy.

The Act of July 30, 2018 on the protection of physical persons towards treatments of personal data (“Privacy Act”) is the new Belgian national privacy law. Most of the provisions apply to the processing of personal data in the public sector. Only a limited number of principles, issues or opening clauses are specifically impacting private companies and organizations differently from the provisions of the GDPR.


Other important legislative and regulatory provisions affecting privacy, data protection andcybersecurityare:

(a) TheBelgianConstitution (“everyone is entitled to theprotectionofhisorherprivate andfamilylife”);

(b) BookXII(“LawoftheElectronicEconomy”)oftheCodeonEconomicLaw,asadoptedbytheAct of December 15, 2013, which deals with aspects of information society services andwhich provides rules on the use of personal data for direct marketing purposes viaelectronicpost(includingemail,SMSandMMS);

(c) Books VI and XIV of the Code on Economic Law (market practices and consumer protection, with rules on the use of personal data for direct marketing purposes via telephone, fax and automatic calling machines);

(d) The Act on Electronic Communications; and

(e) The Act of November 28, 2000 on Cybercrime.

Belgium has no sectoral approach to privacy and personal data protection but the following provide specific rules:

(f) Act of March 21, 2007 on the installation and use of surveillance cameras;

(g) Collective Bargaining Agreement No 68 of June 16, 1998 on camera surveillance of employees;

(h) Collective Bargaining Agreement No 81 of April 26, 2002 on the monitoring of electronic communications of employees;

(i) The Patient Rights Act of August 22, 2002 (specifically on the use of patients’ data).

All rules on the processing of personal data for marketing purposes are contained in the GDPR. Specific marketing activities, such as direct marketing by email or telephone, are regulated by the Act on Electronic Communications and the Book of the Code on Economic Law dealing with fair and unfair market practices.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

The GDPR, the Belgian Privacy Act and other laws protecting personal data are enforced by the supervisory Belgian DPA, as well as the courts and the criminal investigation authorities. They can monitor, ask questions, issue orders and fines in case of violations of the data protection laws. In particular, the Economic Inspection Service of the Federal Public Service Economy enforces rules on direct marketing which are part of Books VI, XII and XIV of the Code of Economic Law. None of the enforcement agencies are self-regulatory.

2 SCOPE

2.1 Which companies are subject to privacy law in Belgium?

See the European Union chapter.

2.2 Does privacy law in Belgium apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

Yes, privacy law applies outside the country:

(a) As far as the GDPR is applicable, it applies to companies outside Belgium:

(i) that are established in any EU Member State and that process personal data as a controller or processor, regardless of whether or not the processing takes place in the EU;

(ii) that are not established in any Member State but are subject to the laws of a Member State by virtue of public international law; and

(iii) that are outside the EU, if they process the personal data of EU residents in relation to the offering of goods or services, or if they monitor the behavior in the EU of EU residents.

(b) The Belgian Privacy Act applies to controllers and processors that: (i) process personal data in Belgium (see question 2.1) and (ii) do not have an establishment in Belgium, but fall within the scope of the GDPR.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Belgium?

Personal data is legally defined in the GDPR Article 4(1) (see the European Union chapter). An identical definition can be found in the Belgian Privacy Act (Articles 2 and 3).

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

See the European Union chapter.

In addition to the specific obligations contained in the GDPR, the Belgian Privacy Act permits private bodies to process special categories of personal data for certain purposes. Some of the most relevant specific Belgian clauses and obligations around sensitive information are:

(a) The lowering of the age for a child’s consent to 13;

(b) A list of three situations in which processing is deemed to be of substantial public interest as an exemption to the prohibition of processing the special categories of personal data (principally racial or ethnic origin, political beliefs, religious or philosophical beliefs). The most relevant one relates to processing by associations which have as their statutory goal the defense and improvement of human rights and fundamental freedoms; and

(c) Three new obligations for the data controller or processor in relation to the processing of genetic data, biometric data or data concerning health:

(i) indication of which categories of persons have access and explanation of their relation to the processing,

(ii) maintaining a list of these categories, and

(iii) ensuring that the designated persons are subject to a legal or equal contractual obligation to ensure the confidential character of the personal data.

The controller or processor has to take appropriate and specific measures to safeguard the interests of the data subject.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

See the European Union chapter.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

See the European Union chapter.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

See the European Union chapter.

The approach of the Belgian DPA to data protection impact assessments (“DPIAs”) is set out in its February 28, 2018 recommendation, with a Blacklist of processing operations which always require a DPIA. Some of the most relevant operations on the Blacklist are:

(a) processing involving the use of biometric data to uniquely identify individuals in a certain space;

(b) processing of data collected from a third party in order to make a decision to refuse or to terminate a services contract;

(c) processing of special categories of personal data for a purpose other than that for which they were originally collected, except where the data subject gives his/her consent or in particular circumstances;

(d) processing involving medical implants where a data breach can compromise physical health;

(e) large-scale processing concerning vulnerable people for purposes other than that for which the data were originally collected;

(f) large-scale collections from third parties for the purpose of predicting the economic situation, health, personal preferences, interests, reliability, behavior, location or movements of individuals;

(g) data of a very personal nature, such as poverty, involvements, domestic and private activities, or location data, being systematically shared between multiple controllers;

(h) large-scale processing activities by connected devices (“IoT”) (eg, generated by devices, smart toys) or systematic processing through the use of automated processing of certain internet data or metadata, viewing, listening and browsing habits, clicking activity or shopping habits.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Belgium? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

See the European Union chapter.

6.2 How are data breaches regulated in Belgium? What are the requirements for responding to data breaches?

See the European Union chapter.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

See the European Union chapter and question 1.3 above.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

See the European Union chapter for privacy law obligations.

Regulation is dependent on the means of communication:

(a) The use of electronic means (including email, SMS and MMS) for direct marketing requires the prior authorization of the recipient. This consent has to be specific and freely given on an informed basis (opt-in), except for electronic direct marketing to:

(i) legal entities using a non-personal email address (opt-out); and

(ii) existing customers about identical or similar products (under specific conditions to be respected and always provided that the recipient can at any time oppose the further use of his/her electronic contact details for direct marketing purposes) (opt-out basis).

(b) A prior consent of the recipient (opt-in) is also required for marketing by fax or through automated calling machines (Book XII of the Code on Economic Law on the use of emails for advertising purposes).

(c) Belgium has a national opt-out register (the “Robinson List”) for marketing by telephone.

(d) The use of postal services for direct marketing does not require the prior consent of the addressee, provided that an opportunity is offered to opt out. There is an opt-out register for direct marketing by post which is mandatory for members of the Belgian Direct Marketing Association. Non-personalised advertising by post can be stopped through the use of stickers on mailboxes.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

See the European Union chapter.

The Act on Electronic Communications implements the ePrivacy Directive, pursuant to which the storage of cookies on an end user’s device requires prior, specific, informed and freely given unambiguous consent (on the basis of the GDPR standard), unless the cookie is for the sole purpose of carrying out the transmission of a communication or is strictly necessary to provide the service over the internet.

The Belgian DPA has published recommendations on the use of cookies. Consent cannot be obtained through current browser settings. Consent requires an affirmative action by the user, who must have a chance to review the cookie policy beforehand and who should be given the option to accept or decline the use of each specific category of cookie.

Both the Belgian Institute of Postal Services and Telecommunications and the Belgian DPA have taken enforcement action in relation to cookies. Facebook has been condemned by the Brussels Court of First Instance for having tracked an internet user without knowledge and consent (fine of EUR 250,000 per day with a maximum fine of EUR 100 million). Other enforcement actions taken by the Belgian DPA have given rise to a EUR 15,000 fine for illegal use of cookies on a website.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

See the European Union chapter, question 8.2.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

See the European Union chapter.

8.5 Are there specific privacy rules governing data brokers?

See the European Union chapter.

8.6 How is social media regulated from a privacy perspective?

See the European Union chapter.

In a recommendation of May 2015, the Belgian DPA opposed the use of “social plug-ins” that allow the tracking of the internet traffic and behavior not only of users, but also of internet users with a deactivated account or without any account at all. These recommendations have been enforced through a lawsuit against Facebook (see question 8.1).

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

See the European Union chapter.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

See the European Union chapter.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

See the European Union chapter.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

See the European Union chapter.

The maximum penalty for sending marketing communications in breach of the data protection laws is EUR 10,000 (this amount is a criminal fine and, as such, has to be multiplied by eight). In addition to the administrative sanctions already imposed by the GDPR, fines ranging from EUR 100 to EUR 30,000 for infringements of the Belgian Privacy Act can be imposed.

10.2 Do individuals have a private right of action? What are the potential remedies?

See the European Union chapter.

The Belgian Privacy Act also introduces a “cease and desist” procedure to allow a data subject to bring a claim of infringement of data protection obligations before the President of the competent Court of First Instance. The Court can prevent further infringement through an injunction, and can also impose daily penalties and can order the publication of its order. Claims for compensation for damages incurred will necessitate the launch of separate proceedings.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Belgium which affect privacy?

In a decision of December 17, 2019, the Belgian DPA fined an operator of a website for legal news which had its privacy statement only available in English, although it was also addressed to a Dutch and French speaking audience.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

The hottest topic is the draft ePrivacy Regulation. See the European Union chapter.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Belgium?

The Belgian DPA has recently become very active, making recommendations, opinions and decisions on a near-daily basis. One example is a EUR 15,000 fine of a website operator for use of a privacy statement which was not easily accessible and did not mention the legal basis for the data processing. The DPA referred to the ECJ ruling on Planet 49 which determined that effective consent was required for the use of Google Analytics.

Another example is a decision of December 17, 2019 where a EUR 2,000 fine was imposed against a nursing care organisation which failed to act on requests from a data subject to get access to his data and to have his data erased. Several other decisions were made in November 2019, imposing fines for reason of data processing with insufficient legal basis (particularly election mailings to email addresses which had not been collected for this purpose).

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

See the European Union chapter.

12.2 What do you envision the privacy landscape will look like in 5 years?

See the European Union chapter.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

See the European Union chapter.

Data breaches caused by insufficient cybersecurity are an ever-increasing source of concern and trigger potential enforcement by the Belgian DPA, on top of the other concerns and damages inflicted upon private and public entities by cybercrime. GDPR is also increasingly being weaponised by parties in discussions and litigation. It remains to be seen when the first class action lawsuits will be filed in connection with data privacy.

PRIVACY LAW – BULGARIA

1 PRIVACY LAW

1.1 How is privacy regulated in Bulgaria?

Privacy is regulated on two levels: that of the European Union and that of the Republic of Bulgaria.

Since May 25, 2018 the primary piece of legislation on the EU level regulating data protection is the General Data Protection Regulation (“GDPR”). This has direct effect in Bulgaria and its rules prevail over any conflicting rules of Bulgarian law.

The right to privacy is set forth in the Constitution of the Republic of Bulgaria as a fundamental human right. Its scope goes far beyond the right to personal data protection and also includes the right to personal integrity and non-interference in private life, to non-surveillance and to secrecy of private communications.

The primary Bulgarian legislative act on data protection is the Personal Data Protection Act (“PDPA”), which was last amended with effect from March 1, 2019 to set out derogations and other additional and/or specific data protection rules to the GDPR. The amended PDPA and the Rules on Activities of the Commission for Personal Data Protection and Its Administration (the “CPDP Rules”), effective as of July 30, 2019, also set out the powers and supervision procedures of the Commission for Personal Data Protection (“CPDP”), which is the Bulgarian data protection supervisory authority.

The PDPA also implements the provisions of the EU Law Enforcement Directive 2016/680, and thus contains special rules on the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offenses or the execution of penalties, including the prevention of threats to public order and security.

The Bulgarian Electronic Communications Act (“ECA”) implements the ePrivacy Directive (see the European Union chapter).

National sector-specific laws provide for a few individual sector-specific rules on data protection.

At a secondary legislation level, the CPDP may issue binding rules and instructions regulating the implementation and functioning of legal instruments, such as the technical and organizational measures for personal data protection, set forth in a generic manner in the GDPR or PDPA. Such secondary pieces of legislation have to be in conformity with the relevant primary legal act. Otherwise, they may be invalidated as unlawful. As of now, there is only one such piece of secondary legislation in effect, and it relates to the notification of consumers by public electronic service providers in relation to data breaches.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

The primary legal acts regulating data protection in Bulgaria are the GDPR and PDPA, where the PDPA sets out only the local rules on personal data processing under the opening and derogating clauses of GDPR. Thus, the principal and core rules on data protection can be found in the GDPR.

Pursuant to the PDPA:

(a) In case of large-scale processing of personal data or systematic large-scale surveillance of publicly accessible areas, including through video surveillance, controllers must adopt and apply rules for personal data processing, containing:

(i) the legal bases and objectives for setting up a monitoring system,

(ii) the territorial scope of surveillance and the means of monitoring,

(iii) the period of storage of information records and their deletion,

(iv) the right of access by the monitored persons,

(v) informing the public about the monitoring carried out, as well as restrictions in provision of access to the information to third parties.

(b) Employers, in their capacity as data controllers, must adopt special rules and procedures on personal data processing when they have implemented:

(i) an internal system for reporting of violations; and/or

(ii) control systems of the access, working time and work discipline within their premises.

These must contain information on the scope, obligations and methods for implementation of the respective system in practice and be notified to the employees.

(c) Further, the PDPA prescribes that the processing of personal data for journalistic purposes, as well as for academic, artistic or literary expression, is lawful when it is performed for the realization of the freedom of expression and the right to information, while respecting privacy of personal life.

In November 2019, however, the Bulgarian Constitutional Court struck down as unconstitutional the provision of the law which provided for the balancing test criteria which had to be taken into account by controllers when assessing the opposing right of a data subject to personal data protection and the right of other involved subjects to freedom of expression and information (see Decision No 8 of November 15, 2019 under Constitutional Case 4/2019). Thus, at the moment, Bulgarian privacy law does not provide for an implementation of the journalistic exception under Article 85 of the GDPR.

(d) Another specific rule exists with respect to processing personal data for the purposes of creating a photographic or audiovisual work by filming a person in the course of his/her public activity or at a public place. In this case, the PDPA provides that data subjects cannot make use of their privacy-related rights recognized by GDPR, and the regime for data breaches does not apply.

Processing of personal data for marketing purposes is governed by the rules of the GDPR. Limited local provisions also apply with respect to direct marketing via email and telephone (see question 8.1).

There are no state or sector-specific laws and no self-regulatory frameworks applicable to the matter in Bulgaria.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

The CPDP is the national supervisory authority. Its powers are provided for in the GDPR and PDPA and the rules and processes for the exercise of such powers are set out in the CPDP Rules. To enforce data protection rules, the CPDP may inspect data controllers and processors, issue and apply mandatory administrative measures and/or impose administrative fines and other sanctions. The CPDP exercises its enforcement powers by issuing decisions or other administrative acts which are subject to judicial review at two instances.

The CPDP enforces the GDPR and national data protection legislation with respect to all data controllers and processors, save for the Bulgarian courts and prosecution and investigation state bodies. The latter are under the jurisdiction of the Inspectorate of the Supreme Judicial Council. When exercising its supervisory functions, the Inspectorate has similar powers to those of the CPDP. The terms and procedures that govern the enforcement powers of the Inspectorate are set out in the Rules of Operation of the Judiciary Act.

Self-regulatory bodies are not yet developed or common in Bulgaria.

2 SCOPE

2.1 Which companies are subject to privacy law in Bulgaria?

See the European Union chapter.

2.2 Does privacy law in Bulgaria apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

In accordance with the scope of application of the GDPR, which is directly applicable in the territory of Bulgaria, privacy law does apply to companies outside Bulgaria. See the European Union chapter.

The PDPA does not contain special rules relating to its scope of application.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Bulgaria?

Personal data is defined in the GDPR. The PDPA does not supplement or otherwise modify the GDPR definition of personal data in any way.

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

See the European Union chapter.

In addition to the specific obligations contained in Article 9 of the GDPR, Bulgarian laws also provide for the following:

(a) Children’s data and consent: The processing of personal data of data subjects below the age of 14 on the basis of consent is lawful only if the consent is given by the child’s parent or guardian.

(b) Copies of personal documents: The PDPA explicitly restricts cases whereby data controllers and processors may copy an identity document, such as an identity card, driving license or residence document of a data subject; this is permissible only if expressly provided for in a primary legal act.

(c) Processing of personal identification credentials: In Bulgaria, the processing of personal identification numbers (“PIN”) of Bulgarian citizens or the processing of the identification numbers of foreigners is subject to enhanced protection. Specific obligations imposed by the PDPA include:

(i) an explicit prohibition on the granting of free public access to information containing a PIN, or personal number of a foreigner, unless the law provides otherwise;

(ii) controllers providing electronic services must take appropriate technical and organizational measures, and not use a person’s PIN or personal number as the only means of identifying the user when providing remote access to the respective service.

(d) Under Bulgarian employment law, the deadline for employers to respond to employee access requests with respect to their labor related files, documents and other information is 14 days (in contrast to the period of up to 1 month under the GDPR).

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

See the European Union chapter.

In addition, where data is provided by the data subject without a legal basis, or contrary to the principles under GDPR Article 5, the PDPA obliges controllers and processors, within one month of becoming aware of this, to return the carriers of the data, or, if this is impossible, or requires disproportionate effort, to erase or destroy the unlawfully obtained data. Deletion and destruction of data must be documented.

In light of the principle of storage limitation, the PDPA provides that, in the context of recruitment, the personal data of applicants who have not been offered a job position may be processed no longer than six months after the end of the recruitment process, unless the applicant has given his/her consent for storage of the data for a longer period. Upon expiry of this period, the employer must delete or destroy the stored personal data and return the original documents provided by the data subject. It is worth noting, however, that, in one of its opinions, the CPDP clarified that applicants’ data may be stored up to three years, if contained in internal company records created by the employer with respect to the conduct of the application process, on the basis of the legitimate interest of the employer to protect itself against accusations of discriminatory treatment (three years being the statutory deadline for filing a discrimination complaint under the Bulgarian legislation). In such a case, however, the employer must observe the data minimization principle by, eg, pseudonymization of the data.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

See the European Union chapter.

The PDPA does not regulate this question.

The CPDP occasionally issues opinions on the allocation of roles regarding the processing of personal data between different companies (eg, in the context of medical assessment of employees done by specialized companies, laboratory medical tests, courier services, etc). According to the CPDP, if the service provider’s activity involving the processing of personal data is statutorily regulated, there is a high probability, depending on the particular circumstances, that the service provider will qualify as an independent controller.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

See the European Union chapter.

In accordance with GDPR Article 35(4), the CPDP has published and announced to the European Data Protection Board (“EDPB”) a revised list of the types of processing operations requiring a prior data protection impact assessment. The list contains eight operations which should be taken into account by the data controllers. They have an obligation to conduct an impact assessment if the personal data processing operations they carry out are among those listed. It should also be noted that the list is non-exhaustive and the CPDP may add or remove qualifying operations from the list at any time.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Bulgaria? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

See the European Union chapter.

6.2 How are data breaches regulated in Bulgaria? What are the requirements for responding to data breaches?

See the European Union chapter.

Data breaches related to the processing of personal data for humanitarian purposes by public bodies or humanitarian organizations, as well as processing in cases of disaster within the meaning of the Disaster Protection Act, are exempt from the legal regime under the GDPR.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

See the European Union chapter.

The Bulgarian legislator has also limited (in accordance with GDPR Article 23) the rights of data subjects under GDPR in cases where the complete exercise of the rights concerned poses a risk to national security, to the prevention, investigation, detection or prosecution of criminal offences, or to other important objectives of general public interest, etc. However, there is no implementing sector-specific regulation effective on the matter as required under GDPR Article 23(2).

According to CPDP interpretations of the applicable data protection laws, the data controller/processor is not entitled to request a notarized power of attorney from a representative of the data subject, where the data subject is not exercising her/his rights personally. Even when handling right to access requests in respect of sensitive data (eg, health-related data), the data controller/processor is not entitled to request a notarized power of attorney and must instead accept a power of attorney in simple written form and/or implement additional, but less burdensome, measures for identification.

The right of a data subject to file a complaint with the CPDP for violation of her/his personal data is statutorily limited to six months after becoming aware of the violation, and, in any event, not more than two years after it was committed. The data subject is not entitled to bring a case before the competent court, if proceedings are pending before the CPDP with respect to the same claim, or a CPDP decision on the same matter has been appealed and no final and binding court decision has yet been issued on the matter.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

See the European Union chapter.

The PDPA specifies that processing data of a data subject below the age of 14 years (ie, a minor), based on consent, including in cases of direct supply of information society services, will be lawful only if the consent is given by the minor’s parent or guardian.

In addition, certain direct marketing activities, such as email, telefaxes, text messages and phone calls, are subject to regulation by the ECA, and are, as a general rule, permissible only on the basis of a valid prior and informed consent. However, as an exception to this regime, the ECA allows any entity that has received contact data in relation to the provision of services and/or products to consumers to use that data to contact them, including via text messages or emails, for the purposes of marketing and advertising its own similar services and/or products, provided that it gives each consumer the option to opt out easily from receiving any future messages for any such purpose. For the purposes of this rule, consumers can be both individual and legal entities.

Entities that offer public telephony services are required to obtain the prior explicit consent of subscribers before providing access to their network to third parties to make calls, send text messages and e-mails for the purposes of direct marketing and advertising.

It is worth noting that the Bulgarian Commission on Consumer Protection keeps a register of the email addresses and telephone numbers of legal entities which have expressly opposed receiving unsolicited commercial communication. Sending unsolicited commercial communication to such contact details of such legal entities is unlawful.

Finally, in any case, direct marketing communication is prohibited when:

(a) the identity of the sender is disguised or concealed, or

(b) the provided opt-out address is not valid.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

See the European Union chapter.

In Bulgaria, the use of cookies is also regulated by the Law on Electronic Commerce (“LEC”). The LEC allows the use of cookies, provided that data subjects are duly informed about the use of cookies and have been given the opportunity to refuse the storage of cookies. The providers of information society services must ensure that data subjects are provided with the opportunity, at any time, to check what cookies and information are stored on their devices.

However, these provisions of the LEC have not been tested before the CPDP and the national courts following the GDPR coming into effect. In light of the more recent ECJ case law on the interpretation of the GDPR, we would recommend installing a cookie manager, seeking prior informed consent for each tracking tool.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

See the European Union chapter, question 8.2.

The CPDP has not issued any guidance on the matter.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

See the European Union chapter.

8.5 Are there specific privacy rules governing data brokers?

See the European Union chapter.

No special Bulgarian law rules exist.

8.6 How is social media regulated from a privacy perspective?

See the European Union chapter.

No special Bulgarian law rules exist.

8.7 Howareloyaltyprogramsandpromotionsregulatedfromaprivacyperspective?

SeetheEuropeanUnionchapter.

NospecialBulgarianlawrulesexist.


9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

See the European Union chapter.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

See the European Union chapter.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

See the European Union chapter.

The CPDP has already imposed fines:

(a) of BGN 1 million (approx EUR 500,000) on a banking institution for the lack of appropriate technical and organizational measures, resulting in the leak of personal data of over 33,000 bank customers; and

(b) of BGN 5.1 million (approx EUR 2,550,000) on the Bulgarian National Revenue Agency for a security breach of its software system which led to a leak of financial data of over six million persons.

Sanctions for individual ordinary violations of data privacy tend to range between BGN 10,000 and BGN 60,000 (approx EUR 5,000 to EUR 30,000).

Under the Bulgarian Penal Code, some types of information and data security breach qualify as criminal offenses. Those committing such an offense may be subject to imprisonment for a term of between one and eight years and a fine of up to BGN 10,000 (approx EUR 5,000).

10.2 Do individuals have a private right of action? What are the potential remedies?

See the European Union chapter.

The right of a data subject to file a complaint with the CPDP for violation of her/his personal data is statutorily limited to six months after becoming aware of the violation, and, in any event, not more than two years after it was committed. The data subject is not entitled to bring a case for damages, or to challenge data processing activities as being unlawful before the competent court, if proceedings are pending before the CPDP with respect to the same claim, or a CPDP decision on the same matter has been appealed and no final and binding court decision has yet been issued on the matter.

Recently, the Bulgarian Supreme Administrative Court and Supreme Court of Cassation jointly decided that administrative courts should have jurisdiction to hear class action damages claims by data subjects with respect to personal data breaches such as, in the case that was at hand, a massive leak of personal data from the National Revenue Agency.


11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Bulgaria which affect privacy?

As noted under question 3.2(c), Bulgarian privacy rules and the CPDP are very restrictive in their view on the permissible usage and revealing of PINs of Bulgarian citizens and personal numbers of foreign citizens.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

See the European Union chapter.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Bulgaria?

See the European Union chapter.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

See the European Union chapter.

12.2 What do you envision the privacy landscape will look like in 5 years?

See the European Union chapter.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

See the European Union chapter.

Companies also face uncertainty in terms of enforcement. Case law of Bulgarian courts under the GDPR is still limited and relates to the principal rules and clear-cut situations. Concepts such as appropriate technical and organizational measures, balancing of data controller’s legitimate interests, data protection by design and by default, etc, have not yet been reviewed and tested in court. In some instances, the adjudications of Bulgarian courts have not been in conformity with relevant ECJ case law. It is to be seen how court decisions and the entire local enforcement policy in the area of data protection will develop in the coming years. It may reasonably be expected, however, that fines, if and when imposed, will grow in amount.


PRIVACY LAW – CROATIA

1 PRIVACY LAW

1.1 How is privacy regulated in Croatia?

Data privacy in Croatia is regulated by statutory law on two levels: that of the European Union and on the national level. On the national level, protection of privacy is also a constitutional category.

Before the EU General Data Protection Regulation (“GDPR”) and the Croatian Act on Implementation of the GDPR (“GDPR Implementation Act”) entered into force on May 25, 2018 (see question 1.2), the principal piece of legislation which governed protection of data privacy in Croatia was the Act on Protection of Personal Data which was first enacted in 2003 (“Data Protection Act”) (now superseded).

The Data Protection Act established a solid framework for the protection of personal data of Croatian residents, which was fully harmonized with the provisions of the EC Data Protection Directive 95/46.

One of the country-specific obligations envisaged by the Data Protection Act was the obligation to appoint a data protection officer for all data controllers in Croatia employing 20 or more employees. However, unlike the GDPR, which contains more elaborate criteria regarding the type of processing operations and type of personal data that require the appointment of a data protection officer, as well as about the competences that the data protection officer must possess, the Data Protection Act contained no such additional criteria, and, therefore, in practice, the appointment of a data protection officer was, in most instances, just an administrative requirement rather than an effective instrument for protection of personal data.

The Data Protection Act also imposed a general obligation on data controllers to notify the Croatian Supervisory Authority upfront about their intention to establish filing systems, as well as to register the same with the Croatian Supervisory Authority upon their establishment.

In the application of the Data Protection Act, the Croatian Supervisory Authority was especially active in the field of transfer of personal data outside the territory of Croatia, and a requirement was established for prior approval of appropriate safeguards (principally Standard Data Protection Clauses and Binding Corporate Rules) by the Croatian Supervisory Authority. In the last couple of years before the GDPR started to be applied, any filings with the Croatian Supervisory Authority concerning approvals of such safeguards would trigger the supervision of the applicant by the Croatian Supervisory Authority.

Moreover, in practice, one of the main focuses of the Croatian Supervisory Authority was the processing of personal data through video surveillance; this trend has continued into the GDPR Implementation Act, which contains elaborate provisions relating to the processing of personal data through video surveillance, including country-specific penalties for breach of such provisions (see further question 1.2).

The Croatian Supervisory Authority has established a requirement that consent should always be given by affirmative action, and therefore pre-ticked boxes and similar solutions were not considered as a valid consent. In other words, the Croatian Supervisory Authority had requested affirmative action for giving consent, even before the GDPR entered into force. The GDPR has now made this the standard for consent.


1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

The primary source for data protection in the European Union, and thus in Croatia, is the GDPR. As a European Regulation, it is directly applicable in all EU Member States and does not need to be implemented by the individual Member States. The GDPR covers most of the relevant aspects of data privacy.

On the other hand, the GDPR contains several opening clauses, allowing EU Member States to enact national privacy rules on certain aspects, which either specify or limit the rights and obligations contained in the GDPR. Croatia has done so with the GDPR Implementation Act.

The most important stipulations for the private sector in the GDPR Implementation Act which are based on GDPR opening clauses are the following:

(a) Section 19: In relation to the offer of information society services directly to a child, the processing of the personal data of a child is lawful only where the child is at least 16 years old;

(b) Section 20: The processing of genetic information is forbidden for the purposes of entering into specific agreements in the field of insurance;

(c) Section 22: The processing of biometric data in the private sector is permitted only where expressly envisaged by law, or in cases where it is required for the protection of persons, assets, classified data, business secrets or for individual and definite identification of the users of services. The legal ground for the processing of biometric data in the latter case must always be consent;

(d) Section 23: The processing of biometric data of employees is permitted only for the purpose of recording working time and for entry/exit records to/from business premises, if stipulated by law or if such processing is an alternative to other means of recording such information. Moreover, this is permitted on condition that employees have given their explicit consent to such processing of data, in line with provisions of the GDPR;

(e) Section 24: The provisions of the GDPR Implementation Act on processing biometric data are applicable to data controllers with a business establishment in Croatia, or which provide services in the territory of Croatia, as well as to public authorities;

(f) Section 25: This Section contains the definition of processing personal data through video surveillance;

(g) Section 26: The processing of personal data by means of video surveillance may be performed only for a purpose which is necessary and justified for the protection of persons and assets. In this Section, the GDPR Implementation Act also defines which parts of buildings and spaces may be subject to video surveillance;

(h) Section 27: This Section contains detailed provisions about the obligation of data controllers or data processors to clearly indicate (by means of a sticker or similar) that a certain object is under video surveillance, and about the information that needs to be included in the respective notice;

(i) Sections 28 and 29: Only the responsible person of the data controller, or the person authorized by the responsible person, has the right of access to video surveillance recordings. The data controller and data processor are required to establish an automated log system for video surveillance recordings. The video surveillance recordings may be kept for a maximum period of 6 months, except in certain exceptional cases (eg, if the same are used as evidence in court or administrative proceedings);

(j) Section 30: Video surveillance of offices is permitted only under conditions envisaged by the GDPR Implementation Act and safety at work regulations (under the latter regulations, video surveillance is permitted primarily for the purpose of protection of persons and assets), as well as under the condition that the employees have been informed about such surveillance in advance. It is not permitted to put up video surveillance in employees’ restrooms, changing rooms and rooms for personal hygiene;

(k) Section 31: This Section contains provisions about the use of video surveillance in apartment buildings, which requires the vote of two thirds of the tenants for such use;

(l) Section 43: This contains provisions about the administrative fee that the Croatian Supervisory Authority may charge for the issuing of opinions to business subjects (eg, law firms, data protection consultants and similar) which have been requested by such subjects as part of their regular business activities;

(m) Sections 44–50: These contain detailed provisions about the procedure for the issuing of administrative fines by the Croatian Supervisory Authority, including provisions regarding the statute of limitation for issuing of the same;

(n) Section 51: This sets out country-specific provisions about monetary fines (up to HRK 50,000, approx EUR 6,700) that the Croatian Supervisory Authority can issue in case of breach of the provisions of the GDPR Implementation Act regarding the processing of personal data by video surveillance.

At the beginning of January 2019, the Croatian Supervisory Authority published a consultation draft of the criteria for payment by instalments of administrative fines related to breach of data protection law. The consultation has been completed, and it is expected that the Croatian Supervisory Authority will now proceed with completing and publishing of the criteria.

With respect to processing of personal data for marketing purposes, all relevant stipulations are contained in the GDPR.

Certain aspects of marketing activities, such as the use of electronic communications (email, telephone etc) for the purposes of sending of unsolicited communications are stipulated in the Croatian Act on Electronic Communications (“e-Communications Act”) (see question 8.1).

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

Croatia does not have any self-regulatory bodies which enforce the data protection law.

The GDPR, the GDPR Implementation Act and other laws protecting personal data are primarily enforced by the Croatian Supervisory Authority which is authorized to monitor, ask questions that need to be answered, perform supervisions, issue corrective measures and administrative fines. It is not possible to appeal against the decisions issued by the Croatian Supervisory Authority, including decisions related to the issuing of administrative fines. However, it is possible to initiate an administrative dispute before the administrative courts in Croatia.


Certain aspects of data privacy in specific areas are also enforced by other competent authorities. For example, the market regulator for electronic communications, the Croatian Regulatory Authority for Network Industries (“HAKOM”), is tasked with the enforcement of the rules related to unsolicited communications, as well as the use of cookies.

2 SCOPE

2.1 Which companies are subject to privacy law in Croatia?

Please see the European Union chapter.

In addition to the GDPR, the Croatian GDPR Implementation Act contains additional provisions regarding the applicability of its provisions on the processing of biometric data. The same provisions are applicable to data controllers with a business establishment in Croatia or which provide services in the territory of Croatia, as well as to public authorities.

2.2 Does privacy law in Croatia apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

Yes, privacy laws apply outside the country. Please see the European Union chapter and question 2.1.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Croatia?

Personal data is legally defined in the GDPR Article 4(1) (please see the European Union chapter).

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

Please see the European Union chapter. The Croatian GDPR Implementation Act also contains certain country-specific provisions concerning processing of genetic and biometric data (see question 1.2).

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

Please see the European Union chapter.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

Yes, please see the European Union chapter.


5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

Please see the European Union chapter.

In addition, in line with its obligation under Article 35(4), the Croatian Supervisory Authority has published a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment, which is available on its website. The list is largely based on guidelines issued in this regard by the Article 29 WP on this topic.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Croatia? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

Please see the European Union chapter.

In addition, the Croatian Supervisory Authority has published, on its website, a general description of technical and organizational measures for securing the personal data, which include, inter alia:

(a) Keeping hard copy materials containing personal data in locked lockers or drawers, which should be under the supervision of authorized persons;

(b) Access to personal data by electronic means should be protected by usernames and passwords;

(c) Safety copies (back-up) of records containing personal data should be made by authorized persons;

(d) Employees involved in the processing of personal data should sign confidentiality statements;

(e) Pseudonymization and encryption of personal data should be used, especially in case of special (sensitive) categories of data; and

(f) A system of logs of access to personal data should be established, where applicable.

6.2 How are data breaches regulated in Croatia? What are the requirements for responding to data breaches?

Please see the European Union chapter.

The Croatian Supervisory Authority has published on its website a template of the form for data breach notifications.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

Please see the European Union chapter and question 1.3 above.


8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

Please see the European Union chapter.

In addition, the Croatian e-Communications Act contains provisions about use of electronic communications (email, telephone etc.) for the purposes of sending of unsolicited communications.

In line with Article 107 of the e-Communications Act, use of automated calling and communications systems without human intervention, facsimile machines or electronic mail, including SMS messages and MMS messages, for the purposes of direct marketing and sale may only be allowed in respect of subscribers or users who have given their prior consent.

A trader, which can be a natural or a legal person, may use email addresses obtained from its customers for the purpose of sale of products or services for direct marketing and sale of its own similar products or services, provided that customers are, clearly and distinctly, given the opportunity to object, free of charge and in an easy manner, to such use, both when the electronic mail address was collected and on the occasion of receiving any electronic message in cases where the customer has not initially refused such use of the information.

Consent is not required for telephone calls made to legal persons for the purposes of direct marketing and sale.

HAKOM has also established “Do not call” registries, in which the subscribers can register their telephone numbers in case they do not wish to receive unsolicited communications.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

Please see the European Union chapter.

Regarding cookies, in November 2019, HAKOM issued a decision in which it confirmed the position taken by the European Court of Justice (“ECJ”) in Case No C-673/17 regarding the standard of consent in relation to use of cookie technology. Namely, HAKOM considers that an effective consent requires an unambiguous action of confirmation, such as actively clicking a box affirming consent on a website. In contrast, a box that is already checked off, or the inactivity of the user, cannot establish effective consent in the sense of the GDPR. Accordingly, cookie banners which seek to establish consent simply through a user continuing surfing on a website are not admissible.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

Please see the European Union chapter.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

Please see the European Union chapter.


8.5 Are there specific privacy rules governing data brokers?

Please see the European Union chapter.

8.6 How is social media regulated from a privacy perspective?

Please see the European Union chapter.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

Please see the European Union chapter.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

Please see the European Union chapter.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

Please see the European Union chapter.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

Please see the European Union chapter.

In addition, Croatia has prescribed monetary (administrative) fines (up to HRK 50,000, approx EUR 6,700) that the Croatian Supervisory Authority can issue in case of breach of the provisions of the Croatian GDPR Implementation Act regarding the processing of personal data by video surveillance.

10.2 Do individuals have a private right of action? What are the potential remedies?

Please see the European Union chapter.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Croatia which affect privacy?

There are no such rules to the best of our knowledge.

Nevertheless, as stated earlier (see questions 1.1 and 1.2), in practice, one of the main focuses of the Croatian Supervisory Authority has always been the processing of personal data through video surveillance: this trend has continued in the GDPR Implementation Act, which contains elaborate provisions relating to the processing of personal data through video surveillance including country-specific penalties for breach of such provisions.


It is also worth mentioning that the Croatian Supervisory Authority has, so far, been more focused on educating with respect to the GDPR, and less on supervisions. Moreover, to the best of our knowledge, no significant administrative fines have yet been issued. However, we expect that trend to change in the future, and that the Croatian Supervisory Authority will shift its focus to its correctional function.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

We are all awaiting the ePrivacy Regulation.

In addition, and as stated earlier (see question 1.2), the Croatian Supervisory Authority is currently in the process of setting criteria for payment by instalments of administrative fines related to breach of data protection law, and these criteria should be formally adopted soon.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Croatia?

Other than the aforementioned, no.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

Please see the European Union chapter.

12.2 What do you envision the privacy landscape will look like in 5 years?

Please see the European Union chapter.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

Please see the European Union chapter.


PRIVACY LAW – CYPRUS

1 PRIVACY LAW

1.1 How is privacy regulated in Cyprus?

Privacy rights are regulated through various mechanisms in Cyprus. Specifically, privacy law is regulated through legislation of the European Union and through domestic legislation, as well as the Cypriot Constitution. At present, the main source of privacy legislation is the EU General Data Protection Regulation (“GDPR”), which came into force in May 2018 and is directly applicable to all EU Member States. As a regulation, the GDPR is directly enforceable and applicable across the EU Member States.

The national competent authority which is responsible for data protection is the Office of the Commissioner for Personal Data Protection (the “Commissioner”), which has the power to monitor data protection and issue major guidelines.

The Courts of the Republic of Cyprus are responsible for the interpretation of the national law.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

As mentioned above, the GDPR is the primary source of legislation on privacy.

In addition, Cyprus has adopted national legislation (Law 125(I)/2018) for the effective implementation of certain provisions of the GDPR and to increase its effectiveness. The GDPR contains several clauses, which allow room to EU Member States to regulate stricter or broader significant rights and obligations. The most important additions effected by Law 125(I)/2018, when compared to the GDPR, are the following:

(a) Under Article 9 the processing of genetic and biometric data for purposes of health and life insurance is prohibited, except where the data subject gives his consent.

(b) Article 33 constitutes certain infringements of privacy law rights as criminal offenses, and sets out penalties for these (see question 10.1). In particular:

(i) when a controller or a processor provides false, inaccurate, incomplete or misleading information to the Commissioner, or fails to cooperate with the Commissioner, or prevents the data protection officer from performing his/her tasks, particularly those relating to the cooperation with the Commissioner; or

(ii) when a controller does not notify the Commissioner of a personal data breach, or does not carry out an impact assessment.

Further, Cyprus has enacted Law 44(I)/2019 (the Protection of Individuals with regard to the Processing of Personal Data by Competent Authorities for the Purpose of the Prevention, Investigation, Detection or Prosecution of Criminal Offenses or the Execution of Criminal Penalties and their transmission), which is one of the other main sources of legislation. This law specifically regulates the processing of information by the Cypriot Police, the Cyprus Customs and Excise Department, the Unit for Combating Money Laundering and the Tax Department.


In addition to the above, in the context of advertising and marketing, the key legislation is the Electronic Communications and Mail Services Law (Law 112(I)/2004), which regulates privacy law and, amongst other matters, direct marketing messages through electronic communications.

Finally, private life and respect for the secrecy of correspondence is a fundamental right in Cyprus embedded in its Constitution through Articles 15 and 17. These provisions are now to be read in light of the GDPR provisions.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

Cyprus does not have any self-regulatory bodies which enforce privacy law.

The GDPR and other privacy laws are enforced by the National Competent Authority which is the Office of the Commissioner for Personal Data Protection (“Commissioner”). The Commissioner is not only responsible for the monitoring of the legislation and the imposition of fines in case of violation of data protection laws, but also answers questions and issues guidelines relating to the protection of privacy rights.

2 SCOPE

2.1 Which companies are subject to privacy law in Cyprus?

See the European Union chapter.

2.2 Does privacy law in Cyprus apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

Yes, privacy law applies to companies outside the country; see the European Union chapter.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Cyprus?

Personal data is legally defined in the GDPR Article 4(1) (see the European Union chapter).

In addition, pursuant to Law 125(I)/2018 and Law 44(I)/2019, “personal data” means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Article 2 of both Laws).

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

Apart from the specific obligations regarding information under Article 9 of the GDPR, Law 44(I)/2019 specifies the circumstances in which the processing of certain personal data is permitted, namely data which refers to the racial or ethnic origin, political beliefs, religious or philosophical beliefs or participation in trade unions, as well as the processing of genetic data or biometric data for the exclusive identification of a natural person or data which concern health or sex life or sexual orientation. This is permitted only when it is strictly necessary, without prejudice to appropriate safeguards for the data subject’s rights and freedoms, and provided that:

(a) it is permitted by EU law or relevant legislation;

(b) it is necessary to protect vital interests of the data subject or other natural person, or

(c) such processing concerns data that has been publicly disclosed by the data subject.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

See the European Union chapter.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

See the European Union chapter.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

See the European Union chapter.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Cyprus? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

See the European Union chapter.

6.2 How are data breaches regulated in Cyprus? What are the requirements for responding to data breaches?

See the European Union chapter.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

See the European Union chapter and see question 1.3 above.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

There are some direct marketing activities, such as emails, telefaxes, text messages and phone calls, which are subject to Part 14 of Law 112(I)/2004, and are, as a general rule, only permissible on the basis of a valid and informed prior consent that has been given by the subscribers/users regarding the specific means of direct marketing (Article 106).

Regarding the cookie policy of websites, Article 99(5) of Law 112(I)/2004 is relevant, as well as Article 5(3) of EU Directive 2002/58/EC which was amended by Directive 2009/136/EC whereby the storing of cookies requires express consent.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

See the European Union chapter and see question 8.1 above.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

See the European Union chapter, question 8.2.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

See the European Union chapter.

8.5 Are there specific privacy rules governing data brokers?

See the European Union chapter.

8.6 How is social media regulated from a privacy perspective?

See the European Union chapter.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

See the European Union chapter.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

See the European Union chapter.

Additionally, there are restrictions in cases where transmission of specific categories of personal data to a third state or to an international organization takes place:


(a) According to Article 17 of Law 125(I)/2018, where transmission is to take place according to Article 46 of the GDPR, the controller or processor must inform the Commissioner of its intention prior to the transmission of such data. The Commissioner is able, for fundamental public policy reasons, to impose on the controller or the processor restrictions on the transmission of personal data.

(b) In addition, Article 18 of Law 125(I)/2018 stipulates that the transmission of specific categories of personal data, on the basis of derogations for special situations according to Article 49 of the GDPR, requires an impact assessment to be carried out and prior consultation by the Commissioner prior to the transfer. The Commissioner has the power to impose explicit restrictions on the transmission of specific categories of data to the controller or the processor.

(c) Article 38 of Law 44(I)/2019 is also relevant, whereby any transmission of personal data to a third country or international organization may only take place if the following requirements are fulfilled:

(i) the transmission is vital for the purposes of prevention, investigation, detection or prosecution of criminal offenses, protection of public order and security, freezing or confiscating illicit proceeds or other related assets or for executing criminal fines;

(ii) personal data is to be transmitted to a controller in a third country or international organization which is a competent authority;

(iii) where personal data is transmitted or made available by another Member State, that Member State has previously given its approval for the transmission in accordance with its national law;

(iv) the European Commission has made an adequacy decision as provided for in Article 39 or, in the absence of such a decision, sufficient guarantees have been afforded; and

(v) in the event of a further transfer to another third country or international organization, the competent authority which carried out the original transfer or another competent authority in the same Member State shall allow the further transfer, taking due account of all relevant factors, including the seriousness of the criminal offense.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

See the European Union chapter.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

See the European Union chapter in respect of the GDPR.

Apart from the GDPR, Article 33 of Law 125(I)/2018 renders several breaches of privacy law criminal offences. If a person is convicted of committing any of the offenses referred to in the Article, they may be subject to imprisonment not exceeding one, three, or five years, depending upon the seriousness of the infringement, or a fine of up to 10,000, 30,000, or 50,000 Euros. Further, according to Article 54 of Law 44(I)/2019, the Commissioner has the power to impose on a controller an administrative fine of up to 100,000 Euros in case of infringement.

10.2 Do individuals have a private right of action? What are the potential remedies?

See the European Union chapter.

Apart from making complaints to the Commissioner pursuant to Article 50 of Law 44(I)/2019, data subjects also have a private right of action in the Administrative Court against the controller or processor if they consider that their privacy rights have been violated. In addition to this, data subjects have the right to delegate their claim to non-profit organizations or associations to exercise their rights on their behalf.

Any person who has suffered material or non-material damage as a result of improper processing or any act by the controller or other competent authority in breach of Law 44(I)/2019 is entitled to compensation.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Cyprus which affect privacy?

See the European Union chapter.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

The judgment of the EU Court of Justice in the Planet49 GmbH case (Case No C-673/17) (as to which see the European Union chapter, question 8.2) will change the status quo regarding the cookie policy and consent, even though the definition of “freely given” consent remains unclear and ambiguous. This decision is of great importance in light of the issues surrounding the use of personal data on the internet.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Cyprus?

See the European Union chapter.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

See the European Union chapter.

Undoubtedly, the most important trigger for changes to the privacy landscape has been the rapid technological development over recent years, and the EU legal framework (GDPR) that seeks to fill the gaps between the national legislation and technological development.

12.2 What do you envision the privacy landscape will look like in 5 years?

See the European Union chapter.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

Companies in recent years have faced countless uncertainties due to the influence of digital data. The European Union has sought to revolutionize the status quo of privacy law and this has resulted in the GDPR, whereby the previous lack of uniformity has now been transformed into a more precise and certain approach by the EU Member States. However, given that the GDPR has only been enacted recently, the case law remains blurred, whilst privacy is more vulnerable than ever before. The EU Court of Justice has to promote the certainty and uniformity of the system, as there is a need to reduce the information asymmetries which still exist. As a result, the EU regulators have to place under the microscope a feasibly high level of data protection whilst concurrently giving individuals direct access to justice through a private right of action.

PRIVACY LAW – CZECH REPUBLIC

1 PRIVACY LAW

1.1 How is privacy regulated in the Czech Republic?

Data privacy and personal data protection is regulated in particular by constitutional law, applicable Czech legal regulation and European law.

The applicable legal regulation is interpreted by the Czech and European case law; the statements, resolutions, opinions and guidelines of the Czech supervisory authority for data protection, the Data Protection Authority (“Czech DPA”); and the recommendations and guidelines of the European Data Protection Board.

The first law specifically regulating personal data protection in the Czech Republic was the Act on Protection of the Personal Data in Information Systems adopted in 1992. This Act generally stipulated the basic rules relating to data privacy and definitions, such as personal data, data subject and information systems. However, there were no sanctions for breaching the provisions of this Act and no supervisory authority to control it.

An important development in the data privacy field in the Czech Republic was the accession, in 2000, to the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (“ETS 108”), which was the first European document regulating personal data transfers.

Following the signature of ETS 108, the Act on Personal Data Protection (“APDP”) was adopted in 2000. The APDP introduced sanctions for violation of duties related to personal data protection and processing, and created the first Czech supervisory authority (the DPA). After the accession of the Czech Republic to the European Union, the APDP was fundamentally amended in order to be compliant with European data protection rules. The APDP constituted comprehensive legal regulation of personal data protection and personal data processing. Therefore, the entry of the General Data Protection Regulation (“GDPR”) into force in May 2018 did not constitute a major difference to our legal environment. However, as a result of a large media campaign concerning the GDPR and its huge sanctions and new concepts (which were often misinterpreted by the media), the data privacy regulation came to the attention of the majority of business companies and entrepreneurs for the first time in 2018.

The GDPR is directly applicable in all EU Member States without the need for implementation into national law. The GDPR thus unified data protection legislation across the entire European Union, thereby facilitating the free movement of personal data across Member States. In the Czech legal system, the GDPR replaced the APDP, which was then completely repealed by the new Act on Personal Data Processing (“NAPDP”) adopted in April 2019.

The primary objective of the GDPR is to protect the fundamental rights and freedoms of individuals, with a focus on the right to the protection of personal data. The GDPR adopts all existing data protection and processing principles introduced by the 1995 Data Protection Directive, though it explains and complements them more extensively. The GDPR further develops and strengthens the rights of people affected by processing. In addition to new concepts (such as data protection officers, records or impact assessment), the GDPR also requires data controllers to be significantly more active.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

The constitutional basis of personal data protection is stipulated in Articles 7, 10.3 and 13 of the Declaration of the Fundamental Rights and Freedoms of the Czech Republic. These rules are complemented by ETS 108, Article 8 of the Charter of Fundamental Rights of the European Union and Article 16 of the Treaty on the Functioning of the European Union.

The protection of the right to privacy and image of individual persons is generally regulated by the Czech Civil Code.

Personal data protection is regulated comprehensively by the GDPR and the NAPDP. The GDPR provides for the majority of legal obligations. The NAPDP implemented the Criminal Law Directive and adapted the GDPR to ensure that national legislation complies with these rules and, where appropriate, set more specific rules in some areas where the GDPR directly permits Member States to do so. It is therefore important that the GDPR and the NAPDP are read side by side.

The NAPDP provides for the following:

(a) personal data processing pursuant to the GDPR;

(b) personal data processing by the competent authorities for the purpose of the prevention, investigation or detection of criminal offences, prosecution of criminal offences, execution of criminal penalties, and protective measures, ensuring the security of the Czech Republic and ensuring public policy and national security, including search for persons and objects;

(c) personal data processing in ensuring the defence and security interests of the Czech Republic;

(d) other processing of personal data that form or are intended to form part of a filing system or that are processed wholly or partly by automated means, other than personal data processing by a natural person in the course of a purely personal or household activity; and

(e) the status and powers of the DPA.

The NAPDP has not used the possibility of amending general GDPR rules in many cases. However, the NAPDP introduces exemptions from the obligation to assess the impact of processing on the protection of personal data, exceptions from the obligation to notify data subjects, and adjusts the processing of personal data for journalistic, academic, artistic or literary purposes.

The implementation of GDPR rules has entailed the amendment of many other regulations in various fields of business activities.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

The Czech Republic does not have any self-regulatory bodies which enforce privacy law.

The obligations stipulated by the GDPR and the NAPDP or other applicable legal regulation are enforced by the Czech DPA and, in cases where the decision of the DPA is appealed, by the Czech courts.

The Czech DPA is vested with additional powers related to special issues and anchored in special laws. The basic procedural acts are the Supervisory Procedure Act and the Administrative Code.

The Czech DPA has a role in supervising electronic communications, as provided by the Electronic Communications Act. Supervision of bulk commercial communication is regulated by the Act on Selected Services of the Information Society (“SSIS”), and non-compliance is punishable by fines. Transborder supervisory cooperation is provided by EC Regulation 2006/2004 on consumer protection cooperation. The role given to the Czech DPA in advertising by the Regulation of Advertising Act is similar, namely supervision of compliance of any unsolicited advertising disseminated with the help of electronic means.

The Basic Registers Act provides that the Czech DPA should generate source identifiers of physical persons and item-related identifiers of natural persons, and maintain lists thereof, and ensure transfers of a natural person’s item-related identifier within one administrative dossier to the item-related identifier of this physical person under another dossier on the basis of a legal request.

In the public sector, unauthorized processing of information stored on biometric data carriers is punishable by penalties provided by the Travel Documents Act; and minor offenses constituting further non-compatible processing of data, breach of confidentiality and unauthorized disclosure are set out in the Register of Population Act and the Conflict of Interests Act.

2 SCOPE

2.1 Which companies are subject to privacy law in the Czech Republic?

See the European Union chapter.

2.2 Does privacy law in the Czech Republic apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

Privacy law applies also outside the Czech Republic.

See the European Union chapter.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in the Czech Republic?

See the European Union chapter.

Whilst the definition of “personal data” stipulated in the GDPR has not changed from that in the APDP, the interpretation and the scope of “personal data” in the Czech Republic is more extensive in practice due to case law (see, eg, SDEU (C-434/16) case Nowak).

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

See the European Union chapter.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

See the European Union chapter.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

See the European Union chapter.

In addition, entrepreneurs should bear in mind that the correct determination of the role of their company in a specific contractual relationship (controller/processor) is essential to determine the risks related to liability in case of a data security breach or other violations under the GDPR.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

See the European Union chapter.

In addition, it is explicitly stipulated in the NAPDP that a child has capacity to grant consent to the processing of personal data in relation to the offer of information society services on reaching 15 years of age.

Information society services are subject to the SSIS. An “information society service” is defined in the SSIS as any service provided by electronic means on individual demand of the user filed by electronic means, usually provided for a certain fee; a service is provided by electronic means if it is sent via an electronic communications network and picked up by the user from the electronic device for data storage.

In the SSIS, the responsibility of certain service providers is also stipulated:

(a) the provider of a service consisting of the transmission of information provided by the user via an electronic communications network, or intermediation of access to electronic communications networks for the purpose of transmission of information (including automatic temporary storage of transmitted information), is responsible for the content of transmitted information only if the provider:

(i) initiates the transmission by himself,

(ii) chooses the user of transmitted information, or

(iii) chooses or modifies the content of transmitted information;

(b) the provider of a service consisting of the transmission of information provided by a user is responsible for the content of information automatically temporarily stored only if the provider:

(i) modifies the content of information,

(ii) fails to meet the conditions of access to the information,

(iii) fails to comply with rules on updating of information generally accepted and used in the respective industry,

(iv) exceeds permitted use of technology generally accepted and used in the respective industry with the objective of gaining data on use of information, or

(v) fails to immediately take measures to remove the information stored by him or to prevent access to such information if he finds out that the information was removed from the network at the initial place of transmission, or the access to such information was prevented, or the court ordered withdrawal or prevention of access to such information;

(c) the provider of a service consisting of the storage of data provided by a user is responsible for the content of information stored on demand of the user only if the provider:

(i) knows, with regard to the scope of his activities and circumstances and the nature of the case, that the content of stored information or the user’s conduct are unlawful, or

(ii) can be shown to have discovered the unlawful nature of the content of stored information or the user’s unlawful conduct and failed to make all steps which may be reasonably requested of him in order to remove or prevent access to such information.

The above providers are, nevertheless, not obliged to supervise the content of information transmitted or stored by them, or to actively seek facts or circumstances indicating the unlawful content of the information.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in the Czech Republic? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

See the European Union chapter for the minimum standard for securing data.

The NAPDP stipulates specific standards and rules for securing data which apply to personal data processing for the purpose of ensuring defence and security interests of the Czech Republic.

Further specific standards for data security are stipulated in the Act on Cyber Security.

If a company is not entirely sure whether the level of adopted measures for data protection is sufficient, it can consult the DPA, which can provide the company with guidance in this matter.

6.2 How are data breaches regulated in the Czech Republic? What are the requirements for responding to data breaches?

See the European Union chapter for basic regulation following from the GDPR.

The DPA usually proceeds in line with the guidelines of the European Data Protection Board (formerly known as Working Party 29), which endorsed the former WP29 Guidelines on Personal Data Breach Notification under Regulation 2016/679.

Further, the DPA has issued a short guideline on how to proceed in cases of data security breaches, such as the hacking of a computer on which personal data are processed or stored, which leads to a leak of the personal data, their alteration or other misuse; or the loss of paper documents containing personal data.

There is no need to report data breaches in cases where the breach is not likely to result in a high risk to the rights and freedoms of natural persons. However, if this is not the case, the controller must report the breach to the DPA within 72 hours, either in writing or in electronic form. Any late notifications must contain due reasons in explanation of the default. The DPA has prepared a form for notification of breach, so that the notifying subject may report the facts of the breach as accurately as possible. The processor has a reporting obligation to the controller of personal data.

After reporting the breach, the controller must notify the persons whose personal data has been affected by the security breach, especially if there is a high risk that it will affect their personal rights.

There are exemptions from this obligation where:

(a) the controller has introduced appropriate technical and organizational measures and such measures were used for the personal data affected by the data breach, especially if the measures make the data incomprehensible to anyone who is not entitled to access them (eg, encryption);

(b) after the security breach, the controller has introduced measures which will eliminate the risk for the affected persons; or

(c) it would require excessive efforts to fulfil the obligation; in such cases, a public announcement or other effective method shall be used.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

See the European Union chapter.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

See the European Union chapter for privacy law obligations.

In addition, electronically disseminated commercial communications are specifically governed under Czech law. One may only use an electronic contact (eg, email) for the purpose of disseminating commercial communications electronically if the users have granted their prior consent.

However, if a natural or legal person obtains electronic contact details from its customer in relation to selling products or services to him, such person may use these electronic contact details for the purpose of disseminating commercial communications related to its own similar products or services. This is possible on condition that the customer has a clear opportunity to easily withdraw his consent to such use of his electronic contact, free of charge or on the account of such natural or legal person. This possibility must be present in each individual message, if the customer did not originally decline such use.

Along with the above conditions, natural or legal persons intending to disseminate commercial communications via electronic mail have to ensure that each message:

(a) is clearly labelled as commercial communication,

(b) does not hide or conceal the identity of the sender on whose behalf the communication takes place, and

(c) contains a valid address to which the addressee can directly and effectively send the information that he does not wish commercial information to be sent to him by the sender anymore.

The agenda of (unsolicited) commercial communications is governed by the DPA, and the DPA regularly undertakes inspections in this field.

The DPA issued a brief opinion on electronic marketing communication in 2018, in which it recommended that entrepreneurs always use checkboxes in electronic advertising for electronic marketing communication, not for consent (as consent is not necessary and should not be the legal ground of processing), but to allow the user the chance to refuse to receive the commercial communication before the entrepreneur starts to send it.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

See the European Union chapter.

In addition to the EU regulation, there is also national legislation stipulating certain provisions on the use of tracking technologies. The Act on Electronic Communications states that entrepreneurs operating public communication networks or providing publicly available electronic communication services are obliged, technically and organizationally, to ensure the confidentiality of messages and related operational and location data transmitted via their public communication network and publicly available electronic communication services. However, this does not prevent storage of data necessary for the transmission of messages.

The same Act also stipulates that anyone who intends to use or uses electronic communications networks for storage of data or to gain access to data stored in the terminal equipment of participants or users is obliged to provably inform such participants or users in advance on the extent and purpose of their processing and is also obliged to offer them the opportunity to decline such processing. This does not apply only in case of technical storage or access exclusively for the purpose of transmitting messages via an electronic communications network, or where necessary to provide the information society service explicitly demanded by the participant or the user.

An entrepreneur operating a public communication network or providing a publicly available electronic communication service is also, upon the participant’s request, obliged to provide operational and location data available to him based on the Act, free of charge and in a form allowing further electronic processing of such data, if the participant is not able to record or store such data due to failure on his device resulting from a cybersecurity incident.

In relation to the GDPR, the DPA has also published a draft recommendation for the processing of cookies and other tracking technologies. In this recommendation, the DPA states that the new ePrivacy Regulation has not yet been approved and thus it is necessary to follow national legislation, along with certain rules for the processing of personal data stipulated in the GDPR.

The DPA stipulates in its recommendation that a user’s consent is necessary for the use of cookies. In this context, the DPA stipulates that a particular setting of the web browser made by the user, ie, whether the browser should allow a website to store cookies in the terminal equipment, may be considered as a consent to the processing of personal data. For the processing of data obtained based on such cookies, it is necessary to establish a suitable legal ground under Article 6(1) of the GDPR. If the legal ground is consent, further criteria and rules are stipulated in the GDPR. Consent is interpreted in relation to the purpose, means and manner of processing of personal data, not in relation to the product or web application; once consent has been granted, eg, for third party cookies, there is no need to further specify a particular search engine or news server.

The recommendation is not applicable to cookies necessary for ensuring the operation of websites and internet services, where obtaining the user’s consent is not necessary. We believe that this recommendation will be amended based on recent case law and the ePrivacy Regulation.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

See the European Union chapter and question 8.2.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

See the European Union chapter.

8.5 Are there specific privacy rules governing data brokers?

See the European Union chapter.

8.6 How is social media regulated from a privacy perspective?

See the European Union chapter.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

See the European Union chapter.

In addition, at the beginning of 2020, the DPA issued guidelines on the obligation of controllers to perform data protection impact assessments (“DPIAs”), with a list of activities that are not subject to DPIAs.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

See the European Union chapter.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

See the European Union chapter.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

See the European Union chapter.

In addition to what is mentioned in the European Union chapter, under the NAPDP, the state authorities are not subject to the fines stipulated in the GDPR. Moreover, the NAPDP stipulates a specific fine of up to EUR 200,000 for breaching the ban on processing of personal data imposed by specific Czech legal regulation.

10.2 Do individuals have a private right of action? What are the potential remedies?

See the European Union chapter.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of the Czech Republic which affect privacy?

No.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

The hottest topic is the draft ePrivacy Regulation, as stipulated in detail in the European Union chapter.

We also consider European and Czech legal regulation of cybersecurity to be a hot topic.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in the Czech Republic?

There are no GDPR-related court cases, and only a few resolutions of the DPA on breaches of the GDPR. This is because the NAPDP has been effective only as from April 24, 2019, and, before then, the DPA only issued warnings and recommendations. Nevertheless, we believe that the approach of the DPA will be similar, both in terms of sanctions and assessment of specific data privacy related situations, to its approach under the previous, pre-GDPR, regulation, whereby it did not fine companies for mistakes in data privacy documentation or processes, or imposed only very low fines (mostly between EUR 100 and EUR 1,000); the highest fine imposed for breach of the APDP in the field of data protection was EUR 150,000 (for the loss of personal data of 1.2 million clients of the processor in telecommunications) and EUR 180,000 in the field of unsolicited commercial communications.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

See the European Union chapter.

12.2 What do you envision the privacy landscape will look like in 5 years?

See the European Union chapter.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

See the European Union chapter.

Companies undertaking business in the Czech Republic should be more active in the data privacy field, and ensure that their business and internal activities are compliant with data privacy law. GDPR audits and data protection impact assessments should become a regular feature of common business practice.

We also consider the processing of biometric data (in particular in internal administration and processes of companies), the processing of personal data of children under 15 years of age on the internet, and general regulation of advertising on the internet to be future challenges in this field.

PRIVACY LAW – DENMARK

1 PRIVACY LAW

1.1 How is privacy regulated in Denmark?

Privacy is regulated by both applicable Danish law and European law. The laws are interpreted and enforced by the Danish Data Protection Authority (“DDPA”) and by the courts. The DDPA has issued and continues to issue its own guidelines for the applicable privacy law in Denmark, in particular relating to the regulation of the GDPR. The guidelines are merely the DDPA’s interpretation of the law. They are meant as guidance and are thus non-binding; however, since the DDPA is the overseeing data protection authority that decides whether to report data protection breaches to the police, and since the DDPA has an active role in such a police investigation, one should adhere to the DDPA’s guidelines.

By the 1960s and 1970s, it had become apparent in Denmark that neither the Danish nor the international regulation of privacy was sufficient. The European Convention on Human Rights had a very broad protection of privacy in its Article 8, but could not grant the necessary protection needed with the arrival of electronic information technology. Moreover, the Danish Constitution only protects secrecy of communication, and does not grant sufficient protection of personal data. This lack of data protection led to the first regulation of personal data in 1978 in the form of the Registry Laws. These were two laws that regulated registries containing personal data for the public administrations and the private sector respectively.

The regulation of personal data in Denmark then followed the developments in Europe, with the next major development coming with the Data Protection Directive in 1995. It took Denmark unusually long, five years in fact, to implement national law on the basis of the Data Protection Directive. The Directive was implemented with the Personal Data Act. The Directive, together with the Personal Data Act, constituted the regulation of privacy in Denmark until the GDPR entered into force in 2018.

With the GDPR, the previous Personal Data Act was abolished and replaced by a new law, the Data Protection Act, which specifically regulates the areas in which the GDPR leaves openings for the Member States to regulate themselves. In the same way that the GDPR is more an evolution than a revolution of the Directive before it, so too is the Danish Data Protection Act only an evolution of the previous Danish Personal Data Act.

The GDPR and the Danish Data Protection Act together regulate privacy in Denmark today. The Danish Data Protection Act refers to the GDPR, in that it supplements and implements the GDPR in Denmark. In areas that are regulated by both the GDPR and the Data Protection Act, it is the GDPR’s regulation and principles that apply.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

The GDPR and the Danish Data Protection Act are the two key laws regulating privacy in Denmark. As the GDPR is an EU Regulation, it is directly applicable in all member states, including Denmark.

For the GDPR, please see the European Union chapter.


The Danish Data Protection Act supplements the GDPR and regulates areas in which the GDPR lets each Member State specify their own regulation. Some examples are that the Danish Data Protection Act:

(a) regulates when a Danish citizen’s social security number may be processed;

(b) specifies when personal data in relation to employment may be used; and

(c) specifies that personal data may not be transferred for the use of direct marketing, unless the data subject has given their explicit consent.

The use of personal data for marketing is thus regulated in both the GDPR and the Danish Data Protection Act.

The Danish Marketing Act, which is the general regulation of all marketing in Denmark, is also relevant, as it regulates when advertisers can use personal information to carry out direct marketing.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

The DDPA is the independent authority in Denmark that supervises compliance with the rules on data protection in Denmark. The DDPA provides guidance, deals with complaints and makes inspections. Although the DDPA is an independent authority, organizationally, it is placed under the Danish Justice Department.

If the DDPA finds it fitting, it may report breaches of the data protection regulation to the police, which will then start an investigation. Although it is the police and not the DDPA that issues fines, the DDPA will have an active role in the police investigation. The DDPA will also make recommendations as to the size of the fine when it reports the breach to the police.

2 SCOPE

2.1 Which companies are subject to privacy law in Denmark?

Please see the European Union chapter.

The Danish Data Protection Act applies to the processing of personal data carried out on behalf of a data processor or data controller that is established in Denmark, regardless of whether the processing is done inside the European Union.

2.2 Does privacy law in Denmark apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

Yes, privacy law applies to companies outside the country:

As far as the GDPR is applicable, it applies to companies outside Denmark.

The Danish Data Protection Act applies to companies outside of Denmark if the data processing is carried out on behalf of a data processor or data controller that is established in Denmark.


3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Denmark?

The definition of “personal data” in Denmark is the same as in the GDPR article 4(1). Please see the European Union chapter.

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

Please see the European Union chapter.

According to the Danish Data Protection Act, processing of personal data is permitted if the processing is necessary:

(a) to respect the data controller’s or data subject’s obligations or rights under labor law;

(b) for preventive disease control, medical diagnosis, nursing or patient care, or management of medical and health services, and the processing of the information is carried out by a person in the health sector who is subject to confidentiality by law;

(c) for reasons of public interest in the public health field, eg, protection against serious cross-border health risks, or ensuring high quality and safety standards for health care and medicines or medical devices on the basis of EU or national law, which provide for appropriate and specific measures to protect the rights and freedoms of the data subject, in particular confidentiality; or

(d) for archival purposes in the interest of the public, for scientific or historical research purposes or for statistical purposes, and is proportionate to the objective pursued, respects the essential content of the right to data protection and ensures appropriate and specific measures to protect the fundamental rights and interests of the data subject.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

Please see the European Union chapter.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

Please see the European Union chapter.


5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

Please see the European Union chapter.

Both the Danish Data Protection Act and the Danish Marketing Act specifically dictate that sending direct marketing to consumers requires the specific, express consent of the consumer.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Denmark? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

Please see the European Union chapter.

Data breaches must be addressed to the DDPA.

6.2 How are data breaches regulated in Denmark? What are the requirements for responding to data breaches?

Please see the European Union chapter.

Data breach reports must be addressed to the DDPA.

Reporting of data breaches in Denmark can be omitted if there are substantial private or public interests against it. Furthermore, reports of data breaches are not required if this will make criminal investigations more difficult.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

Please see the European Union chapter.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

Please see the European Union chapter in general.

Direct marketing, including emails, texts, push notifications and the like, is specifically regulated in the Danish Data Protection Act and the Danish Marketing Act.


The Danish Data Protection Act dictates that a company may not transfer information about a consumer to another company for the purpose of direct marketing, or use the information for the purpose of direct marketing, unless the consumer has given its specific, express consent.

Moreover, the Danish Marketing Act requires a specific, express consent for sending direct marketing to consumers. It also requires that it is easy and cost-free for the consumer to withdraw consent. Companies may send direct marketing to an email that they have received from a consumer in connection with a sale, even without a consent. However, companies must make it easy, clear and without cost to decline such direct marketing.

The requirements for consent are the same as in the GDPR. The consent can be given both for data processing and for receiving direct marketing at the same time.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

Please see the European Union chapter in general.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

Please see the European Union chapter in general.

It is still up for debate whether behavioural advertising, such as ads on social media platforms or banner ads, is direct marketing that requires consent under Danish law. Consent is usually required and therefore advisable, since it would be difficult to claim legitimate interests as a lawful basis for data processing.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

Please see the European Union chapter.

8.5 Are there specific privacy rules governing data brokers?

Please see the European Union chapter.

8.6 How is social media regulated from a privacy perspective?

Please see the European Union chapter.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

Please see the European Union chapter.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

Please see the European Union chapter.


9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

Please see the European Union chapter.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

Please see the European Union chapter.

In egregious cases, sanctions can be imposed in the form of prison sentences on natural persons. This was also the case under the EC Data Protection Directive, but was never used. It is unlikely that it will be used under the GDPR, but such sanctions are still present in case of very egregious actions by natural persons acting on behalf of companies.

Sanctions have been given a statutory limitation of 5 years for breaches both of the GDPR and of the Danish Data Protection Act.

10.2 Do individuals have a private right of action? What are the potential remedies?

Please see the European Union chapter.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Denmark which affect privacy?

None.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

As with the rest of Europe, the forthcoming ePrivacy Regulation is the big hot topic.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Denmark?

The DDPA regularly issues and updates its guidelines. It also updates and informs about its practice. It is generally advisable to be aware of how the DDPA interprets the privacy laws of Denmark and any changes to its interpretation.

This last year has seen the DDPA report two companies, where it recommended fines of over DKK 1 million to each of them. The size of the fines is rather large in a Danish context, but they are less so when compared to the larger fines seen in other European countries to date.


12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

The need for an EU Regulation on data protection arose in part because of the increasing use of technology and the more complex nature of technology itself. This has led to an ever-increasing amount of personal data being processed by companies. Personal information has many forms today. One could, for example, look at the way Internet of Things (“IoT”) devices have reached inside our homes and continue to do so more and more. The spread of IoT devices will bring many challenges from a privacy perspective, as data processing will only get more complicated and more vulnerable. Both data subjects and companies must be aware of the data processing principles in the GDPR going forward, when our lives will be more connected to technology, because the technology will only get more complicated and more connected.

12.2 What do you envision the privacy landscape will look like in 5 years?

The hysteria regarding the practical requirements of the GDPR will most likely die out and the processes needed for complying with the GDPR will be normalized. Data protection and privacy will still be important and may even gain greater importance around the world. Having said that, it does seem unlikely that there will not be any difficulty in adhering to the GDPR in 5 years. Companies still have a long road ahead in changing their everyday processes so that privacy is respected in the way the GDPR demands.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

The uncertain nature of the fines and how the courts will interpret the GDPR will be a challenge for companies. It is therefore advised that companies make sure that they are in compliance with the GDPR. Companies also continually have to make sure they are adhering to the privacy regulation, especially when new technologies arise and spread.


PRIVACY LAW – FINLAND

1 PRIVACY LAW

1.1 How is privacy regulated in Finland?

There is a constitutional right to privacy under Finnish law. Section 10 of the Constitution of Finland (731/1999, as amended) states that everyone’s private life, honor and the sanctity of the home are guaranteed and the secrecy of correspondence, telephony and other confidential communications is inviolable (the “right to privacy”). Public authorities and businesses exercising public functions are obliged to comply with the requirements of the European Convention on Human Rights, which include a general right to privacy.

Finland is an EU Member State and consequently the EU General Data Protection Regulation (2016/679) (“GDPR”) is directly applicable in Finland (see the European Union Chapter). Finland’s Data Protection Act (1050/2018) (“DPA”), which supplements the GDPR, became applicable on January 1, 2019. (The main national additions or specifications to the requirements of the GDPR are set out in question 1.2 below.)

In addition to the general data protection laws, there are also several sector-specific data protection and privacy laws. For example, the processing of employee data and privacy of electronic communications are quite heavily regulated in Finland (see question 1.2).

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

In addition to the GDPR, the DPA supplements and specifies certain parts of the GDPR. The main national additions or specifications to the requirements of the GDPR include the following:

(a) Age limit for consent when offering information society services to children: The national age limit for when consent can be given by a child in relation to information society services has been set to 13 years. Thus, for processing personal data of children under this age, parental consent is required.

(b) Specifications regarding administrative fines: Administrative fines may not be imposed on public authorities or bodies in Finland.

(c) Sanctions: In addition to administrative fines or other sanctions, criminal sanctions are included in the Criminal Code of Finland (39/1889), and a new criminal offence named “data protection offence”, applicable only to natural persons, has been introduced.

(d) Provisions on national discretion: The DPA includes national regulation on processing of specific types of data, such as health-related data, personal identification numbers, and children’s personal data.

(e) Supervisory Authority: The competent local supervisory authority will continue to be the Finnish Data Protection Ombudsman. (The Finnish Transport and Communications Agency (“Traficom”) will remain the supervisory authority in e-privacy matters.)

Finland’s data protection laws also include separate provisions on the processing of employees’ personal data, which are covered by the Act on the Protection of Privacy in Working Life (759/2004). This Act applies to the relationship between employers and employees, and includes restrictions on, eg, processing of employee health data and credit data, conditions for carrying out drug tests and camera surveillance, as well as regulation on personality assessments and the retrieval and opening of employees’ electronic messages.

Further, information society services are governed by the Act on Electronic Communications Services (917/2014) which, inter alia, implements the ePrivacy Directive. In addition to, eg, provisions relating to the use of cookies (see, further, question 8.2), this Act contains strict rules on the confidentiality of electronic communications and electronic monitoring. Privacy of communications covers both the content of communications (such as content of emails) as well as traffic data (ie, such metadata of communications that is used for transmission thereof and that can be associated with a legal or natural person). Confidentiality of electronic communications is media neutral (and thus covers also over-the-top services, eg, chat functions in apps and on web pages). See, further, question 8.1.

The Criminal Code of Finland contains several criminal sanctions relating to privacy matters, such as the data protection offence. In connection with the reform of the Finnish PDA, the Finnish Criminal Code’s provisions on privacy were also repealed in order to avoid criminal sanctions overlapping with administrative ones.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

In Finland, the Data Protection Ombudsman (tietosuojavaltuutettu) is the local supervisory authority which supervises the compliance with general data protection legislation. The Data Protection Ombudsman is responsible for supervising compliance with data protection legislation and other laws concerning the processing of personal data, carrying out investigations and inspections, and imposing administrative sanctions for violations of the GDPR.

Traficom is the supervisory authority in e-privacy matters.

2 SCOPE

2.1 Which companies are subject to privacy law in Finland?

See the European Union chapter.

In addition, pursuant to the DPA, the processing of personal data is governed by Finnish laws if the controller’s place of business is located in Finland, and if the processing is carried out in the context of the activities of an establishment of a controller or processor in the European Union.

2.2 Does privacy law in Finland apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

Yes, privacy law applies outside the country. With respect to the GDPR, please refer to the European Union Chapter.

Neither the Act on Protection of Privacy in Working Life nor the Act on Electronic Communications Services contains clear provisions specifying their territorial reach. However, in the employment context, the provisions of these Acts should generally be limited to employees who work for the local office in Finland or where the employment contract is governed by Finnish law.


3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Finland?

Personal data is legally defined in the GDPR Article 4(1) (see the European Union chapter). No separate definition is contained in the DPA.

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

See the European Union chapter.

In addition, Sections 6 and 7 of the DPA provide exceptions where Article 9(1) of the GDPR is not applied. Listed below are examples of particularly relevant cases where special categories of data may be processed:

(a) special categories of personal data may be processed by insurance companies for the purpose of clarifying their liabilities;

(b) any processing of data that is provided by law or that derives directly from a statutory duty set out for the controller by law;

(c) special categories of personal data may be processed for the purposes of scientific or historical research and statistical purposes; and

(d) personal data related to criminal convictions and offences for the purposes of legal proceedings.

According to the DPA, when processing special categories of data, the controller and the processor must take appropriate and specific steps to ensure the protection of the rights of the data subject. Some of these steps are specified in Section 6 of the DPA, such as pseudonymisation, encryption and appointing a data protection officer.

Consent to process sensitive personal data must be explicit. Note that the age at which a child can provide a valid consent in relation to information society services has been set to 13 years, whereas the default option in the GDPR is 16 years (see question 1.2).

In addition, the Act on the Protection of Privacy in Working Life sets extensive restrictions on the processing of personal data in the context of employment relationships. Personal data should primarily be collected from the employee him-/herself, and from third parties only with the employee’s consent. Unnecessary personal data of employees cannot be processed even with the employee’s consent.

Finally, the DPA contains restrictions on the processing of personal identification numbers.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

See the European Union chapter.


4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

See the European Union chapter.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

See the European Union chapter.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Finland? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

See the European Union chapter.

6.2 How are data breaches regulated in Finland? What are the requirements for responding to data breaches?

See the European Union chapter.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

See the European Union chapter.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

See the European Union chapter for privacy law obligations.

The requirements for direct electronic marketing are set forth in Chapter 24 of the Act on Electronic Communications Services, which sets the following rules for marketing communications for private individuals:

(a) Direct marketing by means of automated calling systems, fax, or email, text, voice, sound or image messages requires prior consent by the consumer (opt-in).


(b) Other direct marketing (such as phone marketing or letters) is allowed if the individual has not specifically prohibited it (opt-out). The consumer must be able to easily, and at no charge, prohibit direct marketing.

(c) Where a service provider has obtained the customer’s contact information relating to email, text, voice, sound or image messages in the context of the sale of a product or a service, such service provider may use this contact information for direct marketing of their own products of the same product group and of other similar products or services. The customer must be given the opportunity to prohibit, easily and at no charge, the use of such contact information at the time when it is collected and in connection with any email, text, voice, sound or image message. The customer must be clearly notified of the possibility of such a prohibition (soft opt-in).

In a B2B context, the opt-out model applies, assuming that the content of the marketing message is relevant for the recipient of the marketing message considering his/her position in the organization.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

See the European Union chapter.

In addition, cookies are regulated in national legislation under Section 205 of the Act on Electronic Communications Services. Under this Act, a service provider may save cookies or other data concerning use of the service in the user’s terminal device, and use such data, if the user has given his/her consent thereto and the service provider gives the user comprehensible and complete information on the purposes of saving or using such data. Note that these provisos do not apply to any storage or use of data which is intended solely for the purpose of enabling the transmission of messages in communications networks or which is necessary for the service provider to provide a service that the subscriber or user has specifically requested.

In Finland, the ePrivacy Directive (2002/58/EC) has been interpreted to allow the user to consent to the storage of cookies, eg, through browser or other application settings. The storage and use of data is allowed only to the extent required for the service, and it may not limit the protection of privacy any more than is necessary.

It should be noted that the Court of Justice of the European Union (“CJEU”) has recently ruled on consent requirements for cookies (Case C-673/17, Planet49). According to the judgement, the website operators aiming to store cookies on a user’s device must obtain active and specific consent. Accordingly, the CJEU ruled that any opt-out consent, by way of a pre-ticked checkbox, is insufficient for the storage of cookies. However, as the ePrivacy Regulation is still being drafted by the European Union, the conditions for cookie consents are still interpreted in accordance with the national laws on cookies. Traficom, which is the competent national authority, has updated its guidelines on cookies after the CJEU ruling. However, the revised guidelines still reflect the broad interpretation of consent to cookie tracking, since the guidelines note that cookie consent may be given through, eg, browser settings.

The answers above, as well as the current national interpretation, may need to be revised in the near future as a result of the upcoming ePrivacy reform. Once the EU ePrivacy Regulation has entered into force, the Regulation will be directly applicable across the European Union, harmonizing the cookie consent question on the EU markets.


8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

See the European Union chapter, and questions 8.1 and 8.2 above.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

See the European Union chapter.

8.5 Are there specific privacy rules governing data brokers?

See the European Union chapter.

8.6 How is social media regulated from a privacy perspective?

See the European Union chapter.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

See the European Union chapter.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

See the European Union chapter.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

See the European Union chapter.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

See the European Union chapter and question 1.2 above.

In addition, for those infringements of the GDPR or the DPA that are not subject to administrative fines, the DPA refers to the Criminal Code of Finland. Breaches of the GDPR or Finnish data protection legislation may constitute a data protection offence, message interception or violation of a confidentiality obligation, computer break-in, illicit viewing, or eavesdropping. The criminal sanctions range from fines to imprisonment for a maximum term of 1-3 years, depending on the type and level of the offence.

Further, according to Section 24 of the Act on Protection of Privacy in Working Life, if an employer or a representative of the employer breaches an obligation or restrictions regarding processing personal data in the context of employment, the employer will be sentenced to a fine, unless a more severe penalty is provided in another Act.


10.2 Do individuals have a private right of action? What are the potential remedies?

See the European Union chapter.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Finland which affect privacy?

No.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

See the European Union chapter.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Finland?

According to the DPA, decisions of the Data Protection Ombudsman (as well as the Deputy Data Protection Ombudsmen) and decisions on administrative fines may be appealed against by filing an appeal in an Administrative Court. It should be noted that a decision may state that the decision is enforceable notwithstanding appeal. In practice, this means that the (possibly unfavorable) decision becomes effective immediately. However, obtaining a court order prohibiting enforcement of such decision may be possible in certain circumstances.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

See the European Union chapter.

12.2 What do you envision the privacy landscape will look like in 5 years?

See the European Union chapter.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

See the European Union chapter.


PRIVACY LAW – FRANCE

1 PRIVACY LAW

1.1 How is privacy regulated in France?

Privacy is regulated by statutory law and European Law. These Laws are interpreted and enforced by the supervisory authority (“CNIL”), which is a governmental authority, but also by French courts. The CNIL acts in the following four main fields of activity:

(a) to inform individuals of their rights and data controllers/processors of their obligations (and accompany them in their compliance process);

(b) to issue its own guidelines interpreting the law;

(c) to sanction the violation of its guidelines (investigatory powers, warnings, cease and desist letters and sanctions, including monetary sanctions); and

(d) to issue public communications (opinions at the request of the legislator, or public communications pertaining to innovation/prospective).

The CNIL’s guidelines and opinions are not binding on the courts but are usually taken into account by the judges.

Privacy has been regulated in France since the law dated January 6, 1978 (“Data Protection Law”). It was amended on June 20, 2018 to introduce the necessary changes (ie, opening clauses) required by the European General Data Protection Regulation (“GDPR”).

As the most important aspects of data privacy are regulated by the GDPR, France has only very limited regulatory power. The rules which are not subject to national regulation, or for which France has not made use of an opening clause, will only be mentioned below by a short reference to the European Union chapter.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

The primary source for data protection in the European Union, and thus in France, is the GDPR, which is directly applicable in all European Member States and does not need to be implemented by the individual European Union Member States. The GDPR covers the majority of privacy regulation.

The Data Protection Law aims at implementing the opening clauses; the main rules aiming at completing the GDPR are the following:

(a) the implementation of the accountability principle led to the withdrawal, from French law, of the obligation to file a data processing activity with the CNIL (which was compulsory before the GDPR entered into force), except for specific data processing, in particular for the collection/processing of French citizen’s social security identification number (ie, this still requires the authorization of the CNIL);

(b) sensitive data cannot be processed except in limited instances provided by law (eg, when the processing relates to data which have been anonymized, or when the processing concerns public information mentioned in court decisions, provided that the purpose and the consequences of the processing do not lead to the re-identification of the individual concerned);


(c) the processing of health data must be authorized by the CNIL in certain instances, in particular, processing for research purposes when the processing does not meet the guidelines issued by the CNIL;

(d) a child must be at least 15 years old to give a valid consent for the processing of his/her personal data (the GDPR sets the age at 16 years, but EU Member States are allowed to provide for a lower age);

(e) when the processing is based on the consent of the data subject, the controller must be able to demonstrate that the contracts which relate to devices or services leading to the processing of personal data do not prevent consent of the end user. Consent may be deemed prevented when the end user is faced with restrictions, without legitimate technical or security reasons, in particular during the initial configuration of the device; and

(f) the notification of a data breach to a data subject can be restricted when such a notification could raise an issue relating to national security, defence or public security.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

France does not have any self-regulatory body which can enforce privacy law.

TheGDPRand theDataProtectionLaw is enforcedby theCNIL, theFrench supervisoryauthoritywhichhasthefollowingpowers:

(a) tohandleclaimsfiledbyindividuals;

(b) tocarryoutinvestigations(asasupervisoryauthority)andtoissuecorrectivemeasuresintheeventofaviolationofprivacylaw(eg,warnings,ceaseanddesistletters,withdrawalofanauthorizationissuedbytheCNIL,prohibitiontocarryouttheprocessing,impositionoffinesetc);and

(c) toinformtheprosecutorofanyviolationoftheprivacylawandtosubmitobservationsduringacriminalprocedure.

TheFrenchcourtsalsohavejurisdictionintheeventthatalawsuitisbroughtbyadatasubjectclaimingthat his/her rights have been violated and claiming a civil or criminal liability (depending on theviolation)fromthedatacontrollerorprocessor.

2 SCOPE

2.1 WhichcompaniesaresubjecttoprivacylawinFrance?

SeetheEuropeanUnionchapter.

InadditiontothescopeoftheGDPR,Frenchdataprotectionlawappliestoanyprocessingcarriedoutinconnectionwiththeactivityoftheestablishmentofadatacontroller(oritsdataprocessor)wherethis establishment is located in France (irrespective of the placewhere the processing is located,whetherinFranceorabroad).

2.2 Does privacy law in France apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

Yes, privacy law applies outside the country:

(a) As far as the GDPR is applicable, it applies to data controllers located outside France.

(b) The rules in the Data Protection Law enacted to implement the opening clauses of the GDPR apply if the data subject resides in France (irrespective of whether or not the data controller is established in France); there is, however, an exception for processing carried out for journalistic, academic, artistic or literary purposes, whereby the Data Protection Law applies to the data controller when it is established in the EU.

The Data Protection Law no longer imposes the requirement that the data controller, which is not established in France (or in another EU Member State), must appoint a representative located in France.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in France?

The Data Protection Law makes a reference to the GDPR for the definition of personal information/personal data. See the European Union chapter.

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

See the European Union chapter.

In addition to specific obligations contained in the GDPR, the Data Protection Law sets forth exceptions to the prohibition of the processing of sensitive data, eg, if:

(a) the processing concerns statistics and is carried out by the French national authority in charge of statistics and economic studies, or by a service of a Ministry in charge of statistics (this exception is more restrictive than the corresponding exception set forth by the GDPR); or

(b) processing concerns public information mentioned in court decisions, provided that the purpose and the consequences of the processing do not lead to the re-identification of the individual concerned (see question 1.2(b)).

The controller or processor must take appropriate and specific measures to safeguard the interests of the data subject.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

See the European Union chapter.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

See the European Union chapter.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

See the European Union chapter.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in France? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

See the European Union chapter.

6.2 How are data breaches regulated in France? What are the requirements for responding to data breaches?

See the European Union chapter.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

See the European Union chapter and question 1.3 above.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

See the European Union chapter for privacy law obligations.

In addition, certain direct marketing activities, such as marketing by email, telefaxes, SMS and automatic calling, are subject (as a general rule for B2C communications) to the prior informed consent of the recipient (ie, opt-in; no pre-ticking of the boxes) under the Electronic Communication and Postal Service Code. There are exceptions to the opt-in rule when the recipient is already a customer and the purpose of the marketing communications relates to products or services similar to those previously purchased by the customer (in such a case, the opt-out principle applies: the recipient can refuse any further communication when he/she receives the marketing communications).

The CNIL confirmed, in a public release, that the GDPR does not affect the above rules (so that a specific consent must be obtained for the sending of such communications).

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

See the European Union chapter.

On July 4, 2019, the CNIL issued guidelines pertaining to the use of tracking technologies such as cookies. The former version of these Guidelines was no longer compliant with the GDPR (under the former guidelines, the fact that an internet user continues browsing was deemed a valid consent). The current version of the CNIL's Guidelines is now in line with the GDPR concerning the need for the explicit consent of the internet user, as set forth by the GDPR.

These Guidelines will be supplemented at the beginning of 2020 by a Recommendation in order to enlighten operators on practical methods to obtain the internet user's consent (see question 8.3).

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

See the European Union chapter.

On January 14, 2020, the CNIL launched a public consultation, open (to companies acting in this field of activity, and to the public) until February 25, 2020, as part of its draft Recommendation (see question 8.2 above) on targeted advertising.

According to the CNIL, the purpose of this Recommendation (soft law) is to guide the professionals concerned in their process of compliance. Thus, it will describe possible practical methods to obtain consent in accordance with the applicable rules, contain concrete examples of user interface, and describe good practices allowing companies to go above and beyond legal requirements.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

See the European Union chapter.

8.5 Are there specific privacy rules governing data brokers?

See the European Union chapter.

8.6 How is social media regulated from a privacy perspective?

See the European Union chapter.

On April 27, 2017, the CNIL sanctioned Facebook Inc and Facebook Ireland for the violation of the Data Protection Law and ordered them to pay a fine of 150,000 Euros. During its investigations, the CNIL noted, in particular, that cookies were stored on the devices of users who were not registered with Facebook (the cookies allowed Facebook to track the browsing of a user and to collect such user's browsing data if the user visited a third party's website containing a social media tool, such as a "like" button).

According to the CNIL, the data were not collected and processed in a fair way, due to the absence of sufficiently clear and precise information on the collection of data carried out, and because the cookie made it possible to carry out a detailed monitoring of the browsing of all internet users (whether or not registered on Facebook's social network).

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

See the European Union chapter.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

See the European Union chapter.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

See the European Union chapter.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

(a) Administrative sanctions: See the European Union chapter.

(b) Criminal penalties: The French Criminal Code sets forth criminal penalties, eg, the processing (in particular for marketing purposes) of personal data of an individual despite his/her opposition (or when this opposition is based on legitimate interests) is sanctioned by a prison term of up to 5 years and by a fine of up to 300,000 Euros (when the infringer is an individual) or 1.5 million Euros (when the infringer is a legal entity).

10.2 Do individuals have a private right of action? What are the potential remedies?

See the European Union chapter and question 10.1 above.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of France which affect privacy?

Section 9 of the Civil Code provides for a right of privacy, as it states that "Everyone has the right to respect for his private life. Without prejudice to the indemnification for injury suffered, judges may prescribe any measures, such as escrow, seizure and others, suited to the prevention or the ending of an infringement of the intimate character of private life; in case of emergency those measures may be provided for by summary proceedings".

The scope of Section 9 has been extended/used, by French courts, for the protection of the right of publicity (image, likeness etc) and is also used as a ground of action destined to control the commercial use of someone's persona.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

The hottest topic is the draft ePrivacy Regulation. See the European Union chapter.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in France?

On January 21, 2019, the CNIL, in application of the GDPR, imposed a penalty of 50 million Euros on Google LLC, for lack of transparency, unsatisfactory information, and lack of valid consent for the personalization of advertisement.

According to the CNIL, the users' consent was not sufficiently informed. The information on these treatments, diluted between several documents, did not allow the user to become aware of their scope. For example, in the section dedicated to "Personalization of ads", it was not possible to take note of the plurality of services, sites and applications involved in these treatments (Google search, Youtube, Google home, Google maps, Playstore, Google photo etc) and, therefore, the volume of data processed and combined.

In addition, the CNIL found that the consent obtained was not "specific" and "unequivocal".

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

See the European Union chapter.

12.2 What do you envision the privacy landscape will look like in 5 years?

See the European Union chapter.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

See the European Union chapter.

The hottest topic is the draft ePrivacy Regulation and the interpretation and implementation of the CNIL's Guidelines pertaining to the use of cookies, in particular for advertising purposes (see questions 8.2 and 8.3 above).

PRIVACY LAW – GERMANY

1 PRIVACY LAW

1.1 How is privacy regulated in Germany?

Privacy is regulated by statutory law, such as constitutional rights, federal law, state law and European law. They are all interpreted and enforced by the data protection authorities and, if the addressee of the orders issued by the authorities questions them, by the courts. The data protection authorities issue their own guidelines interpreting the laws. While these guidelines only reflect the opinion of the authorities and are non-binding, they could be used by the courts as a source when assessing the orders issued by the authorities.

Privacy has been a core concern of post-war Germany. The first ever data protection law in the world came into force in 1970 in Germany on a state level. A constitutional ruling from 1983, triggered through a census the same year, even created a new constitutional right: the right for informational self-determination based on Article 2(1) in conjunction with Article 1(1) of the Grundgesetz (German Constitution). It has been described as the "very key to the German view on data protection". The German Federal Constitutional Court ruled: "Under the conditions of modern data processing, the protection of individuals against unlimited collection, storage, use and disclosure of their personal data is covered […]. In this respect, the fundamental right guarantees the right of the individual to determine the disclosure and use of his or her personal data herself or himself".

This ruling was the basis for the first German Federal Data Protection Act ("BDSG") that in large parts was used as a blueprint for the European General Data Protection Regulation ("GDPR").

The BDSG is now, therefore, only a secondary, but nonetheless important, source for data privacy protection. It contains not only the sector-specific regulations permitted by the opening clause of the GDPR but also regulations on aspects which are not regulated by the GDPR, such as data privacy in relation to criminal prosecution and proceedings.

The BDSG has to be interpreted in accordance with the principles of the GDPR and may not be used at all where the GDPR provides its own stipulations.

All federal states have their own data protection laws (which only regulate processing of data by public bodies). There are also data protection stipulations in other laws. Other important sources that impact data protection and contain important data protection rules are: the Federal Telecommunications Act ("TKG") and the Federal Telemedia Act ("TMG"), as well as the ePrivacy Directive, which had a certain impact on these Acts.

As the most important aspects of data privacy are regulated by the GDPR, Germany has only very limited regulatory power. As pointed out earlier, the relevant fields are the sector-specific opening clauses of the GDPR, administrative stipulations and certain aspects of criminal prosecution and enforcement. Those aspects of the GDPR which are not subject to national regulation or for which Germany has not yet made use of an opening clause will only be mentioned below by a short reference to the chapter on the European Union.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

The primary source for data protection in the European Union, and thus in Germany, is the GDPR. As a European Regulation, it is directly applicable in all European Member states and does not need to be implemented by the individual EU Member states. The GDPR covers most of the relevant aspects of data privacy.

On the other hand, the GDPR contains several opening clauses, allowing EU Member states to enact national privacy rules on certain aspects, which either specify or limit the rights and obligations contained in the GDPR. Germany has done so, and has included them in the BDSG.

The most important stipulations for the private sector in the BDSG which are based on GDPR opening clauses are the following:

(a) Section 22: For certain purposes relating to social security, healthcare and the public interest, private bodies are allowed to process special categories of personal data (modifying GDPR Article 9). The processing of personal data of employees has additional provisions (Section 26).

(b) Sections 29, 32, 33: Exceptions to the requirements of GDPR Articles 13–15 apply in certain cases: eg, where confidentiality obligations exist or if the information would undermine the enforcement of civil claims.

(c) Section 35: Further exceptions are made to the data subject's right to cancellation of data under GDPR Article 17.

(d) Section 38: More detail is provided as to when a DPO is needed under GDPR Article 37 (see question 5.1).

(e) Section 26: A comprehensive regulation is provided for the protection of employee data, modifying GDPR Article 88.

However, as far as the processing of personal data for marketing purposes is concerned, all relevant stipulations are contained in the GDPR.

While the applicable European, Federal and State laws regulate the processing (use) of personal data, certain aspects of marketing activities, such as direct marketing by email or telephone, are regulated by the German Act against Unfair Competition ("UWG") (see question 8.1).

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

Germany does not have any self-regulatory bodies which enforce privacy law.

The GDPR, the BDSG and other laws protecting personal data are enforced by the supervisory authorities (Aufsichtsbehörden) as well as the competent administrative authority. They can monitor, ask questions that need to be answered and issue orders and fines in case of violations of the data protection laws.

2 SCOPE

2.1 Which companies are subject to privacy law in Germany?

See the European Union chapter.

In addition to the scope of the GDPR, the BDSG applies to private bodies if the controller or processor processes personal data in Germany, regardless of any establishment of the controller or processor in Germany or in the EU, or the data subject being in the EU (Section 1(4)).

2.2 Does privacy law in Germany apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

Yes, privacy law applies outside the country:

(a) GDPR: as far as the GDPR is applicable, it applies to companies outside Germany;

(b) BDSG: the BDSG applies to controllers and processors that:
(i) process personal data in Germany (see question 2.1),
(ii) process personal data in the context of the activities of their establishment in Germany, or
(iii) do not have an establishment in Germany, but fall within the scope of the GDPR (Section 1(4)).

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Germany?

Personal data is legally defined in the GDPR Article 4(1) (see the European Union chapter). An identical definition is contained in BDSG Section 46.

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

See the European Union chapter.

In addition to the specific obligations contained in the GDPR Article 9, BDSG Section 22(1) permits private bodies to process special categories of personal data for certain purposes, eg if:

(a) processing is necessary to exercise the rights derived from the right of social security and social protection and to meet the related obligations; or

(b) processing is necessary for the purposes of preventive medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services or pursuant to the data subject's contract with a health professional and if these data are processed by health professionals or other persons subject to the obligation of professional secrecy or under their supervision.

The controller or processor has to take appropriate and specific measures to safeguard the interests of the data subject.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

See the European Union chapter.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

See the European Union chapter.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

See the European Union chapter.

The general requirement in GDPR Article 37 to designate a Data Protection Officer ("DPO") is modified so that a DPO is required only if the controller or processor constantly employs, as a general rule, at least 20 persons dealing with the automated processing of personal data. However, if the processing by a controller or processor is subject to a data protection impact assessment, or if they commercially process personal data for the purpose of transfer, anonymized transfer, or for purposes of market or opinion research, they must designate a data protection officer regardless of the number of persons employed in processing (BDSG Section 38).

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Germany? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

See the European Union chapter. The German national Data Protection Conference (of the Federal Government and the Federal States) ("DSK"), as well as the various state authorities, issue guidelines for aspects of the GDPR, which can be found online on the respective authorities' website. However, the courts are not bound by these guidelines, which only reflect the interpretation of the GDPR by the respective authority. It remains to be seen whether the courts will confirm or replace such guidelines with their own interpretation.

6.2 How are data breaches regulated in Germany? What are the requirements for responding to data breaches?

See the European Union chapter.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

See the European Union chapter.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

See the European Union chapter for privacy law obligations.

In addition, certain direct marketing activities, such as email, telefaxes, text messages and phone calls, are subject to UWG Section 7, and are, as a general rule, only permissible on the basis of a valid prior and informed consent regarding the specific means of direct marketing and the product or services to be marketed. The GDPR requirements for the use of the data (consent or legitimate interests) do not serve as a basis for permission in this respect, as they relate only to the use of the data, not to the specific means of marketing. But the consent may be valid for both if addressed correctly.

Competitors, consumer protection associations, industry associations and recipients of the marketing communication are able to enforce the law using warning letters and court orders by (preliminary) injunction.

No pre-checked boxes are allowed. If consent is contained in other clauses (eg, of standard terms) it must be highlighted.

In the case of online consent, eg, for newsletters or mailings, a two-factor authentication is necessary in order to be able to show evidence of a valid consent by the person identified by the data relating to the consent. This is usually achieved by the so-called "double opt-in". With the double opt-in procedure, the user first indicates on a website that he/she would like to receive information by e-mail in the future. In a second step, a confirmation mail containing a confirmation link is sent to the email address provided. The recipient has the option to confirm the consent to receiving future advertising or information mails by clicking on the confirmation link. This is to prevent the misuse and illegal processing of email addresses and helps the sender to document the explicit consent should he later be in need to prove the consent.

A recent decision of the Austrian data protection authority indicates that not using the double opt-in procedure when requesting a consent could constitute a violation of GDPR Article 32, which requires the implementation of appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
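The double opt-in procedure described above, as an added Python example that is not part of the original chapter: the confirmation link carries an HMAC over the address, a per-request nonce and a timestamp, so only the holder of the mailbox can complete the second step, and the resulting record keeps the evidence (request and confirmation times) the sender may later need to prove consent. The secret key, addresses, base URL and 48-hour link validity are assumed sample values.

```python
"""Double opt-in for e-mail marketing consent (added example, not from the page).

Step 1: the user enters an address on the website; a pending record is created
and a confirmation link with an HMAC-signed token is "mailed" (here: an outbox).
Step 2: the user follows the link; only then is consent recorded, together with
the timestamps the sender may later need as evidence of the explicit consent.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

TOKEN_TTL_SECONDS = 48 * 3600  # assumed: confirmation links expire after 48 hours


@dataclass
class ConsentRecord:
    email: str
    requested_at: int
    nonce: str
    confirmed_at: Optional[int] = None
    purpose: str = "newsletter"


class DoubleOptIn:
    def __init__(self, secret_key: bytes, base_url: str, clock=time.time):
        self._key = secret_key          # server-side secret; never placed in the link
        self._base_url = base_url
        self._clock = clock             # injectable for testing expiry
        self._pending: dict[str, ConsentRecord] = {}
        self._confirmed: dict[str, ConsentRecord] = {}
        self.outbox: list[tuple[str, str]] = []  # (recipient, link) stands in for SMTP

    @staticmethod
    def _normalize(email: str) -> str:
        return email.strip().lower()

    def _sign(self, email: str, nonce: str, ts: int) -> str:
        # The nonce is stored server-side only, so a new request invalidates older links.
        msg = f"{email}|{nonce}|{ts}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def request(self, email: str) -> str:
        """Step 1: store a pending request and emit the confirmation link.

        Nothing may be sent on the basis of this step alone: anyone could have
        typed the address into the form.
        """
        email = self._normalize(email)
        ts = int(self._clock())
        nonce = secrets.token_urlsafe(16)
        self._pending[email] = ConsentRecord(email=email, requested_at=ts, nonce=nonce)
        query = urlencode({"email": email, "ts": ts, "sig": self._sign(email, nonce, ts)})
        link = f"{self._base_url}/confirm?{query}"
        self.outbox.append((email, link))
        return link

    def confirm(self, email: str, ts: int, sig: str) -> bool:
        """Step 2: validate the link. True only if consent is now documented."""
        email = self._normalize(email)
        rec = self._pending.get(email)
        if rec is None:
            return False                          # never requested, or already used
        if int(self._clock()) - ts > TOKEN_TTL_SECONDS:
            return False                          # stale link
        expected = self._sign(email, rec.nonce, ts)
        if not hmac.compare_digest(expected, sig):
            return False                          # forged, tampered or superseded link
        rec.confirmed_at = int(self._clock())
        self._confirmed[email] = self._pending.pop(email)
        return True

    def may_send_marketing(self, email: str) -> bool:
        """Gate every send on a completed double opt-in, not on the request alone."""
        return self._normalize(email) in self._confirmed

    def evidence(self, email: str) -> Optional[ConsentRecord]:
        """The record to produce if the consent is later disputed."""
        return self._confirmed.get(self._normalize(email))


def parse_confirmation_link(link: str) -> tuple[str, int, str]:
    """Extract (email, ts, sig) from a link produced by request()."""
    q = parse_qs(urlsplit(link).query)
    return q["email"][0], int(q["ts"][0]), q["sig"][0]
```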

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

See the European Union chapter.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

See the European Union chapter, question 8.2.

Consent is usually necessary, especially for services where the collected data is transferred to a third-party provider that then processes this data for its own purposes (eg for providing user-specific advertisement on other websites), although the DSK does not currently rule out the possibility of basing web tracking on the legitimate interest of the website operator. However, the balancing of interests within the framework of Article 6(1)(f) of the GDPR requires a substantial examination of the interests, fundamental rights and fundamental freedoms of the parties involved, the scope of the data processing, as well as the predictability for the user, and must be related to the specific individual case. Inadequate or general findings that data processing is permissible pursuant to Article 6(1)(f) do not fulfil the legal requirements.

In the light of the uncertainty as to the right test, and the risk of high fines in case of non-compliance, it is advisable to install a cookie manager seeking informed consent for each tracking tool. If external tools are used, data controllers and third-party tracking tool providers need to sign (joint) controllership agreements.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

See the European Union chapter. A court decision confirmed the consent requirement for customer matching like Facebook Custom Audiences. Facebook would not act as a mere processor for the advertiser but is a third party. This would also require a joint controllership agreement (which Facebook currently does not offer) and a respective clause in the privacy policy.

8.5 Are there specific privacy rules governing data brokers?

See the European Union chapter.

8.6 How is social media regulated from a privacy perspective?

See the European Union chapter.

With regard to Facebook fanpages and social plug-ins, please note the following:

In June 2018, the ECJ (Case No C-210/16) decided that fanpage operators in the EU, together with Facebook Ireland, should be regarded as data controllers. Facebook responded by offering such an agreement. However, according to a communication of the DSK in April 2019, this agreement is not sufficient to comply with the requirements of Article 26 of the GDPR, because Facebook wants to have sole decision-making power over the data processing. In addition, the DSK is of the opinion that the agreement is not sufficiently transparent and concrete. Thus, according to the DSK, GDPR-compliant operation of Facebook fanpages is currently not possible. A recent decision of the Federal Administrative Court confirmed that the authorities can order the shutdown of fanpages in cases where they do not comply with the GDPR.

When incorporating a social plug-in, eg, Facebook's "like" button, care should also be taken to ensure that the consent allowing data processing (GDPR Article 6(1)(a)) is given prior to data processing. Technically, this can be implemented, eg, with the so-called "two-click" solution. The "two-click" solution means that the user, before activating the plug-in with the first click, will be informed, so that a valid consent can be granted. No data must be processed before this activation. Only after this first click can the user click the social plug-in (eg, the "like" button).

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

See the European Union chapter.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

See the European Union chapter.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

See the European Union chapter.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

See the European Union chapter.

10.2 Do individuals have a private right of action? What are the potential remedies?

See the European Union chapter. Whether cease-and-desist claims can be brought by individuals against controllers that violate the individual's rights is currently unclear. Court decisions are not unitary and so far there has been no Supreme Court decision in this respect. The same applies for cease-and-desist claims by competitors based on the UWG.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Germany which affect privacy?

None.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

The hottest topic is the draft ePrivacy Regulation. See the European Union chapter. Other hot topics are the assessment of compliance regarding fanpages and the approach the authorities will take concerning tracking tools/cookies.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Germany?

After an initial reluctance to issue fines, the data protection authorities have now started to do so. Fines issued so far vary between 10,000 euros and 14,500,000 euros. Especially fine-sensitive are violations of the information requirements resulting from data breaches; but fines have also been issued for insufficient technical and organisational measures to ensure information security, non-appointment of a data processing officer and general lack of a legal basis for data processing. Usually the immediate cooperation of the controller with the authority will help to reduce the amount of the fine.

In addition, the DSK has recently issued a model to calculate fines in cases of violation of the GDPR. When applying the model, the suggested amounts are much higher than the previously issued fines. The model serves as a guideline until the European Data Protection Committee has issued its own harmonized guideline in accordance with GDPR Article 70(1)(k).

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

See the European Union chapter.

12.2 What do you envision the privacy landscape will look like in 5 years?

See the European Union chapter.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

See the European Union chapter.

Companies face many uncertainties. The GDPR has yet to be clarified through case law. Currently the European Commission, data protection authorities (Article 29 Data Protection Working Party) and the DSK from time to time release guidelines on how to interpret and apply the GDPR. However, these guidelines only reflect the opinion of the respective data protection authority or the DSK and thus are not binding.

It remains to be seen whether the courts, when confronted with an order, will follow the interpretation of the authority or decide differently.

PRIVACY LAW – GREECE

1 PRIVACY LAW

1.1 How is privacy regulated in Greece?

Privacy in Greece is, first of all, protected at a constitutional level, by article 9A of the Greek Constitution which provides that: "All persons have the right to be protected from the collection, processing and use, especially by electronic means, of their personal data, as specified by law. The protection of personal data is ensured by an independent authority, which is constituted and operates as specified by law."

Furthermore, the protection of personal data is specifically regulated in Greece; primarily, by European Law and, complementarily, by national law.

More specifically, as in all EU Member States, the primary source of privacy law in Greece is the General Data Protection Regulation 2016/679 ("GDPR") (see the European Union chapter).

Additionally, national Law No 4624/2019 sets some rules regarding the implementation of certain aspects of the GDPR in Greece, in relation to which the GDPR contains opening clauses. These national rules either specify or limit some of the rights and obligations provided by the GDPR.

Privacy rules in the electronic communications sector are also set by Law No 3471/2006 (as amended), which implemented the ePrivacy Directive (or "Cookie Directive").

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

Privacy in Greece is mainly regulated by the GDPR, which came into force, as in all Member States, on May 25, 2018 and is directly applicable in Greece, with no need of incorporation by the national legislator (see the European Union chapter).

Additionally, Law No 4624/2019, which entered into force on August 29, 2019, sets specific provisions regarding the implementation of certain aspects of the GDPR in Greece, and also incorporates EU Directive 2016/680 into Greek law.

The most important provisions relating to private entities in Law No 4624/2019, which are supplemental to the provisions of the GDPR, are the following:

(a) Article 21: Consent of minors to processing of their personal data in relation to information society services;

(b) Article 22: Processing of special categories of personal data for certain purposes other than those provided in Article 9(1) of the GDPR;

(c) Article 23: Prohibition on processing of genetic data for purposes of health and life insurance;

(d) Article 25: Processing of personal data for further purposes other than those for which the data had been collected;

(e) Article 27: Processing of personal data in the context of employment;

(f) Articles 28–30: Processing of personal data in specific situations, such as academic, artistic or literary expression and journalistic purposes, scientific or historical research purposes or for the collection or retention of statistics;

(g) Articles 31, 32: Exceptions from the obligation to inform the data subject in specific cases (derogating from articles 13–14 of the GDPR);

(h) Articles 33, 34: Exceptions to the right of access (under article 15 of the GDPR) and to the right of erasure (under article 17 of the GDPR) in specific cases; release from the obligation to communicate a data breach to the data subject in specific cases (under article 34 of the GDPR); and

(i) Article 38: Penal sanctions for specific wilful violations of data protection law.

Law No 4624/2019 has also repealed Law No 2472/1997 (which had been the main legislative text regulating protection of personal data in Greece prior to the GDPR), with the exception, however, of certain specific provisions which still remain in force, such as the right of data subjects to declare to the Hellenic Data Protection Authority that they do not want their personal data to be processed by anybody for purposes of marketing communication by post.

In addition, especially in relation to the protection of privacy in the electronic communications sector, article 11 of Law No 3471/2006 provides rules for marketing communications by electronic means.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

The independent supervisory authority responsible for monitoring the implementation and enforcement of privacy law in Greece is the Hellenic Data Protection Authority (“Hellenic DPA”). The Hellenic DPA has the competency, inter alia, to handle complaints, investigate possible breaches of privacy law, issue decisions and impose administrative sanctions (including monetary fines) in cases of violation of data protection rules.

In addition, data subjects who wish to seek compensation or other form of restitution in cases of unlawful processing of their personal data by a controller or processor may bring civil actions before the competent civil courts, which will, in this case, also enforce privacy law.

Furthermore, in cases of penal violations in relation to personal data, which are specifically provided in Article 38 of Law No 4624/2019, the penal courts are also competent to enforce the data protection rules.

2 SCOPE

2.1 Which companies are subject to privacy law in Greece?

As far as the GDPR is concerned, please see the European Union chapter.

Law No 4624/2019 applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system, by public or private bodies, with the exception of processing of personal data by a natural person in the course of a purely personal or household activity. “Private bodies” are considered to be all natural or legal persons or associations of persons without legal personality that do not fall within the definition of “public bodies”. Thus, as is the case with the GDPR, all companies fall under the obligations of the Greek privacy law, subject only to its territorial scope (see question 2.2).

2.2 Does privacy law in Greece apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

Yes, Greek privacy law can apply to companies outside Greece.

As far as the GDPR is concerned, please see the European Union chapter.

Greek Law No 4624/2019 applies to private bodies when:

(a) a controller or processor processes personal data in Greece, or

(b) personal data is processed in the context of the activities of an establishment of a controller or a processor in Greece, or

(c) even if the controller or the processor does not have an establishment in the EU/EEA, they fall within the scope of the GDPR.

In cases where a controller or processor who falls under the scope of the law is established outside the EU, they should designate in writing a representative pursuant to Article 27 of the GDPR (please see the European Union chapter).

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Greece?

There is no definition of “personal data” in Greek Law No 4624/2019; therefore, the GDPR definition applies (see the European Union chapter).

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

See the European Union chapter.

In relation to the “special categories of personal data” covered, primarily, in Article 9 of the GDPR, Greek Law No 4624/2019 exceptionally permits private bodies to process such categories of personal data, if the processing is necessary:

(a) to exercise rights derived from the right of social security and social protection and to meet the related obligations; or

(b) for the purposes of preventive medicine, for the assessment of the working capacity of the employee, for medical diagnosis, for the provision of health or social care or treatment or for the management of health or social care systems and services, or pursuant to the data subject’s contract with a health professional or other person who is subject to the obligation of professional secrecy or is under their supervision.

In the above cases, of course, appropriate and specific measures need to be taken to safeguard the interests of the data subject.

In addition, processing of genetic data for purposes of health and life insurance is prohibited.

With regard to personal data of children, Law No 4624/2019 provides that, when consent is the legal basis for processing of non-sensitive personal data of children in relation to information society services, a child should be at least 15 years old in order to give valid consent. If the minor is below the age of 15, the consent of the person holding parental responsibility is required.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

See the European Union chapter.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

See the European Union chapter.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

See the European Union chapter.

The Hellenic DPA considers that the data controller is obliged to carry out a data protection impact assessment (“DPIA”) in cases of systematic data processing which involves profiling of natural persons for marketing purposes, provided that the data is combined with data collected from a third party.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Greece? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

See the European Union chapter.

6.2 How are data breaches regulated in Greece? What are the requirements for responding to data breaches?

See the European Union chapter.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

See the European Union chapter and see question 1.2 in relation to limitations of data subjects’ rights provided by Law No 4624/2019.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

See the European Union chapter for privacy law obligations.

In addition:

(a) With regard to marketing communications through electronic means, such as by email, SMS, fax, automated calls, etc (with the exception of calls made with human intervention), it is necessary, as a general rule, that the receiver of the communication/data subject has provided his/her valid, informed and explicit consent prior to the communication (“opt-in” system).

Nevertheless, in cases where the electronic contact details have been previously acquired legally in the framework of a commercial relationship with the data subject (eg, previous sale of products or provision of services to the data subject), it is possible to use such data for future marketing communication in relation to similar products or services, even if the recipient of the communication had not provided his/her prior explicit consent. However, it is absolutely necessary to provide, both when the data is collected as well as in each communication, a clear, easy and free way for the data subject to object to the collection and use of his/her contact details in the future (“soft opt-in” system). In a recent decision, the Hellenic DPA imposed a fine of 200,000 Euros on a leading Greek telecommunications provider, because it was found that, starting from 2013, about 8,000 recipients of advertising emails were not able to successfully use the “unsubscribe link” provided in the emails in order to object to receiving the provider’s further marketing communications, due to a technical error that had not previously been detected. This situation was deemed by the Hellenic DPA to be in violation of the right of data subjects to object to processing for direct marketing purposes, as well as of the principle of privacy by design, provided by the GDPR.

(b) Regarding phone calls made with human intervention for direct marketing purposes, consumers have the right to declare, for free, to their telecommunication provider that they do not wish to receive this kind of marketing calls (“opt-out” system). Each telecommunication provider has the obligation to keep a registry of the subscribers who have provided this declaration; and any interested party who wishes to make direct marketing calls should previously check the registries kept by each provider and comply with them. In relation to this matter, the Hellenic DPA recently imposed a considerable administrative fine of 200,000 Euros on a leading Greek telecommunications provider, for not keeping the registry provided to advertisers properly updated. This resulted in phone calls to subscribers who had opted out of this kind of direct marketing. The incident was found by the Hellenic DPA to infringe the principle of accuracy and the principle of data protection by design, provided by the GDPR.

Both decisions turn on the same operational point: an opt-out mechanism (an unsubscribe link, a do-not-call registry) that silently fails is treated as an infringement in its own right, so advertisers should verify end to end that objections are actually recorded and honoured before each campaign, rather than assume the mechanism works because it is present.

(c) The Hellenic DPA also keeps a registry of data subjects who do not wish to receive marketing communications by traditional post. It is a legal obligation for data controllers to check this opt-out registry prior to sending such marketing communications.

(d) In relation to marketing communications through the Viber application, in 2018, the Hellenic DPA issued a decision which provides some guidance to private companies (data controllers). According to this decision, the lawfulness of sending Viber messages for direct marketing purposes can be based either on the consent of the data subject or on the legitimate interests of the data controller. In addition, the Hellenic DPA considered that accepting to receive such messages from the data controller through the “Viber business” service did not constitute valid consent, since it did not meet the criteria in the Greek privacy law in force at the time, nor the GDPR. This is because the data subject was not properly informed of the purpose of the processing (namely the promotion of products/services of the company) during the collection of the data; nor was the purpose of sending the message adequately defined at the point of sending.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

See the European Union chapter.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

See the European Union chapter, question 8.2.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

See the European Union chapter.

8.5 Are there specific privacy rules governing data brokers?

See the European Union chapter.

8.6 How is social media regulated from a privacy perspective?

See the European Union chapter.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

See the European Union chapter.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

See the European Union chapter.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

See the European Union chapter.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

See the European Union chapter for the administrative sanctions.

In addition, Law No 4624/2019 provides penal sanctions for specific wilful violations of data protection law.

10.2 Do individuals have a private right of action? What are the potential remedies?

See the European Union chapter.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Greece which affect privacy?

None.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

The “next big thing” in privacy law is the proposed ePrivacy Regulation, which will replace the ePrivacy Directive (“Cookie Directive”). See the European Union chapter.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Greece?

The Hellenic DPA has started to issue rather heavy administrative fines to companies in cases of major violations of the GDPR. See question 8.1 in relation to two fines, of 200,000 Euros each, imposed on a leading Greek telecommunications provider. Another fine, of 150,000 Euros, was imposed on the Greek company member of a multinational accounting firm for violations of the GDPR in the context of employment relations.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

See the European Union chapter.

12.2 What do you envision the privacy landscape will look like in 5 years?

See the European Union chapter.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

See the European Union chapter.

The decisions and guidelines issued by the Hellenic DPA are very important for the interpretation and application of the GDPR in Greece; therefore, companies will need to seek local legal advice in case Greek privacy laws apply.

PRIVACY LAW – HUNGARY

1 PRIVACY LAW

1.1 How is privacy regulated in Hungary?

Privacy law is regulated by various acts in Hungary. In addition to the EU General Data Protection Regulation (“GDPR”), which forms part of Hungarian law, there is a general Hungarian data protection act, namely, the Act on the Informational Self-Determination and the Freedom of Information (also known as the “Infotv.”).

The Infotv. has two prongs. It contains rules supplementing the GDPR and, at the same time, transposes the EU Law Enforcement Directive (Directive (EU) 2016/680) into Hungarian law.

In addition to the GDPR and the Infotv., there are a number of sector-specific acts which contain provisions on data processing (see question 1.2).

As the GDPR is an EU Regulation which is directly effective and applicable in all Member States, including Hungary, no Hungarian act may contradict the GDPR.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

The main source of law for data protection is the GDPR, which is an EU Regulation directly effective and applicable in all EU Member States without any need for implementation whatsoever.

The GDPR contains around 90 opening clauses which allow Member States to either deviate from or supplement the provisions of the GDPR. Hungary has taken advantage of some of the opening clauses.

In addition to the GDPR and the Infotv., there are several pieces of legislation which contain provisions governing data processing. These include, eg:

(a) Hungarian Labour Code,

(b) Whistle-blowing Act,

(c) Act on Commercial Advertising Activities,

(d) Act on Electronic Commercial Activities,

(e) Act on Electronic Telecommunications,

(f) Act on the Processing of Health Data,

(g) Credit Institutions Act,

(h) Insurance Act, and

(i) Anti-Money Laundering Act.

For details on the legal basis of processing in a marketing context, please see question 8.1 below.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

In Hungary, there are no self-regulatory bodies in charge of the enforcement of privacy law.

The GDPR, the Infotv. and all other laws on data processing are enforced by the National Data Protection and Freedom of Information Authority (Nemzeti Adatvédelmi és Információszabadság Hatóság or “NAIH”). The NAIH regularly publishes resolutions on, and uploads opinions and recommendations onto, its website.

2 SCOPE

2.1 Which companies are subject to privacy law in Hungary?

Taking the scope of the GDPR and the Infotv. into account, all companies are subject to privacy law.

The scope of the Infotv. is worded in such a way that the Act applies:

(a) to the processing of personal data if the controller has its main establishment or only place of administration within the EU in Hungary; and

(b) to the processing of personal data by a controller who has its main establishment or only place of administration within the EU outside Hungary but the data processing activities carried out by the controller, or the processor as per the instructions of the controller, are related to:

(i) the offering of goods or services to data subjects in Hungary, irrespective of whether a payment of the data subject is required, or

(ii) the monitoring of data subjects’ behavior to the extent that their behavior takes place within Hungary.

The GDPR applies to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which forms part of a filing system or is intended to form part of a filing system. In this regard, it is worth noting that the Infotv. provides that the GDPR also applies to the processing of data which does not form part of a filing system.

2.2 Does privacy law in Hungary apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

Yes. See question 2.1 above.

Controllers or processors not established in the European Union are required to designate a representative in writing in the European Union (Article 27 of the GDPR).

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Hungary?

The GDPR contains the definition of personal data (Article 4(1)). Member States may not deviate from such definition and may not even duplicate the definition in their national laws as regards data processing activities covered by the GDPR.

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

The GDPR lists the special categories of personal data (Article 9) and contains rules applicable to personal data relating to criminal convictions and offences (Article 10). All such data can be regarded as being sensitive. Furthermore, even though, for example, financial or geo-location data do not qualify as special categories of personal data, they can be considered sensitive data, which is supported by the recitals of the GDPR and the practice of the European Data Protection Board (“EDPB”, the successor of the Article 29 Working Party or WP29) and the NAIH.

When it comes to the processing of special categories of data, the GDPR explicitly names the possible legal bases which may be used in the context of such processing (Article 9). Special obligations in connection with processing sensitive data may include the need to prepare a data protection impact assessment (“DPIA”) and to appoint a data protection officer (“DPO”). In addition, under the GDPR there is a general obligation vested with the controller and the processor to take appropriate technical and organisational measures to safeguard the personal data and the rights and freedoms of the data subjects. If sensitive data are also processed, the required level of security is higher.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

Please refer to the GDPR (especially Article 5). The main principles named in Article 5 are as follows:

(a) lawfulness, fairness and transparency;

(b) purpose limitation;

(c) data minimisation;

(d) accuracy;

(e) storage limitation;

(f) integrity and confidentiality; and

(g) accountability.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

Yes. Even though the GDPR applies to both controllers and processors, there are certain obligations that only apply to controllers (eg, the obligation to prepare a DPIA if the conditions apply; the notification of a data breach to the competent supervisory authority and to the data subjects, if the conditions apply; the documentation of data breaches).

Hungarian law contains special provisions with regard to, eg, data retention periods which apply to controllers.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

As regards information on data processing and the keeping of records of processing activities, the provisions of the GDPR have to be complied with.

The same applies to the designation of a DPO, since Hungarian law contains no additional requirements in addition to those included in the GDPR (Article 37(1)) concerning when the appointment of a DPO will be required.

As regards the preparation of a DPIA, the NAIH has issued a blacklist of data processing activities, which is a non-exhaustive list of those data processing activities that are subject to a DPIA. As per the list, we take it that if profiling (eg, behavioral advertising) takes place, a DPIA has to be prepared prior to such data processing.

There is no registration obligation with the NAIH.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Hungary? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

The provisions of the GDPR apply (ie, the controller and the processor are required to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk).

6.2 How are data breaches regulated in Hungary? What are the requirements for responding to data breaches?

The provisions of the GDPR apply (eg, the controller is required to document the data breaches and notify the data breach to the supervisory authority and the data subjects, if the conditions for such notifications apply). The implementation and effective operation of a proper incident response plan is essential.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

In addition to the rights as described in the GDPR, Hungarian law contains a special right as follows.

The Infotv. provides that the person who has been authorized by the data subject in his/her lifetime, before the controller, in a public deed or in a document with full probative force, may exercise certain rights of a deceased data subject (right of access, right to rectification, right to erasure, right to restriction of processing, right to object) within 5 years from the date of the death of the data subject. Furthermore, even if the data subject did not make a legal statement in his/her life before the controller in a public deed or document with full probative force, a close relative is entitled to exercise certain of his/her rights (including the right to rectification, right to object, right to erasure, right to restriction of processing) within 5 years from the date of their death.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

Under Hungarian law:

(a) Postal marketing communications can be sent to the data subject based on his/her prior informed consent. If, however, the marketing material qualifies as a so-called “addressed advertisement parcel”, it can be sent to the data subject based on the legitimate interest of the controller (opt-out regime). (“Addressed advertisement parcel” means a communication, consisting solely of advertising, marketing or publicity material and comprising an identical message, except for the addressee’s name, address and other data which do not alter the nature of the message, which is sent to at least 500 addressees.)

(b) As to telephone calls, the Hungarian rules are as follows:

(i) Personal calls: a subscriber may be called in the absence of any objection to receiving such calls (opt-out rule).

(ii) Automated calls: the call is subject to the prior expressed consent of the subscriber (opt-in principle).

(c) Emails or other kinds of electronic marketing communications are subject to the prior informed consent of the data subject.

In line with the GDPR, the NAIH stresses that no pre-checked boxes are allowed and that the data subjects must be informed of the right to withdraw their consent or, if the data processing is based on the legitimate interest of the controller, the right to object.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

Hungarian law contains no special rules in this regard. The rules of the GDPR apply.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

Hungarian law contains no special rules in this regard. The rules of the GDPR apply.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

Hungarian law does not contain any special rules in this regard. The provisions of the GDPR have to be complied with. This basically means that there has to be a legitimate purpose and legal basis for processing; prior information has to be given to the data subjects in accordance with the GDPR; and the data shared has to be proportionate with the legitimate purpose wished to be achieved.

8.5 Are there specific privacy rules governing data brokers?

Hungarian law contains no special rules governing data brokers. The rules of the GDPR apply.

8.6 How is social media regulated from a privacy perspective?

Hungarian law contains no special rules in this regard. The rules of the GDPR and the practice of the EDPB and the EU Court of Justice apply.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

Hungarian law contains no special rules in this regard. The rules of the GDPR apply.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

The rules of the GDPR on data transfer apply.

Furthermore, by way of example, the Whistle-blowing Act contains provisions on the restriction of data. Namely, the company to which the whistle-blowing report has been made is required to keep the data received confidential; only the persons taking part in the internal investigation may have access to the data and they may not transfer such data to any other person/unit of the employer.

In addition, for example, the Act on the Processing of Health Data also contains rules applicable to data transfers.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

In addition to the rules of the GDPR, companies need to consider whether the sector-specific laws contain additional provisions on data transfer.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

The NAIH applies the sanctions as listed in the GDPR (Article 58). Thus, depending on the circumstances of the case, the NAIH may, amongst other things:

(a) issue reprimands to a controller or a processor where the processing operations have infringed provisions of the GDPR;

(b) order the controller or the processor to comply with the data subject’s requests to exercise his or her rights pursuant to the GDPR;

(c) order the controller or processor to bring processing operations into compliance with the provisions of the GDPR, where appropriate, in a specified manner and within a specified period;

(d) order the controller to communicate a personal data breach to the data subject;

(e) impose a temporary or definitive limitation including a ban on processing;

(f) impose an administrative fine; and

(g) order the suspension of data flows to a recipient in a third country.

Under the GDPR, the maximum amount of the fine is EUR 20 million, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. However, it is worth noting that Hungary took advantage of the relevant opening clause of the GDPR (Article 83(7)) and the Infotv. contains a provision pursuant to which the maximum amount of fine that may be imposed on public authorities and bodies is set at HUF 20 million (about EUR 60,000).

10.2 Do individuals have a private right of action? What are the potential remedies?

Yes, under the GDPR individuals have the right to lodge a complaint with a supervisory authority and have the right to a judicial remedy against the controller or processor.

For example, the data subject may request the supervisory authority to order the controller to comply with his/her request (eg, right to access, right to erasure).

In addition, data subjects may claim compensation and/or a so-called “harm fee” at court. When claiming a harm fee, no damages have to be proven, only the fact that an infringement of the data subject’s right has taken place.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Hungary which affect privacy?

It is worth noting that the Labour Code contains rules on the processing of biometric data and criminal data in the context of employment. In addition, the Labour Code also governs the control by the employer of the use of devices by their employees.

In Hungary, there is also a Whistle-blowing Act which contains mandatory rules governing when an entity decides to set up a whistle-blowing hotline scheme.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

The draft ePrivacy Regulation is definitely a hot topic, even though one cannot be certain if there will actually be an ePrivacy Regulation and, if there will be, what it will contain. If adopted, the ePrivacy Regulation would most likely contain rules, amongst other things, on the use of cookies and the sending of direct marketing materials.

Another interesting topic is the implementation of the European Electronic Communications Code, due by 21 December 2020, which will bring over-the-top (“OTT”) messaging services (like WhatsApp, Facebook Messenger) within the scope of EU telecommunications regulation. This will certainly have an impact on such services and their providers.

A third topic will likely be the EU’s Whistleblowing Directive (Directive (EU) 2019/1937). This Directive has to be implemented by the Member States by 17 December 2021 (with a later deadline, 17 December 2023, for the obligation of private entities with 50 to 249 employees to establish internal reporting channels). Under the Directive (and, thus, the laws of the Member States implementing the same), for example, private entities employing at least 50 employees will be required to set up a whistleblowing system.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Hungary?

The NAIH has so far issued several fines on entities for the violation of the GDPR. The highest fine imposed was HUF 30 million (about EUR 90,000). Typically, the fines imposed range between HUF 1 million (about EUR 3,000) and HUF 10 million (about EUR 30,000) and they have typically been imposed for the violation of a data subject’s rights and the improper handling of data breaches.

The NAIH is in the practice of issuing opinion papers and recommendations. The documents are available on the website of the NAIH. Also, the resolutions of the NAIH are uploaded on its website and some of the resolutions also name the entity against which a sanction has been imposed.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

The GDPR entered into force on May 24, 2016 and became applicable as from May 25, 2018. The GDPR was adopted mainly due to the fact that there are huge global data controllers and processors and data security and transparency are of utmost importance.

12.2 What do you envision the privacy landscape will look like in 5 years?

As a result of the data protection authorities’ continuous efforts to ensure effective enforcement of the GDPR and data protection laws, companies will likely tend to become more cautious about data protection issues and will put more focus on ensuring that their data processing operations are transparent and comply with applicable data protection laws.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

The biggest challenge is probably to adapt to the regime brought about by the GDPR and to think in a data protection-cautious way.

At the same time, many of the provisions of the GDPR still need clarification through authority practice and case law.

It is an interesting question in itself whether courts will be willing to actively shape the landscape of data protection law or whether they would rather uphold the decisions of the supervisory authorities and be reluctant to go into the details of the legal issue at hand and change the decision of an authority when justified.


PRIVACY LAW – IRELAND

1 PRIVACY LAW

1.1 How is privacy regulated in Ireland?

As a common law system, all Irish laws are regulated by a mixture of statute (including EU directives) and judge-made case law. The primary authority regulating privacy in Ireland is the Data Protection Commission. It is governed by a number of legislative frameworks, primarily the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018, both of which are discussed in further detail below.

Ireland was traditionally quite proactive in the area of privacy regulation, and the original legislation dates back to the Data Protection Act 1988. Some parts of the Data Protection Acts 1988 and 2003 were retained by the Data Protection Act 2018 and can still apply, particularly where a complaint relates to breaches which occurred prior to the commencement of the GDPR on May 25, 2018.

Since May 25, 2018, the primary regulatory framework is the GDPR. As discussed in the EU chapter, it has general application to the processing of personal data in the European Union, providing for wider obligations on data controllers and processors and offering a higher level of protection for data subjects. Although the GDPR had direct effect throughout the European Union, the Data Protection Act 2018 was enacted to give effect to the GDPR in areas where Member States could give further effect to certain provisions, or had flexibility (for example, the GDPR allowed Member States to provide their own minimum digital age for consent).

Aside from the legislation highlighted above, Ireland is a common law system and privacy can also therefore be regulated by court decisions.

Even prior to the enactment of the GDPR, Ireland had perhaps seen more activity than many EU countries regarding data privacy, as many of the leading global social media and information technology multinationals use Ireland as their European base.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

The primary law is the GDPR. It is directly applicable throughout the European Union and, therefore, from May 25, 2018 has regulated privacy in Ireland. Additionally, the Data Protection Act 2018 acts as secondary legislation. The Data Protection Act 2018 enacted additional provisions where flexibility was permitted under the GDPR and formally established the office of the Data Protection Commission.

Marketing information and processing of personal data for advertising or marketing is governed by the GDPR and the Data Protection Act 2018, and does not have specific legislation. The Consumer Protection Act 2007 also applies to marketing practices if they are seen to be unfair; so, in theory, that could also be applied to a privacy complaint deriving from an unfair commercial practice.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

The primary source for enforcement is the Data Protection Commission. That office (in various guises) has been in place since the original Data Protection Act 1988. Following the introduction of the GDPR, a new Data Protection Commission was established. It is the national independent supervisory authority in Ireland, with responsibility for upholding the fundamental right of individuals to have their personal data protected. Its statutory powers, functions and duties derive from the Data Protection Act 2018, the GDPR, the EU Law Enforcement Directive, as well as from the Data Protection Acts 1988 to 2003. The Data Protection Commissioner is appointed by the Government, but is an independent role and exercises its functions independently.

Additionally, individuals who claim to suffer damage as a result of a data breach can bring proceedings for damages through the courts.

2 SCOPE

2.1 Which companies are subject to privacy law in Ireland?

See the European Union chapter, as the same will apply in Ireland.

2.2 Does privacy law in Ireland apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

Yes, Irish privacy law can, where applicable, apply to companies outside of Ireland. The Data Protection Act 2018 will also be relevant if a company, although based outside Ireland, is processing personal data in Ireland.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Ireland?

Personal data is defined in the GDPR (see the European Union chapter), and Ireland has adopted that definition.

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

Generally, this is covered by Article 9 of the GDPR. Further details are contained in the European Union chapter.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

The European Union chapter contains the key principles and Ireland will not differ in that respect.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

This is governed by the GDPR. The European Union chapter contains the relevant information, which would also be applicable in Ireland.


5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

Key obligations arise from the GDPR and are set out in the European Union chapter.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Ireland? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

The key regulations arise from the GDPR and are set out in the European Union chapter.

6.2 How are data breaches regulated in Ireland? What are the requirements for responding to data breaches?

Again, this is set out in the European Union chapter.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

Such rights are specified in the GDPR and are set out in the European Union chapter. Additionally, individuals have the right to take separate court proceedings for an injunction and/or damages.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

The principles of the GDPR apply and details are contained in the European Union chapter. Affirmative consent of the recipient is required.

Processing of personal data in the context of certain electronic communications (including, amongst other things, unsolicited electronic communications made by phone, email, and SMS) is subject to both the general laws set out in the GDPR and the specific laws set out in the ePrivacy Regulations 2011, under which the ePrivacy Directive 2002/58/EC (as amended by Directives 2006/24/EC and 2009/136/EC) was transposed into Irish law. The ePrivacy Regulations still apply in conjunction with the GDPR.

The key element in the ePrivacy Regulations, over and beyond the GDPR, is the confidentiality of communications. Processors cannot process the content of electronic communications beyond what is necessary for the provision of that service.

Section 30 of the Data Protection Act 2018 prohibits direct marketing to, or the micro-targeting of, children. The Act sets the defined age for a child (from a data perspective) as being under 16 years of age.


8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

The principles of the GDPR apply and details are contained in the European Union chapter. The ePrivacy Regulations also apply (see question 8.1 above). These require prior informed consent for the storage of, or access to, information stored on a user’s terminal equipment. The user must agree to the use of such tracking technologies before the website can use them.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

The GDPR will apply and provisions are as set out in the European Union chapter. There is presently an Irish Data Protection Commission investigation underway regarding online behavioral advertising, but the outcome of that investigation is, as yet, unknown.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

The notice and consent requirements are established by the GDPR and are set out in the European Union chapter.

8.5 Are there specific privacy rules governing data brokers?

These are set out in the GDPR and are explained in the European Union chapter.

8.6 How is social media regulated from a privacy perspective?

Generally, this would fall under the GDPR (see the European Union chapter). It is particularly relevant for Ireland, given that social media companies such as Facebook and Twitter have their European bases in Dublin. The Irish Data Protection Commission confirmed in late 2019 that, at that point in time, it had 11 separate investigations ongoing with Facebook or Facebook-related companies, and these included investigations regarding possible breaches of EU privacy rules.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

These are as set out in the European Union chapter on the GDPR.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

Yes, these are established under the GDPR and set out in the European Union chapter.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

Again, these are set out in the European Union chapter.


10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

There are a number of different claims/sanctions that can arise:

(a) administrative fines by the Data Protection Commissioner;

(b) civil claims by another controller or processor;

(c) criminal charges; and

(d) civil claims by an individual.

Possible administrative fines are based on the GDPR and are set out in the European Union chapter. If a controller or processor is ordered to pay such a fine due to the mistake of another, they can, in turn, bring a civil claim (see (b) above) against that third party (eg, another processor who they allege is actually liable). The Data Protection Act 2018 also provides for a number of criminal penalties, including fines and/or imprisonment, depending on the offense and whether it is a summary conviction or on indictment.

10.2 Do individuals have a private right of action? What are the potential remedies?

Yes; individuals can bring a private action in the courts for damages or other remedies, such as an injunction, arising out of a data breach. These can be brought in the Circuit Court or High Court. Such actions are rare, but the option is certainly there. The remedy would depend on the original breach and the damage caused, and any financial damages would generally be quantified.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Ireland which affect privacy?

No specific cultural issues relating to privacy.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

Possible amendments to the ePrivacy Regulations (see the European Union chapter). Future issues that will require attention include the use of biometrics, geolocation services and geotagging, and blockchain technology.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Ireland?

None, other than as set out above or highlighted in the European Union chapter.


12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

Clearly the GDPR has changed the landscape completely. The reasons for those changes are elucidated in detail in the European Union chapter.

12.2 What do you envision the privacy landscape will look like in 5 years?

Any continuing changes are likely to be on an EU-wide basis. Brexit, and the unknowns associated with that, may change the path slightly for Ireland, given our close association with the UK as a chief economic trading partner. Additionally, changing technologies will present continuing privacy challenges.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

From an Irish perspective, companies using Ireland as their EU base face considerable uncertainty, given the lack of any significant case law yet associated with the GDPR. Companies here face the risk of complaints from many different EU Member States being taken against them in Ireland, and have to deal with the resulting multi-jurisdictional challenges.


PRIVACY LAW – ITALY

1 PRIVACY LAW

1.1 How is privacy regulated in Italy?

In Italy, privacy is regulated by:

(a) Constitutional rights: Although the Italian Constitution does not contain a specific provision concerning data protection and privacy rights, Italian commentators agree in recognizing a constitutional value to such rights, considered as inviolable human rights of a new generation. Following the relevant case law on the matter, these rights may be inferred from the following Articles of the Italian Constitution:

(i) Article 2, recognising and guaranteeing inviolable human rights;

(ii) Article 3, establishing the principle of equality and granting the full development of individuals; and

(iii) Article 13, concerning the inviolable right to personal freedom.

(b) European law: From an EU regulation perspective, the main source of law is the EU General Data Protection Regulation (2016/679) (“GDPR”).

(c) National law: The first Italian privacy regulation was Law No 675 of December 31, 1996, implementing Directive 95/46/EC, the first example of a complete and systematic discipline on the matter, which considered privacy and data protection as fundamental rights. This law provided, eg, the conditions and modalities of personal data processing carried out by public and private entities as well as data subjects’ rights. It was repealed and replaced by Legislative Decree No 196 of June 30, 2003 (the “Data Protection Code”).

Following the entry into force of the GDPR, the Italian legislator issued Legislative Decree No 101 of August 10, 2018, which amended the Data Protection Code in order to adapt the national legislation to the GDPR.

As for interpretation and enforcement, the competent supervisory body is the Italian Data Protection Authority (the “Garante”), which also issues resolutions and guidelines aimed at interpreting the laws.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

(a) The primary source for data protection in the European Union and, consequently, Italy, is the GDPR.

(b) However, through the use of opening clauses, the GDPR provides the possibility for the Member States to regulate certain privacy aspects. Some of these opening clauses have been transposed into the Italian legal system by the Data Protection Code as amended, with the introduction of the Articles listed below, by way of example and not limited to:

(i) Article 2-ter, establishing that in case of data processing for the performance of a task carried out in the public interest or in the exercise of official authority, the legal basis for the processing is exclusively a rule of law or regulation (in cases provided for by the law itself);


(ii) Article 2-quater, according to which the Garante must adopt ethical standards for the processing of genetic, biometric and health data and for data processing based on Article 6(1)(c), (e) of the GDPR;

(iii) Article 2-septies, according to which the Garante must adopt safety measures for the processing of genetic, biometric and health data;

(iv) Article 2-octies, by which the Italian Ministry of Justice must adopt a decree identifying adequate guarantees for data subjects’ rights and freedoms to be adopted in processing data concerning criminal convictions and offences.

To date, some of the resolutions required by the Data Protection Code have not yet been adopted by the Garante, such as the provisions required by Articles 2-quater and 2-septies, nor has the Ministry of Justice issued a decree pursuant to Article 2-octies (see, further, question 3.2).

(c) With regard to the legal framework on the protection of personal data in the field of advertising, the following are important:

(i) the EU ePrivacy Directive, which has been implemented in Title Ten of the Data Protection Code as amended;

(ii) Law No 5 of January 11, 2018 on telemarketing, specifically on the registration and functioning of the opt-out register and establishment of national prefixes for calls for statistical, promotional and market research purposes (“Telemarketing Law”);

(iii) Resolution No 229 of May 8, 2014 issued by the Garante on simplified arrangements to provide information and obtain consent regarding cookies (“Cookie Regulation”);

(iv) Guidelines on marketing and against spam of July 4, 2013, issued by the Garante (“Guidelines on marketing and against spam”).

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

Italy does not have any self-regulatory body enforcing privacy law; rather, the Garante acts in this capacity. The Garante is an independent authority whose main purpose is to protect the fundamental rights and freedoms of data subjects by checking that data processing activities comply with national and European laws.

The Garante carries out several tasks. For instance, it:

(a) examines complaints lodged pursuant to national and European law;

(b) reports to the competent criminal bodies any facts that can be considered as crimes/felonies prosecutable ex officio, of which it becomes aware in the exercise of its duties or because of its function; and

(c) draws up an annual report on the activities it has carried out and the state of implementation of the privacy legislation.

2 SCOPE

2.1 Which companies are subject to privacy law in Italy?

See the European Union chapter.


2.2 Does privacy law in Italy apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

See the European Union chapter.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Italy?

See the European Union chapter.

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

See the European Union chapter.

Italy has made further provisions in the Data Protection Code:

(a) with regard to the processing of personal data concerning children, Article 2-quinquies of the Data Protection Code establishes that a child who is at least 14 years old (rather than 16, which is the age set by the GDPR) may consent to data processing in relation to an offer of information society services;

(b) with regard to the processing of genetic, biometric and health data, in accordance with Article 9(4) of the GDPR, Article 2-septies of the Data Protection Code establishes that the Garante will adopt a specific resolution detailing further safety measures;

(c) with regard to the processing of data concerning criminal convictions and offences, Article 2-octies of the Data Protection Code provides that the Italian Ministry of Justice will adopt a decree identifying adequate guarantees for data subjects’ rights and freedoms to be adopted in processing such data.

However, since the resolution concerning special categories of personal data and the decree about data concerning criminal convictions and offences have not yet been adopted, during this transitional period the Garante has issued Resolution No 146 of June 5, 2019 in order to identify which provisions contained in five general authorizations (applicable under the former legislation for the processing of sensitive and judicial data) are still effective, as being compatible with the GDPR and the Data Protection Code. These five general authorizations concern the following topics:

(a) processing of special categories of personal data in the employment relationship;

(b) processing of special categories of personal data carried out by associative bodies, foundations, churches and religious associations/communities;

(c) processing of special categories of personal data by private investigators;

(d) processing of genetic data; and

(e) processing of personal data carried out for scientific research purposes.


3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

See the European Union chapter.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

See the European Union chapter.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

See the European Union chapter.

In addition to the cases listed in Article 37 of the GDPR, Article 2-sexiesdecies of the Data Protection Code provides that the appointment of a data protection officer is also required in relation to the processing of personal data carried out by judicial authorities in the performance of their duties.

See also question 8 as regards privacy aspects concerning marketing.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Italy? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

See the European Union chapter.

6.2 How are data breaches regulated in Italy? What are the requirements for responding to data breaches?

See the European Union chapter.

Moreover, the Garante has issued a specific form to be used in case of data breach notification, in which the information listed within Article 33(3) of the GDPR has been detailed (see the Resolution of July 30, 2019 on the notification of personal data breaches).

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

See the European Union chapter.


The Data Protection Code provides certain limitations to the exercise of individual rights. Specifically:

(a) Article 2-undecies states that such rights cannot be exercised where a real and concrete detriment might arise in connection with:

(i) the interests protected by the legislation against money laundering;

(ii) the interests protected by the legislation aimed at supporting victims of extortion;

(iii) the activities carried out by the parliamentary inquiry committees set up under Article 82 of the Italian Constitution;

(iv) the activities carried out by a public body other than a profit-seeking public body, where this is expressly required by a law for purposes exclusively related to currency and financial policy, the system of payments, control of brokers and credit and financial markets and protection of their stability;

(v) defensive investigations or the exercise of a right in court; or

(vi) the confidentiality of the identity of an employee who reports an offence of which he has become aware by reason of his office (ie, a whistleblower).

(b) Article 2-dodecies of the Data Protection Code provides limitations to individual rights for the protection of judicial independence and judicial proceedings. The exercise of rights and the performance of obligations may be delayed, limited or excluded under certain conditions.

(c) Article 2-terdecies of the Data Protection Code states that the individual rights of Sections 15–22 of the GDPR concerning deceased persons may be exercised by persons having a personal interest, or acting in the name of the data subject as his/her agent, or acting for family reasons deserving protection (although, in relation to the offering of information society services, the deceased person can expressly forbid the exercise of his/her rights by another person, by means of a written declaration presented or communicated to the data controller, provided that the deceased person’s will is unequivocal, specific, free and informed). However, the exercise of such rights is not allowed when it is expressly forbidden by law.

In any case, the prohibition cannot affect the third parties’ patrimonial rights arising from the data subject’s death and the right to defend their rights in court.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

See the European Union chapter for privacy law obligations.

In addition, in the Italian framework, marketing communications are regulated by the Data Protection Code, which implements the ePrivacy Directive, and by the Guidelines on marketing and against spam.

In accordance with Article 130(1), (2) of the Data Protection Code, data processing for promotional purposes may be performed by way of automated or similar tools (eg, emails, faxes, SMS, or MMS) only if the data controller obtains the recipients’ prior consent (opt-in requirement). Moreover, the Garante has specified that it is forbidden to send marketing communications by such means without the recipients’ prior consent, even if the personal data has been taken from publicly available sources, websites or documents. The consent required for marketing communications performed by way of automated or similar tools must be freely given, informed and specific. To this end, data controllers should inform recipients clearly and appropriately by means of a proper notice containing all the elements listed in Article 13 of the GDPR and, in addition, information relating to the means used to send marketing communications, ie, automated phone calls and similar arrangements (faxes, emails, SMS and MMS) and/or traditional mechanisms (mail and operator-assisted calls).

Marketing messages are sometimes sent simultaneously to mailing lists; in this case, the addresses contained in the mailing list must not be visible to the other recipients (eg, by using blind carbon copy).

In relation to email and mail marketing, the data subject’s consent is not required in case of soft opt-in, under Article 130(4) of the Data Protection Code, if the following conditions are met:

(a) the data controller uses the email address provided by the data subject in the course of a previous sale of a product or service;

(b) the product or service advertised is similar to one previously sold (NB a purchase is necessary; a mere negotiation is not sufficient); and

(c) the data subject has been duly informed as to the purposes and modalities of the processing and he/she is given a simple opportunity to refuse or opt out of receiving marketing communications.

Moreover, again in accordance with the Guidelines on marketing and against spam, email service providers must ensure mutual authentication of their servers and install filtering systems to detect spam.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

See the European Union chapter.

In addition, in accordance with Article 122 of the Data Protection Code and the Cookie Regulation, cookies are regulated differently according to the purposes for which they are intended to be used.

Specifically, cookies may be distinguished into three major groups: technical cookies (including browsing or session cookies and functional cookies), analytic cookies and profiling cookies:

(a) In case of profiling cookies, the manager of the website visited by the user (“Publisher”) must:

(i) provide a simplified notice, consisting of an initial “short” notice in an overlay banner on the home page, which is supplemented by an “extended” notice to be accessed via a clickable hyperlink; and

(ii) obtain the user’s consent to use profiling cookies. In particular, the consent request for the use of cookies must be included in the banner displaying the short information notice.

The Publisher is the data controller in respect of the cookies installed directly by its own websites.

As to cookies placed by other websites or web servers (“Third-Party Cookies”), the Publisher cannot be considered a joint controller with these third parties, but only as a sort of technical intermediary between them and users. As such, the Publisher must provide users with a link to the third party’s website and its notice and consent wording. In order to do this, Publishers are required to obtain the links to the web pages containing the information and consent forms relating to Third-Party Cookies when entering into the related agreements.


(b) On the other hand, technical cookies do not require prior informed consent. The Publisher must provide notice in the modalities he/she deems most appropriate.

(c) Analytic cookies are assimilated to technical ones only when they are used:

(i) by the Publisher to collect aggregate information on the number of visitors and the pattern of visits to the website; or

(ii) by third parties, if suitable tools are adopted to reduce the identification power of the cookies (eg, by masking significant portions of the IP address) and the third parties undertake not to combine the data obtained from these cookies with other information already available to them.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

Targeted advertising is based on user profiling mechanisms.

According to the Guidelines on marketing and against spam, in the case of personal data processing for profiling purposes, the data subject must be provided with adequate, clear and complete information, specifying, eg, the purpose of such profiling and which mechanisms are expected to be used in data processing.

Moreover, so-called “targeted spam”, based on profiles of social network users, may increase, since the providers of such social network platforms tend to merge profiles from different services on a given platform in order to gather detailed information on users. Thus, users may receive messages customized to their interests and preferences. With regard to so-called “social spam”, see question 8.6 below.

Finally, concerning profiling cookies, please refer to question 8.2.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

See the European Union chapter.

8.5 Are there specific privacy rules governing data brokers?

See the European Union chapter.

8.6 How is social media regulated from a privacy perspective?

See the European Union chapter.

In addition, the Guidelines on marketing and against spam provide clarifications on the following specific cases that may occur to social network users:

(a) The user receives a marketing message from a company that has obtained his/her personal data from his/her public profile on a social network: In this case, the data processing is unlawful unless the sender can show proof of the recipient’s prior, specific and free consent under the terms of Article 130(1), (2) of the Data Protection Code;

(b) The user is a “fan” of a given company or has joined a group of followers of a given brand, personality, product or service and then receives marketing messages related to such brand, product, service or company: This data processing is lawful if it is clear and unequivocal that the recipient, by his/her behavior, also intended to express his/her consent to receiving marketing messages from that company.

On theotherhand, if the recipientunsubscribes from theabovementionedgroupor stopsfollowingthebrand,product,serviceorcompanyorobjectstofurthermarketingmessages,anymarketingmessagesentthereafterwillbeconsideredunlawful.

(c) Marketingmessagesaresenttoauser’scontacts(so-called“friends”)bycompaniesbyusingthephonenumbersoremailaddressesaccessiblewithinthesocialnetwork:Inthiscase,themarketingmessagesaresentlawfullyonlyifapriorspecificconsenthasbeenobtained.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

See the European Union chapter.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

See the European Union chapter.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

See the European Union chapter.

In addition, an unlawful data transfer damaging the data subject, made for purposes of gaining a profit or causing harm to a third party, is a crime punishable with imprisonment ranging from one to three years (Article 167 of the Data Protection Code).

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

See the European Union chapter.

In addition, Article 2-decies provides that personal data processed in violation of the relevant provisions of the law may not be used unless the Garante has indicated to the data controller or data processor the necessary amendments and additions to the processing activities and has verified their implementation.

Moreover, the following violations of the Data Protection Code can lead to criminal penalties:

(a) Unlawful data processing for purposes of gaining a profit or damaging data subjects (up to 18 months’ imprisonment).

(b) Unlawful processing of special categories of personal data and personal data relating to criminal convictions and offences for purposes of gaining a profit or damaging data subjects (up to three years’ imprisonment).

(c) Unlawful data disclosure and diffusion of an automated archive, or a substantial part of it, containing personal data being processed on a large scale for purposes of gaining a profit or harming third parties and damaging data subjects (up to six years’ imprisonment).

(d) Fraudulent acquisition of personal data in relation to large-scale data processing (up to four years’ imprisonment).

(e) Untrue declarations submitted to the Garante (up to three years’ imprisonment).

(f) Intentional interruption or disturbance of the regular proceeding before the Garante or the investigations carried out by the Garante (up to one year’s imprisonment).

(g) Failure to comply with provisions issued by the Garante (up to two years’ imprisonment).

(h) Failure to comply with other mandatory obligations relating to personal data protection of employees (criminal fine up to Euro 1,549 or up to one year’s imprisonment (or, in severe cases, both)).

10.2 Do individuals have a private right of action? What are the potential remedies?

See the European Union chapter.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Italy which affect privacy?

None.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

Considering the Garante’s 2018 annual report (the annual report for 2019 is not available yet), it is possible to highlight the following as hot topics:

(a) With regard to the protection of personal data in the public and private employment relationship, the Garante ruled several times on data processing carried out by means of devices which allow the tracking of the geographical location of vehicles and smartphones/tablets and therefore, indirectly, the location of the employees to whom such devices are entrusted for work.

With reference to the geolocation of company vehicles, the Garante prohibited further processing of data relating to employees through the use of a vehicle location system. Indeed, such processing is considered in breach of the principles of necessity and proportionality with respect to the pursued purposes.

(b) As regards marketing, profiling and processing of personal data, the Garante received thousands of reports. In addition, the Garante has recently updated the FAQs relating to unsolicited advertising calls, which also provide clarification on how to object.

In this field, please note that, following the Telemarketing Law, work is continuing for the adoption of the Presidential Decree aimed at amending the regulations in force on the registration and operation of the “do not call” register and repealing any regulations that are not in compliance with the current regulatory framework.

(c) The Garante issued an opinion on the draft Guidelines for access for scientific purposes to elementary data of Sistan (ie, the national statistical system).

Finally, please consider that a fundamental hot topic is the draft EU ePrivacy Regulation. See, further, the European Union chapter.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Italy?

To date, the Garante has issued few fines in relation to GDPR enforcement. Firstly, a fine of Euro 50,000 in respect of a failure to adopt adequate safety measures regarding the processing of users’ data of a web platform, in breach of Articles 32 and 83(4) of the GDPR.

Moreover, in January 2020, the Garante issued the highest fines ever (Euro 11.5 million and Euro 27 million) against two big players in the utilities field (energy and telco) for different unlawful behaviors, several of them connected with marketing (including telemarketing) and profiling.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

See the European Union chapter.

12.2 What do you envision the privacy landscape will look like in 5 years?

See the European Union chapter.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

See the European Union chapter.


PRIVACY LAW – LUXEMBOURG

1 PRIVACY LAW

1.1 How is privacy regulated in Luxembourg?

Privacy in Luxembourg is regulated by EU laws (notably the GDPR) and statutory law. The GDPR has been directly applicable in Luxembourg as of May 25, 2018.

Prior to the entry into force of the GDPR, the main source for privacy law in Luxembourg was the Law of August 2, 2002 (as amended) concerning the protection of individuals with regard to the processing of personal data. This Law transposed the Data Protection Directive 95/46/EC into national legislation.

The Law of August 1, 2018 on the organization of the National Data Protection Commission and the general data protection framework (“Law of August 1, 2018”) repeals the Law of August 2, 2002 and completes the GDPR at the national level. This new law entered into force on August 20, 2018. The Luxembourg legislator mainly focused on implementing some opening clauses, rather than imposing additional restrictions on the processing of personal data.

In the field of criminal and national security matters, the Luxembourg legislator adopted a separate act (Act of August 1, 2018 on the protection of individuals with regard to the processing of personal data in criminal and national security matters) to transpose the EU Police and Law Enforcement Directive 2016/680 into national law.

In addition to the general data protection legislative framework, sector-specific laws, as well as general guidance issued by the Luxembourg supervisory authority, cover the processing of certain categories of data (eg, processing of health data, processing for anti-money laundering purposes, processing of passenger name record data, processing in the context of social elections). The processing of health data in the context of insurance is currently the subject of a new bill.

The Luxembourg supervisory authority is the National Data Protection Commission (“CNPD”). The CNPD is responsible for monitoring and verifying that personal data are processed in compliance with data protection laws and notably the GDPR.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

The main source for data protection in Luxembourg is the GDPR.

In addition, the Law of August 1, 2018 provides for special rules for certain types of processing; e-privacy aspects are specifically regulated; and the advertising sector has adopted a self-regulatory framework. For other sector-specific laws, see question 1.1.

(a) The Law of August 1, 2018

The Law of August 1, 2018 contains specific rules for the following types of processing:

(i) Personal data processing for the purposes of surveillance in the employment context:

The processing of employees’ personal data for surveillance purposes can be carried out only in the cases mentioned in Article 6(1) of the GDPR and in compliance with the Labor Code.

307

Page 308: Privacy Law: A Global Legal Perspective - Bowmans

PRIVACY LAW – LUXEMBOURG

For such processing of personal data, including video surveillance, the employermust, prior to data processing, inform the employee(s) concerned and the staffrepresentatives (or, in certain cases, the Labor and Mines Inspectorate). Theinformation given must contain a detailed description of the purpose(s) of theproposedprocessing, themodalities of implementationof the surveillance systemand,ifappropriate,theretentionperiodofpersonaldataorthecriteriatodeterminethat period, aswell as a formal commitment of the employer not to use the datacollectedforapurposeotherthanthatexplicitlyprovidedforinthepriornotification.

In addition, data processing carried out for compliance with health and safetyprovisions, for monitoring the production process or employees’ performance(wheresuchprocessingistheonlymeanstodeterminetheemployees’salary),orforimplementing and monitoring a flexible-time arrangement, is subject to a jointdecision-making process between the employer and the staff delegation, exceptwheresuchdataprocessingisrequiredforcompliancewithalegalobligation.

Moreover, in all cases of processing employees’ personal data for surveillancepurposes, the staff representatives, or, in theabsenceof such representatives, theemployeesconcerned,may,within15daysafterbeinggiventheadvanceinformation,submitarequesttotheCNPDforaprioropiniononthecomplianceoftheenvisagedprocessing.TheCNPD thenhas to give anopinionwithin amonthof the referral,duringwhichtime,mattersaresuspended.

(ii) Processing and freedom of expression and information: Controllers who processpersonal data for the sole purpose of journalism or academic, artistic or literaryexpressionareexemptfromthefollowingrules:• prohibitiononprocessingspecialcategoriesofpersonaldata;• thelimitationonprocessingpublicjudicialdata;• therulesapplicabletotransferstothirdcountries;• theobligationtoprovidecertaininformationtothepersonsconcerned;and• theobligationtogiveaccesstodatasubjectsincertaincircumstances.

(iii) Processingforthepurposesofscientificorhistoricalresearchorstatisticalpurposes:The legislator has specified appropriate safeguards in respect of processing ofpersonaldata for scientificorhistorical researchpurposesor statisticalpurposes.Thesemeasures include,notably, theappointmentofadataprotectionofficer, theperformanceofanimpactassessment,useofanonymizationandpseudonymizationtechniques,promoting theawarenessof thestaff involvedabout theprocessingofpersonaldataandprofessionalsecrecy.Thedatacontrollermustbeabletojustifyanyderogationfromthesesafeguards.

Providedthatthesemeasuresareimplemented,thedatacontrollermay:• limitthedatasubjects’rightstoaccess,rectification,restrictionofprocessing

andobjectionwheretheywouldpreventorseriouslyimpairtherealizationoftheresearchproject;and

• processspecialcategoriesofpersonaldatanecessaryforarchivingpurposesinthepublicinterest,scientificorhistoricalresearchorstatisticalpurposes.

308

Page 309: Privacy Law: A Global Legal Perspective - Bowmans

PRIVACY LAW – LUXEMBOURG

(iv) Processingofspecialcategoriesofpersonaldata:Theprocessingofgeneticdataforthepurposesoftheexerciseofthespecificrightsofthecontrollerinthefieldoflaborlawandinsuranceisprohibited.

TheaforementionedrulesonthespecificprocessingpurposesapplytoalldatacontrollersanddataprocessorsestablishedinLuxembourg.

UndertheLawofAugust1,2018,thecertificationbodiesmustbeaccreditedbytheCNPD.

(b) E-privacyE-privacyaspectsareregulatedinLuxembourgbytwomaininstruments:(i) TheamendedActofMay30,2005concerningthespecificprovisionsforprotection

of the individual in respect of the processing of personal data in the electroniccommunicationssector,andamendingArticles88-2and88-4oftheCodeofCriminalProcedure(“ePrivacyLaw”);

(ii) ThelawofAugust14,2000onelectroniccommerce(“ElectronicCommerceLaw”).

See,further,question8.1.

(c) Self-regulatoryframeworksThe Commission Luxembourgeoise pour l’Ethique en Publicité (“CLEP”) acts as a self-regulatorybodyinLuxembourgfortheadvertisingsector.CLEPaimstomaintainstandardsofloyaltyandethicsforadvertisinginallmediathroughouttheGrand-DuchyofLuxembourg.CLEPhasenactedaCodeofEthicswhichsetsoutnon-compulsorygeneralguidelinesrelatingtoadvertising(the“AdvertisingCodeofEthics”).TheAdvertisingCodeofEthicsspecificallyregulatesonlinebehavioraladvertising(seequestion8.3).

1.3 Howisprivacylawenforced?Pleaseaddressbothregulatorsandself-regulatorybodies.

(a) RegulatorsDataprotectionlawsareenforcedbytheCNPDandbythestatecourts.

UndertheLawofAugust1,2018,theCNPDhasalltheinvestigative,corrective,authorizationandadvisorypowersreferredtoinArticle58oftheGDPR,notably:(i) tocarryoutinvestigations,(ii) toobtain,fromthecontrollerandtheprocessor,accesstoallpersonaldataandtoall

informationnecessaryfortheperformanceofitstasks,(iii) toissuewarnings,(iv) toimposeatemporaryordefinitivelimitation,includingaban,onprocessing,and

(v) toadvisethecontrollerinaccordancewiththepriorconsultationprocedure.

Inaddition,theCNPDmayimposeadministrativefinesassetoutinArticle83ofGDPRandorder, at the expense of the person sanctioned, the complete or partial publication of itsdecisions.

TheCNPDhasthepowertobringanyinfringementsoftheGDPRoroftheLawofAugust1,2018totheattentionofjudicialauthoritiesand,whereapplicable,thepowertoinitiatelegalproceedingsinconnectionwiththeabove.

309

Page 310: Privacy Law: A Global Legal Perspective - Bowmans

PRIVACY LAW – LUXEMBOURG

AnappealagainstthedecisionsoftheCNPDtakenpursuanttotheLawofAugust1,2018canbemadebeforetheAdministrativeTribunal,whichrulesonthemeritsofthecase.

(b) Self-regulatorybodiesThereisnoself-regulatorybodyresponsiblefortheenforcementofprivacylawsingeneral.

Inthefieldofadvertising,CLEPisresponsibleforenforcingtheprovisionsoftheAdvertisingCodeofEthics(includingthoseononlinebehavioraladvertising).

CLEPadvisestheadvertisingcommunityandhandlescomplaints.Itisalsoentitledtoactonitsowninitiative.CLEPcanaskformodificationsordecidetobananadvertisement,butitsdecisionsareonlybindingonmembersoftheLuxembourgAdvertisingCouncil(“CLP”).AnyadvertisermaybecomeamemberoftheCLPprovidedamembershipfeeispaid.

2 SCOPE

2.1 WhichcompaniesaresubjecttoprivacylawinLuxembourg?

SeetheEuropeanUnionchapter.

2.2 Does privacy law in Luxembourg apply to companies outside the country? If yes, are therespecificobligationsforcompaniesoutsidethecountry(eg,requiringacompanyrepresentativeinthecountry)?

AstotheprovisionsoftheGDPR,seetheEuropeanUnionchapter.

Therulesonspecificprocessingpurposes(eg,processingofemployeedataforsurveillancepurposes)undertheLawofAugust1,2018applyonlytodatacontrollersanddataprocessorsestablished inLuxembourg.

3 PERSONALINFORMATION

3.1 Howispersonalinformation/personaldatadefinedinLuxembourg?

SeetheEuropeanUnionchapter.

3.2 Whatcategoriesofpersonalinformation/personaldataareconsideredsensitive(eg,children,biometric, health, video, geo-location, financial)? Are there specific obligations aroundsensitiveinformation?

SeetheEuropeanUnionchapter.

Theprocessingofgeneticdataforthepurposesoftheexerciseofthespecificrightsofthecontrollerinthefieldoflaborlawandinsuranceisprohibited.Forspecificprocessingpurposes,seequestion1.2(a).

3.3 Whatarethekeyprivacyprinciplesthatcompaniesneedtofollowregardingtheirprocessingofpersonalinformation/personaldata(eg,transparency,choice,purposelimitation)?

SeetheEuropeanUnionchapter.

310

Page 311: Privacy Law: A Global Legal Perspective - Bowmans

PRIVACY LAW – LUXEMBOURG

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personalinformation/personaldata(eg,controllerversusprocessor)?Ifso,howdotheserolesaffectobligationsandcontractualrequirements?

SeetheEuropeanUnionchapter.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus onadvertising(eg,postingaprivacypolicy,keepingrecordsofprocessingoperations,appointingaprivacyofficer,registeringwithaprivacyauthority,conductingriskimpactassessments).

SeetheEuropeanUnionchapter.

InMarch2019,theCNPDpublishedalistofthetypesofprocessingoperationswhicharesubjecttotherequirementforadataprotectionimpactassessment(“DPIA”)underArticle35oftheGDPR.Thislistisnon-exhaustiveandincludesthefollowingprocessingoperations:

(a) processinginvolvinggeneticdata,incombinationwithatleastoneothercriterioncontainedin the European Data Protection Board’s adopted guidelines on DPIAs (the “Guidelines”).Healthprofessionalsprovidinghealthservicesarenotsubjecttothisrequirement;

(b) processing that includes biometric data for the purpose of identifying data subjects, incombinationwithatleastoneothercriterioncontainedintheGuidelines;

(c) processing involving the combination,matching or comparison of personal data collectedfromprocessingoperationswithdifferentpurposes(fromthesameordifferentcontrollers)whichproducelegaleffectsorhaveasimilarsignificantimpactonthedatasubject;

(d) processingwhichconsistsof,or includes,regularandsystematicmonitoringofemployees’activities,andwhichmayproducelegalorsimilarsignificanteffectswithregardtoemployees;

(e) processingof files likely tocontainpersonaldataof theentirenationalpopulation(exceptwhereaDPIAhasalreadybeencarriedoutaspartofageneralimpactassessment);

(f) processingforscientificorhistoricalresearchpurposesorforstatisticalpurposesasprovidedforintheLawofAugust1,2018;

(g) systematicmonitoringofthelocationofnaturalpersons;and

(h) processingbasedontheindirectcollectionofpersonaldatainconjunctionwithatleastoneother criterion contained in the Guidelines, where it is neither possible nor feasible toguaranteetherighttoinformation.

6 DATASECURITYANDBREACH

6.1 HowisdatasecurityregulatedinLuxembourg?Isthereaminimumstandardforsecuringdata?Ifso,arethereanyresourcestohelpcompaniesaddressthisstandard?

SeetheEuropeanUnionchapter.

311

Page 312: Privacy Law: A Global Legal Perspective - Bowmans

PRIVACY LAW – LUXEMBOURG

6.2 HowaredatabreachesregulatedinLuxembourg?Whataretherequirementsforrespondingtodatabreaches?

SeetheEuropeanUnionchapter.

TheCNPDpublishedonitswebsiteadatabreachnotificationformtohelpcompaniestonotifydatabreachesinduetime.

7 INDIVIDUALRIGHTS

7.1 Whatprivacyrightsdoindividualshavewithrespecttotheirpersonalinformation/personaldata?

SeetheEuropeanUnionchapter.

8 MARKETINGANDONLINEADVERTISING

8.1 Howaremarketing communications (eg, emails, texts, pushnotifications) regulated fromaprivacyperspective?

MarketingcommunicationsareregulatedbyGDPRrules(seetheEuropeanUnionchapter).

In addition, commercial communications are regulatedbyElectronicCommerceLawand ePrivacyLaw. The Electronic Commerce Law defines “commercial communications” as any form ofcommunicationdesignedtopromote,directlyorindirectly,thegoods,servicesorimageofacompany,organization or person pursuing a commercial, industrial or craft activity or exercising a liberalprofession.Thefollowingdonotinthemselvesconstitutecommercialcommunications:• informationallowingdirectaccesstotheactivityofthecompany,organizationorperson,in

particularadomainnameoranelectronic-mailaddress;• communications relating to the goods, services or image of the company, organization or

person compiled in an independent manner, particularly when this is without financialconsideration.

Commercialcommunicationsmustcomplywiththefollowingrequirements:(a) commercialcommunicationsmustbeclearlyidentifiableassuch;

(b) thenaturalorlegalpersononwhosebehalfthecommercialcommunicationsismademustbeclearlyidentifiable;and

(c) promotionalcontests,offersorgamesmustbeclearlyidentifiableassuch,andtheirconditionsof participation must be easily accessible and presented in a precise and unambiguousmanner.

Unsolicited commercial communications by electronic mail must be identifiable clearly andunambiguouslyonreceiptby therecipient.Thepracticeofsendingelectronicmail forpurposesofdirect marketing, disguising or concealing the identity of the sender on whose behalf thecommunicationismade,orwithoutavalidaddresstowhichtherecipientmaysendarequestthatsuchcommunicationscease,isprohibited.

When sendingunsolicited commercial communications tonaturalpersons, the general rule is thatpriorconsentoftherecipientisrequired(“opt-in”mechanism).

312

Page 313: Privacy Law: A Global Legal Perspective - Bowmans

PRIVACY LAW – LUXEMBOURG

However,thereisanexception(“opt-out”mechanism),whereanaturalorlegalpersonobtainsfromitscustomerstheirelectroniccontactdetailsforelectronicmail,inthecontextofthesaleofaproductor a service, the same natural or legal personmay use these electronic contact details for directmarketingofitsownsimilarproductsorservices,providedthatcustomersare,clearlyanddistinctly,giventheopportunitytoobject,freeofchargeandinaneasymanner,tosuchuseofelectroniccontactdetailswhen theyarecollectedandon theoccasionofeachmessage incase thecustomerhasnotinitiallyrefusedsuch.Thisexceptionmustbeinterpretedrestrictively.

8.2 How is theuseof tracking technologies (eg, cookies,pixels, SDKs) regulated fromaprivacyperspective?

SeetheEuropeanUnionchapter.

8.3 Howistargetedadvertisingandbehavioraladvertisingregulatedfromaprivacyperspective?

SeetheEuropeanUnionchapter.

TheAdvertisingCodeofEthicsspecificallyregulatestheonlinebehavioraladvertising.

Onlinebehavioraladvertisingmustbeclearlyidentifiableassuch.Theuseofaspecificsymbolwhichisapparent,distinguishablefromthecontentofthemessageandperfectlyvisibleandlegible,shouldmakeitpossibletoinformthepublicaboutthebehavioralnatureofadvertising.

Adedicatedspaceshouldalsoprovidethepublicwithclearinformationonthedifferentpossibilitiesforrefusingoracceptingthedisplayofbehavioraladvertising,includingthemodalities:(a) toconsenttocookies;(b) todeletecookies;and(c) toobjecttothedisplayofanybehavioraladvertising(“opt-out”systems).

Professionalsshouldrefrainfromcreatingspecificcategoriesofadvertisingappealingtotheinterestsofchildrenof12yearsorunder.

8.4 What type of notice and consent do advertisers need to share data with third parties forcustomermatching(eg,FacebookCustomAudiencesorviaLiveRamp)?

SeetheEuropeanUnionchapter.

8.5 Aretherespecificprivacyrulesgoverningdatabrokers?

SeetheEuropeanUnionchapter.

8.6 Howissocialmediaregulatedfromaprivacyperspective?

SeetheEuropeanUnionchapter.

8.7 Howareloyaltyprogramsandpromotionsregulatedfromaprivacyperspective?

SeetheEuropeanUnionchapter.

313

Page 314: Privacy Law: A Global Legal Perspective - Bowmans

PRIVACY LAW – LUXEMBOURG

9 DATATRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions ontransferringdataoutsidethecountryorbetweengroupcompanies)?

SeetheEuropeanUnionchapter.

9.2 Arethereanyotherissuescompaniesneedtoconsiderwhentransferringdata(eg,privilegeissueswhentransferringdatabetweengroupcompanies)?

SeetheEuropeanUnionchapter.

10 VIOLATIONS

10.1 Whatarethepotentialpenaltiesorsanctionsforviolationsofprivacyordatasecuritylaw?

SeetheEuropeanUnionchapter.

RegardingsanctionsforbreachoftheprovisionsoftheLawofAugust1,2018:

(a) FordelayincomplyingwithanorderbytheCNPDtoprovideinformationorwithacorrectivemeasureenjoinedbytheCNPD:theCNPDhasthepowertoimposeperiodicpenaltypaymentsofuptofivepercentoftheaveragedailyturnovergeneratedbythedatacontrollerordataprocessorduringthelastfinancialyearperdayofdelay;

(b) Anypersonwhowillfullypreventsorimpedes,inanyway,theexecutionofthetasksoftheCNPDmaybesentencedtoimprisonmentforaperiodofbetween8daysand1yearand/orafineofbetween251and125000euros;and

(c) Violation of the rules on the processing of an employee’s personal data for surveillancepurposesmayresultinafineofupto125000eurosand/orimprisonmentofuptooneyear.

10.2 Doindividualshaveaprivaterightofaction?Whatarethepotentialremedies?

SeetheEuropeanUnionchapter.

11 MISCELLANEOUS

11.1 ArethereanyrulesthatareparticulartothecultureofLuxembourgwhichaffectprivacy?

None.

11.2 Arethereanyhottopicsorlawsonthehorizonthatcompaniesneedtoknow?

Therearetwohottopicsintheprivacylandscapeatthemoment:

(a) Brexit:ConsideringtheuncertaintiessurroundingadataflowsdealwiththeUnitedKingdom,the CNPD has published guidelines on the consequences of Brexit for international datatransfers. These guidelines aim to help companies, public bodies and LuxembourgassociationsthataretransferringpersonaldatatotheUK.

314

Page 315: Privacy Law: A Global Legal Perspective - Bowmans

PRIVACY LAW – LUXEMBOURG

CompaniesconcernedshoulddeterminewhichoftheGDPRappropriateguaranteesisbestsuitedfortheirorganization,andshouldensurethatsuchguaranteesareinplacebyJanuary31,2020.

According to the CNPD, the conclusion of standard data protection clauses between theLuxembourg entity in question and the UK data importer may be the best option forbusinesses.

(b) Certification schemes: In July 2019, the CNPD published an updated draft version of theaccreditation requirements for certification bodies that wish to certify data processingoperationsaccordingtothecriteriaofGDPR-CARPA.

Thefinalversionsoftheaccreditationrequirementsforcertificationbodies,thecertificationmechanism,andthecertificationcriteriaofGDPR-CARPAwillbepublishedafterobtainingtheopinionoftheEuropeanDataProtectionBoard.

11.3 Is there any other information not covered in this chapter that companies need to know,includinggeneraladviceorcautionsaroundprocessingpersonalinformation/personaldatainLuxembourg?

After the entry into force of the GDPR, the CNPD published several guidelines clarifying certainsensitiveprivacyissues(videosurveillance,socialelections,dashcams,therightofpublicityetc).Whilenotbinding,theseguidelineswillmostlikelybethemainsourceforthecourtswheninterpretingGDPRprovisions. Therefore, companies shouldmake sure their processing activities complywith CNPDguidelines.

12 OPINIONQUESTIONS

12.1 Whatchanges in theprivacy landscapehaveyouobservedover thepast fewyears? Inyouropinion,whatpropelled/triggeredthesechanges?

SeetheEuropeanUnionchapter.

The entry into application of the GDPR was accompanied by an increased awareness amongprofessionalsandindividualsaboutprivacychallenges,andhasledtoasignificantincreaseininquirieswiththeCNPD.

AccordingtotheCNPD’s2018annualreport,thenumberofwrittenrequestsandcomplaintsdoubledcomparedtopreviousyears.Mostcomplaintsconcernedtherightsofdatasubjects(righttoaccessandrighttobeforgotten),theretentionperiods,andthecomplianceofgeneraltermsandconditionsofe-commercewebsiteswiththenewdataprotectionrules.

12.2 Whatdoyouenvisiontheprivacylandscapewilllooklikein5years?

SeetheEuropeanUnionchapter.

12.3 Whataresomeofthechallengescompaniesfaceduetothechangingprivacylandscape?

SeetheEuropeanUnionchapter.

In 2018, the CNPD started to implement proactive investigations. These investigations are carried out in the form of thematic audits on the new obligations under the GDPR. For instance, in 2018, several audit procedures were commenced to check the compliance of data controllers with the rules concerning the appointment of data protection officers.


PRIVACY LAW – THE NETHERLANDS

1 PRIVACY LAW

1.1 How is privacy regulated in the Netherlands?

Privacy is regulated on two levels in the Netherlands: on the level of the European Union and on national level.

On the level of the European Union, the EU General Data Protection Regulation (“GDPR”) is the most important applicable source of law, which came into force in May 2018. The GDPR covers all aspects of privacy law concerning the processing of personal data.

On national level, privacy is regulated in a couple of different sources. The right to privacy has been part of the Dutch Constitution since 1983 and is described in Article 10(1) as the right to respect for his/her privacy. This right encompasses privacy in the home, regarding correspondence, communication by telephone, telegraph and other private means of communication, the right to not be watched or overheard in private situations, the right to careful treatment of personal data, and the right to respect for inner life and physical integrity. Several of these aspects of privacy have a specific constitutional guarantee in other Articles of the Dutch Constitution.

The second and third paragraphs of Article 10 include two mandates given to the legislator: the legislator must establish laws that provide rules for the protection of privacy regarding the recording and provision of personal data; and the law must regulate the right of access and the right to correct inaccurate personal data. The GDPR accommodates most of the legislation required by Article 10(2), (3) of the Dutch Constitution. Other aspects are covered by the Dutch GDPR Implementation Act (“Implementation Act”) and, for national security and the processing of personal data for detection and criminal prosecution, in the Police Data Law and the Judicial and Criminal Records Law (“WJSG”).

Together with the GDPR, the Netherlands has adopted the Dutch Implementation Act. The GDPR and the Implementation Act replaced the Personal Data Protection Act (“Wbp”), which was an implementation of the EC Data Protection Directive and largely regulated privacy on a national level.

A final source of law that governs data protection in the Netherlands is the Dutch Telecommunications Act. The Telecommunications Act is derived from the ePrivacy Directive and governs data protection aspects such as cookies. Once the ePrivacy Regulation comes into force, it will replace the Telecommunications Act.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

The GDPR forms the primary source for data protection in the European Union and therefore in the Netherlands. The GDPR, as any EU Regulation, is directly applicable in all EU Member States and does not have to be implemented. The GDPR covers most aspects of data protection. However, the GDPR contains a couple of opening clauses, permitting EU Member States to introduce (more restrictive) national rules on certain privacy aspects.

The Implementation Act broadly covers two topics: firstly, it establishes the position and powers of the Dutch data protection authority (“AP”) as the supervisory authority; and secondly, it gives substance to the opening clauses regarding the special categories of personal data.

318

Page 319: Privacy Law: A Global Legal Perspective - Bowmans

PRIVACY LAW – THE NETHERLANDS

Certainaspectsofmarketingactivities,includingdirectmarketingbye-mailortelephoneareregulatedintheTelecommunicationsAct(seequestion8.1).

1.3 Howisprivacylawenforced?Pleaseaddressbothregulatorsandself-regulatorybodies.

TheNetherlandshasonlyonedataprotectionauthority,theAP.TheAPistaskedwithmonitoringtheGDPR, the ImplementationAct,andother lawsprotectingpersonaldata. Incaseofabreachof theprovisionsoftheGDPR,theAPisauthorizedtoimposeadministrativefines.TheImplementationActdoesnotgranttheAPanypowersbeyondthosesetoutintheGDPR.

Asindicatedinquestions1.1and1.2,certainprivacyaspectsareregulatedoutsideoftheGDPRandImplementation Act, in the Telecommunications Act. The supervisory authority for theTelecommunicationsAct(amongstothers)istheAuthorityforConsumersandMarkets(“ACM”).TheACMcanimposefinesforbreachoftheTelecommunicationsAct.

TheNetherlandsdoesnothaveanyself-regulatorybodiesthatenforceprivacylaw.

2 SCOPE

2.1 WhichcompaniesaresubjecttoprivacylawintheNetherlands?

SeeEuropeanUnionchapter.

InadditiontothescopeoftheGDPR,theImplementationActappliestocompanies,whocontrolorprocesspersonaldata,whichareestablishedintheNetherlands,irrespectiveofwhetherornotthedata subjects are in the European Union. The Implementation Act also applies to companiesestablishedoutsidetheEuropeanUnioniftheprocessingofpersonaldataislinkedtoactivitiesintheNetherlands(seequestion2.2).

2.2 Does privacy law in the Netherlands apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

Yes, privacy law applies to companies outside the Netherlands on the basis of:

(a) the GDPR: in situations where the GDPR is applicable, it applies to companies outside the Netherlands (see the European Union chapter);

(b) the Implementation Act: the Implementation Act applies to controllers and processors that are not established in the European Union, if the processing of personal data of data subjects in the Netherlands is linked to:

(i) offering goods and services to data subjects in the Netherlands, regardless of whether a payment by the data subjects is required; or

(ii) monitoring the behavior of such data subjects, insofar as this behavior takes place in the Netherlands.


3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in the Netherlands?

“Personal data” is defined by Article 4(1) of the GDPR (see the European Union chapter).

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

The categories of personal data that are considered sensitive can be found in Article 9(1) of the GDPR. See the European Union chapter for comments on these categories. There are no specific obligations around sensitive information, other than the obligations in the GDPR.

In addition to the exemptions to process sensitive personal data as defined in the GDPR, Articles 22–30 of the Implementation Act provide exceptions that legitimize the processing thereof. There are exceptions concerning:

(a) processing necessary for the fulfilment of legal obligations;

(b) processing personal data revealing racial or ethnic origin;

(c) processing personal data revealing religious beliefs;

(d) processing of genetic data;

(e) processing of biometric data;

(f) processing of data concerning health; and

(g) processing of data relating to criminal law matters.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

See the European Union chapter.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

See the European Union chapter.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

See the European Union chapter.


6 DATA SECURITY AND BREACH

6.1 How is data security regulated in the Netherlands? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

See the European Union chapter.

In order to help companies address the data security standards prescribed in the GDPR, the AP has issued online guidance and Q&As on this topic and on the topic of data breach registration.

6.2 How are data breaches regulated in the Netherlands? What are the requirements for responding to data breaches?

See the European Union chapter.

In addition, financial companies governed by the Financial Supervision Act are exempted from the requirement to notify the data subject in case of a data breach.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

See the European Union chapter.

In addition, the Implementation Act contains an exemption to a data subject’s right under the GDPR not to be subject to a decision based solely on automated processing, including profiling. The exemption applies to situations where automated individual decision-making (other than profiling) is necessary for compliance with a legal obligation to which the controller is subject, or for the performance of a task carried out for reasons of public interest.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

See the European Union chapter for privacy law obligations.

The collection of personal data that will later be used for direct marketing purposes always requires a legal basis in the sense of Article 6 of the GDPR. Which rules apply to the use of the personal data for direct marketing depends on the type of direct marketing, and on whether or not the direct marketing is aimed at existing or future customers.

Three types of direct marketing can be identified, each with their own set of rules under the Telecommunications Act:

(a) Digital direct marketing: The general rule is that digital direct marketing can only be sent (by email, text or WhatsApp) if prior consent has been obtained from the data subject. There is one exemption to this rule, namely that permission is not required for offers aimed at existing customers, provided that the offer concerns the company’s own, similar products.

In addition to their rights under the GDPR, the Telecommunications Act also provides data subjects with the right to object to the use of their personal data for digital direct marketing. Data subjects should be given a clear, explicit and free-of-charge opportunity to express their objection to processing every time they receive digital direct marketing. If the right is invoked, the company is no longer allowed to send digital direct marketing to the data subject concerned.

(b) Telemarketing: The general rule for telemarketing is that, if the personal data was acquired legitimately, permission is not required to telephone a data subject. However, the Telecommunications Act contains two exceptions to this rule:

(i) if the data subject has invoked the right to object to the use of their personal data for telemarketing purposes, the company is no longer allowed to call the data subject in question; and

(ii) if the telephone number of the data subject is listed in the Do Not Call Registry, although this exception does not apply to existing customers, whom the company is allowed to call with an offer for its own, similar products and services. However, under all circumstances and during every conversation, the data subjects should be made aware of their right to object and of the possibility to register in the Do Not Call Registry.

(c) Advertising by post: The last category of direct marketing as defined in the Telecommunications Act is advertising by post. Different rules apply to existing customers and future customers. However, if the data subject has invoked his/her right to object, it is no longer permitted to send them advertising by post, irrespective of whether they are existing or future customers.

(i) Existing customers: Personal data of existing customers is most likely collected for a processing purpose other than direct marketing. In order to process such personal data, it should be assessed whether or not the direct marketing purpose is compatible with the initial purpose. If the purposes are compatible, advertising by post can be sent to the data subject without prior consent. If the current purpose is not compatible, it is necessary to acquire the prior consent of the data subject.

(ii) Future customers: Advertising by post to future customers requires permission of the data subject, or that the company has a legitimate interest (invoking this GDPR basis is not excluded according to recital 47 of the GDPR).

(iii) Postfilter: If a data subject is registered in the Postfilter registry, no advertising by post may be sent. Advertising by post can still be addressed to existing customers who are registered in the Postfilter registry. However, if they object to this practice the company must refrain from sending advertising by post.

Besides the provisions of the Telecommunications Act, two self-regulatory codes are applicable in the Netherlands to marketing communications: the Email Code 2012 and the Telemarketing Code 2012 (“CTM”). The Email Code applies to unsolicited advertisements via email, and the CTM applies to telephone conversations between telemarketers and consumers, where consumers are telephoned using a Dutch telephone number.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

See the European Union chapter.


In addition to the GDPR rules, the Netherlands has a stricter regime that applies to the use of tracking cookies. This stricter regime follows from the Telecommunications Act, which implemented the ePrivacy Directive and regulates the use of tracking technology.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

See the European Union chapter, question 8.2.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

See the European Union chapter.

8.5 Are there specific privacy rules governing data brokers?

See the European Union chapter.

8.6 How is social media regulated from a privacy perspective?

See the European Union chapter.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

See the European Union chapter.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

See the European Union chapter.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

See the European Union chapter.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

See the European Union chapter.

In addition to the penalties and sanctions set out in the GDPR, the following additional penalties and sanctions are available in the Netherlands for violations of the GDPR:

(a) the maximum administrative fine can be imposed for violation of Article 10 of the GDPR (personal data relating to criminal convictions and offences); and

(b) fines may also be imposed on public authorities.


10.2 Do individuals have a private right of action? What are the potential remedies?

See the European Union chapter.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of the Netherlands which affect privacy?

No.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

See the European Union chapter.

The hottest topic is the draft ePrivacy Regulation: when it enters into force it will replace the ePrivacy Directive, and therefore the rules of the Telecommunications Act that implement it.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in the Netherlands?

After a period of restraint, the AP has started to take the following enforcement actions:

(a) as of January 1, 2020, it has imposed a ban on the processing of national identification numbers by the Dutch Tax Authority;

(b) it imposed an incremental penalty payment on the Employment Insurance Agency (a government agency) for not implementing the appropriate security measures for the employer login portal; and

(c) it imposed a fine on the Haga Hospital for failing to have the internal security of its patient files up to standard.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

See the European Union chapter.

12.2 What do you envision the privacy landscape will look like in 5 years?

See the European Union chapter.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

See the European Union chapter.


PRIVACY LAW – POLAND

1 PRIVACY LAW

1.1 How is privacy regulated in Poland?

In Poland, the issue of privacy and personal data protection was regulated for the first time by the Constitution of the Republic of Poland of April 2, 1997. In addition, the provisions of the Polish Civil Code on the personal interests of natural persons grant individuals protection with respect to their rights on personal information.

The first comprehensive regulation on privacy was set out in the Act of August 29, 1997 on Personal Data Protection (“PDP”), which implemented the Data Protection Directive 95/46/EC into the Polish legal system.

The entry into force of the European General Data Protection Regulation (“GDPR”) had a great influence on the current Polish data protection regime. The PDP has been repealed and replaced by a new legal framework, implementing and supplementing the GDPR, consisting of:

(a) the Personal Data Protection Act of May 10, 2018 (“PDPA”), which mainly covers institutional and organizational matters (ie, certification mechanisms, operations of the data protection regulator etc); and

(b) the Act of February 21, 2019 amending certain Acts in connection with the implementation of the GDPR (“Amending Act”), which introduces changes to almost 170 Polish sector-specific regulations, such as those concerning banking or telecommunications law.

These together constitute the universally binding law in the territory of Poland (there are no specific local regulations governing this issue).

The purpose in adopting these new national rules was to adjust the Polish legal system to the requirements set forth by the GDPR, which is directly applicable and remains the most significant legal source of data protection rules in Poland. Therefore, only specific aspects which fall outside the scope of the chapter on the European Union will be discussed more broadly below.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

As discussed above, the main and primary source of law regulating privacy in Poland is the GDPR. Nevertheless, as the GDPR leaves open clauses for national regulation, the PDPA sets out some derogations from the GDPR. The most relevant are:

(a) Article 2: activities consisting of editing, preparing, creating or publishing press materials and data for the purpose of artistic or literary expression are exempted from certain obligations (eg, to provide privacy notices);

(b) Articles 3–5a: conducting public services by data controllers, if related to the performance of public duties, is exempted from complying with certain obligations (eg, to provide privacy notices and respond to subject access requests);

(c) Article 6: the processing of data by entities in the public finance sector is fully exempt if such processing is necessary to perform tasks in the interests of national security; and

(d) Article 6a: performance of the constitutional and statutory competences of the President of the Republic of Poland, to the extent not covered by national security, is exempted from complying with certain obligations.

Apart from the PDPA, many provisions regulating personal data protection issues are provided for in sector-specific regulations. In this regard the Amending Act has introduced many changes, including changes to the laws regulating marketing activities. It specifically addresses the provisions on the consent which must be collected from subscribers or end users, and which has to meet the requirements of data protection law. In Polish law there is an obligation to obtain permission for, eg, direct marketing by phone or for placing cookies.

In addition, the guidelines issued by the Personal Data Protection Office (“PDPO”) may be helpful for a proper understanding of the data protection regulations. There are currently several such guidelines. They refer to many issues related to personal data protection; eg, one describes the regulator’s approach to data breaches. The guidelines are available, in Polish, on the official website of the PDPO.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

The PDPA established a new supervisory authority, the President of the PDPO, which has replaced the Inspector General for Personal Data Protection. The main role of the PDPO is to ensure compliance with the GDPR, the PDPA and other data protection laws in Poland.

In addition to the powers set out in Article 58 of the GDPR, the PDPO has some additional powers; eg, any assumptions and draft legal acts concerning matters related to personal data protection must be presented to the PDPO for its opinion. Moreover, the PDPO is authorized to request the competent authorities to undertake a legislative initiative or to issue or modify legal acts in matters related to personal data protection.

Pursuant to the PDPA, the President of the PDPO is entitled to carry out inspections regarding compliance with personal data protection regulations. Such inspections are carried out by a person authorized by the PDPO President, being an employee of the PDPO or a member or an employee of a supervisory authority of an EU Member State. Such an inspection must meet certain legal requirements (eg, with regard to timeframe).

Please note that there is no self-regulatory body in Poland enforcing privacy law.

2 SCOPE

2.1 Which companies are subject to privacy law in Poland?

See the European Union chapter.

2.2 Does privacy law in Poland apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

See the European Union chapter.


The PDPA protects the rights of natural persons with regard to the processing of personal data within the scope specified in Article 3 of the GDPR. There are no other specific national provisions governing this issue.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Poland?

The PDPA does not provide any local derogations from the definitions set out in the GDPR. Therefore, “personal data” should be understood in accordance with the definition contained in Article 4(1) of the GDPR (see the European Union chapter).

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

See the European Union chapter.

In addition, Polish regulations on personal data protection contain specific rules on the processing of sensitive personal data with respect to the following entities:

(a) representatives of the Supreme Audit Office are entitled to process personal data, except for data revealing political opinions, religious or philosophical beliefs, as well as genetic data and data on addictions, sex life or sexual orientation;

(b) the Commissioner for Human Rights and the Commissioner for Children’s Rights may process sensitive personal data for the purpose of fulfilment of their legal tasks;

(c) the State Fire Service is permitted to process sensitive personal data in order to recruit its members;

(d) the Polish National Bank may process, eg, biometric data relating to fingerprints, voice, hands and veins of fingers or hands from providers of services to the Polish National Bank or persons transporting assets with monetary value;

(e) universities and other academic institutions may process sensitive personal data for scientific purposes, provided that it does not allow for the identification of any data subject; and

(f) employers are allowed to process employees’ biometric data without the employees’ consent if it is necessary to ensure control over access to particularly important information or to premises requiring special protection.

Apart from the above, processing of personal data for purposes linked to the activities of police and criminal justice authorities must meet the requirements included in the Act of December 14, 2018 on the Protection of Personal Data Processed in connection with the Prevention of and Fight against Crime.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

See the European Union chapter.


4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

See the European Union chapter.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

See the European Union chapter.

Pursuant to the obligation deriving from Article 37(7) of the GDPR, the PDPA provides for a notification obligation regarding the designation of a data protection officer (“DPO”). The designation of a DPO must be notified to the President of the PDPO within 14 days from the date of the designation. The notification should be drawn up in electronic format and requires a qualified electronic signature or a signature confirmed by a Polish trusted profile at the ePUAP (Polish Electronic Platform for Public Administration Services), which is a free-of-charge method of authentication of a citizen’s identity in e-government systems.

Furthermore, the controller or processor must, immediately after the designation, make the data concerning the DPO available on its website or in a generally accessible manner at its place of business.

In the event of the designated DPO’s absence, a person may be appointed to act as a DPO (a deputy). The appointment of a deputy DPO should be notified to the President of the PDPO in the same way as that for a DPO.

In addition, the PDPA specifies which “public authorities” must appoint a DPO; namely: units of the public finance sector, research institutes and the National Bank of Poland.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Poland? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

See the European Union chapter.

6.2 How are data breaches regulated in Poland? What are the requirements for responding to data breaches?

Under the PDPA, the PDPO has the competence to introduce an online system enabling controllers to report data breaches. However, at present, no such system is available.

Instead, data breaches can be notified to the PDPO electronically by completing a form available on the PDPO’s website. The notification must be submitted in Polish. In case of a cross-border data breach, the controller must analyze whether the lead supervisory authority regarding the processing activities covered by the breach is the PDPO or another European supervisory authority.

Please note that EU Regulation 611/2013 on the notification of personal data breaches is directly applicable in Poland. Therefore, some additional data breach notification obligations apply to providers of publicly available telecommunications services (eg, a shorter period of time for responding to a personal data breach).

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

See the European Union chapter.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

See the European Union chapter.

With respect to marketing communications, not only data protection law, but also the Act of July 16, 2004 on Telecommunications (“TL”) and the Act of July 18, 2002 on the Provision of Electronic Services (“APES”) must be taken into account.

Due to the entry into force of the Amending Act, some provisions of the TL and APES have been changed. The main amendments refer to the consent of subscribers or end users, which has to comply with the provisions on personal data protection. For example, consent is required in order to:

(a) use telecommunications terminal equipment and automated calling systems for the purposes of direct marketing; or

(b) send commercial information by electronic means of communication, including, but not limited to, electronic mail.

Therefore, sending commercial information (eg, by email or SMS) to a natural person is permitted solely upon the recipient’s prior consent, which cannot be presumed and can be revoked at any time. The same applies to direct marketing using telecommunications terminal equipment or automated calling systems.

According to a recent decision of the President of the Office of Competition and Consumer Protection (which is the Polish authority responsible for consumer protection policy), such consent must be obtained from the consumer separately from consent regarding the general processing of personal data (Decision No DOZIK-8.610.20.2017.KA/MO).

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

See the European Union chapter.

Concerning cookies, it is necessary to provide subscribers or end users with information related to:

(a) the purpose for which the information is stored and accessed; and

(b) the possibility of defining the conditions under which this information is stored and accessed, by adjusting the settings of the software or the configuration of the service.

Cookies can be used, provided that the subscriber or user concerned gives his/her consent, which may be expressed by means of service configuration or the settings of their software or browser. As already mentioned above, the consent has to meet data protection requirements.

What is more, the stored information or the access to such information must not cause changes in the configuration of the subscriber’s or end user’s telecommunications terminal equipment, or of any software installed on that equipment.

The above rules are not applicable where the storage of and access to the information is necessary to perform a transmission through a public telecommunications network or to provide a telecommunications service or an electronically supplied service requested by a subscriber or end user.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

See the European Union chapter and question 8.2 above.

With the customer’s permission, a service provider may process other data concerning such customer that are not necessary to provide a given service by electronic means, but are for the purposes of advertising, market research, and customer behavior and preference research, where the results of such research serve the purpose of improving the quality of the services provided by the service provider.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

See the European Union chapter.

8.5 Are there specific privacy rules governing data brokers?

See the European Union chapter.

8.6 How is social media regulated from a privacy perspective?

See the European Union chapter.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

See the European Union chapter.


9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

See the European Union chapter.

With regard to the transfer of personal data outside the country or between group companies, the PDPA does not impose any additional requirements, such as notification or reporting obligations to the President of the PDPO.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

See the European Union chapter.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

See the European Union chapter.

The PDPA introduces lower administrative fines for public authorities. The fines for selected units of the public finance sector, research institutes and the National Bank of Poland cannot exceed PLN 100,000 (approximately EUR 23,400).

According to the data available on the official website of the PDPO, to date the PDPO has imposed five administrative financial penalties for noncompliance with personal data protection rules or failure to take sufficient measures to ensure information security (four of the five have been enforced against entities from the private sector).

In addition to administrative liability, the PDPA sets forth criminal provisions and sanctions. Criminal sanctions may be imposed on a given entity for:

(a) processing personal data if such processing is not allowed or the processing is carried out without authorization; or

(b) obstructing or hindering an inspection of personal data processing.

Violation triggers a criminal fine, restriction of personal liberty or imprisonment of up to two years (three years if such processing concerns special categories of data).

10.2 Do individuals have a private right of action? What are the potential remedies?

See the European Union chapter.

Individuals may challenge the violation of their personal data rights through civil proceedings.

Pursuant to Article 92 of the PDPA, the provisions of the Polish Civil Code apply to claims arising from a breach of the personal data protection provisions set forth in the GDPR.


11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Poland which affect privacy?

According to the Act of October 7, 1999 on the Polish Language, consumers have to be informed in Polish. Therefore, any privacy notices which are addressed to consumers have to be in Polish.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

According to the PDPO’s sectoral control plan for 2020, the President of the PDPO has decided to check the level of compliance with data protection law in banks (regarding the copying of ID documents) and in those entities which use remote water reading systems.

What is more, pursuant to information obtained from the PDPO, it is very likely that an agreement on unwanted telemarketing calls will be concluded between the President of the PDPO, the President of the Office for Competition and Consumer Protection and the President of the Office of Electronic Communications. Please note that no official information on this subject has yet been released.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Poland?

In Poland there is, as yet, no established common enforcement practice in relation to the GDPR. However, the activity of the President of the PDPO has recently increased and it may be expected that it will keep on rising in 2020.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

Since the GDPR came into force, there has been a rapid increase in complaints lodged with the PDPO. Based on data revealed by the PDPO, about 2,700 complaints were lodged in 2017, while in 2018 this number reached almost 4,500. In 2019 it increased to approximately 7,000. Bearing that in mind, the PDPO has introduced changes in its structure in order to improve its operations in this area. New departments have been set up within the PDPO, such as a Complaints Department to handle exclusively citizens’ complaints, and the Inspections and Breaches Department to handle personal data protection breaches reported by controllers and the conduct of inspections at controllers. Also, taking into account the rising awareness in Poland of the protection of personal data, a new Communication Department has been established, whose tasks include informing citizens effectively about their rights (eg, by use of hotlines).

12.2 What do you envision the privacy landscape will look like in 5 years?

See the European Union chapter.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

Many companies in Poland are still waiting for the development of guidelines and standards for the establishment of appropriate means of protecting personal data within their business activities. The PDPO has so far issued only a few guidelines, which cover some issues connected with the application of the data protection regulations in Poland. They are all available on its official website.


PRIVACY LAW – PORTUGAL

1 PRIVACY LAW

1.1 How is privacy regulated in Portugal?

Privacy is regulated by statutory law, such as constitutional rights, national law and European law. All this legislation is interpreted and enforced by the Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados Pessoais, “DPA”), which is an independent body with powers of authority throughout the national territory. It is endowed with the power to supervise and monitor compliance with the laws and regulations in the area of personal data protection, with strict respect for human rights and the fundamental freedoms and guarantees enshrined in the Constitution and the law. The Portuguese DPA issues its own guidelines and deliberations, which may be taken into account as a best-practice basis and could be used by the administrative courts when assessing the decisions and/or the administrative offence proceedings related to data protection matters.

The main legal source for data privacy protection is the European General Data Protection Regulation (“GDPR”). At a national level, the Portuguese Parliament approved Law No 58/2019, of 8 August (“GDPR Implementation Law”), which ensures the implementation of the GDPR in Portugal (see question 1.2).

In addition to the guidelines issued by the Portuguese DPA, the guidelines issued by the European Data Protection Board may also be used by legal and judicial operators when dealing with privacy matters.

Finally, there are specific privacy stipulations in other sectoral laws.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

The main legal source for data privacy protection is the GDPR.

At a national level, the GDPR Implementation Law establishes specific requirements applicable to:

(a) employment relationships (article 28);

(b) a child’s consent (article 16) (see further question 3.2(a));

(c) personal data of deceased persons (article 17) (see further question 3.2(b));

(d) portability and interoperability/interconnection of data (article 18);

(e) video surveillance (article 19);

(f) rules applicable to data protection officers (articles 9–13); and

(g) health and genetic data (article 29) (see further question 3.2(c)),

among others.

However, the Portuguese DPA issued Deliberation No 2019/494 on 3 September, in which it states that it will not apply the following articles of the GDPR Implementation Law, because it considers that the Law violates the rule of law of the European Union and compromises the effectiveness of the GDPR’s provisions:

(a) article 28(3)(a) (employee consent is not a lawful ground for data processing where processing results in a legal or economic advantage for the worker),

(b) article 2(1), (2) (territorial scope of the legislation) (see further question 2.2),

(c) article 20(1) (duty of secrecy overrides rights to information and access to data),

(d) article 23 (processing/transmission of personal data by public entities for purposes other than those for which data was collected) (see further question 4.1),

(e) articles 37(1)(a), (h), (k), (2), 38(1)(b), (2) (certain offenses) (see further question 10.1),

(f) article 39(1), (3) (criteria for setting amount of fine),

(g) article 61(2) (expiry of consent) and

(h) article 62(2) (date of ineffectiveness of rules on authorizations and notifications to DPA).

With respect to marketing aspects, the relevant stipulations from a data protection point of view are contained in the GDPR and in the E-Privacy Law (see further question 8). The legal framework applicable to unfair commercial practices also regulates certain aspects of marketing activities.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

Portugal does not have any self-regulatory bodies which enforce privacy law.

The data protection legislation is enforced by the Portuguese DPA, which carries out the tasks specified in article 57 of the GDPR, as well as:

(a) gives its non-binding opinion on legislative and regulatory measures related to data protection, as well as on legal instruments in discussion with European and international institutions;

(b) monitors compliance with GDPR dispositions and further legal and regulatory dispositions related to personal data protection, rights, freedoms and guarantees of data subjects, and remedies and sanctions non-compliance;

(c) makes available a list of data processing activities subject to a data protection impact assessment, under paragraph 4 of article 35 of the GDPR;

(d) prepares and submits to the European Committee for Data Protection the criteria projects for the accreditation bodies for monitoring of codes of conduct and certification bodies, under articles 41 and 43 of the GDPR; and

(e) cooperates with the Portuguese Institute for Accreditation, under article 14 of the GDPR Implementation Law.

The Portuguese DPA exercises the powers established in article 58 of the GDPR.

2 SCOPE

2.1 Which companies are subject to privacy law in Portugal?

See the European Union chapter.

Building on article 2 of the GDPR, article 2(3) of the Portuguese GDPR Implementation Law specifically establishes that it does not apply to personal data files created and maintained under the responsibility of the Portuguese Republic’s System of Information.

2.2 Does privacy law in Portugal apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

See the European Union chapter.

By article 2(1) of the GDPR Implementation Law, the GDPR Implementation Law applies to the processing of personal data carried out in Portugal and, in some circumstances, to the processing of personal data carried out outside the Portuguese territory (article 2(2)).

However, the DPA has decided that it will not apply these provisions in future cases, as it considers that such rules violate GDPR dispositions, in particular GDPR articles 3 and 56.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Portugal?

See the European Union chapter.

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

See the European Union chapter.

In addition to the obligations contained in the GDPR, the GDPR Implementation Law establishes specific requirements related to the processing of special categories of personal data. We highlight the following ones:

(a) Child’s consent (article 16): By article 8 of the GDPR, the personal data of a child may only be processed if based on consent and in relation to the offer of information society services directly to him/her, if the child is at least 13 years old. Where the child is below 13 years old, such processing is lawful only if consent is given by someone with parental responsibility for the child, preferably using secure authentication.

(b) Personal data of deceased persons (article 17): personal data of deceased persons are protected under the GDPR when such data falls within the special categories of personal data under article 9(1) of the GDPR or when the data relates to privacy, image or to communications, except as provided in GDPR article 9(2). The deceased person’s rights provided for in the GDPR, namely the right of access, rectification and erasure, may be exercised by the person so designated by the deceased person or, failing that, by his/her heirs. The data subject may instead determine that no-one may exercise such rights after his/her death.

(c) Health and genetic data (article 29): access to health and genetic data is governed by the “need to know” principle, and the data controller is obliged to notify the data subject of any access to such personal data, which means that the controller will, necessarily, have to implement a traceability and notification mechanism. This article also imposes a duty of confidentiality on persons who have access to health data.
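The traceability and notification duty in item (c) above maps onto an access-control and audit-logging design. The following Python is an added example, not code from this chapter or from any Portuguese authority: it gates each access to a health record by an assumed need-to-know policy (roles mapped to the purposes they may invoke), writes every attempt, granted or denied, to a hash-chained audit log so that later alteration of the trail is detectable, and derives the notifications owed to each data subject from that log. The roles, purposes, record ids and patient data are constructed for the illustration.

```python
"""Need-to-know gate for health-record access with a tamper-evident audit
trail and per-subject access notifications (added example; the policy,
roles, purposes and records below are assumptions, not the law's text)."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed need-to-know policy: each role may access records only for the
# purposes listed here. Roles and purposes are constructed for the example.
NEED_TO_KNOW: dict[str, set[str]] = {
    "treating_physician": {"treatment"},
    "lab_technician": {"treatment"},
    "billing_clerk": {"billing"},
}

GENESIS_HASH = "0" * 64  # prev_hash recorded by the first audit entry


class AccessDenied(PermissionError):
    """Raised when a role/purpose pair falls outside the need-to-know policy."""


@dataclass
class AuditEntry:
    ts: str
    actor: str
    role: str
    purpose: str
    subject_id: str
    granted: bool
    prev_hash: str
    digest: str = ""

    def compute_digest(self) -> str:
        # Each entry commits to its own fields and to the previous digest,
        # so editing or deleting an earlier entry breaks the chain.
        body = json.dumps([self.ts, self.actor, self.role, self.purpose,
                           self.subject_id, self.granted, self.prev_hash])
        return hashlib.sha256(body.encode("utf-8")).hexdigest()


@dataclass
class HealthRecordStore:
    records: dict[str, dict]
    audit_log: list[AuditEntry] = field(default_factory=list)

    def _log(self, actor: str, role: str, purpose: str,
             subject_id: str, granted: bool) -> AuditEntry:
        prev = self.audit_log[-1].digest if self.audit_log else GENESIS_HASH
        entry = AuditEntry(datetime.now(timezone.utc).isoformat(), actor,
                           role, purpose, subject_id, granted, prev)
        entry.digest = entry.compute_digest()
        self.audit_log.append(entry)
        return entry

    def access(self, actor: str, role: str, purpose: str,
               subject_id: str) -> dict:
        """Return the record only if the purpose is within the role's need
        to know; every attempt, granted or not, goes to the audit trail."""
        allowed = purpose in NEED_TO_KNOW.get(role, set())
        self._log(actor, role, purpose, subject_id, allowed)
        if not allowed:
            raise AccessDenied(f"{role!r} may not access records for {purpose!r}")
        return self.records[subject_id]

    def verify_chain(self) -> bool:
        """True if no entry has been altered or removed since it was written."""
        prev = GENESIS_HASH
        for entry in self.audit_log:
            if entry.prev_hash != prev or entry.compute_digest() != entry.digest:
                return False
            prev = entry.digest
        return True

    def notifications_for(self, subject_id: str) -> list[str]:
        """Messages owed to one data subject: one per granted access."""
        return [f"{e.ts}: your record was accessed by {e.actor} ({e.role}) "
                f"for {e.purpose}"
                for e in self.audit_log
                if e.subject_id == subject_id and e.granted]


def demo() -> HealthRecordStore:
    """Run one granted and one denied access against a constructed record."""
    store = HealthRecordStore(records={
        "P-001": {"name": "constructed patient", "diagnosis": "constructed"},
    })
    store.access("dr.silva", "treating_physician", "treatment", "P-001")
    try:
        store.access("clerk.costa", "billing_clerk", "treatment", "P-001")
    except AccessDenied:
        pass  # the denial is already recorded in the audit trail
    return store


if __name__ == "__main__":
    s = demo()
    for line in s.notifications_for("P-001"):
        print(line)
    print("audit chain intact:", s.verify_chain())
```

Denied attempts stay in the audit trail for the controller's own review but are not turned into subject notifications, since the duty described above concerns access that actually occurred; notifying attempted access as well is a design choice the example leaves open. In production the log would be persisted append-only and the notifications delivered through a real channel; the in-memory structures here only show the shape of the mechanism.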

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

See the European Union chapter.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

See the European Union chapter.

In addition, the Portuguese GDPR Implementation Law exceptionally allows:

(a) the processing of personal data by public authorities for purposes other than those determined by the data collection. The basis for processing must be the pursuit of a public interest that cannot otherwise be served; and

(b) the transmission of personal data between public authorities for purposes other than those determined by the data collection. The processing shall be the subject of a protocol establishing the responsibilities of each intervening entity, both in the act of transmission and in other processing to be carried out.

However, the Portuguese Data Protection Authority has decided that it will not apply these exceptions, because it considers that they violate article 5(1)(b) of the GDPR (see question 1.2).

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

See the European Union chapter.

The Portuguese GDPR Implementation Law stipulates that it is mandatory for private entities to appoint a data protection officer where their main private activity involves data processing which requires the regular and systematic monitoring of data subjects on a large scale, or data processing on a large scale of special categories of data, or of personal data related to criminal convictions and administrative offences.

Public bodies which are obliged to appoint a data protection officer are (i) the State; (ii) the Autonomous Regions (Azores and Madeira); (iii) local authorities and other bodies provided for by law; (iv) independent administrative entities; (v) the Bank of Portugal; (vi) public institutes; (vii) public higher education institutions; (viii) State-owned and regional and local business enterprises; and (ix) public associations.

The performance of the data protection officer’s duties does not require professional certification and, regardless of the nature of the legal relationship with the data controller, the data protection officer maintains technical autonomy.

In addition to those given in articles 37–39 of the GDPR, the data protection officer shall have the following tasks:

(a) ensure that periodic and unscheduled audits are carried out;

(b) make users aware of the importance of early detection of security incidents and of the need to immediately inform the security officer; and

(c) ensure relations with the subjects on matters covered by the GDPR and by the national legislation on data protection matters.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Portugal? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

See the European Union chapter.

6.2 How are data breaches regulated in Portugal? What are the requirements for responding to data breaches?

See the European Union chapter.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

See the European Union chapter.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

See the European Union chapter.

In addition, the legal framework applicable to direct marketing in Portugal is mainly based on Law No 41/2004, of August 18, last amended by Law No 46/2012 of August 29 (“E-Privacy Law”), which implemented the EC ePrivacy Directive and is applicable to direct marketing through automated means (sms, mms, ems, automated calls and fax) and electronic mail.

Please note that the E-Privacy Law does not distinguish between private and professional customers, but between natural and legal persons.

By this Law, the sending of unsolicited direct marketing communications to a natural person, through automated means which do not depend on human intervention, is subject to the prior and express consent of the user (opt-in). Consent must meet the requirements laid down in article 7 of the GDPR.

However, it is possible to send marketing communications to legal entities without prior consent (opt-out), provided that:

(a) the legal entity is not included in the official list of legal entities that oppose the receipt of such communications; and

(b) the legal entity is given the opportunity to oppose the receipt of such communications.

With respect to existing customers, in cases where the data controller has already obtained personal data of the customer, the law allows for the sending of marketing communications aiming to promote the data controller’s own or similar products, provided that the customer is given the chance to oppose the receipt of marketing communications at the time of the data collection or, in cases where the customer has not initially refused the processing of their data for marketing communications, in each communication (soft opt-in).

Note that article 21(2) of the GDPR also applies (see the European Union chapter).

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

See the European Union chapter.

With regard to cookies, the E-Privacy Law establishes that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed where the subscriber or user concerned has given his/her prior consent, having been provided with clear and comprehensive information in accordance with the data protection regulations, inter alia, about the purposes of the processing.

We note that pursuant to the GDPR, consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him/her. Therefore, silence, pre-ticked boxes or inactivity cannot constitute consent.

Notwithstanding, this does not apply to technical storage or access which is strictly necessary in order for the provider of an information society service to provide a service which has been explicitly requested by the subscriber or user.

The E-Privacy Law also provides for specific requirements applicable to traffic data.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

See the European Union chapter.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

See the European Union chapter.

8.5 Are there specific privacy rules governing data brokers?

See the European Union chapter.

8.6 How is social media regulated from a privacy perspective?

See the European Union chapter.

The Portuguese GDPR Implementation Law establishes that the protection of personal data must not affect the freedom of speech, information and of the press, including data processing for journalistic, academic, artistic and literary purposes. Notwithstanding, freedom of speech does not legitimize the disclosure of personal data, such as addresses and contacts, except those in common knowledge.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

See the European Union chapter.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

See the European Union chapter.

Pursuant to the Portuguese GDPR Implementation Law, transfers of personal data to countries outside the European Union/third countries or to international organizations, carried out in compliance with legal obligations by public entities within their authority powers, are considered of public interest under article 49(4) of the GDPR.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

See the European Union chapter.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

See the European Union chapter.

The Portuguese GDPR Implementation Law provides for additional administrative offences to those provided for in the GDPR. However, the Portuguese DPA has decided (see question 1.2) that it will not apply some of these in future cases, due to the fact that it has considered that they violate article 83(4), (5) of the GDPR.

The minimum and maximum limits on fines for very serious and serious administrative offences vary according to the type of infringer (large company, small and medium-sized company or natural person).

The DPA has established the possibility of waiving the application of fines for a period of three years as from the entry into force of the law, upon a reasoned request made by public entities addressed to the DPA. The legal provision of this prerogative shall be subject to re-evaluation three years after August 9.

The GDPR Implementation Law specifies (in articles 46–53) several crimes with regard to personal data, such as:

(a) the use of data incompatible with the purpose of the collection;

(b) improper access;

(c) data diversion;

(d) data corruption or destruction;

(e) insertion of false data;

(f) breach of the duty of confidentiality; and

(g) failure to comply with obligations under the GDPR or the GDPR Implementation Law.

The penalties, as well as the types of crimes, are similar to those provided for in Law No 67/98 of 26 October (the former Portuguese Data Protection Law), except for the crime of violation of the duty of professional confidentiality, whose maximum limit is reduced by half.

Attempting to commit such crimes is also always punishable.

10.2 Do individuals have a private right of action? What are the potential remedies?

See the European Union chapter.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Portugal which affect privacy?

None.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

See the European Union chapter.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Portugal?

The Portuguese DPA has started to bring administrative offense proceedings:

(a) In particular, it has imposed a fine of 400,000 Euros on a hospital for three violations of the GDPR, namely: (i) violation of the processing basic principles; (ii) violation of the integrity and confidentiality of personal data; and (iii) failure to implement technical and organizational measures to ensure a level of security adequate to the risk of the processing.

(b) It has imposed a fine of 107,000 Euros on a consumer protection association for sending unsolicited emails for direct marketing or advertising purposes without obtaining prior consent (Article 6 of the GDPR and article 13-A of the E-Privacy Law).

(c) A fine of 20,000 Euros was imposed on a car brand for denial of the right of access to recorded phone calls by the data subject.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

See the European Union chapter.

12.2 What do you envision the privacy landscape will look like in 5 years?

See the European Union chapter.

With the entry into force of the Portuguese GDPR Implementation Law, it is expected that the Portuguese DPA will initiate random audits to check compliance with data protection law on a more frequent basis, as well as carry out audits initiated by individual complaints.

Additionally, we envisage an increase in claims from a data protection law and consumer protection law perspective.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

See the European Union chapter.

Companies and judicial and legal operators may face uncertainties caused by the decision of the DPA, which has decided that it will not apply several provisions of the Portuguese GDPR Implementation Law (see question 1.2). This decision has not yet been analyzed and/or clarified by the Portuguese courts.

PRIVACY LAW – ROMANIA

1 PRIVACY LAW

1.1 How is privacy regulated in Romania?

In Romania, privacy is regulated by statutory law, the right to privacy being stated as a constitutional right. Moreover, the right to privacy is reinforced in the Romanian Civil Code as well as several qualified laws, applying the related EU provisions.

Ensuring the right to privacy to its citizens has always been a major concern for the Romanian statutory bodies, which have shown, over time, great attention to this subject by strictly regulating methods of enforcing it.

The Romanian Constitution establishes in Article 26 that “The public authorities are deemed to respect and protect the intimate, family and private life.”

The Romanian Supreme Court has also shown great attention to aspects related to data privacy, stating, in a well-known decision, that “surname and forename are considered personal data, whether or not there is enough to identify the persons. In the requirements of free access to information of public interest, when the information of public interest and information representing personal data are comprised in the same document, the public interest information may be accessed solely by anonymizing personal data.”

The previous EC Data Protection Directive was applied in Romania by Privacy Law No 677/2001 on the Protection of Individuals with Regard to the Processing of Personal Data and the Free Movement of Such Data (now repealed), which was then the main legal instrument for the protection of the data subjects’ rights.

Currently, the open clauses of the GDPR are implemented in Romania through Law No 190/2018 on GDPR implementing measures (“Privacy Law”), Law No 129/2018 for amending and supplementing Law No 102/2005 regarding the establishment, organization and functioning of the National Supervisory Authority for Personal Data Processing (“Law 129/2018”), which aligns the Romanian supervisory authority’s powers with the GDPR, as well as several guidelines issued by the Romanian supervisory authority, the National Supervisory Authority for Personal Data Processing (“ANSPDCP”).

Law 129/2018 mostly contains administrative stipulations and relevant aspects on the enforcement of the provisions of the GDPR and of the national legislation, whilst the Privacy Law implements, as its name provides, the open clauses of GDPR.

Focusing on advertising, Law No 506/2004 regarding personal data processing and the protection of private life in the electronic communication sector (“Law 506/2004”) regulates the communications sent through the public electronic communication networks and through the electronic communication services, and provides certain requirements that need to be complied with when sending electronic communications to data subjects.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

As for all the EU states, in Romania the GDPR represents the fundamental source for ensuring the implementation of data protection rights, as well as all the relevant aspects concerning data privacy.

The main provisions established by the Privacy Law, when implementing the open clauses of GDPR, concern the following aspects:

(a) defining the national identification number as the number with which an individual is identified in public records, such as personal identification number, the series and number of the identity document, passport number and number of driving license or the number of social health insurance;

(b) how public authorities are treated in comparison to private operators with respect to enforcing data protection provisions;

(c) data processing at work; and

(d) that the processing of genetic data, biometric data and health data is permitted solely with the explicit consent of the data subject or if processing is based on a legal provision.

Focusing on the advertising aspect of data privacy, Law No 506/2004 regulates the communications sent through public electronic communication networks and through electronic communication services, emphasizing the provisions of Article 6 of the GDPR, stating that a natural person should receive electronic communications (or any other type of communications) only upon granting consent.

Additional provisions on commercial communications are regulated by Law No 365/2002 regarding electronic commerce (“Law 365/2002”), which, alongside the GDPR, establishes that sending electronic communications is forbidden if a natural person did not give his/her prior consent.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

All aspects concerning privacy are enforced by ANSPDCP, the Romanian supervisory authority. In this respect, ANSPDCP can perform investigations at a controller’s headquarters in order to establish whether privacy laws are adequately implemented, and can issue sanctions, including fines, when infringements of data protection provisions are observed.

2 SCOPE

2.1 Which companies are subject to privacy law in Romania?

Privacy law applies to both public and private controllers and processors. However, public authorities and bodies benefit from a preferential treatment when it comes to sanctions. Only public entities have a 90-day period, from the report identifying and sanctioning the infringement, for the remediation and the fulfillment of the legal obligations, while private entities do not benefit from such a grace period.

2.2 Does privacy law in Romania apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

Given that the Privacy Law implements the open clauses of the GDPR, its provisions apply whenever the GDPR is applicable. Therefore, the Romanian Privacy Law is applicable to companies outside Romania that process personal data in Romania or transfer data to those countries that fall within the scope of the GDPR.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Romania?

The Romanian legal provisions have not defined “personal data”, given that it is already defined in Article 4(1) of the GDPR.

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

See the European Union chapter.

Furthermore, the Romanian Privacy Law establishes that processing of genetic data, biometric data and health data is permitted solely with the explicit consent of the data subject or where processing is based on a legal provision.

Moreover, the Privacy Law provides that when special categories of personal data are processed based on public interest, the controller must implement the following safeguards:

(a) implement the adequate technical and organizational measures for fulfilling the principles of the GDPR, especially data minimization, data integrity and confidentiality;

(b) appoint a data protection officer, when necessary;

(c) establish storage periods based on the nature and purpose of processing, as well as specific periods after which personal data must be erased or revised for erasure.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

See the European Union chapter.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

See the European Union chapter.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

See the European Union chapter.

Moreover, if special categories of personal data are processed on a large scale for advertising purposes, a data protection impact assessment is required.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Romania? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

The GDPR imposes the general framework regarding the standard required in ensuring the security of personal data.

Companies, as well as public authorities and bodies, also have, as an instrument in implementing the adequate security standard, the consultation procedure with ANSPDCP. Therefore, these entities can file a formal letter to the national supervisory authority with respect to a certain type of processing, requesting advice in order to ascertain the proper method of establishing the security of personal data.

6.2 How are data breaches regulated in Romania? What are the requirements for responding to data breaches?

Complementary with the GDPR, ANSPDCP has issued a form for notifying data breaches, helping controllers to comply with all the legal requirements in order to ensure that the breach is handled correspondingly.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

See the European Union chapter, and see question 1.1 above.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

See the European Union chapter.

Additionally, Law 506/2004 and Law 365/2002 establish that explicit consent is required for a natural person to receive electronic communications.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

See the European Union chapter.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

Processing personal data for targeting purposes and in order to analyze the behavior of data subjects in relation to certain advertising campaigns has always been a sensitive subject from the legal perspective.

Data subjects must be properly informed when they are subject to profiling and, if consent is required, only explicit consent is permitted.

Moreover, in order to ensure an adequate balance between the rights of data subjects and the right of the controller, performing a data protection impact assessment is recommended, if not, in some cases (eg, processing on a large scale, processing sensitive data), mandatory.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

See the European Union chapter.

8.5 Are there specific privacy rules governing data brokers?

See the European Union chapter.

8.6 How is social media regulated from a privacy perspective?

See the European Union chapter.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

See the European Union chapter.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

See the European Union chapter.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

See the European Union chapter.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

See the European Union chapter.

In addition, the Privacy Law, as well as certain procedures issued by ANSPDCP, establish that any case handler can issue a fine of up to EUR 300,000 when performing an investigation at a controller’s headquarters if an infringement occurs, without any prior approval from the president of ANSPDCP.

10.2 Do individuals have a private right of action? What are the potential remedies?

See the European Union chapter.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Romania which affect privacy?

Not applicable.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

As for every Member State of the European Union, the draft ePrivacy Regulation is a subject that constantly needs to be followed in Romania. Please see the European Union chapter.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Romania?

ANSPDCP has issued several fines on Romanian companies, as well as on a flat owners’ association. Most of the fines concerned the inadequate, or failure to implement the adequate, technical and organizational measures.

So far, no specific guideline on imposing fines has been issued, yet the sanctions imposed on the infringing entities were way below the threshold of either EUR 20 million or EUR 40 million.

Generally, the sanctions imposed on the entities have not exceeded the amount of EUR 130,000.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

See the European Union chapter.

12.2 What do you envision the privacy landscape will look like in 5 years?

See the European Union chapter.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

Although the GDPR and the national provisions regulate many aspects of data privacy, the level of diligence that companies must have in order to comply with the data privacy requirements is not yet clearly regulated.

Until a strong base of case law becomes available, all that entities can do is to perpetually comply with an on-going process of alignment with the data privacy provisions and established practice.

PRIVACY LAW – SLOVAKIA

1 PRIVACY LAW

1.1 How is privacy regulated in Slovakia?

Privacy is primarily regulated by European law, namely the European General Data Protection Regulation ("GDPR"). For more information on the GDPR, please see the European Union chapter.

However, certain aspects of privacy are regulated by state law, in particular, Slovak Act No 18/2018 Coll. on Personal Data Protection ("DPA").

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

Key laws regulating privacy in Slovakia are the GDPR and the DPA.

The GDPR is directly applicable in Slovakia and therefore most processing activities are governed by the rules and principles contained in the GDPR.

The DPA basically complements the GDPR in cases where the GDPR does not apply to data processing, or where the GDPR leaves space for EU Member States to define categories of exceptions and derogations from the GDPR in their legal systems. The scope of the DPA is therefore the alignment of the Slovak national legislation on data protection with the GDPR. At the same time, the DPA reacts to several opening clauses of the GDPR and uses the option contained in the GDPR to define certain exceptions and derogations from provisions of the GDPR. The DPA also represents a transposition into Slovak law of Directive 2016/680/EU on the protection of individuals with regard to the processing of personal data by the competent authorities for the purposes of preventing, investigating, detecting or prosecuting criminal offences or enforcing criminal sanctions, and on the free movement of such data. Lastly, the DPA regulates the status, scope and organizational structure of the Slovak Data Protection Office ("DPO").

While the processing of personal data is governed by the GDPR and the DPA, certain privacy aspects of online marketing activities, such as direct marketing by email or telephone, are also regulated by other laws, including in particular the Slovak Act on Electronic Communications, which implements various EU laws, including the ePrivacy Directive.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

Privacy law is enforced by the Slovak DPO, which is entitled to inspect and assess the compliance of data processing operations with the GDPR and the DPA, and to issue orders and fines in cases where data protection laws have been violated. The Slovak DPO also publishes specific guidelines interpreting the GDPR and the DPA. The guidelines are not binding, but represent a useful source of information for entities processing personal data as well as for data subjects.

2 SCOPE

2.1 Which companies are subject to privacy law in Slovakia?

See the European Union chapter.


2.2 Does privacy law in Slovakia apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

Yes, privacy law applies outside the country:

(a) The GDPR applies to companies outside Slovakia in cases specified in Article 3 of the GDPR.

(b) Parts of the DPA apply to the processing of personal data of data subjects in the Slovak Republic by a controller or processor with headquarters, place of business, branch, establishment, or permanent residency not located in an EU Member State, where the processing of personal data is related to: (i) the offering of goods or services, irrespective of whether payment is required, to a data subject in the Slovak Republic; or (ii) the monitoring of the behavior of data subjects, insofar as their behavior takes place within the Slovak Republic.

For more information please see the European Union chapter.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Slovakia?

Personal data is legally defined in Article 4 of the GDPR. An identical definition is contained in Article 2 of the DPA.

For more information please see the European Union chapter.

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

See the European Union chapter.

Based on one of the GDPR opening clauses, the DPA allows the processing of genetic data, biometric data or data concerning health also in cases set forth in special regulations or international treaties binding upon the Slovak Republic. For example, health and genetic data may be processed within the provision of healthcare; biometric data can be processed for identification inside nuclear sites; and voice biometrics can be processed in the provision of banking services.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

See the European Union chapter.


4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

See the European Union chapter.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

See the European Union chapter.

In accordance with Article 35(4) of the GDPR, the Slovak DPO has issued a list of the kinds of processing operations which are subject to the requirement for a data protection impact assessment ("DPIA"). Among other matters, a DPIA is necessary for profiling, an assessment of credibility or a solvency assessment.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Slovakia? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

See the European Union chapter.

6.2 How are data breaches regulated in Slovakia? What are the requirements for responding to data breaches?

See the European Union chapter.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

See the European Union chapter.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

See the European Union chapter for privacy law obligations.

In addition to the GDPR, which regulates the processing of personal data, Slovak laws contain specific rules relating to the permissibility and the means of commercial communications. These rules are mainly contained in the Slovak Act on Electronic Communications and the Slovak Act on Advertising.


For the purposes of direct marketing, phone calls or the use of automated call and communication systems without human intervention, facsimile, or electronic mail, including short message service, to the subscriber or user are permitted only with his/her prior consent, which consent must be demonstrated. Prior consent of the recipient is not required in the case of direct marketing of similar goods and services to a recipient whose contact information was duly obtained by the same entrepreneur in connection with a previous sale of the goods or services.

The recipient of an email must be given the opportunity to refuse such use of contact information at any time. It is forbidden to send emails that do not show the identity and address of the sender to which the recipient may send a request to stop sending such messages.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

See the European Union chapter.

In addition to the privacy restrictions regarding tracking technologies contained in the GDPR, the Slovak Act on Electronic Communications rules that storing information, or gaining access to information stored, in a user's terminal equipment (not only personal data but all data which are being tracked) is permissible only if the user has given his/her consent, on the basis of clear and complete information about the purpose of such action. The use of appropriate settings of a web browser or other computer program shall also be deemed to be consent for this purpose. This does not prevent the technical storage of, or access to, data whose sole purpose is to transmit or facilitate the transmission of the message over the network, nor where it is strictly necessary for the provision of the website service explicitly requested by the user. These rules, based on the ePrivacy Directive, are expected to be replaced soon by the ePrivacy Regulation.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

See the European Union chapter.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

See the European Union chapter.

8.5 Are there specific privacy rules governing data brokers?

See the European Union chapter.

8.6 How is social media regulated from a privacy perspective?

See the European Union chapter.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

See the European Union chapter.


9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

See the European Union chapter.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

See the European Union chapter.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

See the European Union chapter.

In addition to sanctions for breach of the GDPR, the DPA specifies sanctions for breach of those provisions of the DPA which are based on opening clauses of the GDPR. Finally, according to the DPA, the Slovak DPO may impose a procedural fine on anyone who does not cooperate during a data protection inspection.

10.2 Do individuals have a private right of action? What are the potential remedies?

See the European Union chapter.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Slovakia which affect privacy?

None.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

From the perspective of privacy, the hottest topic is certainly the draft ePrivacy Regulation.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Slovakia?

At the time when the GDPR and the DPA became effective, the Slovak DPO unofficially suggested that it would not impose any fines for a period of 12 months. Since those 12 months have now passed, companies can no longer rely on the forbearance of the DPO.


12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

Before the GDPR was adopted, Slovak legislation had already laid down detailed rules relating to the processing of personal data. However, few companies seemed to take these rules seriously. Compared to the sanctions that may be imposed under the GDPR, only symbolic penalties were imposed, so the area of personal data protection was paid relatively little attention. The adoption of the GDPR caused great hysteria in Slovakia, which culminated in May 2018, when, in particular, small and medium-sized companies started to look for last-minute solutions to respond to GDPR requirements. Thanks to the GDPR, privacy has become an essential part of every business.

12.2 What do you envision the privacy landscape will look like in 5 years?

See the European Union chapter.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

There are still a lot of uncertainties regarding personal data processing and privacy. This is because there is not yet sufficient case law, nor uniform guidelines for the interpretation of all GDPR clauses. Companies should therefore continue to monitor developments in the privacy landscape and continuously evaluate the compliance of their data processing operations with privacy laws, especially following interpretation by the supervisory authorities and courts. As far as online marketing is concerned, companies should also get ready for new rules under the ePrivacy Regulation.


PRIVACY LAW – SPAIN

1 PRIVACY LAW

1.1 How is privacy regulated in Spain?

Privacy is a constitutional right in Spain. It is considered to be an essential and fundamental right of every Spanish citizen, and can be regulated only by organic laws, which are the highest (after the Spanish Constitution) in rank of legal regulations and require a special approval proceeding in the Parliament.

Article 18 of the Spanish Constitution provides that privacy, along with personal honor and personal image, is a fundamental right. This provision declares all personal communications to be confidential, including telephone, postal and digital communications, and restricts the use of informatics in order to protect the honor and the personal and family privacy of Spanish citizens, as well as the full exercise of their rights.

The first specific regulation about data protection was the Spanish Organic Law 15/1999, which transposed the Data Protection Directive 95/46/EC into Spanish law and established the first national governmental body with competences in this area: the Spanish Data Protection Agency ("AEPD").

In addition to the AEPD, there are three other administrations with competences on privacy law, but mainly limited to supervising regional public authorities: the Basque Data Protection Agency; the Catalonian Authority on Data Protection; and the Council of Transparency and Data Protection of Andalusia. The region of Madrid also established its own regional agency for data protection in 2005, but it was closed in 2013.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

As a consequence of the GDPR, Organic Law 15/1999 was repealed and replaced, from December 7, 2018, by the current regulation, Organic Law 3/2018 on the Protection of Personal Data and the Guarantee of Digital Rights ("LOPD").

The GDPR is the main source of privacy regulation in Spain, as in the rest of the EU Member States; however, due to the margin of adaptation left by the European legislator to the national authorities, the Spanish LOPD has developed some particularities, which can be summarized as follows:

(a) The LOPD introduces the concept of "data blocking", not present in the GDPR, which the Spanish law defines as the "identification and reservation of the personal data, adopting technical and organizational measures, to prevent its processing, including its visualization, except for the provision of data to judges and courts, the Public Prosecutor's Office or competent Public Administrations, in particular the data protection authorities, for the requirement of possible responsibilities derived from the processing and only for the term of prescription of the same" (see, further, question 5.1);

(b) The minimum age at which any individual has capacity to give consent is fixed at 14 years;

(c) The LOPD specifies some additional entities and bodies which have the obligation to appoint a data protection officer ("DPO") (eg, educational entities, banks, insurance companies, sport federations, energy distribution companies, financial institutions, health and medical corporations, etc);


(d) Regarding the duty to inform, this must be presented through a layered (or granular) information system. The first layer must contain some basic minimum information, making the rest easily available for consultation on a second layer (see, further, question 3.3);

(e) There is special provision for personal data of deceased persons (see, further, question 3.1);

(f) There is a legal presumption of lawful processing based on a legitimate interest or public interest in some specific situations (eg, processing of contact data in commercial transactions; video surveillance systems; advertising exclusion systems; etc);

(g) The roles and duties of the data controller and the data processor are clarified (see question 4.1);

(h) Privacy violations are graded into three categories (minor, severe, very severe) and sanctions established in accordance with this classification (see question 10.1);

(i) The inclusion of a person on a "credit blacklist" is subject to specific and very strict conditions;

(j) Data processing for electoral purposes has a specific regulation (see question 11.1);

(k) Data processing agreements dated before May 25, 2018 will remain valid until their expiration. If the agreement has no expiration date, it will be in force until May 25, 2022; and

(l) A new catalogue of unfair competition practices relating to the use of personal data has been enacted.

Although it was not included in the initial bill, the final text of the LOPD also includes a specific chapter about digital rights, regulating, eg, employees' rights to digital disconnection when they are not in working time, the right of access to the internet, the right to digital education, the principle of network neutrality, as well as the right to be forgotten, portability and rules governing the right to access a deceased person's digital content.

On the other hand, Organic Law 1/82 regulates the civil protection of honor, personal and family privacy and personal image (personality rights). In some cases, the violation of these rights might also have criminal consequences (see article 197 of the Spanish Criminal Code).

Another two regulations containing relevant provisions on privacy are the e-Commerce Law (Ley 34/2002), which implemented EC Directive 2000/31 on electronic commerce and some of the provisions of EC Directive 2002/58 on Privacy and Electronic Communications; and the Law on General Telecommunications (Ley 9/2014).

Finally, there are a number of sectorial regulations including specific provisions about privacy, including regulations concerning consumers, unfair competition, health, insurance, employment, etc.

The Spanish AEPD is the competent authority not only to enforce legal protection against some restricted practices affecting privacy, but also has competence over, among other matters, anti-spam activities and e-commerce regulations.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

The enforcement of both the GDPR and the LOPD at a national level belongs exclusively to the AEPD, the Spanish supervisory authority. The AEPD's decisions can be appealed to the Contentious Administrative Court, and, at cassation level, to the Supreme Court. Due to the constitutional nature of privacy rights, the Constitutional Court is also entitled to review lower courts' decisions.


The role of the AEPD is not only to inspect and sanction, but also to help and guide citizens and corporations in the permanent compliance with personal data regulations; therefore, it publishes on a regular basis guides and documents offering orientation and interpretation of the current rules. In 2018 and 2019 the Agency published the following guides:

(a) Guide about the use of cookies;

(b) Guide about privacy by design;

(c) Practical guides about performance of risk analysis and data protection impact assessments ("DPIAs");

(d) Guide about the use of video surveillance and biometric systems;

(e) Guide for notification of security breaches;

(f) Guide about the right of information; and

(g) other sectorial guides (eg, for Public Administrations, education centers, etc).

In addition, the AEPD provides a help tool, called Facilita. This tool helps companies and professionals who process low-risk personal data to comply with the new GDPR. It takes the form of an online questionnaire taking a maximum of 20 minutes to complete, which companies and professionals can use, firstly, to verify, by means of a series of questions, that the data they process can be considered low risk and, secondly, to obtain the essential documents required to enable them to comply with the GDPR. Facilita adds to other initiatives that the AEPD has launched to promote compliance with the GDPR, including the Certification Scheme for DPOs to provide security and reliability both to the professional privacy enterprises and to the entities that hire their services.

One example of the AEPD bringing action is the case, in 2010, against Google, brought as a consequence of a complaint from a Spanish citizen seeking to remove his name from old news indexed by this Internet engine. The case was reviewed by the CJEU (case 131/12, Google Spain SL, Google Inc v Agencia Española de Protección de Datos, Mario Costeja González), which confirmed the decision against Google, and the "right to be forgotten".

Proceedings for enforcement of personality rights are brought before the Civil and Criminal Courts. In such proceedings, the participation of the public prosecutor is mandatory.

There is no self-regulatory system relating to disputes about privacy; however, Autocontrol, which is the self-regulatory organization for the advertising industry, offers a pre-clearance service to comply with Data Protection regulations ("Data Advice"). Autocontrol also provides mediation services relating to claims about privacy.

2 SCOPE

2.1 Which companies are subject to privacy law in Spain?

See the European Union chapter.

In addition to the scope of the GDPR, the LOPD applies to all controllers or processors who process personal data in Spain, or outside of Spain when the data refer to persons in Spain.


2.2 Does privacy law in Spain apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

Yes. According to the LOPD, the Spanish local representative of any controller or processor established outside of Spain has joint liability with the controller/processor, and the local supervisor is entitled to apply the provisions of the GDPR and LOPD to such local representative.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Spain?

Personal data is legally defined in Article 4(1) of the GDPR (see the European Union chapter).

Regarding the personal data of deceased persons, the Spanish LOPD allows successors to make use of the deceased's right of access, and the rights to request the erasure and restriction of personal data, unless this is expressly forbidden by law or by the will of the deceased (the data subject).

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

The Spanish LOPD does not add new categories of sensitive data to those listed in the GDPR; however, it excludes the exception granted by Article 9(2)(a) of the GDPR whereby mere consent granted by the data subject can lift the prohibition on the processing of special categories of personal data (ideology, union membership, religion, sexual orientation, race, creed, or ethnicity), in order to avoid discriminatory situations.

Additionally, situations under which data of a criminal nature may be processed are expressly regulated.

The LOPD states that the processing of personal data for purposes of preventive or occupational medicine, or public interest in the area of public health, is allowed on the grounds of public interest, but this permission must be based on a standard with the rank of law, and this law could establish additional requirements regarding security and confidentiality.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

See the European Union chapter.

Transparency: the right of data subjects to be informed about any processing is implemented within a granular system, in which certain minimum information (identity of the controller and its representative, the purpose of processing, the rights of the data subjects, origin of the data if they were not collected from the data subject) must always be provided in a "first layer", with direct and immediate access available to full information on a second layer.

Accuracy: the Spanish law provides some "safe harbor" situations for a controller, whereby it will not be responsible for inaccurate data if reasonable measures to ensure deletion or rectification were taken.


4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

The Spanish LOPD clarifies the roles established by the GDPR. In particular, a "controller" is the person who, in his own name and without notice of acting on behalf of another, establishes relations with the data subjects, even when there is a processor's contract. This provision will not apply to processors operating within the framework of public sector contracting legislation.

Processors using data for their own purposes will also be considered as controllers.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

See the European Union chapter.

The AEPD has published a list of situations in which risk impact assessments are mandatory, and also a list of situations and actions excluded from this obligation (see question 11.3).

Another difference in the Spanish privacy legal framework relates to the advertising exclusion systems (eg, "Listas Robinson"), regulated specifically in Article 23 of the LOPD. All advertisers carrying out commercial communications must check these lists and exclude from their campaigns those data subjects who do not wish to receive commercial communications. An exception to this rule is where the affected person has previously granted his/her consent to that particular commercial communication.

The appointment of a DPO is compulsory and must be communicated to the AEPD in certain cases, including entities carrying out advertising and commercial research activities based on the data subjects' preferences or carrying out data subjects' profiling actions.

From the point of view of electronic commercial communications, under the e-Commerce Law, unsolicited communications are only permitted if there is a commercial/contractual relationship with the data subject, or if express consent has been granted. An opt-out possibility must be offered in every communication.

"Data blocking" is one of the legal innovations of the Spanish LOPD (see question 1.2(a)). Controllers are obliged to block personal data at the end of processing. This means that the data are placed under technical and organizational measures which prevent future processing actions but allow data disclosure if required by the competent authorities.


6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Spain? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

See the European Union chapter.

Providers of telecommunication services have special duties which are regulated by the General Telecommunications Act.

The AEPD has published a guide about data security and breach which is available on its website.

The LOPD provides a list of scenarios under which the adoption and implementation of technical and organizational measures is necessary, in view of the potential risks.

6.2 How are data breaches regulated in Spain? What are the requirements for responding to data breaches?

Data breaches must be reported to the AEPD within 72 hours unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. In Spain, the notification can be made by the controller using standardized forms through an online system created by the Agency for this purpose (a certified electronic signature is required): https://sedeagpd.gob.es/sede-electronica-web/vistas/formBrechaSeguridad/procedimientoBrechaSeguridad.jsf

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

In addition to the individual rights granted by the GDPR, the Spanish LOPD provides some minor clarifications:

(a) The exercise of the right of access may be considered repetitive if exercised on more than one occasion during a period of six months, unless there is legitimate cause for it.

(b) There is a presumption of lawful processing, based on legitimate interest, regarding the personal contact data of a person working or rendering a service (directly as an individual trader or as a worker of a corporation) to the controller.

(c) There is a presumption of lawful processing, based on public interest, regarding video surveillance systems in working places and public areas. A visible and public notice regarding the presence of cameras is compulsory. The images recorded may be used as a form of labor control of employees if they have been informed in advance. Again, if the employees have been informed in advance, the employer is entitled to access the company's digital devices used by the employees for the purpose of controlling their compliance with the employment relationship.

(d) The right of access is considered fulfilled if the controller offers the data subject means that permanently guarantee remote, direct and secure access to his/her personal data.


8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

In addition to regulation under the GDPR, the Spanish legal framework has some particularities arising not only from the LOPD but also from other regulations (see question 1.2 above). The following are the most relevant:

(a) When consent is sought for the processing of the data for several purposes, it will be necessary to state specifically and unequivocally that such consent is granted for all of these purposes.

(b) A contract may not be made subject to the data subject consenting to the processing of their personal data for purposes that are not related to the maintenance, development or control of the contractual relationship.

(c) Sending unsolicited digital commercial communications is only allowable if there has been a previous commercial/contractual relationship with the data subject, or if express consent has been granted (see question 5.1). An opt-out possibility must be offered in every communication.

(d) When entities developing advertising activities and commercial inspection, including commercial research and marketing, process data based on users' preferences or elaborate users' profiles of the same, they must appoint a DPO and inform the AEPD of such appointment.

(e) See question 5.1 about advertising exclusion systems.

(f) No pre-checked boxes are allowed. Consent must be positive and the consent form must always include the first layer of minimum compulsory information.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

There is specific guidance about cookies issued by the AEPD in November 2019. Express and positive consent is required in application of GDPR rules; however, the option "if you continue browsing you grant your consent to our use of cookies" is permitted under certain conditions.

The guidelines also recommend that ambiguous sentences or difficult legal language should be avoided, so all information provided to the user must be direct, simple, complete and transparent. The consent of minors (below 14 years old) is also covered.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

This kind of advertising usually involves data processing based on users' preferences and/or elaboration of users' profiles. Any entity performing these actions must appoint a DPO who must be recorded on the AEPD's list.

On top of this, the AEPD has included this kind of data processing among those on its "blacklist" (based on the WP29 Guidelines) requiring a risk impact assessment and a DPIA, if the data processing allows the identification of users.


8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

If the data shared are subject to GDPR regulation, and the assignee (third party) is not a processor working for the controller, all provisions of the GDPR about data transfers must be complied with.

8.5 Are there specific privacy rules governing data brokers?

See the European Union chapter.

8.6 How is social media regulated from a privacy perspective?

See the European Union chapter.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

Loyalty programs may be considered to be a commercial relationship, which entitles the controller to process data on the basis of this consent (agreement) and allows him to send commercial communications to the client.

Sending promotions without previous consent, or without a previous commercial relationship, would be a violation of both privacy and e-commerce regulations.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

See the European Union chapter.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

See the European Union chapter.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

Although the GDPR does not authorize the creation of catalogues of offenses, the Spanish law provides a classification of violations, and the term of the statute of limitations is as follows:

(a) Very severe: Article 72 of the LOPD lists the violations considered very serious offenses (eg, processing without any conditions of lawfulness, failure to comply with the duty of information, international transfers without safeguards, etc). There is a 3-year limitation period for such offenses.

(b) Severe: Article 73 provides a list of violations considered serious offenses (eg, processing of personal data of a minor without consent, obstruction or repeated violation of the rights of access, rectification, etc). There is a 2-year limitation period for these offenses.


(c) Minor: Article 74 lists violations considered as minor infringements, such as failure to comply with the principle of transparency of information or the right of information. There is a 1-year limitation period for these offenses.

Additionally, the LOPD provides a second classification of limitation periods, according to the possible economic sanctions, whereby sanctions equal to or under 40,000 euros have a limitation period of 1 year; sanctions between 40,001 and 300,000 euros have a limitation period of 2 years; and sanctions over 300,001 euros have a limitation period of 3 years.

10.2 Do individuals have a private right of action? What are the potential remedies?

Yes, individuals are entitled to file claims before the AEPD, either by name or anonymously, reporting violations of their own or third parties’ privacy rights. Employees may also use whistleblowing reporting systems.

There are several provisions regulating the whistleblowing system and stating, eg, the controller’s obligation to inform all employees about the system.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Spain which affect privacy?

The new LOPD modified the Law of the General Electoral System, introducing, through article 58 bis, an exception for political parties, which were allowed to collect data on citizens’ political opinions “obtained in web pages and other public sources for the realization of political activities during the electoral period”. Political parties were also entitled to send electoral propaganda “by electronic means or messaging systems”, as well as through “social networks or equivalent media”, without these communications being considered commercial (no application of the e-Commerce Regulation).

This provision caused huge public concern and was challenged before the Constitutional Court, which declared in May 2019 that this modification of the Electoral Act was contrary to the Constitution and void.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

The protection of minors is, among others, a very relevant issue for the local authority at this moment. A specific digital tool has been implemented for this purpose (AseguraTIC).

The AEPD is also warning about some companies which are offering adaptation services and legal advice about the GDPR for zero or very low cost.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Spain?

The GDPR establishes that, where processing is likely to result in a high risk to the rights and freedoms of natural persons, the controller must carry out a DPIA, taking into account the origin, nature, particularity and severity of the risk. Each supervisory authority must establish the types of processing operations that require an impact assessment. Based on this, the AEPD has published a list of processing operations in which an impact assessment is mandatory (www.aepd.es/media/criterios/listas-dpia-es-35-4.pdf). It is thus necessary to carry out an impact assessment in cases where the processing meets at least two criteria on the list, which include, eg:

(a) the profiling or assessment of subjects;

(b) the observation, monitoring, geolocation or control of the data subject in a systematic and exhaustive manner;

(c) the use of special categories of personal data, data related to criminal convictions or data that allow economic solvency to be determined;

(d) the use of biometric data to uniquely identify a person;

(e) the use of genetic data; or

(f) the use of large-scale data.

In this way, controllers have more certainty when determining which processing operations are likely to result in a high risk and therefore require an impact assessment.

The list has been communicated to the European Data Protection Board, which has issued a favorable opinion on it, following the criteria established in the assessment of all the lists sent by the national authorities.

Previously, the AEPD had published another list containing those processing activities for which it is not mandatory to carry out an impact assessment (www.aepd.es/media/guias/ListasDPIA-35.5l.pdf).

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

See the European Union chapter.

12.2 What do you envision the privacy landscape will look like in 5 years?

See the European Union chapter.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

Privacy law has become a very sensitive issue amongst consumers, employees, and citizens of all ages and walks of life. As a consequence, the number of complaints for offenses relating to privacy has increased notably. Companies must be very careful regarding marketing activities and on the alert when receiving any question or claim relating to personal data.


PRIVACY LAW – SWEDEN

1 PRIVACY LAW

1.1 How is privacy regulated in Sweden?

In Sweden, privacy is regulated by various statutory laws and regulations. For instance, the Instrument of Government, Sweden’s primary constitutional law, provides provisions on the protection of individuals’ privacy. In addition, other Swedish legislation, as well as European Union law, also governs privacy. Furthermore, the data protection authority has issued guidelines which, although non-binding, assist practitioners in complying with privacy requirements.

Privacy has been a hot topic for a relatively long time in Sweden. Population and housing censuses carried out by public authorities in the 1970s caused debate on personal integrity, since the censuses were conducted by linking different registers kept by public authorities. Eventually, this debate led to the Swedish Government Official Report (SOU 1972:44) “Data and Integrity”. The report proposed changes to the Swedish Freedom of the Press Act and the predecessor to the current Swedish Public Access to Information and Secrecy Act, both being statutes of importance in the field of privacy. However, and perhaps most relevant with regard to the processing of personal data, the report included a proposition for a new data law as well as introducing a new criminal offence of hacking into the Swedish Penal Code. Eventually, and prompted by the report, Sweden became the first European state to enact a law on the processing of personal data: the 1973 Swedish Data Act.

The Data Act was in force until 1998, when the Swedish Personal Data Act, based on the Data Protection Directive 95/46/EC, was enacted. The Personal Data Act was in turn repealed on May 25, 2018, when the European General Data Protection Regulation entered into force.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

The European General Data Protection Regulation (“GDPR”) is the primary source governing privacy in Sweden.

Aside from the GDPR, Sweden has adopted the Data Protection Act, supplemented by the Data Protection Ordinance (2018:219). The Data Protection Act is subsidiary law, meaning that its provisions do not apply if there is specific legislation governing the same matter.

In addition, there are so-called “Registry Acts” governing specific aspects of register-keeping involving personal data. To mention a few, the Registry Acts govern fields such as law enforcement, financial activities, and health care. In general, the Registry Acts are directed at public authorities, but in some cases the Registry Acts also apply to private entities, depending on what activities the relevant controller or processor is involved in.

The Swedish Electronic Communication Act (“LEK”), often referred to as the “Cookie Law”, is also relevant to privacy. The LEK implemented the ePrivacy Directive 2002/58/EC.


1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

Sweden has appointed the Swedish Data Protection Authority (“SDPA”) as its supervisory authority for data protection. The SDPA is therefore the supervisory authority for the GDPR, the Data Protection Act, the Data Protection Ordinance, as well as a number of other laws (eg, some of the Registry Acts).

The scope of the SDPA’s mission follows from GDPR Article 51. Aside from the provisions of GDPR Article 51, the role of the SDPA is further explained in the Swedish Regulation with Instructions for the SDPA (2007:975). This Regulation states that the SDPA’s mission is to ensure that fundamental human rights are protected in connection with the processing of personal data, to facilitate the free flow of personal data within the EU, and to ensure that good practices are observed in credit and debt collection operations.

The powers of the SDPA follow from GDPR Article 58 and include, inter alia, the authority to order the controller and the processor to provide any information it requires for the performance of its tasks, and to carry out investigations in the form of data protection audits. Upon violation of data protection law, the SDPA is authorized to issue warnings and injunctions, and to impose administrative sanctions in line with the GDPR.

Sweden has no self-regulatory bodies enforcing privacy law.

2 SCOPE

2.1 Which companies are subject to privacy law in Sweden?

See the European Union chapter with regard to which companies are subject to the GDPR.

Chapter 1 Section 5 of the Data Protection Act sets out its scope of application, making the Act apply to:

(a) processing of personal data conducted from a controller’s/processor’s place of establishment in Sweden;

(b) processing of personal data conducted by a controller not established in Sweden, but in a location where Swedish law applies according to international law; or

(c) processing of personal data carried out by a controller/processor established in a third state, if the processing concerns data subjects located in Sweden, and if such processing is connected to either the offering of goods or services to such data subjects, or the monitoring of such data subjects’ behavior in Sweden.

The territorial scope of the Data Protection Act is rather similar to the wording of GDPR Article 3, although with Sweden as the territorial reference point instead of the European Union. As is apparent from the territorial scope of the Data Protection Act, a company established outside of Sweden could still have to comply with the provisions of the Act.

The Registry Acts have different scopes of application, each being adapted to its relevant field of business.


2.2 Does privacy law in Sweden apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

Yes, privacy law in Sweden can apply to companies outside Sweden. See question 2.1.

Swedish law does not set out any requirement to have a company representative in Sweden.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Sweden?

The Data Protection Act and the Registry Acts refer to the definitions provided by the GDPR. This means that the Swedish definition of “personal data” is identical to the definition provided by GDPR Article 4(1). For a detailed description of the definition of “personal data”, see the European Union chapter.

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

In Sweden, special categories of personal data and sensitive personal data are defined as provided by the GDPR. See the European Union chapter.

Chapter 3 of the Data Protection Act sets out provisions relevant to the processing of certain categories of sensitive personal data. In general, Chapter 3 of the Data Protection Act provides a number of exceptions to the general prohibition on processing sensitive personal data set out by GDPR Article 9(1). The exceptions apply to sensitive personal data processed within the fields of employment, social security and social protection law. One such exception is that an employer may process sensitive personal data about its employees for the purposes of fulfilling its obligations under labor law, social security or social protection law, without the employee’s consent.

In Sweden, each Swedish citizen (as well as non-citizens in some situations) has their own personal identification number used to identify the individual. Processing of personal identification numbers is not significantly controversial in Sweden, in comparison to other Member States of the European Union. Personal identification numbers are, nevertheless, considered as a special category of personal data under Swedish law. This follows from Chapter 3 Section 10 of the Data Protection Act. According to the Data Protection Act, personal identification numbers may be processed without the data subject’s consent only if such processing is justifiable, taking into account:

(a) the purpose of the processing,

(b) the importance of a safe identification, or

(c) any other remarkable purpose.

With regard to children’s personal data, Chapter 2 Section 4 of the Data Protection Act sets out that, when offering information society services to a child domiciled in Sweden, processing of personal data of such child shall be lawful based on the child’s consent, but only if the child is at least 13 years old. If the child is less than 13 years old, processing of the child’s personal data is lawful only if, and to the extent that, consent is given or authorized by the holder of parental responsibility. Thus, Sweden applies the lowest age limit for the processing of children’s personal data permitted under the GDPR.


3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

See the European Union chapter.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

See the European Union chapter.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

See the European Union chapter.

The SDPA has published non-binding guidelines on the key principles of the GDPR. These guidelines set out a number of measures that companies should take in order for their processing of personal data to be lawful. The guidelines set out the following points as key (though they include others):

(a) Inform the data subjects that their personal data is collected;

(b) Decide in advance what the personal data shall be used for, and do not use the personal data for other purposes;

(c) Do not collect more personal data than needed to fulfil the purpose for which the personal data was collected;

(d) Ensure that the personal data are correct and updated;

(e) Protect the personal data processed; and

(f) Erase personal data that is no longer necessary to process.

The SDPA has also included a checklist for companies to follow in order to be compliant with the GDPR.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Sweden? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

See the European Union chapter.

The SDPA has stated that it will not provide detailed instructions for controllers or processors on what security measures to take in order to comply with the security standards of the GDPR. However, it has provided non-binding guidelines on what security measures companies can take in order to fulfil the security standards of the GDPR. These guidelines should be treated as recommendations, rather than an exact statement of what is required in order to be compliant with the GDPR.


In its guidelines, the SDPA states:

(a) the controller (or, as applicable, the processor) must be aware of what personal data they process;

(b) transparency with regard to the processing of personal data (eg, communication with data subjects via a privacy policy) is key; and

(c) it is important to follow the rigorous requirements with regard to the keeping of documentation set out by the GDPR, and to continuously conduct impact assessments and perform vulnerability tests.

6.2 How are data breaches regulated in Sweden? What are the requirements for responding to data breaches?

See the European Union chapter.

The LEK contains requirements for providers of public electronic communications services to notify the supervisory authority about privacy incidents. The Swedish Post and Telecom Authority (“PTS”) is the supervisory authority with regard to the LEK. Chapter 6 Section 1 of the LEK defines a “privacy incident” as an event leading to unintentional or unauthorized destruction, loss or alteration, or unauthorized disclosure of or unauthorized access to information processed when offering public electronic communication services. If a privacy incident occurs, it must be reported to PTS. Under certain circumstances, for instance if the privacy incident may have negative effects for the users or subscribers, or on PTS’ request, users or subscribers must also be notified about the privacy incident.

PTS has identified that problems may arise in determining whether an incident should be reported as a privacy incident, and thus to the PTS, or as a personal data breach (as defined by the GDPR), and thus to the SDPA. Therefore, PTS has issued non-binding guidelines to help in making this distinction. As a general rule, an incident (if considered a personal data breach that must be reported) should be reported to the SDPA only if it should not be reported to the PTS pursuant to the provisions of the LEK, because of the LEK’s character as a lex specialis in relation to the GDPR.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

See the European Union chapter.

The Data Protection Act sets out a number of limitations to data subjects’ rights under the GDPR. For instance, GDPR Article 15 does not apply to personal data that had not yet reached its final form when the data subject submitted his/her request. This means that a controller is not obliged to include concepts, drafts or similar when fulfilling its obligations pursuant to GDPR Article 15. This exception comes with limitations, eg:

(a) if the personal data in question has been submitted to a third party,

(b) if it is processed for archive purposes of public interest or statistical purposes, or

(c) if the personal data has been processed for more than one year even though it has not been finalized.


In addition, the exception does not apply to texts intended to be changed or finalized on a continuous basis.

Furthermore, GDPR Articles 13-15 do not apply to personal data that the controller cannot disclose according to EU or Swedish law, such as the Public Access to Information and Secrecy Act. This follows from Chapter 5 Section 1 of the Data Protection Act.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

See the European Union chapter for privacy law obligations.

The Swedish Marketing Practices Act sets out provisions relevant for marketing via email, fax or telephone. According to Section 19 of the Marketing Practices Act, a trader may, when performing marketing measures towards natural persons, use email, fax or automatic calling devices, or any other similar automatic system for individual communication not operated by an individual, only if the natural person has given his/her prior consent. However, the Marketing Practices Act sets out exceptions to this general rule, meaning that consent is not always required.

If the trader has received the natural person’s electronic address for electronic mail in conjunction with the sale of the trader’s products, the consent requirement does not apply if the following conditions are fulfilled:

(a) the natural person has not objected to the use of the electronic address for the purpose of marketing via electronic mail;

(b) the marketing measure relates to the trader’s own similar products; and

(c) the natural person is clearly and explicitly given the opportunity to object, simply and without cost, to the use of such electronic address for marketing purposes, when the electronic address is collected as well as upon any subsequent marketing measure.

With regard to processing of personal data for direct marketing purposes, Swedish case law (although based on the repealed Personal Data Act) states that traders may send marketing messages to natural persons if there is an active relation between the organization and the natural person. Also following from case law, organizations may, at least as a general rule, process personal data for one year from the date on which the purpose for which the personal data was collected was fulfilled. It is notable that a trader may only process the personal data for specific purposes. For instance, the SDPA has stated that a retailer selling sporting gear may keep information about its customers in order to perform direct marketing measures aimed at the data subject with regard to the retailer’s similar products.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

See the European Union chapter with regard to processing of personal data.

When using tracking technologies, compliance with the LEK may be required. The LEK sets out provisions relevant for the use of cookies and other technologies where information is stored in or retrieved from terminal equipment.


Chapter 6 Section 18 of the LEK states that information may be stored in, or retrieved from, a subscriber’s or a user’s terminal equipment (eg, use of cookies) only if the subscriber/user is provided with access to information on the purposes for the processing and if they have given their consent to it. This does not apply to:

(a) the storage or retrieval necessary for the transmission of an electronic message via an electronic communications network, or

(b) storage or retrieval necessary to make available a service explicitly requested by the user or the subscriber.

The LEK does not give detailed information regarding how to give users or subscribers access to information and how to obtain a valid consent. However, the government bill which provides guidance to the LEK states that consent to the use of cookies may be given by the web-browser settings (eg, allowing cookies in the browser settings), although, beyond this, the government bill is silent on the matter of how a valid consent should be given under the LEK.

8.3 How are targeted advertising and behavioral advertising regulated from a privacy perspective?

See the European Union chapter.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

See the European Union chapter.

8.5 Are there specific privacy rules governing data brokers?

See the European Union chapter.

8.6 How is social media regulated from a privacy perspective?

See the European Union chapter.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

See the European Union chapter.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

See the European Union chapter.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

See the European Union chapter.


10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

See the European Union chapter.

10.2 Do individuals have a private right of action? What are the potential remedies?

See the European Union chapter.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Sweden which affect privacy?

The principle of public access to official records has been incorporated into the Freedom of the Press Act. The principle applies to public authorities. This means that any person (regardless of citizenship) has the right to study official records kept by a public authority.

The GDPR does not prevent personal data in public records from being transferred to an individual making a request to study an official record. If the public authority transfers the official record, which includes personal data, it must nevertheless comply with certain provisions of the GDPR. For instance, if the public record includes sensitive personal data, the public authority must take appropriate safeguards to compensate for the infringement the transfer means for the data subject.

In certain situations, the general marketing rules under the Marketing Practices Act could also apply to privacy-related matters. For instance, it has been argued that a breach of privacy could sometimes be considered as an unfair marketing measure, depending on the circumstances surrounding the breach.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

As is the case in many other Member States, a hot topic in Sweden is the draft ePrivacy Regulation. See the European Union chapter.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Sweden?

No.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

See the European Union chapter.

The SDPA has started to become more active in terms of issuing fines and conducting audits. During the first period after the entry into force of the GDPR, the SDPA was somewhat reluctant to issue fines as well as to perform audits. It is probable that the development of the SDPA will continue, which could mean that we will see an increasing number of fines and audits in the years to come.


12.2 What do you envision the privacy landscape will look like in 5 years?

See the European Union chapter.

In Sweden, as has been mentioned in question 12.1, we may see a more active SDPA in exercising its powers. Consequently, we may see more guiding judgments on complex privacy issues in the years to come.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

One of the challenges is to connect new technology, as well as companies with businesses involving such technology, to the privacy landscape.


PRIVACY LAW – GHANA

1 PRIVACY LAW

1.1 How is privacy regulated in Ghana?

Privacy is regulated by Acts of Parliament and by the 1992 Constitution of the Republic of Ghana.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

(a) The 1992 Constitution of Ghana contains principles that recognize and protect the right to privacy of its citizens. Article 18(2) of the 1992 Constitution of Ghana provides for the privacy of individuals and that this right should not be interfered with except in accordance with the law, and for public safety, economic wellbeing of the country, health or moral reasons, or for the prevention of crime and/or protection of others.

(b) Act 843, the Data Protection Act 2012 (“Data Protection Act”), is the principal Act which protects the privacy of the individual and personal data, and regulates the processing of personal information.

There are other laws which are sector-specific and impact data protection/privacy in Ghana. These include:

(c) Act 775, the Electronic Communications Act 2008 (as amended by Act 786, the Electronic Communications (Amendment) Act) (“Electronic Communications Act”); as well as

(d) the Electronic Communications Regulations 2011 (LI 1991) (“Electronic Communications Regulations”).

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

Privacy law is enforced by the Data Protection Commission (“DPC”), which is a body set up by the Data Protection Act for this purpose.

In addition, electronic communications are regulated by the National Communications Authority (“NCA”).

2 SCOPE

2.1 Which companies are subject to privacy law in Ghana?

The Data Protection Act provides that a data controller may not process personal data unless it has been registered under the Act. Such registration is renewable every 2 years.

A “data controller” is defined as a person who either alone, or jointly with other persons, or as a statutory duty, determines the purpose for, and the manner in which, personal data is processed or is to be processed.

Thus, any company that, as a statutory duty, determines the purpose for, and the manner in which, personal data is processed or is to be processed will be subject to privacy laws.


2.2 Does privacy law in Ghana apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

The Data Protection Act applies to persons/companies outside Ghana in the following circumstances:

(a) the data controller is established in Ghana and the data is processed in Ghana,

(b) the data controller is not established in Ghana, but uses equipment or a data processor carrying on business in Ghana to process the data, or

(c) processing is in respect of information which originates partly or wholly from Ghana.

All data processors are required to register with the DPC. Those not incorporated in Ghana must register as an external company.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Ghana?

The Data Protection Act defines “personal data” as data about an individual who can be identified either from the data, or from the data or other information in the possession of, or likely to come into the possession of, the data controller.

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

The Data Protection Act defines “special personal data” as personal data which consists of information that relates to:

(a) the race, colour, ethnic or tribal origin of the data subject;

(b) the political opinion of the data subject;

(c) the religious beliefs or other beliefs of a similar nature of the data subject;

(d) the physical, medical, mental health or mental condition or DNA of the data subject;

(e) the sexual orientation of the data subject;

(f) the commission or alleged commission of an offence by the individual; or

(g) proceedings for an offence committed or alleged to have been committed by the individual, the disposal of such proceedings or the sentence of any court in the proceedings.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

(a) Personal data should be processed without infringing the privacy rights of the data subject and should be done in a lawful and reasonable manner.

(b) Personal data may only be processed for a purpose that is necessary, relevant and not excessive.


(c) Consent of the data subject is required to process personal data, unless it is for the purpose of a contract, required by law, for the performance of a statutory duty or to protect the legitimate interest of the data subject or data controller.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

Yes. The Data Protection Act differentiates a data processor from a data controller as follows:

(a) A “data controller” is a person who either alone, or jointly with other persons, or as a statutory duty, determines the purpose or the manner in which personal data is processed or is to be processed.

(b) A “data processor” is any person other than an employee of the data controller who processes the data on behalf of the data controller.

The data controller bears the responsibility for the data that is being processed on its behalf, as it is the entity registered with the DPC and will be held liable in the event of a breach under the Data Protection Act.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

The Data Protection Act places an obligation on data controllers to register with the DPC before collecting or processing personal data, whether the entity is located in or outside of Ghana.

The DPC, in this instance, is a privacy authority. Registration with the DPC is renewable every two years. The Data Protection Act provides for the appointment of privacy officers and stipulates that personal data should not be retained for a period longer than is necessary to achieve the purpose for which the data was gathered.

In addition, the data controller must take steps to secure the integrity of personal data in its possession, and adopt measures to prevent loss of, or unauthorised access to, the data.

Furthermore, a data protection supervisor must be appointed, whose details must be entered at the point of registration with the DPC.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Ghana? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

Section 28 of the Data Protection Act provides for the security measures for protecting data. The data controller must adopt general practices and procedures, as well as specific industry rules and regulations, in order to secure the personal data it has gathered.


6.2 How are data breaches regulated in Ghana? What are the requirements for responding to data breaches?

The data controller must notify the DPC and the data subject of the unauthorised access or acquisition, where there are reasonable grounds to believe that the personal data of a data subject has been accessed or acquired by an unauthorised person, and take steps to ensure the restoration of the integrity of the information systems.

A person who fails to register as a data controller, but processes personal information, commits an offence and will be liable, on conviction, to a fine of not more than 200 penalty units (approx GHC 2,400 (US$432)), or a term of imprisonment of not more than two years, or both.

The DPC must investigate and look into complaints made by data subjects against a data controller with respect to processing data, and, where applicable, direct the data controller to take steps to remedy the situation or desist from the acts complained of.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

The data subject can refuse to consent to his/her data being processed and data must be sourced directly from the data subject. It may be sourced indirectly only if it is information already in the public domain or information for prosecution of an offence, conduct of a trial in court, or enforcement of a law which imposes pecuniary penalties or concerns revenue collection.

The data subject also has the right to complain in writing to the DPC where his/her rights are being breached under the Data Protection Act.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

Electronic communications are regulated by the Electronic Communications Act and the Electronic Communications Regulations.

The Electronic Communications Regulations provide for privacy and secrecy in electronic communications. Under the Regulations, persons other than the sender or intended recipient who steal, intercept, alter, divert or unlawfully disclose transmitted messages or data commit an offense and are liable on summary conviction to a fine of not more than 500 penalty units (approx GHC 6,000 (US$1,080)), or a term of imprisonment of not more than 5 years, or both.

Moreover, operators must employ international best practices in the industry to promote privacy, secrecy and security of communication and personal accounts/data related to subscribers. Anyone who breaches this is liable to a fine of not more than 500 penalty units, or a fine indicated in the person’s licence where higher.


8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

The Data Protection Act is silent on tracking technology.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

The Electronic Communications Regulations provide that a person who wishes to send unsolicited communications for direct marketing by a call, email or text message must first obtain the consent of the subscriber. The communication must include the name and contact details of the sender where it can be reached free of charge. Where the unsolicited communication is by means of an email, the sender must ensure that its identity is not concealed and must provide a valid address to which the subscriber can request the person to desist from sending such messages.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

The Data Protection Act provides that the data subject’s prior written consent must be sought and obtained before the data can be obtained or provided for the purposes of direct marketing. It also gives the data subject the right to give notice in writing to the data controller that it should not process his personal data for the purpose of direct marketing.

8.5 Are there specific privacy rules governing data brokers?

The Data Protection Act is silent on data brokers.

8.6 How is social media regulated from a privacy perspective?

Though the Data Protection Act does not specifically provide for privacy with respect to social media, Section 40(4) states that direct marketing includes the communication by whatever means of any advertising or marketing material which is directed to particular individuals.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

Loyalty programmes and promotions are regulated by the Gaming Commission which is created and regulated by the Gaming Act 2006 (Act 721).

This Act sets guidelines for running promotional and loyalty programmes in Ghana and categorizes those that need to be registered or not by the Gaming Commission before they can take place.

Under the Gaming Act, games of chance must be licenced by the Gaming Commission. However, games of chance incidental to certain entertainment, such as a fete or bazaar, and those promoted by a society if limited to its members, are exempted from the need for licenses as long as they comply with certain provisions.

Sanctions for the breach of the Gaming Act include various terms of imprisonment and fines ranging between 250 and 1,000 penalty units (approx GHC 3,000–12,000 (US$540–2,160)).


9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

Section 25 of the Data Protection Act states:

“(1) Where a data controller holds personal data collected in connection with a specific purpose, further processing of the personal data shall be for that specific purpose.

(2) A person who processes data shall take into account:

(a) the relationship between the purpose of the intended further processing and the purpose for which the data was collected,

(b) the nature of the data concerned,

(c) the manner in which the data has been collected,

(d) the consequences that the further processing is likely to have for the data subject, and

(e) the contractual rights and obligations between the data subject and the person who processes the data.

(3) The further processing of data is considered to be compatible with the purpose of collection where:

(a) the data subject consents to the further processing of the information,

(b) the data is publicly available or has been made public by the person concerned…”

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

Companies should be mindful of Section 25 of the Data Protection Act, as well as the need to also notify the data subject and obtain his/her consent where needed before utilising the data gathered.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

Penalties for offences committed under the Data Protection Act include, amongst others:

(a) for failing to register as a data controller but engaging in processing of personal data: a fine of not more than 250 penalty units (approx GHC 3,000 (US$540)), or a term of imprisonment of 2 years, or both;

(b) for purchasing or knowingly obtaining or disclosing personal data to another person: a fine of not more than 250 penalty units, or a term of imprisonment of 2 years, or both;

(c) for sale of personal data: a fine of not more than 2,500 penalty units (approx GHC 30,000 (US$5,400)), or a term of imprisonment of not more than 5 years, or both; and

(d) for all offenses for which the Act does not specify the penalty: a fine of not more than 5,000 penalty units (approx GHC 60,000 (US$10,800)), or a term of imprisonment of not more than 10 years, or both.


10.2 Do individuals have a private right of action? What are the potential remedies?

The 1992 Constitution of Ghana contains principles that recognize and protect the right to privacy of its citizens.

Article 18(2) of the Constitution provides for the privacy of individuals and that this right should not be interfered with except in accordance with the law and for public safety, economic wellbeing of the country, health or moral reasons, or for the prevention of crime or protection of others.

The Constitution also provides that where the fundamental rights as provided for in the Constitution are breached, the affected person may approach the high court for redress.

Section 39(1) of the Data Protection Act states that “An individual shall at any time by notice in writing to a data controller require the data controller to cease or not begin processing for a specified purpose or in a specified manner, personal data which causes or is likely to cause unwarranted damage or distress to the individual.”

Furthermore, Section 43 of the Data Protection Act provides that where an individual suffers damage or distress through the contravention by a data controller of the requirements of the Act, that individual is entitled to compensation from the data controller for the damage or distress.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Ghana which affect privacy?

We are not aware that any such rules exist at this time.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

There is a Bill proposed for the regulation of Advertising in Ghana. The Bill is currently before Parliament. Once passed, it will be the major law regulating advertising in Ghana.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Ghana?

Personal data processed by an individual for the purpose of that individual’s personal, family or household affairs is exempted from the data protection principles, as is personal data which consists of a reference given in confidence by the data controller for the purpose of education, training, employment, or appointment to an office of the data subject, or provision of any service by the data subject.

The processing of personal data is also exempt from the provisions of the Data Protection Act if it is for the purpose of public order, safety, morality or national security.

The Act also does not apply to the processing of personal data for the protection of members of the public against loss or malpractice in the provision of banking, insurance, investment or other financial services, or against dishonesty in the provision of professional services, or where the processing is for the discharge of a function conferred under an enactment on the Parliament of the government or for healthcare or disease prevention etc.


12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

The introduction of the Data Protection Act has created the DPC, which is actively regulating the collation, use and dissemination of data in Ghana. Thus, people are more aware of the issues surrounding data protection and privacy in Ghana. Also, the existence of a regulator which can prosecute offenders serves as a deterrent for violation of privacy and tends to reduce such incidences.

12.2 What do you envision the privacy landscape will look like in 5 years?

Due to the advance of technology, there may be greater challenges in ensuring the security and privacy of personal data across the globe, and this may trigger changes in the regulations of privacy across the world to deal with such challenges.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

A major challenge will be securing data that has been gathered from hackers or unauthorised users, due to the advent of technology.


PRIVACY LAW – GUATEMALA

1 PRIVACY LAW

1.1 How is privacy regulated in Guatemala?

Currently, Guatemala lacks data privacy specific legislation; therefore, there are no regulations detailing matters such as how data can be collected, legally processed, transferred and enforced. However, there is a specific law regarding access to public information, which, among other matters, covers personal data contained in public archives or records.

Instead, data privacy protection is based on the Constitution, under which the right to privacy is acknowledged. The Constitutional Court has issued decisions covering the right to privacy, interpreting the extension of such right. The Court has applied the principle to informed self-determination and access to databases, in which personal information is contained.

The Public Information Access Law, Decree 57-2008 of Congress, contains a specific chapter “Habeas Data”, defining this as the guarantee that every person has to exercise the right to know what is recorded about him/her in public records, and the purpose for which such data is used, as well as to exercise the right to protect, update, amend or rectify such data. Decree 57-2008 applies to public entities or entities that manage public funds and/or have competence in public administration.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

The following are the key laws regulating privacy in Guatemala:

(a) Political Constitution of the Republic of Guatemala;

(b) Public Information Access Law, Decree 57-2008 of Congress; and

(c) Criminal Code, Decree 17-73 of Congress.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

Privacy is enforced through tribunals via constitutional actions, in particular the “amparo” action. Depending on the infringement, there are administrative, civil and criminal procedures that could be initiated, since, under the current legal framework, there is no privacy regulator nor self-regulatory bodies.

Since the right to privacy is a human right, individuals can also seek legal support through the human rights ombudsman, in order to obtain protection regarding personal data and privacy.

2 SCOPE

2.1 Which companies are subject to privacy law in Guatemala?

All companies are subject to privacy provisions contained in the Constitution and are subject to the jurisprudence that emanates from the Constitutional Court. Although the “amparo” is a personal action, principles stated by the Constitutional Court when interpreting the Constitution may be of general application.


As previously expressed, lack of specific regulations makes for a domestic private environment that fails to provide any guidance as to specific practices, management and protection of personal data. Other than the provisions contained in Decree 57-2008, under the “Habeas Data” chapter, there are few applicable regulations.

2.2 Does privacy law in Guatemala apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

Law and jurisprudence apply territorially (that is, locally), but apply to both national and non-national companies operating in Guatemala.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Guatemala?

Under Decree 57-2008, “personal information”/“personal data” is any information related to an identified or identifiable natural person.

Additionally, the Constitutional Court has stated that “personal data” should be considered as being all data that allows the identification of a person and enables the determination of his/her identity (eg, from an identification number to, among others, physical, social, cultural, and economic characteristics of such person).

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

The only law that provides for such a classification is Decree 57-2008, which distinguishes between personal data and sensitive information. “Sensitive information” includes:

(a) physical characteristics;

(b) moral characteristics;

(c) facts or circumstances of one’s private life or activities, such as habits, racial origin, ethnicity, political ideologies and opinions, beliefs or religious convictions;

(d) state of physical or mental health;

(e) sexual orientation; and

(f) moral and family situations and other intimate issues of similar nature.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

Following the interpretation that the Constitutional Court has given to the matter, the principles to be considered by any company for processing personal information are:

(a) to obtain the explicit consent of the data subject;

(b) not to commercialize the data without authorization from the data subject;


(c) to guarantee to the data subject: (i) the right to consult his/her data, (ii) the right to correct his/her data, (iii) confidentiality, unless the data subject has given express authorization for the data to be used in specific ways.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

No, due to the lack of a specific privacy law in the country, roles applicable to the processing of personal data are not defined. The recommendation is for companies to deal with it contractually, considering best practices.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

Lack of a specific law means that a list of key obligations cannot be given. However, decisions from the Constitutional Court refer to principles to be considered by any company for processing personal information, namely:

(a) to obtain the explicit consent of the data subject;

(b) not to commercialize the data without authorization from the data subject;

(c) to guarantee to the data subject: (i) the right to consult his/her data, (ii) the right to correct his/her data, (iii) confidentiality, unless the data subject has given express authorization for the data to be used in specific ways.

As regards personal data in advertising, this cannot be used without the express authorization of the data subject.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Guatemala? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

Under the section titled “Habeas Data” of Decree 57-2008, those holding the personal data of others are obliged to adopt proper measures to guarantee the security, confidentiality of personal data and avoid its alteration, loss and unauthorized use.


Personal data security in general is subject to civil law, particularly as regards any breach of a data recipient’s responsibilities and any damages that could result from it; therefore, companies should consider contractual wording in order to define the scope of their liabilities.

6.2 How are data breaches regulated in Guatemala? What are the requirements for responding to data breaches?

There is no specific regulation to address data breaches; this means there are no mandatory requirements or procedures to comply with in response to the unauthorized use of the data by a data recipient, or to inform the data recipient of data breaches. Notwithstanding the above, it is highly recommendable for any company to set up a protocol to be implemented in response to data breaches.

The Criminal Code regulates specific crimes regarding data security breaches, such as:

(a) deletion of databases,

(b) creation of prohibited records,

(c) unauthorized alteration of the information contained in the databases and

(d) unauthorized use of data.

Decree 57-2008 also regulates specific crimes regarding data security breaches, namely:

(e) the unauthorized commercialization of personal data,

(f) the unauthorized alteration or destruction of information contained in archives,

(g) the unjustified retention of information and

(h) the disclosure of confidential information.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

The Constitutional Court of Guatemala has established that the rights of the individual in relation to his/her personal data are:

(a) the right to consult his/her data;

(b) the right to correct his/her data;

(c) the right to confidentiality of certain information from any unauthorized third party;

(d) the right to have certain information excluded that may be considered extremely sensitive where it is the product of news or data that concerns only the interested party; and

(e) the right that commercialization of his/her personal data be done only with his/her express authorization.


8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

Marketing communications are not specifically regulated in Guatemala. Therefore, the content of communications should observe the different regulations that are disseminated in different laws. Although currently this is not a regulated practice, companies should at least consider that individuals should have the right to request the cessation of email marketing and push notifications.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

The use of tracking technologies is not regulated in Guatemala. However, based on the decisions of the Constitutional Court, people are entitled to be informed how information and activity online is tracked, registered or controlled.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

These kinds of publicity are not specifically regulated. Nevertheless, the Constitutional Court decisions make it clear that giving of information and obtaining consent are key. The main principles that companies should observe are:

(a) to obtain explicit consent;

(b) not to commercialize the data without authorization from the data subject;

(c) to guarantee to the data subject: (i) the right to consult his/her data, (ii) the right to correct his/her data, and (iii) confidentiality, unless there is express authorization from the data subject for the data to be used in specific ways.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

There is no specific regulation regarding this topic. Nevertheless, the Constitutional Court of Guatemala has ruled that the use of any personal data needs express consent from the data subject. Therefore, following the above said, the other principles also apply, meaning that all data subjects have the right:

(a) to know the content of his/her personal data; and

(b) to have guaranteed the right to consult and correct his/her data and the right of confidentiality in the customer matching process.

8.5 Are there specific privacy rules governing data brokers?

There are no specific privacy rules that govern data brokers. However, the Constitutional Court of Guatemala has ruled in respect of this matter. Data brokers, in order to gather, disseminate and commercialize personal data, must observe the following requirements:


(a) The collection of any personal data needs to have a defined purpose, and it must be collected in a legal and voluntary manner from the data subject.

(b) Express consent of the data subject is required for use of any personal data; such use needs to be compatible with the purpose for which the data was collected.

(c) Adequate mechanisms of control must be in place for: (i) the data broker to determine the veracity of the data; (ii) the data broker to be able to update the data under its sole responsibility; and (iii) the data subject to have the right to rectify the data.

8.6 How is social media regulated from a privacy perspective?

There are no specific laws regulating social media. Nonetheless, the Constitutional Court has stated considerations relating to data privacy, particularly considerations as to data privacy and right of intimacy and explicit consent. In this regard, the Court has stated that:

(a) The collection of any personal data must have a defined purpose, and data must be collected in a legal and voluntary manner from the data subject.

(b) Express consent of the data subject is required for use of any personal data; such use needs to be compatible with the purpose for which the data was collected.

(c) Those who register and use personal information must implement adequate mechanisms of control for: (i) the recipient to determine the veracity of the data; (ii) the recipient to be able to update the data under its sole responsibility; and (iii) the data subject to have the right to rectify the data.

Additionally, companies or any person that interacts with personal data in social media must be aware that slander is punished under the Criminal Code.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

Loyalty programs and promotions are not specifically regulated. However, companies must not only provide proper and clear information when collecting data and state the uses to which they intend to put it, but also obtain an explicit consent from the data subject.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

The requirements that must be observed for data transfer are the same as those that data brokers or data recipients must observe. See, eg, question 8.5.


9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

Companies must observe the requirements imposed by the Constitutional Court (see, eg, question 8.5). In addition, data recipients that transfer data must secure, in any way (ie, a contract), that the entity receiving the data uses it subject to the same restraints.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

(a) The Criminal Code stipulates the following penalties:

(i) Destruction of database: Prison term of between 6 months and 4 years and a fine of Q200.00–Q2,000.00.

(ii) Creation of prohibited records: Prison term of between 6 months and 4 years and a fine of Q200.00–Q1,000.00.

(iii) Unauthorized alteration of information contained in databases: Prison term of between 1 and 5 years and a fine of Q500.00–Q3,000.00.

(iv) Unauthorized use of data: Prison term of between 6 months and 2 years and a fine of Q200.00–Q1,000.00.

(v) Slander: Prison term of between 2 and 5 years.

(b) As mentioned, Decree 57-2008 of Congress also contains certain crimes for which sanctions are:

(i) Unauthorized commercialization of personal data: Prison term of between 5 and 8 years and a fine of Q50,000.00–Q100,000.00.

(ii) Alteration or destruction of information contained in archives: Prison term of between 5 and 8 years and a fine of Q50,000.00–Q100,000.00.

(iii) Unjustified retention of information: Prison term of between 1 and 3 years and disqualification for twice the prison time and a fine of Q10,000.00–Q50,000.00.

(iv) Disclosure of confidential information: Prison term of between 5 and 8 years and disqualification for twice the prison time and a fine of Q50,000.00–Q100,000.00.

10.2 Do individuals have a private right of action? What are the potential remedies?

Yes, the affected individuals have the “amparo” action. The potential remedy is to stop the action that is infringing their rights.

Individuals also have the possibility of bringing a criminal action for the specific crimes contained in the Criminal Code and Decree 57-2008 (see question 10.1). Another possibility could be to bring a civil action, which might be exercised as a consequence of the criminal procedures or exercised independently. In either case, the potential remedy is damages.


11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Guatemala which affect privacy?

At the moment, the decisions of the Constitutional Court are the only reliable rules that can be used as a reference in privacy matters; however, these decisions may be limited in certain cases, as these were applied to specific cases that all followed “amparo” actions in which particular facts were observed. Therefore, it is essential that best practices, protocols and contractual wording between parties to build and protect data privacy are drawn up. Guatemala is still at an early stage in privacy matters, but we are optimistic that a data protection law will be enacted by Congress in the near future.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

Companies need to be aware that the draft bill regarding personal data protection may be enacted. This draft bill contains, among other things:

(a) a definition of personal data and sensitive personal data,

(b) the principles for the treatment of personal data,

(c) the rights of the data subject,

(d) the scope of consent,

(e) the definition and obligations of the data recipient,

(f) the conditions for the transfer and deletion of the data,

(g) the regulatory bodies, procedures and sanctions.

In brief, this draft bill will give clarity about the matters that only the Constitutional Court has pronounced nowadays.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Guatemala?

We have no specific additional advice, but would reiterate that lack of legislation does not imply freedom of action; thus, appropriate notices, information and explicit consent are advisable for companies in order to properly document and manage data of third parties and share or transfer it to others. Work based on best practices is highly recommended.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

This matter has taken on more and more relevance with time. Individuals have become more aware of the value of their personal data, and of their right to exercise and demand privacy. The use of particular data brokers has led to situations that propelled individuals to seek protection via “amparo” action. In this sense, the Constitutional Court has recognized the right to data privacy, right of intimacy and explicit consent and has stipulated fixed requirements that data recipients must observe (see earlier questions).


12.2 What do you envision the privacy landscape will look like in 5 years?

We envision that the Constitutional Court will issue an exhortative decision, in which it encourages Congress to issue a specific law on data privacy. Such specific law could be the draft bill that has been before Congress since 2009.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

Companies must properly monitor how data is obtained and managed in order to secure a balance in the legal system between a lack of a specific law and the implementation of reasonable and appropriate documents for the use of the personal data, relying on best practices.

Additionally, they will always have to double check agreements that they make with other companies, to ensure that these other companies observe the same parameters of protection and security.


PRIVACY LAW – HONDURAS

1 PRIVACY LAW

1.1 How is privacy regulated in Honduras?

There is no specific law to regulate privacy for Honduras. Laws, such as the Consumer Protection Law, and some others regarding how government officials/institutions must handle information for clinical trials, industrial patents and other related matters, give a very small regulatory framework on the matter.

In practice, companies tend to apply international standards for data privacy as best they can, in order to be able to commercialize/operate in regional markets; however, these regulations are not enforced in Honduras.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

The key law would be the Consumer Protection Law, which, very broadly, touches on how companies must manage the information given to them by consumers, if consumer databases are managed by a company.

The Financial System Law also briefly states that companies in the same group can freely share information about consumers/clients amongst their group companies.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

The Direction for Consumer Protection Office, which is managed by the Honduran Economic Development Ministry, is the body where consumers can file complaints against companies for any mismanagement of information.

Some government agencies have internal regulations which set out what information is considered sensitive or private, the precautions that must be taken in order to protect such information, and the consequences of any breaches.

2 SCOPE

2.1 Which companies are subject to privacy law in Honduras?

As Consumer Protection is the main regulatory framework, all companies who sell products directly to end-consumers are subject to privacy law.

2.2 Does privacy law in Honduras apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

No.


3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Honduras?

The Consumer Protection Law briefly states that companies may not sell or use consumer information for financial purposes, but can share databases with each other. There is no distinction between what information is sensitive and what is not.

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

The Honduran regulatory framework does not make a distinction on what can be considered sensitive information.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

Certain specific sectors are required to provide all required information, including private information, to their regulatory bodies. For example, financial institutions are obligated to provide any and all required information to the National Banking and Insurance Board.

Other than that, there are no specific principles that companies are required to follow. In practice, international standards of transparency and choice are used by regional and international companies that operate in the country.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

No.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

There are no obligations on the handling of information of clients/consumers. What Honduran law regulates is the period of time for which companies must maintain information on ad campaigns in their files and have hot-lines for consumer complaints for their ads. There are also regulations forbidding advertising that targets competition.


6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Honduras? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

A law has recently been approved to regulate data security in companies which offer an electronic/digital signature service. There are minimum technical requirements for companies who offer these services, which are reviewed from time to time by the Intellectual Property office in Honduras. Currently only two companies are certified to provide this service in Honduras.

6.2 How are data breaches regulated in Honduras? What are the requirements for responding to data breaches?

Data breaches are not yet regulated.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

The Honduran Constitution recognizes that everyone has the right to access information about themselves or their assets in an expeditious and free manner, whether such information is contained in public or private databases, and has the right, if necessary, to update, rectify and/or amend it.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

Marketing communications are not regulated from a privacy perspective. Financial system laws only regulate the time periods during which companies can contact clients.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

Tracking technologies are not regulated from a privacy perspective.

8.3 How are targeted advertising and behavioral advertising regulated from a privacy perspective?

Targeted advertising and behavioral advertising are not regulated from a privacy perspective.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

The sharing of data with third parties for customer matching is not regulated.

8.5 Are there specific privacy rules governing data brokers?

No.


8.6 How is social media regulated from a privacy perspective?

Social media is not regulated from a privacy perspective.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

Companies are allowed to collect consumer information during promotions or loyalty programs; however, there are no regulations on how this information is to be stored.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

Group companies can transfer data freely amongst themselves. There are no regulations on data transfer outside the country.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

No.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

If a breach/leak of private information can be traced to a company, and this causes damage to the party whose information has been breached, the affected party can file civil and criminal charges.

If the breach is covered by the Consumer Protection Law, it is punishable by fines from US$400 to US$4,000,000, depending on the severity and recurrence of the breach.

10.2 Do individuals have a private right of action? What are the potential remedies?

Everyone has the right to access information about themselves or their assets in an expeditious and free manner, whether it is contained in public or private databases, and has the right, if necessary, to update, rectify and/or amend it.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Honduras which affect privacy?

Privacy is only beginning to be a subject of relevance in Honduras; thus, rules governing it stem from international practices and regulations rather than from within the country.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

A bill for regulating data protection has been brought before Congress. This received a lot of attention in 2017 but this dwindled at the end of 2018. Congress is expected to pick it back up in 2020. See question 11.3.


Additionally, data security is becoming very important in Honduras because of electronic communications, signatures and online banking.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Honduras?

The Bill in Congress for data protection uses the international minimum standards for privacy, which many local companies do not yet comply with. Many companies will need to get up to speed and meet the international minimum standards to avoid sanctions and penalties in the future.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

Globalization and regional efforts have had a big impact. Companies are expecting to manage most of their business on online platforms, which will push them to require regulations on data security and how companies who provide cloud services must manage the information. We are already seeing this with the electronic signature regulation and implementation (see question 6.1).

12.2 What do you envision the privacy landscape will look like in 5 years?

In five years, the country will hopefully have a specific regulatory framework for privacy and data security, not only in advertising, but for consumers, patients, clients, etc.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

There aren't many challenges now, as there is little to no regulation. Challenges are going to come to companies accustomed to the current landscape, which will have to adapt to the implementation of new regulation in the country.


PRIVACY LAW – HONG KONG

1 PRIVACY LAW

1.1 How is privacy regulated in Hong Kong?

Privacy per se is not protected in Hong Kong. The tort of “breach of privacy” established by the High Court of England and Wales in the case of Mosley v News of the World Newspaper in 2008 may possibly be taken as a persuasive authority for a similar action in the Hong Kong courts—something which has not yet happened.

Article 17 of the International Covenant for Protection of Rights was imposed on the Hong Kong SAR by Article 39 of the Basic Law of China for Hong Kong and establishes a positive duty to protect the right of privacy. It is clearly difficult, if not impossible, to define the parameters of the right of privacy in precise terms, but it is clear that the common law does recognize the intrusion upon privacy of a person who can show the commission of an established tort such as breach of confidence. Here the victim has a cause of action which can effectively operate to set up a separate and conjoined right established on the same facts, but which is subsumed to constitute the tort of breach of confidence which is recognized by the courts.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

There are no laws in Hong Kong regulating privacy per se. The essential foundation of Hong Kong’s social structure has always been total freedom of expression and it has always been anathema to seek to impose control on this.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

There is no statutory machinery to enforce privacy.

2 SCOPE

2.1 Which companies are subject to privacy law in Hong Kong?

Neither companies nor individuals are subject to privacy law per se.

2.2 Does privacy law in Hong Kong apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

There is no privacy law in Hong Kong which applies to companies outside Hong Kong.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Hong Kong?

The Personal Data (Privacy) Ordinance (“PDPO”), which was enacted in 1996, is the first statutory law in Hong Kong aimed at protecting the privacy of individuals in relation to personal data, and at providing for matters incidental thereto or connected therewith.


Pursuant to the PDPO, “Personal Data” means any data (itself defined as any representation of information (including an expression of opinion) in any document and includes a personal identifier):

(a) relating directly or indirectly to a living individual;

(b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and

(c) in a form in which access to or processing of the data is practicable.

This definition is commonly interpreted to include the Hong Kong identity card number of a data subject, and is arguably extendible to such representations of information as biometric measurement such as iris or gait (the way you walk).

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

Biometric, health, video, geo-location and financial data and data relating to children represent the categories of personal data subject to the protection of the PDPO.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

There are six data protection principles (“DPPs”) scheduled to the PDPO which are:

(a) DPP1: purpose and manner of collection;

(b) DPP2: accuracy and duration of retention (see further question 6.1(a));

(c) DPP3: use of data;

(d) DPP4: data security (see further question 6.1(b));

(e) DPP5: openness and transparency (see further question 5.1(a)); and

(f) DPP6: access and correction (see further question 7.1(b)).

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

In relation to personal data, the PDPO defines:

(a) “data user” as a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data;

(b) “data subject” as the individual who is the subject of the data; and

(c) “data processor” as a third party to whom all activities involving personal data are subcontracted by the data user.

Under the PDPO there is no direct connection between the data subject and the data processor but the PDPO requires that the data user must enter into a stringent contractual relationship with the data processor requiring the data processor to observe all relevant aspects of the PDPO in the processing of the personal data by the data processor for and on behalf of the data user.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

(a) DPP5 requires that all practicable steps be taken to ensure that a person can ascertain a data user’s policies and practices in relation to personal data. This data principle is normally honored and observed by the publication by the data user of a Personal Information Collection Statement and a Privacy Policy Statement.

(b) The PDPO (originally enacted in 1996) is much less extensive in its requirements relating to personal data privacy than the 2016 GDPR of the European Union. Accordingly, there is currently no requirement in Hong Kong to appoint a privacy officer, nor to register with the Commissioner, nor to conduct risk impact assessments, although voluntary compliance with such precepts would likely merit commendation by the Commissioner.

(c) The duty of keeping secure records of data processing operations is imposed by DPP4 (see question 6.1(b)).

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Hong Kong? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

(a) Under DPP2, all practicable steps must be taken by the data user to ensure that personal data is accurate having regard to the use purpose (including any directly related purpose) for which the personal data is or is to be used.

All practicable steps must be taken to ensure that the personal data is not kept longer than is necessary for the fulfilment of the purpose (including any directly related purpose) for which the data is or is to be used and, as stated in question 4.1 above, where the data user engages a data processor whether inside or outside Hong Kong the data user must adopt contractual or other means to prevent any personal data transferred to the data processor from being kept longer than is necessary for processing of the data and in this principle “data processor” means a person who: (i) processes personal data on behalf of another person; and (ii) does not process the data for any of the person’s own purposes.

(b) DPP4 requires that the data user shall take all practicable steps to ensure that personal data (including data in a form in which access to or processing of the data is not practicable) held by a data user are protected against unauthorized or accidental access, processing, erasure, loss or use having particular regard to the kind of data, the physical location of storage of the data, security measures incorporated into any equipment of storage of the data and any measures taken for ensuring the integrity, prudence and competence of persons having access to the data and any measures taken for ensuring the secure transmission of the data.


Where a data user engages a data processor whether within or outside Hong Kong to process personal data on behalf of the data user, the data user must adopt contractual or other means to prevent unauthorized or accidental access, processing, erasure, loss or use of the data transferred to the data processor for processing.

6.2 How are data breaches regulated in Hong Kong? What are the requirements for responding to data breaches?

An individual, or a relevant person on behalf of an individual, may make a complaint to the Personal Data Privacy Commissioner (“the Commissioner”) about an act or practice:

(a) specified in the complaint; and

(b) which:

(i) has been done or engaged in or is being done or engaged in, as the case may be, by a data user specified in the complaint;

(ii) relates to personal data of which the individual is or, in any case in which the data user is relying upon an exemption under the Ordinance, may be, the data subject; and

(iii) may be a contravention of a requirement under the PDPO.

A complaint must be in writing in Chinese or English, but the Commissioner is empowered to accept a complaint in another form.

Before the Commissioner carries out an investigation into the complaint, he must serve notice in writing on the relevant data user informing the data user of his intention to carry out the inspection or investigation as the case may be. The PDPO empowers the Commissioner for the purposes of an inspection to enter premises and carry out investigations. The Commissioner also has the power, for the purposes of any investigation, to carry out a hearing. Counsel and solicitors do not have right of audience, although they may appear if the Commissioner thinks fit.

Where the Commissioner has completed an inspection, he must inform the relevant data user of the result of the inspection and of any recommendations which he may make arising from the inspection. He may also publish a report setting out his recommendations in such manner as he thinks fit.

Where, following completion of an investigation, the Commissioner is of the opinion that the relevant data user is contravening a requirement under the PDPO, he may serve a written notice on the data user directing him to remedy and, if appropriate, prevent any recurrence of the contravention. An enforcement notice must:

• state that the Commissioner is of the opinion that there has been contravention of the PDPO by the data user;

• give his reasons for his opinion; and

• specify the requirement of the PDPO which in the opinion of the Commissioner is being contravened.

A data user who contravenes an enforcement notice commits an offence and is liable to a fine and to imprisonment for 2 years.


7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

(a) DPP5 requires that all practicable steps must be taken to ensure that a person can ascertain a data user’s policies and practices in relation to personal data. This data principle is normally honored and observed by the publication by the data user of a Personal Information Collection Statement and a Privacy Policy Statement.

(b) DPP6 provides that a data subject is entitled to find out whether a data user holds personal data of that data subject and is entitled to request access to the personal data within a reasonable time, at a fee that is not excessive, in a reasonable manner and in a form that is intelligible. If the request is refused, the data subject must be given reasons.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

(a) Direct Marketing by data user

The PDPO requires that a data user intending to use direct marketing means (ie, by mail, fax, email or other means of communication, or by telephone calls to specific persons—and not at large) must:

(i) inform the data subject that:

• the data user has the intention of using his/her personal data for direct marketing;

• it may not use the personal data without his/her consent; and

(ii) provide him/her with details of:

• the kinds of personal data to be used in the direct marketing; and

• the classes of marketing subjects.

This must be done in sufficient detail to enable a practicable access by the data subject to ascertain the goods, facilities or services to be marketed with a reasonable degree of certainty.

(iii) provide the data subject with details of a channel through which the data subject may, without charge by the data user, communicate consent to the intended use of the personal data.

After the required notification to the data subject, the data user must obtain the voluntary, explicit consent (which can be oral) of the data subject to the detailed communicated intention of use of the personal data in all messages of direct marketing.

If the consent has been given orally, the data user has 14 days from receiving the oral consent to send a written confirmation to the data subject confirming the date of the receipt of the oral consent, the permitted kind of personal data and the permitted class of marketing subjects, and it is required that the use to be made by the data user must be consistent with the consent of the data subject.


(b) Provision of personal data by the data user to a third party for direct marketing by that third party

A data user who intends to provide the personal data of a data subject to a third person for use by that third person in direct marketing must:

(i) inform the data subject in writing:

• of that intention; and

• that it may not provide the data without his/her written consent.

(ii) provide him/her with the following written information:

• confirmation that the data user is to provide the data for gain,

• the kinds of personal data to be provided,

• the classes of persons to which the personal data is to be provided, and

• the classes of marketing subjects in relation to which the personal data is to be used; and

(iii) provide the data subject with a channel through which the data subject may communicate his/her consent in writing without charge by the data user.

Unless the data user has complied with the above requirements and has received the written consent of the data subject either generally or selectively to the intended provision of the personal data, the data user cannot provide the data subject’s personal data to a third party for use by that third party in direct marketing.

A data subject who has been provided with information by a data user may, at any time, require the data user to cease to provide his/her personal data to any other person for use by that other person, and require the data user to notify any person to whom the data has been so provided to cease the use of the data in direct marketing.

The consent or the written consent of the data subject (as required by (a) or (b) above) may be given by way of:

• a general blanket consent by the data subject to the data user to the use of or the transfer of his/her personal data in respect of all kinds of personal data or all classes of marketing subjects as specified in the consent; or

• an express selection of a choice by the data subject to provide consent to some or all in the categories of:

o the kinds of personal data held by the data user;

o the classes of the full range of marketing subjects offered by the data user; and

o the intended class of transferees for use of the personal data in direct marketing.

Silence does not constitute consent, but a data subject can refuse to give any consent.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

There is no regulation of tracking technologies from a privacy perspective.


8.3 How are targeted advertising and behavioral advertising regulated from a privacy perspective?

Targeted advertisement, being direct marketing, is governed by the PDPO (see question 8.1).

Under the PDPO a data subject may at any time require a data user to cease to use his/her personal data in direct marketing. Upon receipt of such notification a data user must, without charge to the data subject, cease to use the personal data concerned. Where the opt-out choice is expressed orally by the data subject, the data user must follow up to comply with the requirement.

While the PDPO regulates direct marketing by any means to a data subject, the Unsolicited Electronic Messages Ordinance (“UEMO”), administered by the Communications Authority of the Government of the Hong Kong SAR, regulates the sending of commercial electronic messages with a Hong Kong link. A “commercial electronic message” is defined as a message sent to an electronic mail address whose purpose (or one of the purposes of which) is:

• to offer to supply goods, services, facilities, land or an interest in land;

• to offer to provide a business opportunity or an investment opportunity;

• to advertise or promote goods, services, facilities, land or an interest in land;

• to advertise or promote a business opportunity or an investment opportunity;

• to advertise or promote a supplier, or a prospective supplier, of goods, services, facilities, land or an interest in land; or

• to advertise or promote a provider, or a prospective provider, of a business opportunity or an investment opportunity,

in the course of or in furtherance of business.

There is a “Hong Kong link” if the message:

• originates in Hong Kong;

• is sent to Hong Kong;

• is sent to a Hong Kong telephone or fax number;

• is sent to a telecommunications device in Hong Kong that is used to access the message; or

• is sent to an electronic address that is allocated or assigned by the Communications Authority.

The restriction of the definition to a Hong Kong link recognizes the impossibility of including coverage and application to email sent to an address overseas to Hong Kong because there is no international protocol for dealing with such messages.

The UEMO is technology neutral and covers all types of commercial electronic messages irrespective of the technology used by the senders. If the message is an email, all sender information should be prominently displayed either at the top, or at the bottom, of the body of the email message and be reasonably visible in terms of the font size, position and contrast/color.

The sender of an electronic message with a Hong Kong link is required to obtain the consent of the addressees, which may be given and withdrawn by means of an electronic message or in any other manner. It is safer to require and rely upon written consent or written withdrawal for the giving or withdrawal of such consent. If a person other than the registered user of an electronic address uses the relevant account to send an electronic message about consent or about the withdrawal of consent, that person shall be treated as having been authorized to send that message on behalf of the registered user.


No person may acquire or supply or offer to supply the following to another person for use in connection with, or to facilitate, the sending of commercial electronic messages that have a Hong Kong link without the consent of the registered user of the electronic address to which they are sent:

• address harvesting software,

• a right to use address harvesting software,

• a harvested address list, or

• a right to use a harvested address list.

Nor may a person use address harvesting software or a harvested address list in connection with, or to facilitate, the sending of commercial electronic messages that have a Hong Kong link without the consent of the registered users of the electronic addresses to which they are sent.

A person to whom an unsubscribe request is sent must ensure that a record of the request is retained in the format in which it was originally received for at least three years after the request. A commercial electronic message must not be sent after the date on which an unsubscribe request is sent.

Nor may a commercial electronic message with a Hong Kong link be sent to an electronic address that, at the time the message is sent, is listed in a Do-Not-Call Register. The purpose of the Do-Not-Call Register is to provide:

• registered users of electronic addresses with a convenient means by which they may notify senders of commercial electronic messages that they do not wish to receive such messages at those electronic addresses; and

• senders of commercial electronic messages with a convenient means by which they may ascertain whether a registered user of an electronic address does not wish to receive unsolicited commercial electronic messages at that electronic address.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

The PDPO provides that a data user proposing to carry out a matching procedure must make a request in the specified form to the Commissioner seeking his consent to the carrying out of that procedure.

“Matching Procedure” is defined as a procedure whereby personal data is collected for one or more purposes in respect of 10 or more data subjects and comparing it with personal data collected for any other purpose in respect of those data subjects where the comparison is either for the purpose of producing or verifying data or produces or verifies data in respect of which it is reasonable to believe that it is practicable that the data may in either case be used whether immediately or at any subsequent time for the purpose of taking adverse action against any of those data subjects.

The Commissioner is required to determine a matching procedure request by taking into account the matters in Schedule 5 to the PDPO, which are, broadly, to check that the request is in line with the public interest, to ensure accuracy of any personal data produced or verified by the matching procedure and to identify the benefits to be derived from carrying out the matching procedure.

See question 8.1 as to the provisions of the PDPO controlling the intended transfer by a data user of the personal data of the data subject to a third party for direct marketing by that third party.


8.5 Are there specific privacy rules governing data brokers?

There are no privacy rules in Hong Kong governing data brokers except the provisions of the PDPO requiring the consent of the data subject to the provision by the data user of his/her personal data to a third party for use by that third person in direct marketing (as to which see question 8.1(b)).

8.6 How is social media regulated from a privacy perspective?

Social media is not directly defined or covered by any specific dedicated law in Hong Kong, but the provisions of the PDPO relating to direct marketing, and of the UEMO relating to unsolicited electronic messages, all apply.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

Loyalty programs and promotions are not directly defined or covered by any specific law in Hong Kong; but the provisions of the PDPO relating to direct marketing, and of the UEMO relating to unsolicited electronic messages, all apply.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

There are no restrictions imposed by statute on data transfer. Section 33 of the PDPO, prohibiting transfer of personal data to places outside Hong Kong except in specified circumstances, remains on the statute book but has never been brought into effect.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

If transfer of data was the intended purpose when the data was originally collected, or is the purpose of an extended use of collected personal data, then the consent of the data subject must be obtained.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

(a) As specified in question 6.2, a data user who contravenes an enforcement notice commits an offence and is liable to a fine and to imprisonment for two years.

(b) Offenses for non-compliance with the PDPO:

(i) Use by a data user of personal data in direct marketing and failing to give the relevant details to the data subject or provide a channel to indicate consent has a maximum penalty of a fine of $500,000 and imprisonment for 3 years;

(ii) Use by a data user of the personal data of a data subject in direct marketing without obtaining his/her consent to the intended use has a maximum penalty of a fine of $500,000 and 3 years imprisonment;

(iii) Use by a data user of the personal data of the data subject in direct marketing and failing to inform the data subject that the data user must, without charge, cease to use the personal data in direct marketing if the data subject so requires has a maximum penalty of a fine of $500,000 and 3 years imprisonment;

(iv) Failure of a data user to comply with a request by a data subject to cease to use his/her personal data in direct marketing has a maximum penalty of a fine of $500,000 and 3 years imprisonment;

(v) Failure by a data user intending to provide personal data to another person for use in direct marketing to give the data subject all the required details in writing and to provide a channel by which to give consent has a maximum penalty (if for gain) of a fine of $1M and 5 years imprisonment, and a fine of $500,000 and 3 years imprisonment (if not for gain);

(vi) A data user providing the personal data of a data subject to another person for use in direct marketing by that other person without receiving the written consent of the data subject and, if for gain, having specified the intention to the data subject and ensuring that the provision of the data is consistent with the consent of the data subject, has a maximum penalty (if for gain) of a fine of $1M and 5 years imprisonment, and a fine of $500,000 and 3 years imprisonment (if not for gain);

(vii) Failure by a data user to comply with the request of a data subject to cease to provide his/her personal data for use in direct marketing or to notify any data transferee in writing to cease to use the data in direct marketing has a maximum penalty (if for gain) of a fine of $1M and 5 years imprisonment, and a fine of $500,000 and 3 years imprisonment (in any other case); and

(viii) Failure by a data transferee to comply with the written notification from a data user to cease using the personal data of a data subject in direct marketing has a maximum penalty of a fine of $500,000 and 3 years imprisonment.

(c) The following offences for knowing contravention of prohibitions in the UEMO carry a maximum penalty of a fine of $1M and 5 years imprisonment:

(i) Contravention of the prohibition on supply of address harvesting software or a harvested address list or the prohibition to use either;

(ii) Contravention of prohibition on acquisition of address harvesting software, harvested address list or the right to use either in connection with the sending of commercial electronic messages with a Hong Kong Link without the consent of the registered users of the electronic addresses to which they are sent;

(iii) Failure by a person to obtain the consent of the registered user of an electronic address to which are sent commercial electronic messages having a Hong Kong Link with the use of address harvesting software or a harvested address list; and

(iv) Contravention of the prohibition upon sending a commercial electronic message with Hong Kong Link to an electronic address obtained using an automated means.

10.2 Do individuals have a private right of action? What are the potential remedies?

As stated in question 10.1, the principal sanctions against breach of the statutory requirements of the PDPO or of the UEMO are criminal and attract fines and jail penalties.

Given that there is no law in Hong Kong expressly prohibiting freedom of expression, there are very few remedies at law that the data subject can turn to. There may be the possibility of an action for breach of confidence (see question 1.1).


11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Hong Kong which affect privacy?

No.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

No.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Hong Kong?

No.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

The 2013 amendments to the PDPO substantially extend the controls on direct marketing and are by far the strongest sanction on personal data privacy to date.

The introduction of these amendments was generated by a feeling that controls on direct marketing utilizing personal data were not adequate or sufficient, and the stringent force of the amendments, with substantially increased penalties, was accordingly tabled and enacted in 2013.

12.2 What do you envision the privacy landscape will look like in 5 years?

The position is likely to remain stable in its present format.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

Many provisions of the GDPR of the European Union are noted with appreciation in the Hong Kong community. The PDPO does not go as far as the GDPR in protection of personal data privacy, and the feeling is that legislation to implement certain aspects of the GDPR would be welcome and effective, but there is no clear way forward yet on this in 2020.


PRIVACY LAW – INDIA

1 PRIVACY LAW

1.1 How is privacy regulated in India?

The right to privacy has been recognized as a fundamental right under Article 21 of the Constitution by the Supreme Court of India in the landmark judgment in the case of Justice KS Puttaswamy (Retd) v Union of India (August 2017).

The Supreme Court of India in the case of Rajagopal v State of Tamil Nadu (1994) also elaborated on the scope of a privacy right and held that, unlike most fundamental rights which apply only against the state (because of the state’s ability to curb the freedoms of citizens), the right to privacy applies against both the state and fellow citizens, stating:

“The right to privacy is implicit in the right to life and liberty guaranteed to the citizens of this country by Article 21. It is a “right to be let alone”. A citizen has a right to safeguard the privacy of his own, his family, marriage, procreation, motherhood, child-bearing and education among other matters. None can publish anything concerning the above matters without his consent whether truthful or otherwise and whether laudatory or critical. If he does so, he would be violating the right to privacy of the person concerned and would be liable in an action for damages. Position may, however, be different, if a person voluntarily thrusts himself into controversy or voluntarily invites or raises a controversy.”

In view of the above judgments of the Supreme Court of India, the right to privacy is available to all citizens against any violation by governmental and private organizations.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

The Indian Contract Act 1872, the Information Technology Act 2000 (“IT Act”) and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“IT Rules”) are the relevant statutes for protection of data or information:

(a) The Indian Contract Act 1872 provides a civil remedy in case of violation of a contract by disclosing personal information without consent.

(b) The IT Act is the most important legislation regulating data privacy.

Section 43A of the IT Act (as amended in 2008) provides for compensation where a body corporate has failed to protect data due to its negligence in implementing and maintaining reasonable security practices and procedures, which results in wrongful loss or wrongful gain to any person.

Explanation (ii) to Section 43A defines “reasonable security practices and procedures” as:

“security practices and procedures designed to protect such information from unauthorized access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit”.


(c) IT Rules: The above-mentioned provisions of the Information Technology Act 2000 are implemented in conjunction with the IT Rules, which have been framed to regulate the collection, processing/handling, disclosure etc of personal information by organizations.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

No state or central authorities have been designated purely for the enforcement and regulation of data protection laws. However, any aggrieved person has the right to bring a matter of concern to a court of suitable jurisdiction. Where the claim for injury or damage does not exceed 50 million rupees, the Central Government appoints an adjudicating officer for holding an inquiry in the matter. The adjudicating officer has the powers of a civil court, and all proceedings before it are judicial proceedings.

2 SCOPE

2.1 Which companies are subject to privacy law in India?

All governmental and private organizations are subject to privacy laws.

2.2 Does privacy law in India apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

Section 75 of the IT Act specifies that the provisions of the Act apply to any offence or contravention committed outside India by any person (including companies), irrespective of his nationality. The provisions of the IT Act apply only if the act/conduct constituting the offence/contravention involves a computer, computer system or computer network located in India.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in India?

“Personal information” means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

“Sensitive personal data or information” of a person means such personal information which consists of information relating to: password; financial information, such as bank account or credit/debit card or other payment instrument details; physical, physiological and mental health condition; sexual orientation; medical records and history; and biometric information.

However, any information that is freely available or accessible in the public domain, or furnished under the Right to Information Act 2005 or any other law for the time being in force, will not be regarded as sensitive personal data or information.


The specific obligations in relation to sensitive information are as follows:

(a) Consent has to be obtained in writing, by letter, fax or email, from the provider of the sensitive personal data or information regarding the purpose of use before collection of such information.

(b) Sensitive personal data or information may not be collected unless:

(i) the information is collected for a lawful purpose connected with a function or activity of the body corporate or any person on its behalf; and

(ii) the collection of the sensitive personal data or information is considered necessary for that purpose.

(c) A body corporate or any person on its behalf holding sensitive personal data or information may not retain that information for longer than is required for the purposes for which the information may lawfully be used or is otherwise required under any other law for the time being in force.

(d) Disclosure of sensitive personal data or information by a body corporate to any third party requires prior permission from the provider of such information, unless such disclosure has been agreed to in the contract between the body corporate and the provider of information, or where the disclosure is necessary for compliance with a legal obligation.

(e) A body corporate or any person on its behalf may not publish sensitive personal data or information.

(f) A third party receiving sensitive personal data or information from a body corporate or any person on its behalf may not disclose it further.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

(a) The body corporate, or any person who on its behalf collects, receives, possesses, stores, deals with or handles personal information, must provide a privacy policy for handling of or dealing in personal information. Such policy shall be published on its website and must provide:

(i) clear and easily accessible statements of its practices and policies;

(ii) the type of personal or sensitive personal data or information collected; and

(iii) the purpose of collection and usage of such information.

(b) The body corporate or any person on its behalf must, prior to the collection of information including sensitive personal data or information, give the provider of the information the option not to provide the data or information sought to be collected.

(c) The provider of information must also have the option to withdraw its consent, at any time, while availing the services or otherwise.

(d) A body corporate or any person on its behalf may transfer sensitive personal data or information to any other body corporate or person in India, or located in any other country, that ensures the same level of data protection that is adhered to by the body corporate. Such transfer is allowed only if it is necessary for the performance of the lawful contract between the body corporate or any person on its behalf and the provider of the information, or where such person has consented to the data transfer.


4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

The current IT Act and IT Rules do not recognize the term “data processor”. However, the Personal Data Protection Bill 2018, which has not yet been brought into force, defines “data processor” as “any person, including the State, a company, any juristic entity or any individual who processes personal data on behalf of a data fiduciary, but does not include an employee of the data fiduciary”.

The Bill further provides that the data fiduciary may only engage, appoint, use or involve a data processor to process personal data on its behalf through a valid contract. The data processor must not further engage, appoint, use, or involve another data processor in the relevant processing on its behalf except with the authorisation of the data fiduciary, unless the contract so permits. The data processor, and any employee of the data fiduciary or the data processor, may only process personal data in accordance with the instructions of the data fiduciary, unless they are required to do otherwise by law, and must treat any personal data that comes within their knowledge as confidential.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

This question has been covered in previous sections.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in India? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

A body corporate (or a person on its behalf) will be considered to have complied with reasonable security practices and procedures if it has implemented such security practices and standards, and has a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures commensurate with the information assets being protected and with the nature of the business. The international Standard IS/ISO/IEC 27001 on “Information Technology — Security Techniques — Information Security Management System — Requirements” is one such standard.

Any industry association, or an entity formed by such an association, whose members are self-regulating by following codes of best practices for data protection other than the IS/ISO/IEC codes, must get its codes of best practices duly approved and notified by the Central Government for effective implementation. The body corporate (or a person on its behalf) which has implemented either the IS/ISO/IEC 27001 standard or the codes of best practices for data protection as approved and notified by the Central Government will be deemed to have complied with reasonable security practices and procedures, provided that such standard or the codes of best practices have been certified or audited on a regular basis by an independent auditor, duly approved by the Central Government. Such audit of reasonable security practices and procedures should be carried out by an auditor at least once a year, or as and when the body corporate (or a person on its behalf) undertakes a significant upgrade of its process and computer resource.

6.2 How are data breaches regulated in India? What are the requirements for responding to data breaches?

In the event of a data security breach, the body corporate or a person on its behalf will be required to demonstrate, as and when called upon to do so by the agency mandated under the law, that they have implemented security control measures as per their documented information security programme and information security policies.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

The right to privacy has been recognized as a fundamental right under Article 21 of the Constitution by the Supreme Court of India. Therefore, the right to privacy is available to all citizens against any violation by governmental and private organizations.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

There are no statutory regulations governing marketing communication through emails.

Advertising through unsolicited calls and messages is regulated by the Telecom Regulatory Authority of India (“TRAI”). TRAI has issued the Telecom Commercial Communication Customer Preference Regulations 2010 to curb a growing menace and effectively regulate unsolicited commercial calls and messages. TRAI has also issued a notification prohibiting unsolicited commercial communications (“UCC”) through SMS. All mobile operators have to prefix an identification tag before all application-to-peer (“A2P”) SMS texts sent from their SMS centers.

TRAI has used multiple means to deter SMS spam and unsolicited telemarketing, including mandatory registration for telemarketing and SMS marketing, which includes provisions requiring marketers to respect a nationwide “Do Not Call” list, the Telecom Commercial Communications Customer Preference Portal (“NCCP”). TRAI additionally approaches this from a pricing perspective, levying higher termination charges for transactional SMS texts to raise the costs of bulk SMS and make it uneconomical to send unsolicited SMS campaigns.

The NCCP is a database containing a variety of information prescribed in the Telecom Commercial Communications Customer Preference Regulations 2010.


8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

The current IT Act and IT Rules do not address issues relating to the use of tracking technologies (eg, cookies, pixels, SDKs).

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

The current IT Act and IT Rules do not address issues relating to targeted advertising and behavioral advertising.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

The current IT Act and IT Rules do not specify the type of notice and consent required.

8.5 Are there specific privacy rules governing data brokers?

There are no specific privacy rules governing data brokers.

8.6 How is social media regulated from a privacy perspective?

The statutes and regulations discussed above also apply to social media. There are no specific regulations concerning social media from a privacy perspective.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

The statutes and regulations discussed above also apply to loyalty programs and promotions. There are no specific regulations concerning loyalty programs and promotions.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

A body corporate or any person on its behalf may transfer sensitive personal data or information to any other body corporate or a person in India, or located in any other country, that ensures the same level of data protection that is adhered to by the body corporate. However, the transfer will be allowed only if it is necessary for the performance of the lawful contract between the body corporate (or any person on its behalf) and the provider of information, or where such person has consented to the data transfer.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

No.


10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

Where a body corporate, possessing, dealing with or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate will be liable to pay damages by way of compensation to the person so affected.

10.2 Do individuals have a private right of action? What are the potential remedies?

The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution. Therefore, individuals have a private right of action. Potential remedies include damages by way of compensation. Further, the IT Act specifies that if any person, including an intermediary, who, while providing services, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain, discloses such material to any other person without the consent of the person concerned, or in breach of a lawful contract, he will be punished with imprisonment for a term of up to three years, or with a fine of up to 500,000 rupees, or with both.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of India which affect privacy?

No.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

The Personal Data Protection Bill 2018, for regulating the processing of personal data of individuals (data principals) by government and private entities (data fiduciaries) incorporated in India and abroad, has been introduced by the government of India. This Bill, when enacted, will bring about a dramatic change in the privacy laws.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in India?

We believe all the relevant statutes and regulations have been covered in previous sections.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

The Supreme Court of India, in Justice KS Puttaswamy (Retd) v Union of India, has recently recognized the right to privacy as a fundamental right, emerging primarily from Article 21 of the Constitution. With the recognition of privacy as a fundamental right, a need has arisen for a comprehensive data protection framework to unlock the data economy while keeping the data of citizens secure and protected. This has led to the introduction of the Personal Data Protection Bill 2018, which is yet to be brought into force.

12.2 What do you envision the privacy landscape will look like in 5 years?

The enactment of the Personal Data Protection Bill 2018 will enhance data protection and minimise intrusion into the privacy of an individual caused by the collection and usage of their personal data.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

The changing privacy landscape creates significant risks for companies. Changing regulatory requirements are one of the main concerns of companies. Also, data privacy challenges and the risk of litigation are ever increasing.


PRIVACY LAW – ISRAEL

1 PRIVACY LAW

1.1 How is privacy regulated in Israel?

Privacy in Israel is governed by a combination of laws, regulations and orders. First and foremost, the Knesset, Israel’s Parliament, is responsible for enacting laws, including laws relating to privacy. Accordingly, the Knesset enacted the Privacy Protection Law 1981 (“PPL”). The PPL empowers the Minister of Justice, with the approval of the Constitution, Law and Justice Committee of the Knesset, to set regulations and issue orders.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

Though Israel does not have a written constitution, there is a set of “Basic Laws” which have a constitutional status. According to Section 7 (Human Dignity and Liberty) of the Basic Law, all persons have a right to privacy and intimacy.

The PPL is the primary law relating to privacy. It generally governs two types of “privacy”. The first deals with the “classic” privacy rights to which individuals are entitled. The second relates to databases, namely, collecting, storing and handling information/data.

The Minister of Justice, in accordance with his powers pursuant to the PPL, has set a number of regulations and orders, including, but not limited to:

(a) The Privacy Protection Regulations (Information Security) 2017;

(b) The Privacy Protection Regulations (Transferring Information to Databases Outside Israel) 2001;

(c) The Privacy Protection Regulations (Setting Databases which Include Information not to be Exposed) 1987;

(d) The Privacy Protection Regulations (Conditions for Holding and Securing Information and Methods of Transferring Information between Public Bodies) 1986; and

(e) The Privacy Protection Regulations (Conditions for Reviewing Information and Legal Procedure of Appealing a Refusal to Reveal Information) 1981.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

First and foremost, privacy law is enforced by the Israeli courts. If an individual considers that his privacy has been infringed, he may bring a civil action against the infringer before a court of law.

Extreme intentional infringement of privacy rights may be subject to criminal law. In such cases, the State, via the Prosecutor’s Office, will bring criminal proceedings against the infringer before a court of law.

The Database Registrar, derived from the PPL, is responsible for the registration, enforcement and administration of computerized databases. The Database Registrar heads the Privacy Protection Authority, which is the Israeli regulatory and enforcing authority for personal digital information. The Authority is responsible for the protection of all personal information held in digital databases.


2 SCOPE

2.1 Which companies are subject to privacy law in Israel?

The PPL and the regulations derived from it apply to individuals and all types of companies. Moreover, the PPL applies to the State of Israel and public bodies, such as governmental offices, cities, municipalities and all bodies which fulfil public roles.

2.2 Does privacy law in Israel apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

The PPL can be divided into two parts. The first part relates to the classic privacy protection tort — the part which forbids the infringing of another’s privacy. It is clear that this part of the PPL applies to all companies, including companies outside Israel. Hence, foreign companies may not infringe the privacy rights of Israelis.

The second part of the PPL relates to databases — namely the collecting, storing, transferring and handling of information/data. While it is clear that the classic privacy law applies to all companies, including companies outside Israel, it is not clear whether the second part of the PPL and its derived regulations relate to companies outside Israel. In theory, according to the letter of the PPL, there is no distinction between Israeli and non-Israeli companies. Thus, one could argue that the PPL, including the database chapters, applies to both foreign and domestic companies.

However, this interpretation would cause unrealistic results. For example, foreign companies would be bound by both their local database laws and Israeli laws, resulting in both duality and contradiction between two sets of laws. It should be noted that the Israeli courts, given the task of legal interpretation, have not, as yet, ruled on this issue.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Israel?

Under Section 7 of the PPL, “personal information” means data on the personality, personal status, intimate affairs, state of health, economic position, vocational qualifications, opinions and beliefs of a person.

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

(a) Under Section 7 of the PPL, “sensitive information” means:

(i) data on the personality, intimate affairs, state of health, economic position, opinions and beliefs of a person; and

(ii) information that the Minister of Justice has by order, with the approval of the Constitution, Law and Justice Committee of the Knesset, determined is sensitive.

(b) According to the Consumer Protection Regulations (Advertisements and Marketing Methods Targeted at Minors) 1991, it is prohibited to use information relating to minors for advertising and marketing purposes without parental or guardian consent.


(c) According to court rulings, an individual’s credit card information is considered sensitive information.

(d) Information relating to state security is considered sensitive, as is biometric data.

In comparison to “regular” information, sensitive information demands additional care while handling/storing. Additionally, the public is usually restricted in its access to sensitive information.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

Companies, inter alia, need to define within a “definition document” the methods of gathering and the use of the data, the objects of the data’s use, the risks, and the appointment of a database manager and supervisor. The Information Security Supervisor (see question 2.4) must set security procedures, and ensure that only authorized individuals have access to the stored information.

The Privacy Protection Regulations (Information Security) 2017 define four types of databases:

(a) Databases bound by the strictest security obligations;

(b) Databases with medium security obligations;

(c) Databases with basic security obligations; and

(d) Databases managed by an individual, which are bound by relatively lenient obligations.

It should be noted that certain types of databases require registration at the Database Registry. According to the PPL, a database owner, including a company, is obligated to register his database if one of the following applies:

(1) the database contains information on more than 10,000 persons;

(2) the database contains sensitive information;

(3) the database includes information on persons, and the information was not delivered to this database by them, on their behalf, or with their consent;

(4) the database belongs to a public body; or

(5) the database is used for direct-mailing services.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

First and foremost, under the PPL, the owner of a database is responsible for securing stored information/data. Under the Privacy Protection Regulations (Information Security) 2017, companies/individuals, excluding sole individuals managing databases or sole-owned companies, must appoint an Information Security Supervisor.

The Privacy Protection Regulations (Information Security) 2017 define “Information Security Supervisor” and “Database Manager”. The Database Manager is responsible for the Information Security Supervisor, who must report to the Manager.


5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

First and foremost, under the PPL and its derived regulations, it is prohibited to infringe an individual’s privacy, unless the individual provides his consent. Namely, one may not use for profit a person’s image, voice, name and personal affairs. Hence, advertisers should obtain clear consent from the subject appearing in their advertisements. When minors appear in advertisements, parental or guardian consent must be provided.

Companies must appoint officers responsible for securing data and must follow strict procedures for securing data. The rules and procedures are quite meticulous and complex. As the sensitivity of the stored data increases, the demands and procedures increase.

As mentioned in question 2.3 above, if the stored data falls under certain criteria, the database owners are required to register their database with the Database Registrar.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Israel? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

Data security is regulated by the PPL and the Privacy Protection Regulations (Data Security) 2017. There are different types of databases, namely:

(a) Databases held by an individual;

(b) Databases which are subject to a basic level of security;

(c) Databases which are subject to a medium level of security;

(d) Databases which are subject to a high level of security; and

(e) Biometric databases.

The Privacy Protection Regulations (Data Security) 2017 clearly prescribe the method of classifying the different types of databases. Once a database holder identifies the type of database he owns, he may observe the applicable rules.

6.2 How are data breaches regulated in Israel? What are the requirements for responding to data breaches?

Data breaches are primarily regulated by the Privacy Protection Regulations (Data Security) 2017. A database owner must compose a “database definition document”. This document must include the risks associated with handling the database and the methods of dealing with data breaches.

Additionally, companies must compose a “security procedure document” which prescribes the methods of dealing with security breaches. Further, companies which handle sensitive information, inter alia, must inform the Registrar in the event that a serious data breach has occurred.

PRIVACY LAW – ISRAEL

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

First and foremost, Israelis have a constitutional right to privacy under the Basic Law: Human Dignity and Liberty. Under the PPL, individuals have a right not to have their privacy infringed.

Individuals have a right to inspect their personal information which is stored in databases. Further, individuals have the right to request that the information relating to them is accurate and complete.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

Marketing communications are regulated by the Israel Communications Act (Telecommunications and Broadcasting) 1982. Under the Israel Communications Act (Telecommunications and Broadcasting) 1982, it is prohibited to market via emails, texts, push notifications or automatic dialling without receiving unequivocal consent from the addressee prior to sending the communication. Accordingly, Israel is considered an "opt in" country.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

Cookies, in their traditional meaning (ie, assisting a website user by negating the need to re-register his particulars), seem legal. However, the use of a person's registered information by third parties for marketing purposes is problematic, to say the least.

The PPL and the Israel Computers Law 1995 regulate the above topics.

According to Section 2(9) of the PPL, "using, or passing on to another, information on a person's private affairs otherwise than for the purpose for which it was given" is considered an infringement of privacy.

According to Section 4 of the Israel Computers Law, a person who unlawfully "penetrates computer material" located in a computer is liable to imprisonment for a period of three years; "penetration into computer material" means penetration by means of communication or connection with a computer, or by operating it, but excluding penetration into computer material which constitutes eavesdropping under the Eavesdropping Law 1979.

Clearly, the law in Israel relating to cookies is outdated. However, it seems that if:

(a) an individual gives his consent to the use of cookies, and

(b) the user discloses the purposes of the cookies and the fact that information will be transferred to third parties,

then the use of cookies will be legal.

8.3 How is targeted advertising and behavioural advertising regulated from a privacy perspective?

Under Section 2(9) of the PPL and Section 4 of the Computers Law (see question 6.2), it would seem the legality of behavioural advertising should be determined by knowledge and consent. Hence, if the consumer knows beforehand who is going to use the information he provides and for what purposes, behavioural advertising should be legal.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

When targeting consumers by means of information obtained from customer matching databases, the advertiser/marketer must give the following information to the consumer:

(a) that the information has been obtained from a consumer matching database, and identify the database;

(b) the consumer's right to be deleted from the database; and

(c) the precise identity of the database owner.

8.5 Are there specific privacy rules governing data brokers?

First and foremost, as prescribed in the PPL, data brokers need to register their database at the Database Registry. Within the registration, the broker must disclose:

(a) the identity of the database registrant;

(b) the purpose of the database;

(c) the type of stored data;

(d) the source of the collected data; and

(e) the methods of obtaining the data.

8.6 How is social media regulated from a privacy perspective?

The topic of social media is not regulated by separate and specific laws. The general provisions described above apply to social media. Thus, it is prohibited to infringe a person's privacy by any means or methods, including social media.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

The transfer of data is regulated in the Protection of Privacy Regulations (Transfer of Data to Data Bases Outside State Borders) 2001.

Under these regulations, subject to qualifications, a person must not transfer, nor enable the transfer abroad of, data from databases in Israel, unless the law of the country to which the data is transferred ensures a level of protection no lesser than the level of protection of data provided for by Israeli law, and the following principles shall apply:

(a) Data must be gathered and processed in a legal and fair manner;

(b) Data must be held, used and delivered only for the purpose for which it was received;

(c) Data gathered must be accurate and up to date;

(d) The right of inspection is reserved to the data subject;

(e) The obligation to take adequate security measures to protect data in databases is mandatory.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

An Israeli company may transfer data to a company outside Israel if the receiving company is controlled by the transferring company, and the receiving company ensures privacy protection.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

An infringement of privacy may result in civil and/or criminal proceedings.

According to the PPL, an infringement of privacy is considered a tort. A court may award a plaintiff between NIS 50,000–100,000 (approximately US$14,500–29,000) without the need to prove actual damages.

In a severe privacy infringement, whereby the infringer acted intentionally, criminal proceedings may be brought against the infringer by the State. Such a crime is punishable by a prison term of up to 5 years and a fine not exceeding NIS 50,000.

In addition to monetary compensation, infringements relating to databases, and the registration and handling of information, may result in a one-year prison term.

Further, in privacy actions, a court may order injunctions and various orders, including publishing its rulings and destroying material which violates privacy.

10.2 Do individuals have a private right of action? What are the potential remedies?

As described above in question 8.1, individuals have a right of action resulting in the remedies described above.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Israel which affect privacy?

N/A

11.2 Are there any hot topics or laws on the horizon that companies need to know?

N/A

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Israel?

N/A

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

Following unfortunate incidents in which nursery school children were harmed by staff, a public outcry resulted in the enactment of the Instalment of Cameras for the Protection of Toddlers in Daycare Nurseries 2018. Unfortunately, senior citizens have also been victims of mistreatment by staff in retirement homes, as have the mentally challenged in care facilities.

In short, weaker individuals are often harmed by those who are entrusted with their protection and care. Thus, similarly to daycare nurseries, it is quite possible that in the future, cameras will be installed in retirement homes, hospitals and other facilities for the weak and helpless.

Further, there is presently wide use of cameras in municipalities and cities which monitor inhabitants in public places. The use of cameras will definitely increase in the future. Hence, in addition to monitoring of individuals on the web, we can expect increased monitoring of our activities on camera.

12.2 What do you envision the privacy landscape will look like in 5 years?

The General Data Protection Regulation ("GDPR"), which entered into force in the European Union, has drawn vast interest in Israel. Though Israel is a country that relatively respects privacy rights, it is not at par with the European Union. One can expect changes in the local legislation which mimic the GDPR.

Additionally, at present, the law in relation to foreign companies, especially in the areas of storing, handling and transferring data, is unclear. Hence, more thought and regulation will be needed to address Israeli privacy legislation vis-à-vis foreign companies.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

In order to comply with the various privacy-related laws and regulations, which are quite complicated to say the least, companies will need to spend more energy, time and thought on the issue of privacy protection and the handling of information/data.

Companies will need to spend an increased and significant amount of their income on expert advice and privacy compliance officers within their organizations.

PRIVACY LAW – JAMAICA

1 PRIVACY LAW

1.1 How is privacy regulated in Jamaica?

Privacy is minimally regulated in Jamaica.

Currently, the right to privacy is expressly contained in Jamaica's Constitution pursuant to the Charter of Fundamental Rights and Freedoms in Chapter Three.

The right to privacy is also referred to in the Copyright Act of 1993 (last amended 2015) in relation to photographs and films.

The Government has an ICT Policy (March 2011) which addresses the issue of digital privacy of customer information. This states:

"Privacy of customer information can be compromised by virtue of unauthorized access. It is, however, recognized that in certain specific circumstances (national security and defence) provision may be made for access to personal information. Possible violations include archiving of personally identifiable customer information for marketing and sales purposes without prior written or electronic consent, and failure to disclose policy regarding usage of information, unauthorized recording of communication and installation of rogue programmes."

The objective is to minimize the risks of the unauthorized access and the disclosure of customer information. Against this background, the government has committed to passing legislation which, among other things, will impose sanctions for the invasion of privacy, unauthorized access and unauthorized use of customer information.

A Data Protection Bill is currently before the Joint Select Committee of Parliament. The public was invited to submit comments on the Bill, and the Joint Select Committee will then make recommendations for changes to the Bill before it is passed. The government anticipates that the Bill will be passed by March 2020.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

Please see above.

The Charter of Fundamental Rights and Freedoms in Chapter Three of the Jamaican Constitution provides for:

"The right to everyone to: (i) protection from search of the person and property; (ii) respect for and protection of private and family life, and privacy of the home; and (iii) protection of privacy of other property and of communication."

The Copyright Act recognizes the right to privacy in photographs and films. A person who commissions the taking of a photograph or the making of a film for domestic or private purposes can prevent the copying, broadcasting and other commercial use of such photograph or film.

The Jamaican Code of Advertising Practice, which is a self-regulatory code, makes reference to privacy in the context of requiring the consent of living subjects for the use of their images in advertising. Consent is not required where, in the Council's opinion, the reference or portrayal in question is not inconsistent with the subject's right to a reasonable degree of privacy, and does not constitute an unjustifiable commercial exploitation of his fame or reputation.

There are other statutes in Jamaica which impact on privacy, including:

(a) Interception of Communications Act 2002;

(b) Cyber Crimes Act 2015;

(c) Access to Information Act 2002; and

(d) the old Official Secrets Act.

The Interception of Communications Act makes it unlawful for a person to intentionally intercept communications transmitted by means of a telecommunications network.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

There are currently no regulatory bodies which specifically enforce privacy laws.

The draft Data Protection Bill provides for the creation of an office, to be known as the Information Commissioner, to monitor and enforce compliance with the data protection laws.

2 SCOPE

2.1 Which companies are subject to privacy law in Jamaica?

All companies operating in Jamaica are subject to the laws of Jamaica.

2.2 Does privacy law in Jamaica apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

N/A

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Jamaica?

"Personal data" is defined in the draft Data Protection Bill as:

"data relating to a living individual who can be identified: (a) from the data; or (b) from the data and other information in the possession of, or likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual".

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

The draft Data Protection Bill defines "sensitive personal data" as consisting of any of the following information in respect of a data subject:

(a) genetic data or biometric data;

(b) filiation, or racial or ethnic origin;

(c) political opinions, philosophical beliefs, religious beliefs or other beliefs of a similar nature;

(d) membership in any trade union;

(e) physical or mental health or condition;

(f) sex life; and

(g) the commission or alleged commission of any offence by the data subject or any proceedings for any offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

The draft Data Protection Bill provides eight standards for the processing of data:

(a) First Standard: Personal data shall be processed fairly and lawfully.

(b) Second Standard: Personal data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with those purposes.

(c) Third Standard: Personal data shall be adequate, relevant and not excessive in relation to the purpose for which they are processed.

(d) Fourth Standard: Personal data shall be accurate and, where necessary, kept up to date.

(e) Fifth Standard: Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose.

(f) Sixth Standard: Personal data shall be processed in accordance with the rights of data subjects.

(g) Seventh Standard: Appropriate technical and organizational measures shall be taken: (i) against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data; (ii) to ensure that the Commissioner is notified, without any undue delay, of any breach of the data controller's security measures which affect or may affect any personal data.

(h) Eighth Standard: Personal data shall not be transferred to a State or territory outside of Jamaica unless that State or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data (see also questions 9.1 and 9.2).

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

"Data controller" is defined in the draft Data Protection Bill as "any person or public authority who, either alone or jointly or in common with other persons determines the purposes for which and the manner in which any personal data are, or are to be, processed, and where personal data are processed only for purposes which they are required under enactment to be processed, the person who the obligation to process the data is imposed by or under that enactment is for the purposes of this Act a data controller".

On the other hand, a "data processor" is defined as "any person other than an employee of the data controller, who processes the data on behalf of the data controller".

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

The draft Data Protection Bill provides several obligations on the part of the data controller:

(a) Registration: The Information Commissioner must maintain a register of all data controllers. Personal data must not be processed by any data controller unless the registration particulars of that data controller are included in the register. Failing to do so is an offence under the Bill.

(b) Appointing a data protection officer: A data controller must appoint an appropriately qualified person to act as the data protection officer, responsible, in particular, for monitoring in an independent manner the data controller's compliance with the provisions of the Data Protection Act.

(c) Data impact assessments: A data controller must submit a data impact assessment in respect of all data in its custody or control within 90 days of the end of the calendar year.

The Information Commissioner may request an impact assessment on behalf of an individual who is directly affected by processing of personal data by that data controller.

The Information Commissioner may also issue assessment notices or information notices to determine whether a data controller is acting in compliance with the law.

(d) Duty to comply with data protection standards: It is the duty of a data controller to comply with the data protection standards in relation to all personal data with respect to which it is the data controller.

Even companies located outside of EU jurisdiction must comply with the General Data Protection Regulation ("GDPR") if they process the personal data of EU citizens, who are the primary beneficiaries of the law.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Jamaica? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

N/A

6.2 How are data breaches regulated in Jamaica? What are the requirements for responding to data breaches?

Under the draft Data Protection Bill, where the Commissioner is satisfied that a data controller has contravened or is contravening any of the data protection standards, the Commissioner may serve the data controller with a notice with a view to achieving compliance.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

The Charter of Fundamental Rights and Freedoms provides for the right of everyone to:

(a) protection from search of the person and property;

(b) respect for and protection of private and family life, and privacy of the home; and

(c) protection of privacy of other property and of communication.

Under the draft Data Protection Bill, a data subject will also have the following rights:

(d) right of access to personal data;

(e) right to prevent processing likely to cause damage or distress;

(f) right to prevent processing for purposes of direct marketing;

(g) rights in relation to automated decision-taking; and

(h) right to rectification of inaccuracies.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

There are currently no regulations for marketing communications from a privacy perspective.

Under the draft Data Protection Bill, an individual is entitled at any time, by notice given orally or in writing to a data controller, to require the data controller not to process, or to cease processing, that individual's personal data for the purposes of direct marketing.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

There are currently no regulations on tracking technologies.

8.3 How is targeted advertising and behavioural advertising regulated from a privacy perspective?

There are currently no privacy regulations for targeted advertising and behavioural advertising.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

There are currently no regulations for notice or consent for advertisers to share data with third parties for customer matching.

8.5 Are there specific privacy rules governing data brokers?

No. There are no specific privacy rules governing data brokers.

8.6 How is social media regulated from a privacy perspective?

There are currently no privacy regulations for social media.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

There is currently no regulation of loyalty programs from a privacy perspective.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

Under the draft Data Protection Bill, the eighth standard for the processing of personal data provides that data must not be transferred to a State or territory outside of Jamaica unless that State or territory ensures an adequate level of protection for the rights and freedoms of data subjects.

Regard shall be given to:

(a) the nature of the personal data;

(b) the State or territory of origin of the information contained in the data;

(c) the State or territory of final destination of that information;

(d) the purposes for which and the period during which the data are intended to be processed;

(e) the law in force in the State or territory in question;

(f) the international obligations of that State or territory;

(g) any relevant codes of conduct or other rules which are enforceable in that State or territory; and

(h) any security measures taken in respect of the data in that State or territory.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

Under the draft Data Protection Bill, the eighth standard (see question 9.1) does not apply to a transfer where:

(a) the data subject consents;

(b) transfer is necessary for the performance of/entering into a contract with the data subject;

(c) transfer is necessary for the conclusion or performance of a contract between the data controller and a person other than the data subject which is: (i) entered into at the request of the data subject, and (ii) in the interest of the data subject;

(d) transfer is necessary for reasons of public interest;

(e) transfer is necessary for legal proceedings, obtaining legal advice, or for establishing, exercising or defending legal rights;

(f) transfer is necessary to protect the vital interests of the data subject;

(g) the personal data to be transferred is included on a public register, and any conditions subject to which the register is open to inspection are complied with by any person to whom the data is or may be disclosed after the transfer; or

(h) transfer is made on terms which are of a kind approved by the Commissioner as being made in such manner as to ensure adequate safeguards for the rights and freedoms of data subjects.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

Penalties and sanctions under the incoming Data Protection Act are expected to be included in Data Protection Regulations, which have not yet been drafted.

There are also remedies under the Law of Confidence for breach of confidence.

10.2 Do individuals have a private right of action? What are the potential remedies?

No. Individuals do not have a private right of action. However, if information is disclosed in confidence, there is a right of action for breach of confidence.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Jamaica which affect privacy?

While there are no rules particular to Jamaica which affect privacy, the incoming Data Protection Act will certainly have a major impact on the culture of doing business in Jamaica.

This will be a major change for Jamaican companies, as there are currently no real restrictions on the processing and use of an individual's data, and data is often shared with other companies for the purposes of marketing.

Due to the implementation of the European Union's GDPR, and the pending Data Protection Act, companies in Jamaica are being sensitized to the GDPR, and some companies that handle information of EU citizens are taking steps to implement its regulations.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

The draft Data Protection Act and accompanying Data Protection Regulations will have a major impact on companies once enacted. The Cyber Crimes Act is also due for review. There is also a National Identification Bill which has privacy implications. In its original format, it was deemed unconstitutional in relation to the Constitutional right to privacy. It has been subsequently amended to remove the infringing portions of the Bill.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Jamaica?

Although the Data Protection Act has not yet been enacted, decisions from the courts in Jamaica have shown that the right to privacy is held highly as a constitutional right. Accordingly, companies should take care to protect an individual's privacy even before the Act comes into force.

Companies in Jamaica are advised to start preparing to meet the data protection standards. Whilst the Bill is still being reviewed and some changes will be made, it is not likely that the data protection standards will be altered, as they are based on the EU's data protection standards.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

As indicated in the draft Data Protection Bill's Memorandum of Objects and Reasons, Jamaica's treaty obligations (CARIFORUM) under the Economic Partnership Agreement entered into with the European Union require it to "establish appropriate legal and regulatory regimes, in line with high international standards, with a view to ensuring an adequate level of protection of individuals with regard to the processing of personal data".

12.2 What do you envision the privacy landscape will look like in 5 years?

With the enactment of the Data Protection Act, we anticipate that the privacy landscape will be far more developed. It is expected that companies will be given a transition period to ensure compliance once the Act comes into effect.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

The Data Protection Act, when passed, will be transformative to Jamaica, as there will have to be major adjustments in current practices for companies to ensure compliance.

PRIVACY LAW – JAPAN

1 PRIVACY LAW

1.1 How is privacy regulated in Japan?

Privacy and the protection of personal information are rights arising under a mixture of constitutional, statute and case law.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

(a) Privacy generally: An individual's (Japanese or foreign) right to privacy is protected under the Japanese Constitution and is construed as ranging from a right not to have one's private affairs intruded upon to the right to control one's own information. The right to privacy has also been recognized in tort law. Privacy rights do not extend to corporations. Other than the provisions of the Japanese Constitution, there are no laws specifically relating to the protection of privacy. Privacy rights (as opposed to the protection of personal information) are an undeveloped area of law in Japan when compared to those found in other developed nations, particularly in certain EU countries.

(b) Personal Information: Personal information is primarily protected under the Act on Protection of Personal Information ("APPI") and related guidelines which govern the collection, storage, usage and processing of personal information in Japan. The Act on the Protection of Personal Information Held by Administrative Organs and the Act on the Protection of Personal Information Held by Incorporated Administrative Agencies, etc protect personal information in the public sector.

Social security numbers (commonly known as "My Numbers") are subject to a specific data protection regime under the Act on the Use of Numbers to Identify a Specific Individual in Administrative Procedures, which is somewhat stricter than that under the APPI.

General Guidelines relating to the APPI (which are applicable to all private sectors) cover matters such as transfers of personal information to a third party in a foreign country, due diligence and recordkeeping obligations when transferring personal information to a third party, and data anonymization.

Certain ministries have been delegated authority to issue guidelines for the implementation of the APPI for the industries they regulate (the "Sector-Specific Guidelines"). There are Sector-Specific Guidelines in the finance, healthcare, telecommunication and postal sectors (issued by the Financial Services Agency, the Ministry of Health, Labor and Welfare, the Ministry of Internal Affairs and Communications and the Ministry of Internal Affairs and Communication, respectively).

There are also supplementary rules on the handling of personal data transferred from the European Union on the basis of the EU adequacy decision concerning the APPI.

(c) Self-regulation — Privacy Mark System: The Japan Information Society Promotion Association established the Privacy Mark System and has operated it since 1998 in order to implement measures to protect personal information. The system evaluates businesses and other entities that comply with the Japanese Industrial Standards (JIS Q 15001 Personal Information Protection Management System — Requirements) and properly protect personal information, and assigns a Privacy Mark to indicate compliance, which the recipient can use for business activities.

The purposes of the Privacy Mark are to raise consumer awareness of the protection ofpersonal informationandprivacythroughtheuseofvisibleprivacymarks,andtoprovidebusinessoperatorswithan incentivetogainsocial trust inresponsetogrowingconsumerawareness of the protection of personal information and privacy by promoting theappropriatehandlingofpersonalinformationprivatematters.

1.3 Howisprivacylawenforced?Pleaseaddressbothregulatorsandself-regulatorybodies.

The right to privacy and personal information protection law is enforced through the courts, barassociations,thePersonalInformationProtectionCommittee(“PPC”)andotherregulatorsincertainbusinesssectors.

Apersonwhobelievestheirprivacyrightshavebeeninfringedcanapplytoacourtforinjunctivereliefand/orcompensationfordamagessuffered.

The JapanFederalBarAssociation(“JFBA”), inaccordancewithArticle1of theAttorneyAct(“Themissionoflawyersistoprotectfundamentalhumanrightsandtoachievesocialjustice”):

(a) acceptsrequestsforhumanrightsrelieffromvictimsofhumanrightsviolationsandrelatedpersons,includingapersonwhoisviolatedregardinghis/herprivacy,

(b) investigatesthefactsoftherequestsandthefactsoftheviolations,and

(c) whenitfindsthathumanrightsviolationsorhumanrightsviolationsarelikelytooccur,aimstoeliminateorimprovehumanrightsviolationsbytakingmeasuressuchas:(i) warnings(providingitsopinionsandurginganappropriateresponse),(ii) recommendations(providingitsopinionsandseekingappropriateresponses),or(iii) requests (providing its opinions and requesting appropriate response) against

humanrightsoffendersortheirsupervisoryauthorities.

Inordertoensurethatthemeasurestakenareimplemented,theJFBAmakesinquiriesofthepartiesafter a certainperiodof time regarding cases inwhichwarnings, recommendations, requests, andothermeasuresweretaken.Iftheanswerisnotsufficient,asecondinquirymaybemade(postactioninquiry).Althoughtheabovehumanrightsremediesarenotlegallyenforceable,theyareinfluentialinpractice,andinmanycasestheyarecompliedwith,andthisprocedurehasgainedthepublic’strust.

ThePPCistheprimaryregulatorybodyfordataprotectioninJapan,andisresponsibleforsupervisingentitieshandlingpersonalinformationwhicharesubjecttotheAPPIandforregulationofthehandlingofMyNumbers.IfSector-SpecificGuidelineshavebeenissued,theissuingregulatorwillberesponsibleforenforcingthem.

2 SCOPE

2.1 Which companies are subject to privacy law in Japan?

All companies are subject to Japan's privacy laws.

The APPI applies to a business operator using a personal information database for its business (a "Personal Information Controller" ("PIC")) and to the handling of that information by the PIC, but does not apply to:


(a) broadcasting institutions, newspaper publishers, communication agencies and other press (including individuals engaged in news reporting as their business) for the purpose of news reporting, which means informing many and unspecified individuals or entities of objective facts as fact (as well as opinions or views based on such facts);

(b) a business operator that conducts literary work as its business, for the purpose of literary work;

(c) colleges, universities, other institutions or organizations engaged in academic studies, or entities belonging to them, for the purpose of academic studies;

(d) religious organizations for the purpose of religious activities (including incidental activities); and

(e) political organizations for the purpose of political activities (including incidental activities).

However, each entity handling personal information listed above must endeavor to take the necessary and appropriate measures to control the security of personal information, to ensure the proper handling of personal information, and for the processing of complaints about the handling of personal information, and must also endeavor to announce publicly the content of those measures.

The exemption from the APPI for business operators handling small amounts of personal information was abolished in 2017.

"Handling" is regarded as collection (acquisition), retention, use, transfer and any other acts of handling personal information.

2.2 Does privacy law in Japan apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

The constitutional right to privacy does not apply to companies outside Japan. Certain obligations under the APPI apply to a company outside Japan where, in the course of its business and in relation to supplying a good or service to a person in Japan, it has acquired personal information relating to that person, or anonymously processed information produced from that personal information. The obligations which apply extra-territorially include:

(a) to specify and notify or publicize the purpose of utilization of the personal information, and to use it within that purpose;

(b) to keep personal data accurate and up to date, and to delete it when no longer required;

(c) to take measures to protect the data against leaks, etc;

(d) to supervise employees handling personal information and any service provider entrusted with the handling of personal data;

(e) to comply with the rules governing disclosure to a third party;

(f) to publicize privacy policies;

(g) to comply with the rights of a data subject to access, correct, and stop the illegal use of personal data; and

(h) to comply with certain rules regarding anonymized information.

There is no requirement that such a company have a representative in Japan.


Although the PPC cannot enforce its orders for compliance with the APPI, etc, against such an offshore PIC, it may provide information to foreign regulatory authorities for their own regulatory enforcement purposes.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Japan?

"Personal information" is defined under the APPI as information relating to a living individual in Japan which falls under any of the following items:

(a) those containing a name, date of birth, or other descriptions, etc (meaning any and all matters (excluding an individual identification code) stated, recorded or otherwise expressed using voice, movement or other methods in a document, drawing or electromagnetic record (meaning a record kept in an electromagnetic form, ie, an electronic, magnetic or other form that cannot be recognized through the human senses)) whereby a specific individual can be identified (including those which can be readily collated with other information and thereby identify a specific individual); and

(b) those containing an individual identification code. An "individual identification code" includes:

(i) characters, numbers, symbols and/or other codes for computer use which represent certain specified physical characteristics (such as DNA sequences, facial appearance, iris patterns, vocalizations, posture and walking movements, finger and palm prints, and vein patterns) and which are sufficient to identify a specific individual;

(ii) certain identifier numbers, such as those on passports, driver's licenses and resident's cards, and the "My Number" individual ID number;

(iii) unique characters, numbers, symbols and other codes designated by the Enforcement Ordinance that are assigned to and specified on health and care insurance cards; and

(iv) any characters, numbers, symbols and other codes designated by the Enforcement Rules of the Personal Information Protection Commission as being equivalent to any of the above.

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

"Sensitive personal information" means any personal information relating to matters such as physical or mental disabilities, medical records, medical and pharmacological treatment, and arrest, detention or criminal proceedings (whether as an adult or a juvenile). It is necessary to obtain the consent of the data subject in order to obtain or transfer sensitive personal information unless one of the exceptions discussed at question 9.1(a) applies. The opt-out system (deemed consent given where the data subject has been given the chance to refuse consent but has not done so) cannot be used for a transfer of sensitive personal information.


3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

A PIC must:

(a) not collect personal information by fraudulent or other unlawful means;

(b) before acquiring personal information, notify the data subject of the purpose of use of the personal information or publish that purpose of use in a manner accessible to the data subject;

(c) only obtain, use, maintain and transfer personal information within the scope of the purpose of use;

(d) implement safety management measures for the acquisition, storage and use of personal information, and the appropriate supervision of employees and contractors; and

(e) notify each data subject of the procedure for the data subject to require correction, etc, of their personal data and where to complain about the PIC's handling of personal data.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

No, there are no specific roles based on how personal information is held or processed in Japan; a data holder/controller is the PIC under the APPI (see the description above), and although "processor" is not defined by the APPI, it is broadly regarded as an entity to which a PIC entrusts the handling of personal data in whole or in part within the scope necessary for the achievement of the purpose of utilization (eg, entrusting personal data to a service provider such as a cloud computing service provider or a mailing service provider for the purpose of having them provide the PIC with the services). A data processor which is not a PIC is not regulated under the APPI, though the PIC which instructs it will have supervision and similar obligations.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

The key obligations of a PIC are set out at question 3.3; Japan's privacy laws impose no obligations specific to advertising beyond these.

Neither privacy law nor data protection law imposes specific obligations on advertising. As general matters under the APPI, companies have to post their privacy policy and handle privacy and personal information in accordance with that privacy policy.

A PIC is not required to appoint a data protection officer, though the PPC suggests that a PIC appoint a person responsible for handling personal information. Certain private organizations or associations have created qualifications as "data protection officer" or equivalent, and issue them to persons who have passed examinations set by them.


A PIC is required to keep records of the transfer of personal information (see question 9.2 below), and should supervise any data processor appointed by it and take appropriate measures to secure personal information held by it.

A PIC is not required to register with the PPC or any other body.

If a PIC wishes to use an opt-out to effect a transfer of personal information without the consent of the data subject, it must first file the opt-out with the PPC.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Japan? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

The APPI requires a PIC to take necessary and appropriate action for the security control of personal data held by it, including preventing the leak, loss or damage of the handled personal data.

The APPI Guidelines require the following measures for data security:

(a) preparation of basic policies;

(b) establishment of discipline on the handling of personal data;

(c) organizational safety management measures (ie, establishment of an organizational system, operation in accordance with regulations on the handling of personal data, establishment of means of confirmation, and establishment of a system for responding to leaks);

(d) personnel management measures (employee education);

(e) physical safety management measures (ie, management of areas where personal data is handled, prevention of leaks, deletion of personal information, disposal of electronic media); and

(f) technical safety control measures (access control, preventing unauthorized access).

There is no minimum standard required by the APPI Guidelines, though they do provide examples of data security standards.

6.2 How are data breaches regulated in Japan? What are the requirements for responding to data breaches?

The PPC has issued guidelines in relation to requirements for responding to data breaches, which state that it is desirable to take the following actions following a data breach:

(a) internal reporting and prevention of expansion or aggravation of any damage;

(b) investigation of the facts and investigation of the cause;

(c) identification of the scope of the impact of the breach;

(d) review and implementation of measures to prevent a recurrence;

(e) prompt contact with the affected person(s) unless the leaked data is encrypted at a high level; and

(f) publication of facts and measures to prevent a recurrence.


The PIC must also make efforts to promptly notify the PPC of a breach unless:

(a) the leaked data is encrypted at a high level;

(b) all the leaked data has been recovered by the PIC prior to being seen by third parties;

(c) there is no risk of any specific individual being identified from, or the affected data subjects being harmed by use of, the leaked data;

(d) the data loss was obviously only internal and not an external leak; or

(e) the leak is obviously insignificant (eg, a misdelivery of a parcel where the personal information is only on the delivery address label).

In practice, a PIC suffering a data breach should always consider consulting local counsel to assess the severity of the breach and the advisability of reporting to the PPC, and if and how to notify affected data subjects. This is particularly so as "desirable", "make efforts" and "promptly" are not defined in the data breach guidelines.

Where a PIC has entrusted personal data to a personal information/data processor and the processor was subject to the data loss, the obligations above fall on the PIC.

The PPC has published a reporting form on its website, available only in Japanese.

If a data loss has occurred and been reported to the PPC, voluntarily or at the request of the PPC, the PPC may investigate the background to the loss, the PIC's data management procedures, and the actions the PIC has taken (or not taken) to notify the affected parties (and the PPC). The PPC may then issue guidance on what actions the PIC should take.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

If requested by a data subject, a PIC must disclose, in writing and without delay, to the data subject the data subject's personal data held by it, unless the data subject has agreed to receiving it by other means (eg, as electronic data). Access can be refused if it would result in:

(a) injury to the life or bodily safety, property or other rights and interests of the data subject or any third party;

(b) a material interference with the PIC's business operations; or

(c) a violation of other Japanese laws prohibiting disclosure.

Data subjects also have the right to revise, correct, amend or delete their personal data, and to request cessation of use of their personal data if it is used for a purpose other than the one originally stated, or if it was acquired by fraudulent or other unlawful means. If a data subject requests a PIC to cease using their personal data, the PIC must do so unless the request is unreasonable, or the cessation would be costly or would otherwise be difficult (eg, the recall of books already distributed).


8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

Under the APPI, personal information (such as name, address, email address and telephone number) may not be used outside the scope of the specified purpose of use without the consent of the data subject. If a marketer (as a PIC) breaches these requirements (eg, using the email address of a data subject which was not provided by the data subject or published), it will infringe the personal information rights of the data subject, especially in B2C marketing.

Explicit consent is usually required for sending marketing communications. Under the Act on Regulation of Transmission of Specified Electronic Mail, no entity or individual is permitted to send an email and/or text message containing commercial advertising without the recipient's explicit consent or prior request.

Marketing emails, messages, etc, must contain prescribed information. This includes expressly indicating the true identity and contact details of the sender, and expressly indicating contact details (a URL or email address) for opting out of receiving further marketing emails, etc.

If the email, etc, is related to mail order sales or specified rights (such as (i) the right to use a facility or to receive a service, which is sold in a transaction connected with people's daily lives, (ii) a corporate bond or other monetary claim, and (iii) a share in a stock company or a partnership interest, etc), the Act on Specified Commercial Transactions ("ASCT") prohibits a seller or a service provider from advertising via email, etc (ie, by sending advertising text or any other data by electronic or magnetic means in a way that causes it to be displayed on the screen of the computer used by the advertising target) the terms and conditions under which the seller or the service provider sells goods or specified rights or provides services through mail order sales, without the consent of the advertising target, except:

(a) when sending email, etc, advertising regarding the terms and conditions under which the seller or the service provider sells goods or specified rights or provides services through mail order sales ("mail order email") at the request of the advertising target;

(b) when sending an email, etc, with important matters related to the mail order email, such as confirmation of an agreement, order confirmation or delivery notification, with advertising as a part of the email; or

(c) when sending an email, etc, that advertises mail order sales where the competent ministry has found such to be unlikely to prejudice the interests of the target of the email.

Even a seller or service provider that has obtained an advertising target's consent or request to send a mail order email may not do so if the target later indicates an unwillingness to receive the email.

When sending a mail order email, a seller or service provider must keep a specified record of the consent of the advertising target, or of having received a request from the advertising target to send the email, and must preserve those records.


8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

In Japan, the use of tracking technologies such as cookies by companies is not regulated, though some companies have voluntarily adopted a "Cookie Policy".

However, the PPC is considering regulating the use of cookies by companies after it was detected that cookies and other information were used to identify individuals on a job-hunting information site for students. The Fair Trade Commission has also taken issue with the monopolization of the market by platforms and has begun to consider restricting the use of cookies.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

There are no specific regulations on targeted advertising and behavioral advertising.

However, the Japan Interactive Advertising Association ("JIAA"), formed by companies involved in the internet advertising business such as media and advertising companies, has produced Guidelines on Targeting Advertising.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

If the data falls within the scope of personal information under the APPI, the transfer consent requirements and restrictions under the APPI would apply (see question 9.1 below).

8.5 Are there specific privacy rules governing data brokers?

No, but if the data broker is a PIC the data handling, transfer, etc, obligations under the APPI would apply to it, and the PIC should record the transfer of personal data to a third party in accordance with the APPI General Guidelines (see question 9.2(a) below).

8.6 How is social media regulated from a privacy perspective?

There is no specific regulation on social media from a privacy or data protection perspective.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

There is no specific regulation on loyalty programs and promotions from a privacy or data protection perspective.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

(a) General Rules: A PIC which holds personal information must not transfer personal data (ie, personal information compiled in a personal information database, etc) to a third party without obtaining the data subject's consent to do so in advance, except if:

(i) the PIC provides the third party with personal data as permitted by laws and regulations;


(ii) it is necessary for the PIC to provide the third party with the personal data in order to protect the life, body, or property of an individual, and it is difficult to obtain the consent of the data subject;

(iii) there is a special need for the PIC to provide the third party with the personal data in order to improve public health or promote healthy child development, and it is difficult to obtain the consent of the data subject;

(iv) it is necessary for the PIC to provide the third party with the personal data in order to cooperate with a national government organ, local government, or an individual or a business operator entrusted thereby with performing the affairs prescribed by laws and regulations, and obtaining the consent of the data subject is likely to interfere with the performance of those affairs; or

(v) the transfer is made pursuant to an "opt out" which satisfies conditions specified by law and guidelines (see question 9.2 below) (note that this exception does not apply to sensitive personal information).

Anonymized information may be transferred to a third party without the consent of the original data subject (as it will no longer constitute personal information), provided that the transferor PIC makes public both the fact of the transfer and what types of personal information are included in it, and notifies the recipient that the information is anonymized information.

(b) Transfer to third party: Guidelines clarify that the exchange/transfer of personal data between subsidiaries, jointly controlled companies and group companies; between a franchisor and its franchisees; or between members of the same profession/industry is considered to be a transfer to a third party unless deemed otherwise.

However, a person being provided with personal data is not deemed to be a third party for the purpose of transfer of the data:

(i) if it is a person to whom the PIC has entrusted all or part of the handling of the personal data within the scope necessary for achieving the purpose of use;

(ii) if the personal data is provided to the person when it succeeds to the business of the original PIC due to a merger or similar circumstances; or

(iii) if personal data is used jointly by PICs, provided that they either notify the person (data subject) in advance of: (1) this joint use, (2) the items of the personal data used jointly, (3) the extent of the joint users, (4) the purposes of joint use, and (5) the name of the individual or business operator who is responsible for managing the personal data, or make the foregoing information readily accessible to the person in advance.

Where a transfer of personal data is to a person or entity which is not a third party, further transfer of the personal data by that person or entity would be subject to the consent rules and exceptions applicable to such transfers described in this article.

(c) Transfers Offshore: The transfer by a PIC of personal data to a third party in a foreign country (other than in reliance on one of the exceptions listed in (a) above) is subject to the following requirements in addition to those generally applicable to transfers of personal data:


(i) where consent to the transfer is given by the data subject, it must be clear that it covers the transfer to a third party in a foreign country; and the data subject must be provided, when giving the consent, with the information necessary for judging whether to provide the consent (eg, the foreign country is identified or identifiable, or the circumstances in which such data transfer will be made have been clarified); or

(ii) in the absence of such consent, if the transferor wishes to rely on an opt-out or on the fact that the transfer is not to a third party as an exception to the requirement to obtain the data subject's consent to the transfer, it is also necessary that the transferee:

(1) is in a country on a list of countries issued by the PPC as having a data protection regime equivalent to that under the APPI; or

(2) implements data protection standards equivalent to those which PICs subject to the APPI must follow.

As of the date of this article only countries in the European Union and the European Economic Area are on the list of countries. If the country of the transferee is not in the EU/EEA, a transferor PIC would have to rely on the transferee implementing data protection standards equivalent to the APPI in order to effect a transfer of personal information offshore without the data subject's consent or in reliance on an exception listed above. Such an equivalent standard can be satisfied by the transferor and the transferee (a) entering into a contract; or (b) if they are in the same corporate group, both being subject to binding standards of the group for the handling of personal data, pursuant to which the transferee is subject to all the obligations imposed by the APPI on PICs who are subject to it, and which must include certain specified matters, such as purpose of use, record-keeping and details of security measures; or (c) where the transferee is accredited under APEC's Cross Border Privacy Rules system (a system for building trust among consumers, businesses and government agencies for personal information distributed across borders in the APEC region).

On July 17, 2018, the European Union and Japan agreed to recognize each other's data protection regimes as providing adequate provisions for the protection of personal information (see question 12.1(c) below).

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

(a) Record keeping: A transfer of personal data requires that the transferor PIC and the transferee (if a PIC, or if it becomes a PIC as a result of the transfer) keep specified records, and the transferee is also required to make enquiries as to the source of the personal data transferred. Both records and enquiries are required unless the transfer was made in reliance on an exception (see question 9.1(a)) or the transferee is not a third party.

Thus, the transferor must keep a record of:

(i) (if the transfer was made in reliance on an opt-out) the transfer date;

(ii) the name or other identifier of the transferee and the data subject, and the type(s) of data transferred (eg, name, age, gender); and

(iii) the data subject's consent to the transfer, or, if consent has not been obtained and the transfer was made in reliance on the opt-out, that fact.


The transferee must keep a record of:

(iv) (if the transfer was made in reliance on an opt-out) the date it received the personal data;

(v) the name or other identifier of the transferor and its address (and the name of its representative if the transferor is a legal entity), and the name of the data subject;

(vi) the type(s) of data transferred;

(vii) the data subject's consent to the transfer, or, if the consent has not been obtained and if the transfer was made in reliance on an opt-out, that fact;

(viii) if an opt-out has been relied on, the fact that the opt-out has been filed with, and published by, the PPC; and

(ix) how the transferor acquired the personal information transferred (having first ascertained this).

(b) Opt-outs: Personal data (other than sensitive information) can be transferred using an opt-out (ie, a system whereby a data subject is notified of the proposed transfer of its personal information to a third party and given the opportunity to object to that transfer) to obtain consent, but only after the PIC has notified the data subject of, or made readily available to the data subject, and filed with the PPC, all of the following information, and a period necessary for the data subject to exercise its opt-out right has expired:

(i) that the transfer is within the scope of the originally stated purpose of utilisation;

(ii) the specific personal data to be transferred;

(iii) the means by which the personal data will be transferred;

(iv) the fact that the transfer of the personal data is subject to an opt-out; and

(v) where to provide such opt-out exercise notice.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

The APPI provides criminal penalties for violation of personal data security. For example, a PIC (or its director, representative or administrator if it is a corporate body), its employee, or a person who used to be such a business operator or employee, which has provided or misappropriated personal information databases, etc (including their wholly or partially duplicated or processed versions) that they handled in relation to their business, for the purpose of seeking their own or a third party's illegal profits, may be punished by imprisonment with work for not more than one year or a fine of not more than JPY 500,000.

If the PPC has issued an order for improvement in respect of a data breach, failure to comply with it will render an individual who is the PIC, or the director or employee of the PIC in charge of the breach if the PIC is an entity, liable to possible criminal imprisonment for up to 6 months or a criminal fine of up to JPY 300,000, and the same criminal fine applies to the PIC as an entity.

In addition, many Sector-Specific Guidelines authorize the relevant regulators to enforce the APPI and guidelines by rendering business improvement orders, or business suspension orders in the worst cases, against providers of services which require licenses from the regulator "where necessary for ensuring the appropriate operation of the business".


10.2 Do individuals have a private right of action? What are the potential remedies?

Data subjects may seek compensation for breaches of the APPI which relate to their personal information and which cause them loss. The compensation paid in such cases has ranged from JPY 1,000 per data subject in a broad leakage case to several million yen for a violation of privacy. PICs which have suffered a data loss have often voluntarily offered compensation to affected parties, both to forestall any proceedings and to maintain good public relations.

Actions for breach of the constitutional right to privacy or breach of privacy in tort can be brought before the courts, though they are rare.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Japan which affect privacy?

No.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

It is expected that the APPI will be revised in 2020, and companies need to be aware of the amendments. (Please see question 12.2 below.)

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Japan?

No.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

Japan's data protection laws had not been updated for many years and were seen to be falling behind the regimes in other developed countries, notably those of the European Union, and there was a public perception that personal information may be misused. As a result, the APPI was substantially revised in 2017, and a new oversight regime based on the PPC (which was established on January 1, 2016) was introduced. The primary revisions are:

(a) Traceability requirement: a new regime to require due diligence and record-keeping on data transfers (see question 9.2 above);

(b) Use of encrypted anonymous data: through clarification of the definition of "personal information" and defining "encrypted anonymous information", use of such encrypted anonymous information will be liberalized and accelerate the use of big data;

(c) Transferring personal data overseas: the PPC held discussions with the European Commission in order to establish a framework under the APPI to ensure the smooth and mutual transfer of personal data between Japan and the European Union. With the coming into force of the General Data Protection Regulation ("GDPR"), the PPC obtained a decision of an "adequate level" of protection from the European Commission. This has resulted in a new


regime of frictionless transfers of personal information between Japan and the European Union coming into effect on January 23, 2019, creating what the EU Commission described as "the world's largest area of safe transfers of data based on a high level of protection for personal data". The PPC has issued supplementary rules to the APPI to give effect to the adequacy decision;

(d) Abolition of the exemption from the APPI of holders of small amounts of personal information; and

(e) Requirements governing the use of "opt out(s)" for consent to data transfers (see question 9.2(b)).

12.2 What do you envision the privacy landscape will look like in 5 years?

(a) Privacy protection will be strengthened with a view to protecting privacy not only in Japan but also in other countries, such as the European Union Member States, around the world.

(b) On the other hand, since the demand for the use of big data and other data is increasing, it is expected that new rules will be established to enable the wide use of data after it has been pseudonymized and anonymized.

(c) The PPC is considering revising the APPI, according to the "Summary of Outline", as follows:

(i) Data subjects' rights
• Expand data subjects' rights by relaxing the requirements for the entitlement to require data controllers to cease using or transferring personal data;
• Abolish the exemption, from data subjects' rights to access, etc, of personal data held by a data controller only for six months or less; and
• Tighten the scope of the "opt-out" exception to the general requirement for the data subject's consent to data transfers.

(ii) Obligations of a data controller
• Make data breach notifications to the PPC and affected data subjects "obligations" of the data controller if certain criteria (ie, number of affected data subjects, etc) are met (under the current rules, the data controller is only "required to make efforts" to notify the PPC and it is only "desirable" to notify the affected data subjects);
• Not change the timing required for the first breach notification to the PPC from the current requirement "sumiyakani" (meaning promptly, not specifying a specific deadline), but allow the PPC to set a specific deadline date for updated/conclusive investigation reports and recurrence prevention measure reports; and
• Clarify that a data controller must not use personal information "in an inappropriate manner".

(iii) Measures to promote better protections by data controllers
• Expand the scope of matters which a data controller is required to publish (eg, protection measures, details of how it processes personal data).


(iv) Data utilization
• Introduce rules for "pseudonymized" data (between personal data and anonymized data). Whilst controllers' obligations in handling pseudonymized data will be relaxed, transfers of such data to third parties will be restricted;
• Apply regulations on personal data transfers where the subject data is not personal data for a transferor, but it is for a data transferee; and
• Add more examples of data transfers allowed without consent due to public interest.

(v) Penalties
• Review the criminal penalties under the current APPI.

(vi) Expand the scope of extra-territorial application of the APPI
• Make offshore controllers of personal information or anonymized information of data subjects in Japan subject to the PPC's reporting and improvement orders; clarify that the PPC can publish cases of offshore controllers who do not comply with such orders; and

• (Whereadatasubjectcanrequirethedisclosureofdetailsofdataprotectionmeasureswhenhis/herpersonaldataistransferredtooffshoretransfereesundertheexceptiontotheconsentrequirementdueto implementationofdata protection standards equivalent to the APPI (see question 9.1(c)(ii)above). Require a data controller to notify data subjects of the foreigncountrytowhichtheirdataistransferredandgivedetailsofprotectionlevelsaffordedbydataprotectionlawsinthatcountry.

Comments fromthepublicon the “Outline”were invited tobesubmitteduntil14 January2020.

ThePPChasannouncedthat(a)itwilldraftthebillofamendmentstotheAPPIandaimstosubmit the bill to the ordinaryDiet in 2020 (an ordinaryDiet session is usually betweenJanuaryandJuneorJulyeveryyear);and(b)amendmentsinthebillwhichrequiresometimefortheregulators,businessesandthepublictoprepareforwillbeimplementedaftersuchpreparationperiodfollowingimplementationofthelegislation.

12.3 Whataresomeofthechallengescompaniesfaceduetothechangingprivacylandscape?

(a) BroaderregulationandinterventionbythePPC,inparticular,incross-borderdatatransfersanddataleaks.

(b) As regulations will be tightened to protect personal information and privacy, it will benecessary to establish internal regulations to enable compliance with regulations, and toensurethatemployeesfullyunderstandtheimportanceofprivacy.

(c) Cyber-attacksarebecomingmoresophisticated;inordertoavoidtheriskofdataleaks,itisnecessary to reviewdata security in a timelymanner andensure the security level of theequipmentused.

(d) As global harmonization of regulations and the extraterritorial application of nationalinformation protection laws is expected to be widespread, it is necessary to collectinformationon, andupdate,notonlynational laws,butalso relevantnational informationprotectionlaws,andtorespondasnecessary.


PRIVACY LAW – KENYA

1 PRIVACY LAW

1.1 How is privacy regulated in Kenya?

Currently, the law of privacy in Kenya is regulated by a layered legal framework which sets out the legal obligations, rights and remedies that apply to state bodies, public and private corporate enterprises and individuals. The fundamental right of privacy is primarily enshrined in the provisions of the Constitution of Kenya 2010 and in the provisions of the newly-enacted Data Protection Act 2019 (“DPA”), as well as various other acts, professional codes and court judgments. The DPA, which was assented to by the President of Kenya on November 11, 2019, and came into effect on November 25, 2019, intends to bring into effect the right of privacy as provided for in the Constitution by setting out the requirements for the protection of personal data processed by both public and private entities. The DPA also sets out the rights of data subjects and duties of data controllers and data processors, as well as the data protection principles that apply to the processing of personal data. These principles will be binding on data controllers and data processors, whether public or private entities.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

The general framework of statutes that caters to the protection of the right to privacy in Kenya comprises:

(a) Constitution of Kenya 2010 (“Constitution”);

(b) Data Protection Act 2019 (“DPA”);

(c) Access to Information Act No 3 of 2016;

(d) Computer Misuse and Cybercrimes Act No 5 of 2018 (“Computer Misuse Act”);

(e) Kenya Information and Telecommunications Act No 2 of 1998 (“KICA”);

(f) Official Secrets Act No 31 of 2016 (“OSA”);

(g) HIV and AIDS Prevention and Control Act No 14 of 2006 (“AIDS Act”);

(h) Kenya Information and Communication (Amendment) Bill 2019 (“Social Media Bill”);

(i) Code of Advertising Practice and Direct Marketing by the Advertising Standards Body of Kenya (“CAP Code”); and

(j) Guidance Note on Cybersecurity by the Central Bank of Kenya, issued in August 2017 (“CBK Guidance”).

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

Both the Courts and sector-specific regulatory bodies such as the Office of the Data Protection Commissioner (“Commissioner”) and the Communication Authority of Kenya enforce provisions of privacy law in Kenya. The DPA provides for the establishment of the Commissioner, whose functions will include overseeing the implementation and enforcement of the DPA, the establishment and maintenance of the register of data controllers and data processors, and investigating any complaints relating to any purported infringement of any of the provisions of the DPA. Note that as at January 8, 2020, the Commissioner has yet to be appointed. We anticipate further updates on the establishment of the office itself and the appointment of the Commissioner being announced in June or July 2020; however, this has not been confirmed. Until such time as the Commissioner is appointed, all privacy law-related matters will be resolved by the courts, and compliance with the DPA will be effectively self-regulated.

As regards any self-regulatory bodies, with the DPA still in its infancy, there are no self-regulatory bodies as such. As and when the Commissioner is appointed, one of the functions of the Commissioner will be to promote self-regulation among data controllers and data processors.

2 SCOPE

2.1 Which companies are subject to privacy law in Kenya?

(a) The Constitution is binding on all State organs and all persons. Further, it provides that all persons have the right to privacy. The Constitution defines a “person” as a company, association or other body of persons, whether incorporated or unincorporated. As such, any company operating, or otherwise providing services, in Kenya is bound by the Constitution, whether or not such companies are incorporated in Kenya.

(b) The DPA applies to all data controllers and data processors who process personal data by automated or non-automated means. There are no residency requirements where the processing is done by automated means and the DPA therefore applies to foreign and local companies in this context. However, where personal data is processed by non-automated means, the DPA will apply only if the recorded data forms a whole or a part of a filing system by a data controller or data processor who:

(i) is established or ordinarily resident in Kenya and processes data while in Kenya, or

(ii) is not established or ordinarily resident in Kenya but who processes the personal data of data subjects in Kenya (whether or not the data subject is a Kenyan citizen).

(c) The Access to Information Act applies to both public and private bodies. Its main objects include:

(i) giving effect to the Constitutional right to access information;

(ii) providing a framework for public entities and private bodies to proactively disclose information that they hold and to provide information on request in line with the constitutional principles; and

(iii) providing a framework to facilitate access to information held by private bodies in compliance with any right protected by the Constitution and any other law.

The Act defines a “private body” to include any entity that receives public resources and benefits, utilizes public funds, engages in public functions, provides public services, has exclusive contracts to exploit natural resources or is in possession of information which is of significant public interest due to its relation to the protection of human rights, the environment or public health and safety, or to exposure of corruption or illegal actions or where the release of the information may assist in exercising or protecting any right.


2.2 Does privacy law in Kenya apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

The DPA will apply to companies registered or otherwise located outside of Kenya that process personal data of data subjects located in Kenya. The Commissioner will prescribe the thresholds for mandatory registration by data controllers and data processors with the Commissioner, and registration with the Commissioner will apply to all companies, whether or not they have an establishment in Kenya.

The DPA provides that a data controller or data processor ‘may’ appoint a data protection officer; however, it is not yet clear whether this will be an absolute requirement imposed on data controllers and data processors not established or ordinarily resident in Kenya. The DPA places a particular emphasis on the designation of a data protection officer where the core activities of the data controller or processor require the regular and systematic monitoring of data subjects or where the core activities entail processing sensitive categories of personal data. That said, it is important to reiterate that the requirement to appoint a data protection officer is drafted as a discretionary obligation rather than a mandatory requirement.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Kenya?

(a) Under the DPA, “personal data” is any information relating to an identified or identifiable natural person. An ‘identifiable natural person’ means a person who can be identified directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the person’s physical, physiological, genetic, mental, economic, cultural or social identity.

(b) Under the Access to Information Act, “personal information” is somewhat broader and is defined as:

(i) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, color, age, physical, psychological or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the individual;

(ii) information relating to the education or the medical, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved;

(iii) any identifying number, symbol or other particular assigned to the individual;

(iv) the fingerprints, blood type, address, telephone or other contact details of the individual;

(v) correspondence sent by the individual that is of a private or confidential nature, or further correspondence that would reveal the contents of the originating person’s opinion or views over another person;

(vi) any information given in support of or in relation to an award or grant proposed to be given to another person; or

(vii) contact details of an individual.


3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

The DPA defines “sensitive personal data” as data revealing a natural person’s race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details (including names of the person’s children, parents, spouse or spouses), sex or the sexual orientation of the data subject. The Commissioner may prescribe further categories of personal data which may be classified as sensitive personal data at any time.

The DPA defines “biometric data” as data resulting from specific technical processing based on physical, physiological or behavioral characterization, including blood typing, fingerprinting, DNA analysis, earlobe geometry, retinal scanning and voice recognition.

Under the DPA, sensitive personal data must be processed in accordance with the overriding data protection principles set out in the DPA. These principles, referred to as the “Data Protection Principles”, require every data controller and processor to ensure that personal data is:

(a) processed in accordance with the right to privacy of the data subject;

(b) processed in a lawful, fair and transparent manner;

(c) collected for an explicit, specified and legitimate purpose;

(d) adequate, relevant and limited to what is necessary;

(e) collected only where a valid explanation is provided whenever information relating to family or private affairs is required;

(f) accurate and kept up-to-date;

(g) kept for no longer than is necessary; and

(h) not transferred outside of Kenya unless there is proof of adequate data protection safeguards or the consent of the data subject is obtained.

In the context of the transfer of any sensitive personal data, the consent of the data subject must be obtained prior to the transfer and there must be a confirmation of appropriate safeguards being in place.

Furthermore, sensitive personal data which relates to the health of a data subject may only be processed by or under the responsibility of a healthcare provider or by a person subject to the obligation of professional confidentiality under any law.

In addition to the requirements under the DPA, the Health Act imposes confidentiality obligations regarding health data. It provides that information concerning a user, including information about his or her health status, treatment or stay in a health facility, is confidential except where such information is disclosed under a court order or informed consent or for health research and policy planning purposes.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

Companies must comply with the Data Protection Principles outlined in question 3.2.


4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

The DPA applies equally to both data controllers and data processors; and both controllers and processors are required to register with the Commissioner.

The nature of the role will affect the reporting requirements that must be complied with in the event of a breach. The DPA requires the controller to notify and communicate the breach to the Commissioner and the data subject in the prescribed instances. However, a data processor is required to notify the data controller only, without delay and, where reasonably practicable, within 48 hours of becoming aware of a breach.

The DPA further requires that a data processing agreement must be entered into where a data controller uses the services of a data processor. This agreement must expressly provide that the data processor will act only on the instructions of the data controller and that the data processor agrees to be bound by the obligations of the data controller.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

The DPA and the framework of various statutes that uphold the right to privacy maintain that, when dealing with personal information, data subjects must be made aware of their rights under the DPA. The rights are:

(a) to know how the information will be used;

(b) to access the data;

(c) to object to the processing of their data;

(d) to require the correction of false or misleading data; and

(e) to require the deletion of false or misleading data.

These rights must be upheld in addition to the Data Protection Principles highlighted in question 3.2.

The DPA requires there to be a lawful basis for the processing of personal data, and a data controller or data processor may not process personal data unless (i) the consent of the data subject has been obtained; or (ii) the processing is necessary for certain prescribed circumstances, including for the performance of a contract to which the data subject is party.

Regarding consent, the DPA allows for the withdrawal of consent at any time.

As to what amounts to “consent”, the DPA follows generally internationally accepted standards in that the consent must be an “express, unequivocal, free, specific and informed indication … by a statement or clear affirmative action”. It is clear that a positive action from the data subject is required rather than


any form of deemed consent or requiring the data subject to withdraw their consent (eg, by way of an opt-out).

The law places particular emphasis on the need to obtain the consent of the data subject before disclosing information to third parties or transferring it outside the jurisdiction. A further requirement is to ensure that adequate security and technical mechanisms are in place to secure the information.

There are no legal requirements to implement privacy policies; however, a privacy policy is a mechanism by which companies can comply with their obligations under the DPA. The relevant obligations would include complying with the Data Protection Principles, notifying the data subject of his/her rights, complying with the duty to notify the data subject of certain requirements and informing the data subject of the manner in which it may object to processing.

Data protection impact assessments should be carried out where a processing operation is likely to result in a high risk to the rights and freedoms of a data subject. The format of an impact assessment will be prescribed by the Commissioner.

The appointment of a data protection officer and the requirement to register with the Commissioner have already been discussed above at question 2.2. Comprehensive recordkeeping of processing activities should form part of the internal processes of data controllers and data processors in order to ensure compliance with the DPA, particularly in the event of any audit carried out by the Commissioner as permitted under the DPA.

The DPA does not contain any specific provisions which relate to advertising; however, it does provide that personal data cannot be used for commercial purposes unless the express consent of the data subject has been obtained, or the data controller or data processor is authorized to do so under any written law and the data subject has been informed of this.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Kenya? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

The DPA aims to provide unified regulation of data in Kenya. The DPA contains provisions for regulation of data breaches, but has not expressly provided for any minimum standard for securing data. The DPA only specifies that the technical and organizational measures to be implemented must take into consideration the amount of personal data collected, the extent of the processing, the period of storage, the accessibility of such data, the cost of processing data and the technologies and tools used. Furthermore, as part of the registration process to be complied with under the DPA, the application to the Commissioner must include a general description of the risks, safeguards, security measures and mechanisms in place to ensure the protection of personal data.

It is worth highlighting that the regulation of the banking and financial services sector is stricter in relation to how regulated entities are required to protect their data. The Central Bank of Kenya has published guidelines that serve as the minimum standard that banks and payment service providers should adopt when dealing with the security of their data. For instance, the CBK Guidance requires regulated entities to have in place a cybersecurity strategy, governance charter policy and framework, which should be based on the institution’s risk profile, size, complexity and nature of its business processes. It also requires that regulated entities maintain a current enterprise-wide knowledge base of their users, devices, applications and relationships with the customers. Furthermore, it requires that


institutions set up specific mechanisms to ensure that their data is protected. They must also conduct annual independent threat and vulnerability assessment tests to ensure they are prepared in the event of an unforeseen attack through cyber-crime.

6.2 How are data breaches regulated in Kenya? What are the requirements for responding to data breaches?

The DPA defines a “personal data breach” as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

The DPA requires data controllers or processors to communicate the breach to the Commissioner within 72 hours of becoming aware of the breach, and to communicate the breach to the data subject in writing within a reasonable period, unless the identity of the data subject cannot be traced. Where the data processor becomes aware of the breach, it must communicate such fact to the data controller within 48 hours upon becoming aware of the breach. The data controller is not required to communicate the breach to the data subject where appropriate security safeguards have been implemented. These safeguards may include the encryption of affected personal data.

The data controller may delay or restrict its communication to the data subject or to the Commissioner as necessary for the purpose of preventing, detecting or investigating an offence by a concerned or relevant body.

The communication to the Commissioner and data subject should contain, among other things, a description of the nature of the breach, a description of measures taken to address the breach, and a recommendation of measures the data subject should take to mitigate the effects of the data compromise, as well as a contact point should the Commissioner or data subject require further information.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

Under the Constitution, every person has the right of privacy, which includes the right not to have information about their family or private affairs unnecessarily requested or revealed, or the privacy of their communications infringed. This right has been protected by the High Court and there have been several successful claims before the High Court on the protection of the constitutional right to privacy.

Under the DPA, individuals have the right:

(a) to be informed about the use to which personal data is to be put;

(b) to access their personal data in the custody of the data controller or processor;

(c) to object to the processing of their personal data;

(d) to correction of false or misleading data; and

(e) to the deletion of false or misleading data.


8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

As mentioned above, the DPA requires the data controller or processor to obtain the consent of the data subject before processing personal data for commercial purposes.

The data subject has the right to object to the processing of personal data (which can include any profiling to the extent necessary) for any commercial use. Where the data subject objects, their personal data cannot be processed for any commercial use.

The DPA provides that the Cabinet Secretary may, in consultation with the Commissioner, prepare a code of practice for the commercial use of personal data.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

The use of any tracking technologies that generate location data of a data subject, or any form of profiling, must be carried out in accordance with the DPA if it generates any form of identifiers from which a person can be identified directly or indirectly (as this would constitute personal data and possibly sensitive personal data). Aside from this, there are no express provisions or restrictions which prohibit or otherwise govern the use of tracking technologies under Kenyan law.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

As at the date of writing, Kenyan law does not have express laws on the regulation of targeted advertising and behavioral advertising. However, all targeted or behavioral advertising would have to comply with the constitutional right to privacy and the DPA (particularly insofar as any such forms of advertising may amount to profiling and where this may include sensitive personal information). With this in mind, the use of any personal data collected must be limited to the purposes for which it was collected. The provisions of the CAP Code are aligned with the requirements under the DPA.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

Kenyan law does not expressly provide for a required type of notice or consent in order to share data with third parties. The DPA simply requires that the data subject be notified, prior to collection, of the intent to share his/her data with third parties and of the safeguards adopted where data is transferred to a third party. Additionally, personal data may be collected indirectly where the data subject has consented to the collection from another source.

8.5 Are there specific privacy rules governing data brokers?

There are no specific privacy rules governing data brokers; however, a data controller who, without lawful reason, discloses personal data in any manner that is incompatible with the purpose for which the data was collected commits an offense under the DPA. Moreover, any person who offers to sell personal data where the data has been obtained unlawfully (ie, in a manner that is incompatible with the purpose of collection) commits an offense. An advertisement indicating that personal data is, or may be, for sale constitutes an offer to sell the personal data under the DPA.

The definitions of data processors and data controllers are broad and would include data brokers in their ambit.


8.6 How is social media regulated from a privacy perspective?

Kenyan law does not have provisions on the regulation of social media companies. However, these companies have to ensure that users’ right to privacy is protected under the Constitution. In addition, the Social Media Bill is still being considered by the legislature after its first reading in Parliament on October 2, 2019.

The Social Media Bill will, if passed, introduce stringent regulation of the use of social media in the country. The Bill seeks to license social media companies by requiring them, among other things, to keep all the data of the users of their platforms and submit this to the Communications Authority of Kenya when required. As such, if the Social Media Bill is passed into law, there will be serious privacy implications for the rights of data subjects.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

Although there is no specific regulation of loyalty programs and promotions from a privacy perspective, the DPA does apply where such programs collect personal data, and, in particular, sensitive personal data (which can include property details and marital details). In these circumstances, the information must be collected, processed and stored in accordance with the DPA. This would apply to any proposed commercial exploitation of any such data collected, which is restricted (see question 8.1 regarding the commercial use of data).

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

The DPA does not bar the transfer of data outside Kenya. However, the 8th Data Protection Principle provides that every data controller or processor must ensure that personal data is not transferred outside of Kenya unless there is proof of adequate data protection safeguards or the data subject has consented to such transfer. Additionally, the DPA sets out conditions that must be met before data is transferred outside Kenya. Accordingly, a data controller or data processor may transfer personal data to another country only where:

(a) it has given proof to the Commissioner of the appropriate safeguards with respect to security and protection of the personal data;

(b) it has given proof to the Commissioner of the appropriate safeguards, which include ensuring that the jurisdictions to which data is being transferred have commensurate data protection laws;

(c) the transfer is necessary for:

(i) performance of a contract between the data subject and the data controller or data processor;

(ii) the conclusion or performance of a contract in the interest of the data subject between the controller and another person;

(iii) any matter of public interest;

(iv) establishment, exercise or defense of a legal claim;

(v) protection of the vital interests of the data subject or other persons, where the data subject is physically or legally incapable of giving consent; or

(vi) compelling legitimate interests pursued by the data controller or data processor that are not overridden by the interests, rights and freedom of the data subject.


It is not clear whether all of the provisions under (a)–(c) must be satisfied and it is hoped that the Commissioner will clarify the requirements to be met for any cross-border data transfers. Until such time as the requirements have been clarified, we would recommend that parties ensure they comply with (a) or (b) and one of the sub-conditions under (c).

Sensitive personal data may only be processed outside Kenya upon obtaining the prior consent of the data subject and upon obtaining confirmation of appropriate safeguards in the receiving jurisdiction. Until further guidance is issued by the Commissioner, the onus will be on the data controller or processor to show that appropriate safeguards are in place. The Commissioner may request the data controller or data processor transferring personal data out of Kenya to demonstrate the effectiveness of the safeguards or existence of compelling legitimate interests. Under the DPA, the Commissioner is further entitled to prohibit, suspend or subject the transfer to such conditions as may be determined.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

In certain instances, the Cabinet Secretary for Information, Communications and Technology may, on grounds of strategic interests of the State or protection of revenue, prescribe that certain types of processing only be effected through a server or data center located in Kenya.

The DPA does not address any issues that may arise from any intra-group transfers.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

(a) Under the Kenya Information and Communications Act

(i) Unauthorized access to a computer system: any person who gains access to a computer system for the purpose of securing a service or intercepts a function of, or any data within, a computer system is guilty of an offense. The penalty upon conviction is imprisonment for a term not exceeding three years or a fine not exceeding KES 500,000 (US$5,000) or both. Furthermore, if, during the commission of the offense, data is suppressed or impaired, the penalty is a fine not exceeding KES 200,000 (US$2,000) or imprisonment for a term not exceeding two years or both.

(ii) Unauthorized disclosure of a password: any person who knowingly discloses a password to access a computer system for unlawful gain commits an offence. The penalty is a fine not exceeding KES 200,000 (US$2,000) or imprisonment for a term not exceeding two years or both.

(b) Under the Data Protection Act

(i) Administrative Penalty: The maximum penalty that may be imposed by the Commissioner for an infringement of the DPA is KES 5 million (US$50,000) or, in the case of an undertaking, up to 1% of annual turnover, whichever is the lower.

(ii) General Penalty: Where a person commits an offense and no specific penalty has been provided, or otherwise contravenes the DPA, they may be liable to a fine not exceeding KES 3 million (US$30,000) or imprisonment for a term not exceeding 10 years or both.


In addition to the general penalty above, the Court may, to prevent a contravention continuing, order forfeiture of equipment used in committing the offense or prohibit any act related to the contravention.

(iii) Failure to comply with an enforcement notice: If a person is served with an enforcement notice, failure to comply is an offence. The maximum penalty that can be imposed is KES 5 million (US$50,000) or imprisonment for a term not exceeding two years or both.

(iv) Obstructing the Data Commissioner: It is an offense for any person to obstruct the Commissioner in the exercise of its powers, fail to provide information or assistance, deny entry to the Commissioner or give the Commissioner false or misleading information. The penalty upon conviction is a fine not exceeding KES 5 million (US$50,000) or imprisonment for a term not exceeding two years or both.

(v) Damage as a result of infringement of the DPA: Any person who suffers damage as a result of infringement of the provisions of the DPA is entitled to damages from the data controller or processor.

(vi) Unlawful disclosure of personal data: It is an offense for a data controller to disclose personal information without any lawful reason and in any manner incompatible with the purposes for which the data has been collected. It is also an offense for a data processor, without lawful reason, to disclose personal data processed by the data processor without the prior authority of the data controller. Further, it is an offense for a person to obtain access to personal data, or to obtain information constituting such data, without prior authority of the data controller or processor, or to disclose personal data to a third party. The DPA criminalizes any offer to sell personal data and any advertisement to sell personal data.

(c) Under the HIV & AIDS Prevention and Control Act

Any person who discloses the HIV test results of another person without their consent commits an offense. The penalty upon conviction is a fine not exceeding KES 100,000 (US$1,000) or imprisonment for a term not exceeding two years or both.

10.2 Do individuals have a private right of action? What are the potential remedies?

Yes. The law provides that individuals can institute actions for breach of privacy.

Under the Constitution, Article 22 provides that every person has the right to institute proceedings alleging the breach of constitutional rights. The High Court has jurisdiction over claims of infringement of the bill of rights in the Constitution. As such, if the right of privacy is infringed upon, one can institute a claim in the High Court. It is important to note that any party alleging the breach of constitutional rights should use a reasonable degree of precision in setting out the complaint, the provisions said to be infringed and the manner in which they are alleged to be infringed.

The High Court can grant remedies such as a declaration of rights, an injunction, a conservatory order, a declaration of invalidity of a law, an order for compensation and an order for judicial review.

Under the DPA, an individual can lodge a complaint with the Commissioner, which may investigate the complaint. Where the Commissioner is unable to obtain an amicable solution, it must notify the complainant in writing. A person who suffers damage because of contravention of the DPA is entitled to compensation from the data controller or data processor.


11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Kenya which affect privacy?

There are currently no laws particular to Kenyan culture that affect privacy.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

(a) The Social Media Bill: The Social Media Bill seeks to introduce stringent regulation of the use of social media in the country. It seeks to license social media companies by, among other things, requiring them to keep all the data of the users of their platforms and submit this to the Communications Authority of Kenya when required. As such, if this Bill is passed into law, there will be serious implications for the privacy rights of data subjects.

(b) The Data Protection Act: As indicated earlier (see question 1.3), we anticipate that the Commissioner will issue further regulations, guidance or codes in relation to the implementation and application of the DPA. The content of this guidance will not be subject to public debate and it is difficult to ascertain how prescriptive, prohibitive, liberal or restrictive this guidance will be.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Kenya?

No.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

Lately, there has been an increase in the number of Kenyans who have access to the internet. Accordingly, there has been a shift by Parliament towards increased regulation of information shared over automated platforms. The Kenyan government has also begun moving from manual storage of data to automated storage, with a view to achieving greater efficiency in the delivery of government services. However, the growing volumes of personal data that the government is collecting have resulted in several court cases against it in relation to privacy protection.

12.2 What do you envision the privacy landscape will look like in 5 years?

Given the current trajectory of the landscape, we envision that privacy in Kenya will be subject to more regulation due to a growing appreciation of the need for regulation and protection of information. This will also bring about more certainty in terms of the rights and compliance obligations of data controllers and data processors. Additionally, access to internet and data services is expected to continue to grow, and we anticipate added growth in the number of companies offering ecommerce services.


12.3 What are some of the challenges companies face due to the changing privacy landscape?

(a) Data breaches: In the process of transitioning from analogue data storage systems to digital systems, there have been instances where companies have suffered significant data breaches. Lack of appreciation of the required security and technical safeguards is a contributory factor.

(b) Increase in regulatory burden and associated costs: Regulation of data is increasing as companies are coming to terms with the changed legal landscape and the necessity to ensure they comply with the local privacy laws. While international companies may be more accustomed to compliance with the European Union’s General Data Protection Regulation, local companies will have to ensure that sufficient time and money are allocated towards ensuring compliance with the DPA.

(c) Litigation risk: Owing to an increase in regulation, companies will find themselves before the courts which have the jurisdiction to determine breach of privacy issues. There have already been instances where litigants have sought to protect their constitutional rights before the courts. For example, a well-known university in Kenya was sued for testing and revealing the results of the HIV test of one of its employees without her consent. It is not yet clear what the extent of the enforcement actions to be taken by the Commissioner will be, but, with an increasingly aware population, companies should brace themselves for increased investigations and enforcement actions.


PRIVACY LAW – MALAYSIA

1 PRIVACY LAW

1.1 How is privacy regulated in Malaysia?

Personal data privacy is regulated under the Personal Data Protection Act 2010 (“PDPA”).

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

The primary source of law governing personal data privacy is the PDPA.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

Privacy law is enforced by the Personal Data Protection Commissioner and by the public at large. Any individual or relevant person may make a complaint in writing to the Commissioner, who will then investigate the matter. Investigation may continue despite withdrawal of the initial complaint. If a data user is found to have contravened any provisions of the PDPA after investigation is completed, the Commissioner may issue an enforcement notice outlining directions to be complied with by the data user.

2 SCOPE

2.1 Which companies are subject to privacy law in Malaysia?

Those that collect personal data to be processed or to be further processed in Malaysia.

2.2 Does privacy law in Malaysia apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

Malaysian privacy law applies if the foreign company collects personal data which is to be processed or is intended to be further processed in Malaysia.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Malaysia?

“Personal data” means any information in respect of a commercial transaction, which:

(a) is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose;

(b) is recorded with the intention that it should wholly or partly be processed by means of such equipment; or

(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,

that relates directly or indirectly to a data subject, including any sensitive personal data and expression of opinion about the data subject.


3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

“Sensitive personal data” includes any personal data consisting of information as to the physical or mental health or condition of a data subject, his political opinions, racial or ethnic origin, criminal record or allegation of criminal activity, religious beliefs or other belief of a similar nature, the commission or alleged commission by him of any offence, or any other personal data as the Minister may determine by order published in the Gazette.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

There are seven principles that companies need to follow:

(a) General: A data user must not process personal data unless the data subject has given consent.

(b) Notice and Choice: A data user must, by notice in writing, inform a data subject:

(i) that his/her personal data is being processed by or on behalf of the data user,

(ii) the purpose for which the data is being or is to be collected and further processed, and

(iii) the data subject’s right to request access to and to request correction of his/her personal data.

(c) Disclosure: No personal data may, without the consent of the data subject, be disclosed for any purpose other than the purpose for which it was to be disclosed at the time of collection, nor may it be disclosed to any party other than a third party known by the data subject.

(d) Security: A data user must, when processing personal data, take practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction.

(e) Retention: The personal data processed for any purpose must not be kept longer than is necessary for the fulfilment of that purpose, and a data user has a duty to take all reasonable steps to ensure that all personal data is destroyed or permanently deleted if it is no longer required for the purpose for which it was to be processed.

(f) Data Integrity: A data user must take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up-to-date, having regard to the purpose, including any directly-related purpose, for which the personal data was collected and further processed.

(g) Access: A data subject must be given access to his personal data held by a data user and be able to correct that personal data where the personal data is inaccurate, incomplete, misleading or not up-to-date, except where compliance with a request for such access or correction is refused under the PDPA.


4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

There are no specific roles assigned in companies in relation to processing of personal data. However, the law defines “Data Processor” and “Data User” as follows:

(a) “Data Processor”, in relation to personal data, means any person, other than an employee of the data user, who processes the personal data solely on behalf of the data user, and does not process the personal data for any of his own purposes.

(b) “Data User” means a person who, either alone or jointly or in common with other persons, processes any personal data or has control over or authorizes the processing of any personal data, but does not include a data processor.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

The law specifies that a data user must cease or not begin processing the personal data of a data subject for the purpose of communication by means of any advertising or marketing material if the data subject has notified the data user in writing of his/her wish not to have his/her personal data processed or further processed for such purposes.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Malaysia? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

Data security is based on a standard of reasonableness. Where processing of personal data is carried out by a data processor on behalf of the data user, the data user shall, for the purpose of protecting the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction, ensure that the data processor:

(a) provides sufficient guarantees in respect of the technical and organizational security measures governing the processing to be carried out; and

(b) takes reasonable steps to ensure compliance with those measures.

6.2 How are data breaches regulated in Malaysia? What are the requirements for responding to data breaches?

Data breaches are self-regulated. Any individual or relevant person may make a complaint in writing to the Commissioner, who will then investigate the matter. Investigation may continue despite withdrawal of the initial complaint. If a data user is found to have contravened any provisions of the PDPA after investigation is completed, the Commissioner may issue an enforcement notice outlining directions to be complied with by the data user.


7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

There are three rights of data subjects, namely:

(a) Right of access to personal data: An individual is entitled to be informed by a data user whether his/her personal data is being processed by or on behalf of the data user.

(b) Right to correct personal data: A data subject may make a data correction request in writing to the data user if he/she knows that his/her personal data being held by the data user is inaccurate, incomplete, misleading or not up-to-date.

(c) Right to withdraw consent to process personal data: A data subject may by notice in writing withdraw his/her consent to the processing of his/her personal data.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

A data subject may, at any time, notify the data user, in writing, to cease or not to begin processing his/her personal data for marketing communications. If the data user fails to comply with the notice, the data subject may submit an application to the Commissioner to require the data user to comply with the notice. The Commissioner may then require the data user to comply with the notice. A data user who fails to comply with the Commissioner’s requirement commits an offence and will, on conviction, be liable to a fine not exceeding two hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

A service provider may collect and maintain necessary data or information of a data subject for tracking practices. However, the collection and maintenance of such data or information must follow the following good practices:

(a) fairly and lawfully collected and processed;

(b) processed for limited purposes;

(c) adequate, relevant and not excessive;

(d) accurate;

(e) not kept longer than necessary;

(f) processed in accordance with the data subject’s rights;

(g) secure; and

(h) not transferred to any party without prior approval from the data subject.


8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

N/A.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

N/A.

8.5 Are there specific privacy rules governing data brokers?

N/A.

8.6 How is social media regulated from a privacy perspective?

The use, collection and processing of personal data must be in accordance with the PDPA. Transfer of personal data to a third party or places outside Malaysia must be done with the prior consent of the data subject.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

The use, collection and processing of personal data must be in accordance with the PDPA. Transfer of personal data to a third party or places outside Malaysia must be done with the prior consent of the data subject.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

Transfer of personal data to a third party or places outside Malaysia must be done with the prior consent of the data subject. Additionally, a data user may transfer any personal data to a place outside Malaysia under the following circumstances:

(a) the transfer is necessary for the performance of a contract between the data subject and the data user;

(b) the transfer is necessary for the conclusion or performance of a contract between the data user and a third party which is entered into at the request of the data subject or is in the interest of the data subject;

(c) the transfer is for the purpose of any legal proceedings or for the purpose of obtaining legal advice or for establishing, exercising or defending legal rights;

(d) the data user has taken all reasonable precautions and exercised all due diligence to ensure that the personal data will not be processed in any manner which would be a contravention of the PDPA;

(e) the transfer is necessary in order to protect the vital interests of the data subject; or

(f) the transfer is necessary as being in the public interest.


9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

None.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

A data user who contravenes the personal data protection principles (see question 3.3) commits an offence and will, on conviction, be liable to a fine not exceeding three hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both.

10.2 Do individuals have a private right of action? What are the potential remedies?

Private individuals have no private rights of action.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Malaysia which affect privacy?

None; except for religious or racial harmony.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

No, there are no imminent changes.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Malaysia?

No identification card or passport may be retained for any period—only for identification purposes.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

None.

12.2 What do you envision the privacy landscape will look like in 5 years?

What we foresee is the perverse implementation of facial and fingerprint scanning for private use.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

The challenges for the future within the privacy landscape are the perverse use of artificial intelligence and surveillance of private individuals.


PRIVACY LAW – MEXICO

1 PRIVACY LAW

1.1 How is privacy regulated in Mexico?

Privacy is considered a human right under the Federal Constitution. There are two main regulations on privacy in Mexico:

(a) The Mexican Data Privacy Law for the Private Sector (“Privacy Law”): this is an omnibus regulation and it has been in force since July 5, 2010; and

(b) The General Data Protection Law for the Public Sector (“Public Sector Data Law”), which has been in force since January 26, 2017: this is also a general regulation, addressed at government agencies processing personal data; however, as this is a general regulation, it only sets the standards for data processing, and each state has its own local data protection law for the public sector.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

Currently, the Mexican data privacy regulation is based on the following laws:

(a) The Federal Constitution recognizes data privacy as a human right (Articles 6 and 16);

(b) The Privacy Law;

(c) The Rules for the Privacy Law (“Rules”);

(d) The Consumers Protection Law (the only regulation focusing on advertising aspects, where it is stated that suppliers should provide an adequate use of personal data, according to privacy laws);

(e) The Public Sector Data Law;

(f) Local regulations, eg the Civil Liability, Honor and Private Life Act (applicable for Mexico City only);

(g) Mexico is the second Latin American country to accede to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, also known as “Convention 108”, and its Additional Protocol, and thus becomes its 53rd Party; and

(h) Mexico is also a member party of the Asia-Pacific Economic Cooperation (“APEC”) Privacy Framework.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

The data protection authority in Mexico is the Mexican Institute of Transparency and Personal Data Protection (“INAI”) and it is the authority in charge of:

(a) transparency and access to public information; and

(b) personal data protection.

The INAI is a constitutionally established, autonomous entity and has sufficient powers to enforce the law without interference from other governmental entities.


2 SCOPE

2.1 Which companies are subject to privacy law in Mexico?

Those regulated by privacy law in Mexico are private individuals and legal entities that carry out the processing of personal data, with the exception of:

(a) credit information societies (in the case of the Law to Regulate Credit Information Societies and other applicable provisions), and

(b) persons who carry out the collection and storage of personal data which is for personal use only, and without purposes of disclosure or commercial use.

2.2 Does privacy law in Mexico apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

No.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Mexico?

“Personal data” is defined as any information concerning an identified or identifiable natural person.

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

“Sensitive data” refers to personal data that affects the most intimate sphere of its owner, or improper use of which may cause discrimination or carries a serious risk for an individual. In particular, sensitive data is that which may reveal aspects such as:

(a) racial or ethnic origin,

(b) present and future state of health,

(c) genetic information,

(d) religious, philosophical and moral beliefs,

(e) trade union membership,

(f) political opinions, and

(g) sexual preference.

A specific obligation around sensitive data is that explicit and written (electronic means are allowed) consent of individuals must be obtained prior to the data processing (sensitive data is based on the opt-in system; other personal data is based on the opt-out system).

Also, fines for data processing infringement can be doubled when it comes to sensitive data.


3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

The principles that govern data privacy in Mexico are:

(a) lawfulness,

(b) consent,

(c) information,

(d) quality,

(e) purpose,

(f) loyalty,

(g) proportionality, and

(h) responsibility.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

Yes, the Mexican Privacy Law assigns different roles to subjects based on how they process personal data. There are two roles:

• Controller: an individual or legal entity of a private nature who decides on the processing of personal data.

• Processor: an individual or legal entity who alone or jointly with other persons processes personal data on behalf of the controller.

The controller and processor should sign a contract, or at least include a clause in their service agreement, in order to set out minimum standards on processing personal data, including security standards. The agreements between the controller and processor relating to processing must be in accordance with the relevant privacy notice.

The processor has the following obligations in respect of processing carried out on behalf of the controller:

(a) process personal data only in accordance with the instructions of the controller;

(b) refrain from processing personal data for purposes other than those instructed by the controller;

(c) implement security measures in accordance with the Privacy Law, its Rules and other applicable provisions;

(d) keep personal data confidential;

(e) delete the personal data subject to processing once the legal relationship with the controller has come to an end, or on the instructions of the data controller, provided that there is no legal provision requiring the conservation of personal data; and

(f) refrain from transferring personal data unless either the controller so instructs, the communication derives from subcontracting, or when so required by the competent authority.


5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

Key obligations are:

(a) obtaining the consumer’s consent prior to data processing;

(b) posting a privacy policy prior to data processing;

(c) appointing a data privacy officer;

(d) complying with the so-called “ARCO rights” (ie, the data subject’s rights of Access, Rectification, Cancellation and Opposition); and

(e) complying with the principles for data processing (see question 3.3).

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Mexico? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

The law requires controllers to take technical and physical security measures to protect personal data against breach, loss, alteration, destruction or use, access or unauthorized processing.

6.2 How are data breaches regulated in Mexico? What are the requirements for responding to data breaches?

In the event of any data breach, the controller must inform the data subject without delay, when there is a risk of his/her right to privacy being infringed, so he/she can take the necessary actions.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

Individuals have ARCO rights: ie, Access, Rectification, Cancellation and Opposition. Currently, the right to data portability is only applicable under the Public Sector Data Law.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

Marketing communication is allowed under the Privacy Law, as long as the data subject is informed prior to data processing. Spam is forbidden under the Consumers Protection Law.


8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

Controllers are obliged to inform data subjects when using tracking technologies, as part of the Information Principle (see question 3.3).

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

Controllers are obliged to inform data subjects when they are using targeted advertising and behavioral advertising, as a part of the Information Principle (see question 3.3).

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

A privacy notice should indicate that the controller is transferring personal data to third parties and for what purposes.

8.5 Are there specific privacy rules governing data brokers?

No.

8.6 How is social media regulated from a privacy perspective?

There are no specific regulations on social media in the Privacy Law, other than that social media can be considered as a public access source. In the public sector, there are recent judgments issued by Federal courts stating that public officers may not block users, as this inhibits the right of information access.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

There are no specific regulations for loyalty programs, although there are some specific provisions regarding promotions in the Privacy Law and the Consumers Protection Law.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

National or international data transfers (other than to a processor) may only be carried out if the data subject gives his/her consent, and the controller must provide the third party with the privacy notice relevant to the data subject and inform the third party as to the purposes for which the data may be processed to which the data subject has consented. The third-party recipient must meet the same minimum security standards as are required from controllers. See question 4.1 as to the requirements on processors.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

No consent is required when transferring data between group companies.


10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

For violations of privacy or data security law, the law provides a list of actions that are grounds for sanction. Fines from 100 to 320,000 times the current minimum daily wage (approximately US$5.38 a day) may be imposed, and may be doubled when it comes to sensitive data.

Sanctions may be imposed without prejudice to any civil or criminal liability that can arise.

10.2 Do individuals have a private right of action? What are the potential remedies?

Yes, individuals have a right of action when the Privacy Law is infringed. According to article 58 of the Privacy Law, individuals who consider that they have suffered damage or injury to their property or rights as a result of non-compliance with the provisions of the Privacy Law by the controller or processor may bring actions for compensatory damages in a Federal court.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Mexico which affect privacy?

Privacy is regulated locally in each of the states of Mexico through the civil law, whereby individuals may pursue civil liability actions.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

• The Fintech Law, which came into effect on March 10, 2018, is intended to build a regulatory framework aimed at the development of innovative financial services, increasing the level of competition and financial inclusion, as well as placing Mexico at the forefront of the industry. The Fintech Law currently recognizes two types of financial technology institutions (crowdfunding institutions and electronic money institutions) and an innovative, or sandbox, model.

• In 2019, a set of Official Standards for e-commerce platforms was enacted. These standards require e-commerce platforms to comply with privacy regulations.

• In the upcoming months a regulation on drones will be drafted.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Mexico?

In Mexico, the burden of proof lies on controllers.


12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

In 2019, 13 out of 32 states in Mexico passed the General Law on Women’s Access to a Life Free of Violence; these local laws criminalize revenge porn, grooming, and sexting, among other matters. Some of the states which have passed this law are: Jalisco, Puebla, Oaxaca, Chiapas, Veracruz, and Yucatan; the City of Mexico is currently analyzing this law.

The trigger for this law is the urgent need to criminalize a very common practice on the internet, namely the sharing of explicit videos and photographs depicting sex on social media and posting them on porn sites.

12.2 What do you envision the privacy landscape will look like in 5 years?

• More international cooperation;

• The Mexican framework needs to improve mechanisms to protect children’s online privacy.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

One major challenge companies face is the cost of implementing a privacy policy according to local (national) frameworks.


PRIVACY LAW – NEW ZEALAND

1 PRIVACY LAW

1.1 How is privacy regulated in New Zealand?

Privacy in New Zealand is regulated by a combination of statute, associated regulations and codes. There is also a common law tort of invasion of privacy. The main statute regulating privacy is the Privacy Act 1993 (“Privacy Act”). Self-regulatory frameworks, including, eg, the Advertising Standards Authority’s codes, also regulate privacy to a certain degree.

1.2 Whatarethekeylawsregulatingprivacy?Pleasepointoutnationallaws,localorstate-specificlaws, sector-specific laws, and self-regulatory frameworks, with special focus on advertingaspects.

ThekeylawregulatingprivacyisthePrivacyAct.ThePrivacyActsetsoutprivacyprincipleswhicharethekeyprinciplesthatcompaniesneedtofollow,asfurtherdetailedatquestion3.3.UnderthePrivacyAct,thePrivacyCommissionerhasthepowertoissuecodesofpractice.Thesecodesbecomepartofthelaw.Thecurrentcodesofpracticeinclude:

(a) CivilDefenseNationalEmergencies(InformationSharing)Code2013;

(b) CreditReportingPrivacyCode2004;

(c) HealthInformationPrivacyCode1994;

(d) JusticeSectorUniqueIdentifierCode1998;

(e) SuperannuationSchemesUniqueIdentifier1995;and

(f) TelecommunicationsInformationPrivacyCode2003.

There are also self-regulatory frameworks which regulate privacy, including the New ZealandAdvertisingStandardsAuthority(“ASA”)anditsadvertisingcodes.

1.3 Howisprivacylawenforced?Pleaseaddressbothregulatorsandself-regulatorybodies.

TheprovisionsofthePrivacyActandassociatedcodesareenforcedbythePrivacyCommissioner.AdecisionofthePrivacyCommissionercanbeappealedtotheHumanRightsReviewTribunal,whichisanindependentjudicialbody,separatefromtheofficeofthePrivacyCommissioner.AbreachoftheprivacyprovisionscontainedintheASA’scodesisenforcedbytheASA.

2 SCOPE

2.1 WhichcompaniesaresubjecttoprivacylawinNewZealand?

ThePrivacyActapplies to “agencies” thataredefinedas “anypersonorbodyofpersons,whethercorporate or unincorporate, and whether in the public sector or the private sector; and, for theavoidanceofdoubt,includesadepartment.”

2.2 Does privacy law in New Zealand apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

Yes, if they operate in New Zealand. There are no specific requirements applicable only to overseas companies.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in New Zealand?

The Privacy Act defines "personal information" as information about an identifiable individual, and includes information relating to a death.

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

The Privacy Act does not specifically define "sensitive personal information"; the definition of "personal information" means that the Privacy Act applies to all personal information, not just or specifically in relation to sensitive information. However, the codes of practice that the Privacy Commissioner issues, referred to above at question 1.2, are examples of areas where there are specific privacy requirements. For example, the Health Information Privacy Code sets out rules for the health sector.

The ASA recognizes the sensitivity of personal information relating to children in its Children and Young People's Advertising Code, which includes a rule that extreme care must be taken when recording or requesting the personal details of children and young people to ensure that their privacy is protected and that the information is not used in an inappropriate manner. The associated guidelines include that if an advertisement indicates that personal information about a child will be collected, this must include a statement that a parent's or guardian's consent is required. The advertiser must also not collect more information from a child than that which is needed for the relevant activity.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

The Privacy Act sets out privacy principles which are the key principles that companies need to follow. A summary of the principles is set out below.

(a) Collection: Personal information can only be collected for lawful purposes, and its collection must be necessary for that purpose. The information should be collected directly from the individual, unless certain circumstances apply, for example if the individual authorizes the collection of the information from someone else.

When the information is collected, the individual needs to be made aware of:

(i) the fact that the information is being collected;

(ii) the purpose for which the information is being collected;

(iii) the intended recipients of the information;

(iv) the name and address of the entity that is collecting the information and the entity that will hold the information;

(v) if the collection of the information is authorized or required by law, details of this;

(vi) the consequences (if any) if all or any part of the information is not provided; and

(vii) the person's right to access and correct personal information.

Personal information cannot be collected by unlawful means or by means that, in the circumstances, are unfair or intrude to an unreasonable extent on the personal affairs of the individual.

(b) Storage of Personal Information: Personal information must be protected, by such safeguards as are reasonable in the circumstances, against loss, unauthorized access, use, modification or disclosure, and other misuse.

(c) Access to and Correction and Accuracy of Personal Information: Individuals have the right to access and correct personal information. This is subject to certain limitations, such as where the disclosure would endanger the safety of an individual, or if the information cannot easily be retrieved. An entity holding personal information should not use that information without taking all reasonable steps in the circumstances to ensure that, having regard to the purpose for which the information may be used, the information is accurate, up to date, complete, relevant and not misleading.

(d) Retention: Personal information should only be held for the time period required for the purpose for which it may be lawfully used.

(e) Use: Personal information may only be used for the purpose for which the individual was advised it was collected. There are a very limited number of exceptions to this, for example if the information is used in a form in which the individual is not identified.

(f) Disclosure: Personal information may only be disclosed if that disclosure is one of the purposes in connection with which the information was obtained or is directly related to the purposes for which the information was obtained. Disclosure that is authorized by the individual concerned, or disclosure to the individual concerned, is also permitted. There are also a limited number of further permitted disclosures, such as if the disclosure is necessary to prevent a serious threat to public safety.

(g) Unique Identifiers: An entity cannot require an individual to disclose any unique identifier (which would include, for example, a passport number) unless disclosure is for one of the purposes for which that unique identifier was assigned or for a purpose that is directly related to one of those purposes. An entity must also not assign a unique identifier to an individual unless it is required to enable the entity to carry out one or more of its functions efficiently.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

No, the Privacy Act does not assign different roles to companies based on how they process information.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

The key obligations under the Privacy Act are compliance with the privacy principles, set out at question 3.3. In addition, the Privacy Act requires that each organization has at least one Privacy Officer. The responsibilities of a Privacy Officer include encouraging compliance with the privacy principles, dealing with any requests made under the Privacy Act, working with the Privacy Commissioner in relation to any investigations and otherwise ensuring compliance by the organization with the Privacy Act.

The privacy principles require that organizations inform individuals about the information that is being collected and the purpose for which it is used, amongst other things. This is normally contained in a privacy policy or privacy statement.

Undertaking a Privacy Impact Assessment is not specifically required by the Privacy Act. However, it can be a useful process to go through to identify any issues early, making them easier to address.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in New Zealand? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

Data security is primarily regulated by the Privacy Act and its information privacy principles. As mentioned above at question 3.3, these core principles protect people's privacy by governing the collection, storage, and use of personal information, while also providing for legitimate use of information by government, businesses, and other organizations.

In particular, principle 5 establishes the minimum standard for storage and security of personal information. That is, any agency that holds personal information must ensure that:

(a) the information is protected by such security safeguards as it is reasonable in the circumstances to take against:

(i) loss;

(ii) access, use, modification, or disclosure, except with the authority of the agency that holds the information; and

(iii) other misuse; and

(b) if it is necessary for the information to be given to a person in connection with the provision of a service to the agency, the agency must do everything reasonably within its power to prevent unauthorized use or disclosure of the information.

As referred to above, any organization holding data on identifiable individuals is required to appoint a Privacy Officer to monitor compliance with the Privacy Act and deal with privacy breaches.

Further, the codes of practice issued by the Privacy Commissioner impose additional obligations regarding securing data for certain classes of agencies, such as credit reporters and telecommunications providers.

There are also various standards, guides, manuals and assessments that assist organizations in addressing the data security standards imposed by the Privacy Act and codes of practice, such as:

(a) ISO/IEC 27001:2013 standard — This standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system for all organizations. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.

(b) The Protective Security Requirements ("PSR") — The PSR outlines the Government's expectations for managing personnel, physical and information security. The PSR also includes the New Zealand Information Security Manual, which is intended to assist not only government departments and agencies and their service providers, but also private sector organizations.

(c) Digital Government NZ: Risk Assessment Process — The Government has also developed a generic security risk assessment process intended to assist companies with ensuring that they meet the requirement to have a robust risk assessment process.

6.2 How are data breaches regulated in New Zealand? What are the requirements for responding to data breaches?

Data breaches are regulated by the Privacy Act. Currently, the Privacy Act does not contain mandatory breach reporting requirements. However, this is under review as part of the review of the Privacy Act, as further discussed below.

The Privacy Commissioner recommends that the following steps are taken by an affected organization as quickly as possible to minimize any harm to the affected individuals and the organization concerned:

(a) Contain the breach and make a first assessment — This may include stopping unauthorized practices, retrieving lost information, disabling the breached system, cancelling or changing computer access codes and fixing weaknesses in the organization's physical/electronic security. It may also be necessary to consider whether to inform the organization's insurer, internal auditors, risk managers and legal advisers (and, if the breach involves theft or criminal activity, notify the police and retain key evidence).

(b) Evaluate the risks — The organization should consider the types of personal information involved, what that information might show, how easy it is to hack, the cause, extent and potential harm of the breach and who holds the information.

(c) Notify affected people — The requirements and extent of notification are currently considered on a case by case basis. If there is no harm, notification may not be necessary.

(d) Prevent a repeat — This is intended as a longer-term solution to develop prevention strategies and could be effected by organizations establishing a comprehensive security plan for all personal information. The Privacy Commissioner recommends the International Organization for Standardization standards as a starting point. Further, organizations may, depending on the significance of the breach, need to undertake a security audit and review their policies and practices.

The Privacy Act is currently undergoing review. A new Privacy Bill ("Privacy Bill") was introduced in 2018 and is expected to be enacted into law in 2020. One of the key proposed changes to the Privacy Act is mandatory data breach notification, which will require public and private sector agencies to notify affected individuals and the Privacy Commissioner if they experience a data breach which poses a risk of harm. Failure to do so could result in a fine of up to NZ$10,000.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

The privacy principles mentioned above at question 3.3 under the Privacy Act must be followed by businesses when collecting, using and storing an individual's personal information. Pursuant to these principles, when a business gathers information about an individual, they must:

(a) obtain permission from the individual to do so;

(b) be clear about what they are gathering and what they will use it for;

(c) not share personal information without the individual's knowledge or approval unless an exception applies;

(d) inform the individual of their right to access the information and, if necessary, correct that information if it is incorrect or out of date; and

(e) ensure the information is accurate and kept securely. When the business no longer needs the information, they must safely destroy it.

In the event of a breach of any of the information privacy principles or other provisions of the Privacy Act, the individual concerned can make a complaint to the Privacy Commissioner, who will be responsible for investigating the breach. As mentioned at question 6.2, under the new Privacy Bill it is proposed that businesses will be required to notify affected individuals and the Privacy Commissioner if they experience a data breach which poses a risk of harm, and failure to do so could result in a fine of up to NZ$10,000. Further, if a privacy breach matter is not settled with the Privacy Commissioner, then the decision can be appealed to the Human Rights Review Tribunal.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

The Privacy Act primarily regulates marketing communications from a privacy perspective. Generally, marketers must tell consumers in clear, simple language what information about them is being collected, what it will be used for, who it will be disclosed to (if anyone) and that the customer has the right to access and correct their own information.

The Unsolicited Electronic Messages Act 2007 provides that an individual or organization that sends commercial electronic messages, such as emails and text messages, must notify the recipient of who the sender is and how to contact them. The message must also include a functional and free of charge unsubscribe function.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

If a business intends to use cookies, or other tracking technologies, on websites or apps to collect information about consumers, then the business should clearly notify consumers that such technologies are in use, how they are used (ie, what personal information is being collected and what it will be used for) and obtain consent.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

In addition to the information privacy principles under the Privacy Act regarding collection, purpose, and disclosure (if any) of personal information, rule 1(b) of the ASA's Advertising Standards Code requires that advertisers obtain appropriate consent from consumers before engaging in personalized direct advertising communications. The following guidelines are to be followed by advertisers in interpreting that rule:

(a) personal information that is publicly available may be used for personalized direct advertising communications, providing that the information is not accompanied by a statement to the effect that the person does not wish to receive such advertising;

(b) private personal information may be used for personalized direct advertising communications providing that consent has been obtained from the person to collect, store, and use their information for a defined purpose and the information collected is only used for that purpose; and

(c) it must be clear to the recipient of any personalized direct advertising communication how they can unsubscribe or opt out.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

The Privacy Act contains specific provisions relating to data matching between certain public sector agencies (provided that a number of rules are adhered to), but not in relation to data matching in the private sector. As a result, data matching in the private sector is, for the most part, regulated by the privacy principles relating to the collection, use and disclosure of personal information and the use of unique identifiers.

Generally, advertisers cannot disclose personal information to a third party without a legal basis to do so (eg, that the disclosure of the information is one of the purposes, or is directly related to the purposes, in connection with which the information was obtained). If information is shared between an advertiser and a third party, the permitted uses of that information by each party need to be considered, as well as the security of the information.

8.5 Are there specific privacy rules governing data brokers?

Currently, there are no specific laws or regulations in New Zealand governing the operation of data brokers.

Under the Privacy Act, an agency is exempt from the requirement to collect information directly from the individual concerned if the agency believes, on reasonable grounds, that the information is publicly available. However, if individuals do not have the right and the means to know which data brokers have information about them for marketing purposes, or to see what information is being collected and how it is being used, then it is possible that the collection of personal information by data brokers could be considered unfair or intrusive to an unreasonable extent upon the personal affairs of the individual concerned (particularly for children and other vulnerable consumers). This would amount to a breach of the Privacy Act.

8.6 How is social media regulated from a privacy perspective?

Social media is mainly regulated from a privacy perspective by the provisions of the Privacy Act. The information privacy principles give individuals the right to know what information about them is being collected, what it will be used for and who (if anyone) it will be disclosed to, as well as the right to be informed of their ability to access and correct their information. In relation to text messages or emails, social media platforms will be subject to the provisions of the Unsolicited Electronic Messages Act 2007, as referred to above in response to question 8.1.

Otherwise, social media remains relatively unregulated from a privacy perspective in New Zealand. However, in recognition of changes in the use of data, the Privacy Commissioner has submitted a substantial set of recommendations for the Privacy Bill, some of which will impact directly on the use of personal information by social media platforms. These include:

(a) a right to erasure;

(b) fair use of personal information;

(c) algorithmic transparency (openness about the purpose, structure and underlying actions of algorithms used to manipulate data); and

(d) recommendations in relation to mandatory breach notifications and penalties for serious non-compliance.

Further, the Privacy Commissioner could be given the power to issue a compliance notice to social media platforms found not to be complying with New Zealand's privacy laws. Compliance notices would be enforceable in the Human Rights Review Tribunal and, if a platform does not comply, it could face costs, as well as a fine of up to NZ$10,000.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

There is no specific New Zealand legislation that governs loyalty programs and promotional activities from a privacy perspective. In order to comply with the information privacy principles, businesses should provide all participants of loyalty programs and promotions with a copy of their privacy policy. This should include accurate information about:

(a) what personal information the business will collect;

(b) what it will be used for;

(c) how it will be securely stored;

(d) whether it may be disclosed or shared (including with third parties, online, and overseas); and

(e) how the individual can access and correct the information.

Personal information used for these programs or promotional offers cannot be kept longer than is required for its lawful use, ie, beyond completion of the program or promotional offer.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

The handling of "personal information" (as defined in the Privacy Act) must comply with the Privacy Act's privacy principles (see question 3.3). An organization must not transfer personal information to another organization except in compliance with the privacy principles. The Privacy Commissioner may issue a transfer prohibition notice under Section 114D of the Privacy Act, prohibiting the transfer of personal information as set out in the notice.

The current version of the Privacy Bill prohibits the disclosure of personal information overseas unless the agency is satisfied that one of a set of criteria is met (eg, that the foreign person receiving the personal information is subject to privacy laws that, overall, provide comparable safeguards to those in the Bill).

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

The Privacy Bill proposes that a company (acting as an agent for another) that is storing or processing information for another company, and that uses or discloses that information for its own purposes, will be held accountable and treated as holding the information (even if that company is not situated in New Zealand). In certain circumstances this would cover, for example, cloud data storage providers and information sent overseas for processing on behalf of an agency. Similarly, a company will remain accountable for the information held by another person as its agent.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

If there is a breach of one or more privacy principles, the affected individual can make a complaint to the Privacy Commissioner. If the matter is not able to be resolved, and the Privacy Commissioner considers that there has been an "interference with privacy", the Privacy Commissioner may then refer the complaint to the Director of Human Rights Proceedings. If the Privacy Commissioner does not refer the matter to the Director of Human Rights Proceedings, the individual may bring the case directly to the Human Rights Review Tribunal.

The Tribunal may issue a compliance notice, ordering that an agency does (or does not do) something, and/or award the complainant compensation. The Tribunal has awarded up to NZ$10,000 for less serious breaches and up to NZ$50,000 for more serious breaches. The greatest award the Tribunal has ordered in respect of a privacy matter was over NZ$168,000. The Tribunal has the ability to award damages up to NZ$350,000.

Further, a person commits an offence under the Privacy Act and is liable upon conviction to a fine of up to NZ$2,000 for:

(a) obstructing or not complying with the Privacy Commissioner in the exercise of its powers under the Privacy Act;

(b) knowingly misleading the Commissioner in the exercise of its powers under the Privacy Act; or

(c) misrepresenting their authority under the Privacy Act.

The current version of the Privacy Bill raises the maximum liability for the above offences to NZ$10,000 and creates new offences, including:

(d) misleading an agency to obtain access to someone else's personal information; and

(e) destroying a document containing personal information, knowing a request has been made for it.

There are various statutes which prohibit certain types of intrusion (eg, using devices to monitor private conversations, or opening a letter addressed to another person) and which create offences in order to protect a person's privacy interest and prevent the disclosure of certain information.

10.2 Do individuals have a private right of action? What are the potential remedies?

Individuals may bring a common law claim for an invasion of privacy.

Individuals can seek an injunction to prevent invasion of their privacy.

General damages (for example, compensation for hurt and upset) and exemplary damages are also available as remedies.

As referred to above, an individual personally affected by the breach (or that individual's representative) may make a complaint to the Privacy Commissioner.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of New Zealand which affect privacy?

There are no specific privacy rules which relate to the culture of New Zealand.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

As discussed at question 6.2, the Privacy Act is currently under review. All companies that collect, store and use personal information about their employees and/or customers will need to be aware of the changes the Privacy Bill makes to New Zealand's current privacy law. Key changes include mandatory reporting requirements with respect to certain data breaches and the strengthening of cross-border data flow protection.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in New Zealand?

If you are processing personal data in New Zealand, we recommend that you seek specific New Zealand legal advice to ensure that you are complying with your privacy obligations in the context in which your business is operating.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

Since its introduction, the Privacy Act has continued to act as the primary source of legislation for addressing privacy and data issues in New Zealand. The legislation adopts a principle-based approach, has been drafted on a technologically neutral basis, and has remained relatively unchanged since its original enactment. However, as detailed in question 12.2, a significant revision of the privacy regime is currently under discussion in the New Zealand Parliament. This reform is likely a response to the advancement and proliferation of the digital economy, which has significantly altered the privacy landscape.

12.2 What do you envision the privacy landscape will look like in 5 years?

As noted at question 6.2, the Privacy Bill will strengthen privacy protections, focusing on early intervention and risk management by those who hold or handle personal information. The current version of the Privacy Bill proposes the following key reforms:

(a) Mandatory reporting requirements — agencies are required to report to the Privacy Commissioner and the individual concerned where there has been a privacy breach which poses a risk of harm.

(b) Greater scope of powers for the Privacy Commissioner — the Privacy Bill in its current form gives the Privacy Commissioner more information-gathering powers, the authority to issue "Compliance Notices" (which require an agency to do or stop something) and the ability to make binding decisions on complaints in relation to access to information under the Privacy Act.

(c) Cross-border protections — In light of the ease of data flowing between jurisdictions, and to promote accountability and satisfactory protection of the personal information of New Zealand individuals, New Zealand agencies will be required to be satisfied that any personal data they send overseas will be protected by equivalent or better privacy standards.

(d) Penalties — in recognition of the importance of privacy protection, the enactment of the Privacy Bill in its current form will introduce various new penalties and heavier fines (see question 10.1).

12.3 What are some of the challenges companies face due to the changing privacy landscape?

With the increasing inter-connectedness of companies and the flow of data across borders, companies will need to ensure they remain compliant not only with the privacy laws of their home jurisdiction, but also with the privacy laws and standards of other jurisdictions.

PRIVACY LAW – NICARAGUA

1 PRIVACY LAW

1.1 How is privacy regulated in Nicaragua?

In Nicaragua, privacy is regulated by Law No 787 on the Protection of Personal Data, which was approved by the legislative branch on 21 March 2012 and came into effect upon publication in the Official Journal on 29 March 2012.

This law regulates the processing of personal data relating to both natural persons and legal entities, regardless of whether it is carried out by automated means or not. The objective of this law, as stated in Article 1, is to guarantee the right to personal and family privacy, as well as the right to informational self-determination.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

Key laws are:

(a) the Law on the Protection of Personal Data; and

(b) the Regulations to the Law on the Protection of Personal Data (Decree 36-2012), in force since October 17, 2012.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

The Law on the Protection of Personal Data provides for the creation of a Directorate for Personal Data Protection within the Ministry of Finance and Public Credit. This Directorate will be in charge of many data-protection related activities, such as operating a database registry, issuing regulations, monitoring compliance as well as imposing administrative sanctions (in cases of violations).

However, at the present time, the Directorate has not yet been created, and, therefore, the Law is not fully applicable, as it is not possible to comply with certain requirements of the law, such as registering in the Directorate's database. Furthermore, it is not possible to impose administrative sanctions (in cases of violations) and there is currently no entity in charge of monitoring compliance.

2 SCOPE

2.1 Which companies are subject to privacy law in Nicaragua?

Both public entities and private companies are subject to the Nicaraguan privacy law.

2.2 Does privacy law in Nicaragua apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

No. There is no explicit mention of the territorial scope of the Law on the Protection of Personal Data, which, by default, limits its scope of application to entities established in the Nicaraguan territory processing data contained in databases kept within Nicaragua.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Nicaragua?

"Personal data" is defined as any information relating to identified or identifiable natural persons or legal entities.

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

According to Nicaraguan law, "sensitive personal data" is all information that reveals racial or ethnic origin, political affiliation, religion, philosophical or moral creed, union membership, health data, sexual preferences, criminal or administrative records, financial information, and any other information that may be grounds for discrimination.

Sensitive personal data can only be obtained and processed for reasons of general interest, with the consent of the owner of the data, or through a court order. It may also be processed for statistical or scientific purposes when the data subjects cannot be identified. Personal data relating to criminal records or administrative offenses can only be processed by the competent public authorities.

Personal data related to health, held in hospitals, clinics, public and private health centers and by professionals linked to health, can only refer to the physical or mental health of patients, preserving professional confidentiality.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

(a) Notice: Data subjects should be given notice when their data is being collected, as well as contact information for the entity collecting the data.

(b) Purpose: Data subjects must be informed about the purposes for which their data will be used and whether it is voluntary or mandatory to provide the information.

When it no longer serves the purpose for which it was collected, personal information should be deleted.

The information collected should only be used for the purpose stated and not for any other purposes. If there is a change from the purpose for which the information was originally collected, the individual must be informed by the entity collecting it.

(c) Consent: Consent must be freely given. As a general rule, tacit consent is valid. However, for purposes of processing financial data or other sensitive information, express consent is required.

(d) Security: The collected data should be kept secure from any potential abuses. As a result, the entity collecting the data must take appropriate technical measures to prevent any unauthorized access to or use of the information.

(e) Disclosure: Data subjects should be informed as to who is collecting their data.

(f) Access: Data subjects should be allowed to access their data and make corrections to any inaccurate data.

(g) Accountability: Data subjects should have a method available to them to hold data collectors accountable for following the principles outlined above.


4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

No. The law in Nicaragua does not assign different roles to companies based on how they process personal data.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

(a) The Law on the Protection of Personal Data requires:

(i) Posting a privacy policy in the local language (Spanish).

(ii) Registering with the Directorate for Personal Data Protection (when such Directorate has been established; see question 1.3).

(b) Additionally, the Law on the Protection of Rights of Consumers and Users (Law No 842) broadly defines advertising as: “all form of public communication made by a provider for promoting directly or indirectly the acquisition of goods and/or services is considered advertising.” This includes the action of sending marketing e-mails and text messages.

The following general principles should be followed:

(i) The communications must offer the right to opt out of future communications or to revoke consent.

(ii) The communications (advertising) must be free from false or misleading information.

(iii) Unless the information has been obtained from publicly available sources, all personal information maintained in direct marketing databases can only be included with the consent of the individuals concerned. In any case, these individuals have the right to access their information stored in such databases.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Nicaragua? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

Data security is also regulated by the Law on the Protection of Personal Data.

This Law states that data controllers must adopt the necessary technical and organizational measures to guarantee the integrity, confidentiality and security of personal data, to prevent their adulteration, loss, consultation, treatment, disclosure, transfer or unauthorized disclosure, and to detect deviations of private information, whether intentional or not, and whether the risks come from human action or from the technical means used.


Additionally, the law provides for the Directorate for Personal Data Protection to implement the required regulations. However, in view of the fact that said Directorate has yet to be created, there are no particular standards in place for securing data.

6.2 How are data breaches regulated in Nicaragua? What are the requirements for responding to data breaches?

At present, due to the fact that the competent authority (Directorate for Personal Data Protection) has yet to be created, for all practical purposes data breaches are not being regulated.

However, the Nicaraguan law establishes that breaches of the law may be minor or serious, and the following sanctions are contemplated:

(a) suspension of operations related to the processing of personal data; and

(b) the temporary or permanent closure or cancellation of the data controller's operations.

According to the Law on Protection of Personal Data and its Regulations, the owners of data have the right to be notified of any adulteration, loss, consultation, treatment, disclosure, transfer or unauthorized disclosure of their data.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

Individuals have the following privacy rights:

(a) Right of access and rectification;

(b) Right to erasure;

(c) Right to withdraw consent;

(d) Data portability;

(e) Right to restriction of processing; and

(f) Right to lodge a complaint with the regulatory authority.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

Marketing communications may only incorporate personal data with the consent of the owner, unless the data was obtained from sources accessible to the general public.

The owner of the data may exercise the right of access without charge, and may, at any time, request the deletion of their data files.

The entity conducting the marketing communications must offer the data owner the chance to express their refusal to continue receiving such materials or, where appropriate, to revoke their consent, in a clear manner and at no cost.


8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

The use of tracking technologies is not regulated. Once the Directorate for Personal Data Protection is created, this body will be able to draft specific regulations in such regard.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

There is no specific regulation for targeted advertising and behavioral advertising. Once the Directorate for Personal Data Protection is created, this body will be able to draft specific regulations in such regard.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

Advertisers should provide notice to the data's owners, informing them that the data is to be shared and the purpose of doing so.

8.5 Are there specific privacy rules governing data brokers?

Data brokers must:

(a) take the necessary security measures;

(b) keep data confidential; and

(c) obtain registration.

8.6 How is social media regulated from a privacy perspective?

Our Law on Protection of Personal Data provides that owners of personal data have the right to request that social networks, browsers and servers delete and cancel any of their personal data found in their files.

In the case of data files of public and private institutions that offer goods and services and that for contractual reasons collect personal data, once the contractual relationship is terminated, the owners of the data may request that all personal information be deleted.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

According to the Law on the Protection of Personal Data, the owners of personal data should be informed of their rights over such data, the origin of the data and the entity responsible for the handling of the same. The personal data can only be incorporated with the owner's consent unless it was obtained from sources accessible to the general public.

The owners of the data may exercise the right of access without charge, and may, at any time, request the deletion of their data files.


9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

Please note that the Nicaraguan Law on the Protection of Personal Data states that personal data may only be transferred to third countries if that country provides an adequate level of protection. However, it does not specify what constitutes an adequate level of protection. As such, it would be the regulatory authority (Directorate for Personal Data Protection), which has yet to be created, that would establish the norms concerning the minimum standards of an adequate level of protection.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

Not at present.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

(a) Suspension of operations related to the processing of personal data;

(b) Closure or cancellation of the data controller's operations, temporarily or permanently; and

(c) Compensation of damages.

10.2 Do individuals have a private right of action? What are the potential remedies?

Yes. According to the Law on Protection of Personal Data, the owner of the data may file a personal data protection action before the governing body (Directorate of Personal Data Protection). However, such action is not available at present as the Directorate of Personal Data Protection has yet to be created.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Nicaragua which affect privacy?

No.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

Not currently.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Nicaragua?

Not currently.


12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

In Nicaragua, the privacy landscape has not changed over the past few years. Although the Law on the Protection of Personal Data has been in force since 2012, the regulatory authority (Directorate of Personal Data Protection) has yet to be created. As a result, the law is not entirely enforceable.

12.2 What do you envision the privacy landscape will look like in 5 years?

There is some expectation that at some point the regulatory authority (Directorate of Personal Data Protection) will be created.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

At present, there are no regulations in place because the regulatory authority has yet to be created. However, once created, companies will need to pay close attention to the regulations being drafted.


PRIVACY LAW – NIGERIA

1 PRIVACY LAW

1.1 How is privacy regulated in Nigeria?

Nigeria does not have a principal data and privacy protection law. However, the Constitution of the Federal Republic of Nigeria 1999 (as amended in 2011) provides protection for the right to private life under its Section 37. Nigeria also has the Nigeria Data Protection Regulations 2019 (“NDPR”). These Regulations were issued by the National Information Technology Development Agency (“NITDA”) on January 25, 2019, pursuant to the National Information Technology Development Agency Act 2007.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

The NDPR is the most relevant law which deals with data protection and privacy.

Other laws which contain limited provisions on privacy are:

(a) The Constitution of the Federal Republic of Nigeria 1999 (as amended in 2011);

(b) National Information Technology Development Agency Act 2007;

(c) Freedom of Information Act 2011;

(d) Nigerian Communications Act 2003;

(e) Child Rights Act 2003;

(f) Cybercrimes (Prohibition, Prevention Etc) Act 2015;

(g) National Identity Management Commission Act 2007;

(h) Consumer Code of Practice Regulations 2007;

(i) Nigerian Communications Commission (Registration of Telephone Subscribers) Regulations 2011;

(j) Consumer Protection Framework 2016;

(k) The Credit Reporting Act 2017; and

(l) The National Health Act 2014.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

When compared to developed nations, the Nigerian judiciary struggles with the notion of finding a balance between individual right to privacy claims and the need to uphold or reject the same. However, privacy laws in Nigeria may be enforced through a civil action in a High Court by relying on Sections 37 and 45 of the 1999 Constitution.

NITDA is also responsible for setting up an Administrative Redress Panel whose duty it is to investigate allegations of breach of privacy, conclude its investigations and determine, within 28 days, the appropriate redress.


2 SCOPE

2.1 Which companies are subject to privacy law in Nigeria?

All companies in Nigeria are subject to privacy law.

2.2 Does privacy law in Nigeria apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

Only the NDPR applies to businesses established in other jurisdictions. According to the NDPR, it applies to:

(a) all transactions for the processing of personal data, regardless of the means by which the data processing is being or is intended to be conducted, in respect of natural persons in Nigeria; and

(b) all natural persons residing outside Nigeria who are citizens of Nigeria.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Nigeria?

“Personal data” means any information relating to an identified or identifiable natural person (“data subject”).

An “identifiable natural person” is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Such a factor can be anything from a name, an address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifiers such as, but not limited to, MAC address, IP address, IMEI number, IMSI number, SIM and others.

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

“Sensitive personal data” refers to data relating to religious or other beliefs, sexual tendencies, health, race, ethnicity, political views, trade union membership, criminal records or any other sensitive personal information.

The specific obligations around sensitive information include the responsibility of, and duty of care owed by, persons entrusted with such information to take extra care in order to secure such information against all foreseeable hazards and breaches, such as theft, cyber attack, viral attack, dissemination, manipulations of any kind, damage by rain, fire or exposure to other natural elements.


3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

The NDPR provides that, for processing to be lawful, at least one of the following must apply:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person; or

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official public mandate vested in the controller.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

No. The NDPR provides that every data controller must:

(a) make available to the general public their respective data protection policies;

(b) designate a data protection officer for the purpose of ensuring adherence to the regulation, relevant data privacy instruments and data protection directives of the data controller, provided that a data controller may outsource data protection to a verifiably competent firm or person; and

(c) ensure continuous capacity building for their data protection officers and the generality of their personnel involved in any form of data processing.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

There are no specific requirements under the privacy laws for data protection with respect to advertising.


6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Nigeria? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

In Nigeria, anyone involved in data processing or the control of data must develop security measures to protect data; such measures include, but are not limited to:

(a) protecting systems from hackers;

(b) setting up firewalls;

(c) storing data securely with access restricted to specific authorized individuals;

(d) employing data encryption technologies;

(e) developing an organizational policy for handling personal data (and other sensitive or confidential data);

(f) protection of e-mailing systems; and

(g) continuous capacity building for staff.

Any person engaging a third party to process the data obtained from data subjects must ensure adherence to the NDPR and to the measures indicated above.

6.2 How are data breaches regulated in Nigeria? What are the requirements for responding to data breaches?

Data breaches are regulated through sanctions specified under the NDPR.

There are no specific requirements for responding to data breaches.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

Individuals have the following rights:

(a) right of access to data or copies of data;

(b) right to rectification of records;

(c) right to deletion or right to be forgotten;

(d) right to restrict processing;

(e) right to data portability;

(f) right to withdraw consent;

(g) right to object to marketing;

(h) right to structured data;

(i) right to make requests to the data controller without being charged; and

(j) right to make a complaint to the data protection authority.


8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

No specific regulations exist in this regard.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

There are no specific regulations in this regard.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

There are no specific regulations in this regard.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

There are no specific regulations in this regard.

8.5 Are there specific privacy rules governing data brokers?

There are no specific regulations in this regard.

8.6 How is social media regulated from a privacy perspective?

There are no specific regulations in this regard. Although the Federal Government attempted, in 2019, to regulate social media (through the Digital Rights Bill, the National Commission for the Prohibition of Hate Speeches (Est etc) Bill, 2019 and the Protection from Internet Falsehoods and Manipulations and Other Related Matters Bill 2019), these Bills are still undergoing reading at the National Assembly, and have not yet been passed.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

There are no specific regulations in this regard.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

The regulations on data transfer in Nigeria under the NDPR provide that the transfer to foreign countries or international organizations of personal data already being processed, or for purposes of processing, must be done subject to the provisions of the NDPR, and under the supervision of the Honorable Attorney General of the Federation. Accordingly:


(a) a transfer of personal data to a foreign country or an international organization will only be approved by NITDA when the Agency is sure that the receiving country ensures an adequate level of protection;

(b) the Attorney General will take into consideration the following issues:

(i) the legal protection for human rights and security of citizens in the foreign country;

(ii) the adequate protection of personal data through legislation, the existence of case-law on data protection, established rules for the transfer of personal data to foreign countries, and a viable judicial system of redress for data subjects;

(iii) the level of compliance with, and enforcement of, data protection laws; and

(iv) the international commitments of the foreign country or international organization concerned to legally binding conventions or instruments on the protection of personal data.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

In the absence of any decision by NITDA or the Attorney General as to the adequacy of safeguards in a foreign country, a transfer or a set of transfers of personal data to a foreign country or an international organization may take place only on one of the following conditions:

(a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards, and that there are no alternatives;

(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;

(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;

(d) the transfer is necessary for important reasons of public interest;

(e) the transfer is necessary for the establishment, exercise or defense of legal claims; or

(f) the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.

In any case, the data subject must be clearly warned of the specific principle(s) of data protection that are likely to be violated in the event of transfer to a third country. This proviso shall not apply to any instance where the data subject is answerable in duly established legal action for any civil or criminal claim in a third country.


10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

Where a data controller has breached the data privacy rights of a data subject, the NDPR specifies the following penalties, in addition to any other criminal liability:

(a) in the case of a data controller dealing with more than 10,000 data subjects, payment of a fine of 2% of the annual gross revenue of the preceding year or payment of the sum of 10 million naira, whichever is greater;

(b) in the case of a data controller dealing with fewer than 10,000 data subjects, payment of a fine of 1% of the annual gross revenue of the preceding year or payment of the sum of 2 million naira, whichever is greater.

10.2 Do individuals have a private right of action? What are the potential remedies?

Yes. Individuals may claim damages as compensation in a civil suit.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Nigeria which affect privacy?

No.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

None.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Nigeria?

No.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

No particular changes have occurred, as a consequence of the fact that privacy laws in Nigeria have not really developed.

12.2 What do you envision the privacy landscape will look like in 5 years?

Relatively the same.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

Foremost of these challenges is the pace at which privacy laws develop in Nigeria.


PRIVACY LAW – NORWAY

1 PRIVACY LAW

1.1 How is privacy regulated in Norway?

Privacy is a constitutional right in Norway. The constitutional right to privacy is similar to that in the European Convention on Human Rights (“ECHR”) article 8, which is also incorporated into Norwegian law. “Privacy” covers more than solely personal data, covering aspects such as a prohibition on damaging others' reputation.

The right to privacy must be balanced against freedom of expression. The courts generally attach great importance to freedom of expression. This was recently underlined in a case concerning a website containing reviews of medical practitioners (this case mainly concerned legitimate interests under the EU General Data Protection Regulation (“GDPR”) article 6(1)(f)).

For personal data, the Personal Data Act applies. The Personal Data Act implements the GDPR in Norway. Norway is not an EU Member State, thus the GDPR does not automatically apply, but Norway is obligated to implement the GDPR through the European Economic Area Agreement. There is a presumption of conformity of Norwegian domestic law with EU law. Norwegian national courts will try to interpret national provisions in such a way as to avoid conflict with EU law to the extent possible.

For communications, the ePrivacy Directive is substantially implemented through the Norwegian Act relating to Electronic Communications of 2003.

The Norwegian Personal Data Act has several provisions in addition to the GDPR. Some of these provisions will be part of the answers below.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

As mentioned above, the main framework consists of the Constitution, the GDPR and the ePrivacy rules. Norway also has sector-specific national codes and regulations.

(a) Electronic marketing: The Marketing Act requires consent for marketing with electronic methods of communication in the course of trade, such as email and automated calls.

(b) Employment: An employer is entitled to access employees' emails or other private files when there is reason to believe that information in the individual's work email account is necessary for operational purposes.

An employer may also access such data when the employee is suspected of gross breach of duty. There are also important provisions in the Working Environment Act which concern privacy. These include surveillance of employees and specific rules for control measures aimed at employees.

(c) Security in public bodies: In addition, detailed security requirements are often found in regulations and widely used standard agreements required by the government.

(d) Health: In the health sector, privacy is heavily regulated.

This list is not exhaustive; there are several more special Norwegian privacy rules.


1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

There are several supervisory authorities which enforce privacy rules:

(a) the National Communications Authority enforces the Electronic Communications Code which implements the ePrivacy Directive;

(b) the National Data Protection Authority (“DPA”) enforces the Norwegian Personal Data Code which implements the GDPR; and

(c) the Consumer Authority is the relevant authority for breaches of the Marketing Act.

Decisions by the Consumer Authority can be contested in court.

Persons and entities can bring claims for breaches of the Marketing Act to court. In Norwegian court practice, such cases are typically brought to prevent a breach, combined with a claim for damages.

2 SCOPE

2.1 Which companies are subject to privacy law in Norway?

See the European Union chapter. The concepts of “controller” and “processor” are defined and interpreted in accordance with the GDPR in Norway.

2.2 Does privacy law in Norway apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

See the European Union chapter.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Norway?

See the European Union chapter.

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

See the European Union chapter.

While not formally considered as special categories of personal data (in terms of GDPR article 9), processing of unambiguous identifiers, such as personal identity numbers, is prohibited as a general rule. Unambiguous identifiers may only be processed if there is an objective need for secure identification.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

See the European Union chapter. In Norway, the DPA currently seems to be especially interested in security and in privacy by design and by default.


4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

See the European Union chapter. The concepts of “controllers” and “processors” are the same.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

See the European Union chapter.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Norway? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

See the European Union chapter.

In the Working Environment Act, and in the health, energy and finance sectors, there are more specific codes, regulations and guidelines on data security.

The Norwegian Security Code is applicable to those selling to public bodies, for deliveries which may access classified information or access critical objects or infrastructure. As systems are interconnected, this Code applies in many cases.

Additional framework codes on data security are currently being assessed by the Ministry of Justice.

The Acts and codes also apply to non-personal data.

The DPA has an ombudsman role for issues relating to personal data. It is to provide advice and information. This is done, amongst others, by means of guidelines and information published on its website.

6.2 How are data breaches regulated in Norway? What are the requirements for responding to data breaches?

See the European Union chapter.


7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

See the European Union chapter.

The Norwegian Personal Data Code has some exceptions to the data subject's right of access. These provisions are mainly applicable to public bodies; in rare cases the exceptions may also be applicable to private bodies.

To ensure freedom of expression, the Norwegian Personal Data Code also has exceptions to data subjects' rights.

In the Norwegian Copyright Act, there are rules requiring consent before using pictures of persons who are photographed, although there are some exceptions, mainly to ensure freedom of expression and freedom of business.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

As mentioned in question 1.2, the Marketing Act requires consent for most marketing communication done by enterprises, such as email and automated calls.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

In addition to the GDPR, the ePrivacy Directive is also substantially incorporated into Norwegian legislation, being written into the Act relating to Electronic Communications of 2003. Consent is explicitly required for cookies. The wording of the Code is not unambiguous as regards tracking, other than tracking based on placing information on the end-user device. As some pixels, in addition to other technology, place data on the end-user device, such pixels are within the ambit of the Code. Tracking and SDKs which solely process software or hardware data, such as browser fingerprinting, are not as clearly within the ambit of the Code as traditional cookies. However, such tracking and SDKs would, in most cases, likely be subject to the GDPR because of their level of detail.

The consent requirement in the Electronic Communications Code deviates from that in the GDPR. The distinction is elaborated in the Act's preparatory works. In the preparatory works it is stated that general internet browser consent is valid. Even though the ECJ has concluded that active consent from the data subject is required, the Norwegian communications authority seems to conclude otherwise. Likely reasons for this divergence are the preparatory works and the fact that Norway is not an EU Member State.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

See the European Union chapter.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

See the European Union chapter and question 8.2.

8.5 Are there specific privacy rules governing data brokers?

See the European Union chapter.

8.6 How is social media regulated from a privacy perspective?

See the European Union chapter.

Norway has decided that data subjects who are 13 years or older can consent to information society services.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

See the European Union chapter.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

See the European Union chapter.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

See the European Union chapter.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

See the European Union chapter.

In addition, there are some rules which are specific to Norway. If more than 5 years have elapsed after a breach of the law, the DPA may not fine the controller or processor, unless the DPA finds that there is an ongoing case. Also, in addition to fines, the DPA may impose liquidated damages for every day the controller or processor fails to act as ordered by the DPA.

10.2 Do individuals have a private right of action? What are the potential remedies?

See the European Union chapter.

Individuals can file a complaint anonymously to the DPA. Individuals can also claim damages—even if the individual has not suffered any economic loss.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Norway which affect privacy?

Norwegian culture is privacy-oriented in comparison to several other cultures. Post GDPR, Norway is one of the countries with the strictest privacy rules. In some cases, the previous rules were stricter than the GDPR.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

The Norwegian Consumer Council recently filed a complaint with the DPA against several Ad-tech companies. In addition, the Norwegian Consumer Council states that they assess several current Ad-tech solutions to be threats to privacy and, in a broader sense, society.

The lawmakers are currently assessing framework legislation to ensure IT security.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Norway?

Fake surveillance gear not actually processing data is subject to privacy law. Thus, the scope of the Norwegian Personal Data Act is wider than in other countries. One of the justifications for this rule may be along the lines of such surveillance being like Bentham’s “Panopticon”: if the data subject’s behavior is affected because of a false impression of being observed, this still represents an infringement of privacy. In these cases, even giving the impression of processing data requires privacy law compliance.

Also note the prohibition on processing of unambiguous identifiers discussed in question 3.2.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

The authorities are more interested in all forms of digital tracking than before. This is mainly triggered by public debate.

The authorities also focus more on apps than before. This is likely propelled by several security breaches.

Data subjects are far more aware of their privacy rights; this is likely because “GDPR” has been a big buzzword in Norway.

12.2 What do you envision the privacy landscape will look like in 5 years?

As technology advances, it could mean less privacy in practice. On the other hand, privacy by design and default is frequently requested in public tenders, and private actors frequently also require this. Consumers are also increasingly interested in such designs.

The DPA seems to be tightening its grip, which will drive controllers and processors to comply. DPA cases and breaches could also seriously harm goodwill.

When speaking of data, authorities are increasingly assessing giants such as Google and Facebook as rivals. Over time this could decrease Google and Facebook’s influence.

Though I am probably in the minority in thinking so, I think privacy in Norway (and probably Europe) will be enhanced over the next five years. Technology will advance—but technology already has enormous potential for being intrusive. Privacy rules, on the other hand, are gaining far more traction than before. The main question is whether the rules will move from the books to practice.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

Data driven companies probably face the biggest challenges. Some of these need to reassess their core business model.

Other companies don’t need to reassess their core business, but, surprisingly, many need to get a far better overview of what data they have; secure it; and comply better.

PRIVACY LAW – PANAMA

1 PRIVACY LAW

1.1 How is privacy regulated in Panama?

Privacy data matters in Panama are regulated by:

(a) the Political Constitution;

(b) legal provisions included in different laws and codes; and

(c) international conventions ratified by Panama.

Personal data will be regulated by Law No 81 of March 26, 2019 About the Protection of Personal Data ("Law No 81").

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

(a) The key law regulating personal data matters is Law No 81, which will become effective on March 26, 2021. Implementing regulations are pending. This law provides definitions for confidential data, sensitive data and personal data.

(b) The Political Constitution of the Republic of Panama also contemplates the right of privacy in several of its provisions.

(c) The Family Code contains the obligation of the State to provide the necessary protection for privacy and ratifies the norm that requires prior authorization for the revelation of information about persons.

(d) The Judicial Code establishes that personal information may only be shown to the interested party and prohibits the sharing of the same with other persons.

(e) The Republic of Panama has subscribed to various International Conventions in connection with the right of privacy, including the International Covenant on Civil and Political Rights.

(f) Special laws provide special protection to the right of privacy, including, among others:

(i) Law No 26 of December 17, 1992, which protects the identity and information related to patients infected with the HIV virus,

(ii) Law No 13 of July 27, 1994, which was enacted to provide the necessary legal modifications to increase the fight against the traffic and sale of drugs. This law is restricted to the provisions of article 29 of the Constitution. Thus, no recording of telephone conversations is permitted, because it would be in violation of the constitutional norm, and

(iii) Law No 11 of January 22, 1998, which is the first example of legislation in connection with the regulation of information stored by electronic means.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

Law No 81 created a self-regulatory body—the Personal Data Protection Council—to advise the existing government regulator, the National Authority for Transparency and Access to Information, on the enforcement and regulation of private data or personal data matters in Panama.

The National Authority for Transparency and Access to Information has created a special department authorized to receive complaints, investigate and sanction all individuals, companies or custodians responsible for processing personal data.

2 SCOPE

2.1 Which companies are subject to privacy law in Panama?

All companies in Panama are subject to privacy law, since privacy rights are guaranteed by the Political Constitution.

As far as personal data is concerned, any individual or legal entity, public or private, commercial or non-profit, that processes personal data will be subject to Law No 81, and must comply with the law to guarantee its rights and principles.

2.2 Does privacy law in Panama apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

The personal data protection provisions of Law No 81 do not apply to companies outside of Panama, since the legislator did not include obligations for companies processing personal data outside of the country.

The provisions of Law No 81 will be applicable to foreign companies or companies owned by individuals that are not in Panama, if the processing of the personal data takes place in Panama.

The provisions of Law No 81 will be applicable to any individual responsible for collecting personal data if he is domiciled in Panama, or the database that contains the private data or personal data is in Panama.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Panama?

Law No 81 defines "personal data" as any information regarding an individual that may identify him/her or can make him/her identifiable.

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

By Law No 81, "sensitive data" is "that which refers to the intimacy of its owner or that which, if wrongfully used, can lead to discrimination or entail a grave risk for its owner". The following personal data, among others, is considered sensitive:

(a) data that can reveal information such as racial or ethnic origin;

(b) religious, philosophical and moral convictions;

(c) union affiliations;

(d) political opinions;

(e) data concerning health, life or sexual orientation, genetic or biometrical data; and

(f) data subject to regulation and aimed at unequivocally identifying an individual.

In Panama, sensitive information or sensitive data may be transferred only in certain cases (see question 9.1).

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

Under Law No 81, the key principles that must be followed in order to process personal data are the following:

(a) The Loyalty Principle: All the data that is collected and processed must be obtained without deceit or misrepresentation, and without using methods that are fraudulent, false or illicit.

(b) The Principle of Purpose Limitation: The personal data processed must be collected for the legitimate purposes specified when the data was collected. The private data or personal data may not be used later for another purpose incompatible or different to the purpose for which it was initially requested, or be kept for longer periods of time than initially authorized.

(c) The Proportionality Principle: Only data that is appropriate, pertinent and limited to the minimum necessary for the purpose for which it is collected, should be requested.

(d) The Veracity and Exactitude Principle: The personal data must be accurate and up-to-date in a manner that responds truthfully to the current situation of the owner.

(e) The Data Security Principle: Those responsible for processing personal data must take the necessary steps to implement such technical and organizational measures as are required to guarantee the security of the data under their care, particularly if such data can be considered sensitive data, and must inform the owner of the data, as soon as possible, whenever data has been extracted without authorization or there are indications that suggest a security breach has occurred.

(f) The Transparency Principle: All information and communications with the owner of the personal data concerning its treatment must be made using language that is simple and clear, and the owner must be kept informed at all times of his/her rights as owner of the data, and of the possibility of enforcing his/her rights to access, rectify, cancel, oppose or transport his/her personal data.

(g) The Confidentiality Principle: All those who have contact with the collected personal data must maintain the secret and confidential nature of the data, even after the relationship with the owner of the data, or the person or company responsible for collecting the data, has finished, preventing the access or unauthorized use of the private data or personal data.

(h) The Legality Principle: In order for the processing of personal data to be considered legal, the data must be obtained and processed either: (i) with previous, informed and unequivocal consent from the owner of the data; or (ii) supported by the law, ie:

(1) that the processing of the personal data is necessary to execute a contractual obligation, provided that the owner of the data is a party to the contract,

(2) that the processing of the personal data is necessary to complete a legal obligation, or

(3) that the processing of personal data is expressly authorized by a special law.

(i) The Portability Principle: The owner of the data has the right to obtain from the person or company responsible for processing the data, a copy of his/her data structured in a generic and commonly used format.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

Law No 81 establishes two possible roles for companies, based on how they process personal data:

(a) Database custodian: the individual or company that acts on behalf of an individual or company that is responsible for processing the data by safekeeping and preserving a database; and

(b) Data controller: the individual or company responsible for the decisions related to the processing of data and who determines the objectives, means and scope of such processing.

The individual or company responsible for the processing of personal data contained in a database will establish the protocols and procedures for its management and safe transfer, protecting the rights of the owners of the data. These duties will be monitored and supervised by the National Authority for Transparency and Access to Information.

The database custodian must take due care of the data, as he/she will be held jointly responsible for any damages or harm caused.

Law No 81 does not include provisions specifically aimed at regulating obligations and contractual requirements based on the roles of database custodian or data controller. The implementing regulations should deal with these matters.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

Law No 81 contains certain provisions that broadly refer to issues such as privacy policies, risk impact assessments and record keeping, including the ones listed below. It is worth noting that the implementing regulations should introduce provisions addressing these and other matters.

A “sector regulator” will determine the minimum requirements concerning the content of privacy policies, protocols, processes and procedures for processing and safe transfer of data.

When the collection of information is made via the internet or any other digital communication platform, the obligations established by the law will be complemented with the disclosure of privacy policies and/or terms applicable to the services available. If the consent of the owner is given in a written declaration that also refers to other matters, the consent must be presented in such a way that it is clearly distinguished from the rest, is comprehensible and easily accessible, using clear and simple language.

There is no specific reference in the Law to “risk impact assessments”, but operators that manage public networks or render communication services available to the public must warrant the protection of personal data in accordance with the law and the regulations that implement it. They must also adopt proper management and technical measures to preserve the security in the use of the network or the rendering of services, with the aim of guaranteeing the level of personal data protection required by this law and its regulations, as well as the certifications, protocols, standards, and other measures established by the competent authorities.

Those responsible and/or custodians of databases that transfer personal data stored in databases to third parties must keep a record of such transfers, which must be made available to the regulator if required to comply with the law. For each of these databases, the records must include:

(a) their identification and that of whoever is responsible for them,

(b) the nature of the stored personal data,

(c) the legal ground for their existence,

(d) the procedures for the collection and treatment of data,

(e) the destination of the data and the individuals or entities to whom they can be transferred,

(f) the description of the group of individuals that it includes,

(g) the safety measures, the protocols and the technical description of the database,

(h) the way and conditions in which individuals can receive or access their data,

(i) the procedures required for the rectification and updating of data, and

(j) how long the data may be stored,

and any change in the aforementioned; in addition, the records must identify all those who have accessed the personal data within the previous fifteen days and state how long each person had access for.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Panama? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

In Panama, the individual or company that processes personal data is responsible for the integrity of the data and must protect it by setting up protocols, processes, administrative procedures and secure transfer of the data. Law No 81 provides general guidelines that should be more specifically addressed in the implementing regulations that are pending.

The minimum standards for securing data and rights of the owners of the personal data are overseen and supervised by the National Authority for Transparency and Access to Information, together with the National Authority for Governmental Innovation.

6.2 How are data breaches regulated in Panama? What are the requirements for responding to data breaches?

According to Law No 81, if a person or a company that processes or controls private data or personal data suffers a security breach of the data, it is obligated to inform the authorities and the owner of the data about the security breach. In cases where there is a security breach in a public communication network, the operator that manages the network, or that provides the communication service, must inform the owner of the data about the security breach.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

Law No 81 expressly indicates that all individuals shall have the following rights in connection to their personal data:

(a) the right to access their personal data and to know the origin and purpose for which they have been collected;

(b) the right to rectify their personal data;

(c) the right to cancel the use of their personal data;

(d) the right to oppose the use of their personal data;

(e) the right to data portability; and

(f) the right not to be subject to a decision based only on the automatized processing of his/her personal data that produces negative legal effects or negatively affects his/her rights, when the decision has to assess certain aspects of personality, health, labour performance, credit, reliability, conduct, characteristics, among others, except when:

(i) there is consent of the owner of the data,

(ii) it is required to execute or comply with a contract or legal relationship between whoever is responsible for the processing of data and its owner, or

(iii) when it is authorized by special laws or future regulations.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

In Panama, a person or company that markets or advertises its goods or services online via digital media or other types of digital marketing communications, using personal data, must comply with the requirements of Law No 81. In order to comply with the law, the individual or company must obtain prior consent of the owner of the personal data. To obtain legal consent, the request for the personal data must specify:

(a) the name and any additional information needed to clearly identify the individual or company requesting the personal data;

(b) the motive and the purpose for requiring the personal data;

(c) what personal data is subject to transfer; and

(d) the duration of time for which the individual or company is authorized to use the personal data.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

Under the provisions of Law No 81, if a person or company uses tracking technologies to collect or process personal data, it will be subject to the general rules and principles that apply to the processing of personal data.

The individual or company that will use personal data with tracking technology must obtain unequivocal consent from the owner to the processing of the data and must inform the owner how the data will be used. Such consent must be obtained in a way that allows the traceability of the consent.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

Under the provisions of Law No 81, personal data may only be used for the fixed, explicit and lawful purpose that the owner has authorized. In view of this, any person or company carrying out targeted advertisements and behavioral advertising using personal data must obtain prior consent.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

Under Law No 81, advertisers that intend to share data with third parties must obtain unequivocal consent from the owner in order to use the personal data for customer matching.

Consent to use the personal data for customer matching must be obtained in a way that allows traceability of the consent.

8.5 Are there specific privacy rules governing data brokers?

Under Law No 81, data brokers are responsible for the protocols, processes and procedures necessary to protect the personal data under their care. Additionally, data brokers are required to put in place protocols to safely transfer data.

All data brokers in Panama are supervised by the National Authority for Transparency and Access to Information with the support of the National Authority for Government Innovation.

Data brokers must implement the minimum requirements that must be contained in the privacy policies, protocols, processes and procedures for processing and providing a secure transfer of the personal data.

8.6 How is social media regulated from a privacy perspective?

In Panama, individuals or companies using social media networks or public media companies in order to provide services using personal data must obtain prior consent. All individuals or companies using personal data are subject to the provisions of Law No 81 and must guarantee the owner of the data that the data will be protected.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

Law No 81 does not contain provisions concerning loyalty programs and promotions, but, from a privacy perspective, the individuals or companies providing these services are required to follow the general rules and regulations to legally process personal or private data; ie, all the standards, rules, certifications, protocols, technical processes and administrative measures to preserve the security and provide the minimum levels of protection of the data.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

Under Law No 81, the transfer of personal data will require the following:

(a) Consent from the owner of the personal data;

(b) The country to which the personal data is going to be transferred must have in place at least the minimum requirements set forth by Panamanian law;

(c) Sensitive data cannot be transferred unless:

(i) the owner has provided consent, except when the law does not require it;

(ii) when it is necessary to preserve the life of the owner of the sensitive data and he/she is physically and mentally incapable. In these cases, the guardian, executor or those who have the tutelage must give the authorization for the transfer of the sensitive data or sensitive information;

(iii) when the data is necessary to recognize, exercise or defend a right in legal proceedings and there is authorization from the competent court; or

(iv) when the objective is historical, statistical or scientific in nature. In these cases, the appropriate measures must be adopted to conceal the identity of the owner.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

According to Law No 81, when the transfer of the personal data is within the same economic group of companies, the data must be used for the same purpose.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

Law No 81 authorizes the National Authority for Transparency and Access to Information to set monetary sanctions that may range between US$1,000 and US$10,000.

Depending on the severity of the violation, the National Authority for Transparency and Access to Information may sanction infringers with a written warning, a citation before the National Authority for Transparency and Access to Information, a fine, the closure of the database registration, or suspension and disqualification from processing personal data.

The law also categorizes violations into:

(a) minor infractions or violations;

(b) serious infractions or violations; and

(c) very serious infractions or violations.

10.2 Do individuals have a private right of action? What are the potential remedies?

Article 37 of Law No 81 specifies that the individual or company responsible for the unlawful processing of personal data is required to compensate the owner of the data for the monetary and/or moral damages caused.

A court of justice will prosecute actions filed against an individual or company for the unlawful processing of personal data.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Panama which affect privacy?

There are no rules particular to the culture of Panama that will affect privacy. In any case, it is the lack of regulation that may influence how privacy is dealt with. Adopting a personal data protection law is a big step forward, as it sets new standards and principles to guarantee the protection of confidential, sensitive and personal data.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

Law No 81 has been recently enacted. It will become effective in 2021. In the meantime, the government has to approve the implementing regulations, which will surely enter into more detail than the law. Significant developments are therefore expected in the next two years.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Panama?

Since Law No 81 has been recently enacted and will become effective in 2021, all those who are involved in the processing of personal data should carefully review it to confirm that they are in compliance before March 26, 2021.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

The privacy landscape in Panama has evolved significantly in the past few years. Until recently, privacy matters were only regulated by several different legal provisions scattered between national laws and the Constitution. Since the enactment of Law No 81, the privacy landscape now has a specific law concerning personal data protection. Hopefully, this will bring more attention to privacy law in general, and will help to organize and regulate it properly.

12.2 What do you envision the privacy landscape will look like in 5 years?

With the newly enacted Law No 81 of March 29, 2019 becoming effective in 2021, in five years from now Panama will have data protection standards similar to those that have been in place for many years in other countries. Local individuals and companies currently processing personal data will have adopted the rules set out in Law No 81, and consumers will be aware of their rights. National authorities will have further developed the principles and regulations contained in this law, and specific aspects concerning advertising and privacy law will be dealt with in new laws.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

Since the processing of personal data has only been recently regulated in Panama with the enactment of Law No 81, individuals and companies face the challenges that arise from making the changes necessary to comply with the new regulations before the law becomes effective in 2021. Taking into consideration that this law introduces principles, rights, obligations and procedures that Panamanian consumers, individuals or companies are not familiar with, it is important for all parties to be sufficiently informed and be prepared by March 29, 2021 to comply with the provisions of Law No 81 and its implementing regulations.

PRIVACY LAW – PARAGUAY

1 PRIVACYLAW

1.1 HowisprivacyregulatedinParaguay?

In Paraguay, privacy law is regulated by means of several pieces of legislation, beginning withParaguay’sConstitution,which,inArticle33,underthetitle“WithRespecttotheRightofIntimacy”,establishesthat:“personalandfamilyintimacy,aswellastherespectofprivatelife,isinviolable.Theconductorbehaviorofpeople,providedthatthisdoesnotaffectthepublicorderestablishedbythelaw, or third parties’ rights, is exempted from the public authority. The right to the protection ofintimacy,dignityandtheprivateimageofpeopleisguaranteed”.

Thereareseveralotherregulations,criminal,administrativeandcivil,relatedtotherightstoprivacyandintimacy,whichshallbereferredtoandexplainedbelow.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus onadvertingaspects.

(a) NationalConstitution(seequestion1.1);

(b) CriminalCode,whichpunishesconduct(felonies,inmostcases)including:(i) theviolationof the intimacyof aperson, the infringementof the rights toprivate

communicationandtherightstooneownimage;(ii) the infringement of a person’s confidentiality or right to keep his/her

communications confidential, especially those via telephoneor instantmessaging;and

(iii) the violationof aperson’sprivate correspondence and the revelationof aprivatesecret.

(c) Underadifferentsection,theCriminalCodesetsoutaseriesofconducts(felonies)thatmayaffectaperson’shonor,includingslander,defamationandinsult.

(d) TheCivilCoderegulatesrightsassociatedwithaperson’snameandestablishesthatanyoneinjuredbymeansoftheunlawfuluseofitsnamehasarightofactiontostopsuchunlawfuluseandtodemanddamages.

(e) Copyrightlawprovidesthattheportraitofapersonmaynotbetradedwithouttheperson’sconsent,unlesstheuseisrelatedtoscientific,educationalorculturalobjectivesortofactsordeedsofpublicinterestthattookplaceinpublic.

(f) TrademarkLawprotectspeopleagainsttheregistrationoftheirname.

(g) Law No 1682/01 “Which Regulates Information considered Private” (“Data Protection Law”) establishes that:

(i) any person has the right to collect, store and process personal data for strictly private use;

(ii) public sources of information (eg, information with respect to a person’s identity card number) are accessible to everyone and that every person has the right to access data that is registered before the Public Registry;

(iii) the collection, storage, processing and publication of data or personal characteristics for scientific and statistical purposes is legal, provided that the persons are not individualized.

(h) Moreover, the Data Protection Law stipulates that publicity or broadcasting of sensitive data related to persons that are expressly individualized or may be individualized is prohibited. The Law considers that “sensitive data” is information regarding race or ethnic origin, political preferences, an individual’s state of health, religious or philosophical conviction, amongst others.

(i) Data regarding individuals or corporations that reveal their financial situation or solvency shall be made available under certain conditions;

(j) Law No 4868/12 “On Electronic Trade” provides that providers of electronic services (whether providing goods and services via electronic means, or providing electronic links, etc) may, under no circumstances, violate the morals and the protection of individuals who are consumers or users, the protection of personal data or personal or family intimacy rights, and the confidentiality of bank accounts or registries.

(k) The Law on Protection of Consumers, which regulates advertisement, does not have any provision that refers explicitly to the rights of privacy; however, the violation/infringement of the rights of privacy as per the terms of the regulations mentioned above could be considered abusive publicity according to the Law on Consumer Protection.

(l) Finally, the terms of the Advertising Self Regulation Code, enforced by the Center of Regulations, Norms and Communication Studies, stipulate that “all advertising will be carried out with a sense of social responsibility ... characterized by respect for the dignity of the human person, their privacy, the family nucleus .... All advertising activity must adhere to morality, good customs and public order.”

By which, contrario sensu, the unlawful publication or broadcasting of an individual’s private data/information would be a violation of the terms of such Self Regulation Code.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

Privacy law is enforced via different actions and before various courts/authorities:

(a) There is a special constitutional institution, named “Amparo” or “Constitutional motion”, by which any person that, as a result of an illegitimate act or omission, whether coming from an authority or an individual/corporation, considers himself/herself gravely affected, or in imminent risk of being affected with respect to rights or guarantees foreseen by the Constitution or by Law, and, in view of the urgency of the case, cannot remediate such situation by ordinary means, may file a constitutional motion before a competent court in order to have the situation reversed. The procedure is brief, immediate and free-of-charge.

(b) Lawsuits may be promoted before the civil courts or, where applicable, before the criminal courts.

2 SCOPE

2.1 Which companies are subject to privacy law in Paraguay?

All companies within the Paraguayan jurisdiction are subject to privacy law.


2.2 Does privacy law in Paraguay apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

Yes, privacy law is applicable to companies outside the country, provided that their activity affects individuals/corporations in the country. There are no specific obligations for such companies to have, eg, representatives in Paraguay; therefore, in case of actions taken against them, the matter is resolved under international private legislation (eg, the enforcement of a local judgement abroad).

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Paraguay?

There is more than one definition of “private” or “personal” information/data in Paraguay.

The Paraguayan Criminal Code defines “intimacy” (private data) as the intimate personal sphere of a person’s life, especially related to his/her family, sexual life and state of health.

The Data Protection Law does not give a precise, exact definition of what is to be understood by “private information”, but its definition can be deduced from several articles to mean sensitive data regarding explicitly individualized persons (or persons who may be individualized), related to their political preferences, state of health, religious convictions, sexual intimacy and economic or financial status, amongst other matters.

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

All information that refers to a person’s intimacy may be considered “sensitive data”, eg: a person’s state of health, his/her sexual preferences, his/her religious convictions, his/her political preferences. That is to say, all information other than what is registered within the Public Registry (such as a person’s name and identification card number, address, date of birth, civil status, occupation or professional activity, place of work and work telephone number). Sensitive data may even refer to a person’s financial status.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

Above all, respect. A company should also be transparent as far as personal data information is concerned and should use the information in a limited way.

In this sense, the Data Protection Law provides that, where companies store, process and publicize information regarding a person’s financial status, or his/her compliance with his/her economic/commercial obligations, the following is applicable:

(a) Some information regarding a person’s financial status may be publicized, but such information needs to be constantly updated, as well as the person’s fulfilment or compliance with his/her commercial obligations; such updating of information should be done within two working days from the date the data is made accessible to the company, directly or by means of the party affected.


(b) Such companies cannot provide information regarding debts that:

(i) have become overdue but have not been legally claimed, where the debt is no more than 90 days overdue;

(ii) have not been legally claimed, where four years have passed since their registration and there are no new non-compliances or debts incurred by the same debtor; or

(iii) have been claimed in a judicial trial, where the prosecution has lapsed,

among other circumstances.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

No.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

According to the Law on Consumer Protection, providers of goods and/or services must provide consumers with their name and address. In addition, the Law on Electronic Trade provides that providers of goods and services by electronic means or remotely must provide, or make accessible to consumers, their corporate name, address, name of the company’s owners, email address and telephone number.

As for privacy policies, the Law on Electronic Trade establishes that providers of goods and services by means of the internet or remotely must inform consumers/users as to their privacy policy regarding the use of their personal data.

Providers of internet or electronic intermediation services and providers of data hosting services must keep records of the connection and traffic data generated by means of the communications established during the provision of a service for a period of at least six months. The data to be stored is solely for the identification of the origin of the hosted data. Companies may not use the data collected for purposes other than those established by Law, and must adopt sufficient security measures to avoid the loss or alteration of, and non-authorized access to, the data.

There is no specific requirement to register with a privacy authority, nor to conduct a risk impact assessment.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Paraguay? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

There are no specific standards regarding data security in Paraguay.

However, the Law on Electronic Trade determines that any provider of goods or services by electronic means, as well as hosting providers, amongst others, shall not make information available or accessible to third parties, except where there is a judicial order.

Privacy and data security are also protected at a Constitutional level.

6.2 How are data breaches regulated in Paraguay? What are the requirements for responding to data breaches?

(a) Under the National Constitution, documentation pertaining to a person, as well as his/her data, is secured. By the writ of Habeas Data, all persons may access the information and data about themselves, or about their assets, that is held in official or private registries of a public character, as well as know the use made of the same, and their end. They may request the competent courts to update, rectify or destroy any such data which may be erroneous or illegitimately affect their rights.

(b) The Criminal Code punishes felonies that imply the “listening, storage and revealing to third parties of private communication pertaining to a particular person, as well as the revealing of secrets that have a ‘private character’”, among others.

(c) Corporations in general (especially under the terms of the Law on Electronic Trade) cannot reveal a person’s personal information or data.

The means to respond to such breaches include the filing of criminal complaints (if a felony has been committed) or lawsuits before the civil courts.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

All those mentioned above: personal information and/or data is not accessible to third parties, unless required by a competent judge.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

Most marketing communications are not regulated from a privacy perspective.

However, Law No 5830/17 “Which Prohibits Non-Authorized Publicity for Mobile Phone Users/Holders” has recently established a National Registry within the National Office of Consumer and User Protection (“SEDECO”), in which consumers and users may request their names and data to be filed in order to prevent providers of any kinds of goods or services from contacting them on their mobile phone.

Companies must consult this Registry to verify whether a person/user is registered on it, and refrain from sending any sort of messages to their mobile phone if they are registered on this “do-not-call” Registry.

However, communications between companies and users undertaken where a contract has already been entered into between the parties are exempted from the Law.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

The use of cookies, pixels, etc, is not specifically addressed by the Paraguayan legislation.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

The use of targeted advertising and behavioral advertising is not specifically addressed by the Paraguayan legislation.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

Currently, there are no notices and/or consents that advertisers need in order to share information regarding consumers with third parties for customer matching; however, under the Data Protection Law, certain data regarding consumers should not be shared with third parties within companies.

8.5 Are there specific privacy rules governing data brokers?

There is no specific privacy law governing data brokers.

8.6 How is social media regulated from a privacy perspective?

Social media is not yet regulated in Paraguay.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

Loyalty programs are not specifically addressed by the Paraguayan legislation. As far as promotions are concerned, the only types of promotions regulated are those concerning games of chance, which must be registered before the National Commission of Games of Chance (“Conajzar”), subject to payment (as a fee) of a percentage of the amount of the prize to be granted to the winner.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

No, except for the general landscape governing the use of a person’s private/intimate/personal information.


9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

None other than those mentioned above.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

The potential penalties and sanctions for violations of privacy or data security regulations are usually fines and claims for damages, and, in some (very grave) cases, where a criminal complaint has been made, imprisonment.

10.2 Do individuals have a private right of action? What are the potential remedies?

Yes. Individuals may file complaints before the civil and the criminal courts.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Paraguay which affect privacy?

No.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

Not at the moment.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Paraguay?

No.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

During the past few years, a major regulation, the Law on Electronic Trade, has been issued, which provides several obligations on companies whose main activities concern the provision of services by electronic means (whether by provision of goods by an internet website, the hosting of a website, etc). In our understanding, those changes were propelled by the world’s current situation, by global trends, and by the introduction into Paraguay of modern technology, especially the digital signature and the electronic signature.

Also, a “do-not-call” registry has been set up with the objective of forbidding companies to contact consumers on mobile phones where consumers have registered with the Registry for the specific purpose of not being contacted (see question 8.1).

Those two regulations are great advances for Paraguay with respect to the protection of consumers.

12.2 What do you envision the privacy landscape will look like in 5 years?

In our opinion, Paraguay will have to ensure its legislation is adequate to meet worldwide trends: data protection, social media regulation and further regulation with respect to advertising.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

The challenge companies may face is regarding respect for people’s personal data. Such respect may not affect companies for the moment, but it will become a major issue in years to come, especially when dealing with companies with strict data protection regulations. And in that respect, it is important that companies undertake action, campaigns, risk assessments, etc, in order to be prepared for compliance with this and any new legislation which may be passed.


PRIVACY LAW – PERU

1 PRIVACY LAW

1.1 How is privacy regulated in Peru?

Data privacy rights are regulated by law (see question 1.2).

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

(a) Law No 29,733 on Personal Data Protection;

(b) Supreme Decree No 003-2013-JUS, which approves the Regulations under the Law on Personal Data Protection.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

Data privacy law is enforced by the General Direction of Data Privacy Protection of the Ministry of Justice (“Data Privacy Authority”).

2 SCOPE

2.1 Which companies are subject to privacy law in Peru?

The Law on Personal Data Protection applies to both the public and private sectors that treat data and protects all personal data of natural persons.

2.2 Does privacy law in Peru apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

No. Peruvian law applies only to Peruvian companies, private or public, that treat data from individuals.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Peru?

“Personal data” is defined by the Law on Personal Data Protection as all information about a natural person that identifies or makes him/her identifiable through means that can be reasonably used.

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

“Sensitive data” is defined by the Law on Personal Data Protection as biometric personal data that by itself can identify the holder; and data relating to:

(a) race and ethnicity;

(b) political, religious, philosophic or moral convictions or opinions;


(c) economic income;

(d) trade-union membership;

(e) health or sexual life; or

any similar information that might affect a person’s privacy.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, and purpose limitation)?

Personal data must be treated with full respect of the fundamental rights of the data subject and the rights conferred by the Law. The same rule applies for its use by third parties. Personal data bank controllers and personal data bank processors must comply with the eight Guiding Principles:

(a) legality,

(b) consent,

(c) purpose,

(d) proportionality,

(e) data quality,

(f) security,

(g) recourse, and

(h) adequate protection,

according to the Law.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

No. The obligations and contractual requirements on database owners and processors are the same for all companies.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

Data banks must:

(a) register their banks before the Data Privacy Authority;

(b) communicate the cross-border data transfer flow to the Data Privacy Authority;

(c) have an adequate level of security to protect from breaches;

(d) use the data only for what they have informed the data subject;


(e) obtain consent from the data subject to treat their data; and

(f) post their terms and conditions and privacy policies on their websites so data subjects are aware of them.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Peru? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

Data security is regulated by the Law on Personal Data Protection. Personal data bank controllers must adopt technical, organizational and legal measures to guarantee the security of personal data and avoid alteration, loss, treatment or unauthorized access to it. The security requirements and conditions to be met by personal data banks are established by the National Data Protection Authority, unless prescribed by special rules contained in other laws.

Processing of data in personal data banks that do not meet these requirements is prohibited.

6.2 How are data breaches regulated in Peru? What are the requirements for responding to data breaches?

It is regulated by law. There is no obligation to notify a breach to the Peruvian Data Privacy Authority; however, it is recommended to notify affected individuals in order to avoid them complaining to the Data Privacy Authority. Database holders and data handlers must adopt the technical, organizational and legal measures necessary to guarantee the security of the personal data they hold. The measures taken must ensure a level of security appropriate to the nature and purpose of the personal data involved.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

Data subjects have the “ARCO” rights with respect to their personal information/personal data. These are the rights of:

(a) Access;

(b) Rectification;

(c) Cancellation; and

(d) Opposition.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

This kind of communication is regulated by the Spam Law (Law No 28493) and, in order to comply with the law, the communication must include the word “advertisement” in the subject, in order for the data subject to identify it immediately and be aware of its content.


8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

There is no specific law regulating tracking technologies; however, taking into consideration the Law on Personal Data Protection, the data subject must grant his/her consent to be tracked by the different online technologies, eg, cookies.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

Targeted advertising and behavioral advertising are not specifically regulated in the Law on Personal Data Protection, nor in the Advertisement Law. General law will apply, depending on the case.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

In order to share data with third parties, advertisers need to inform the data subject and receive an express consent.

8.5 Are there specific privacy rules governing data brokers?

There are no specific privacy rules governing data brokers.

8.6 How is social media regulated from a privacy perspective?

There are no specific privacy rules governing social media, but the Law on Personal Data Protection can apply to privacy matters related to social media, among other laws regarding the matter.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

There are no specific privacy rules governing loyalty programs and promotions. However, the general Law on Personal Data Protection can apply to privacy matters related to loyalty programs and promotions. In practice, companies operating these kinds of programs and promotions must obtain consent from the data subject in order to use his/her personal information, to send emails and notices, and to use his/her consumer habits. Such consent is mandatory.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

The personal data bank controller and the personal data bank processor may transfer personal data cross-border only if the destination country maintains an adequate level of protection according to the Law on Personal Data Protection. In the case that the destination country does not provide adequate protection, the recipient must guarantee that the processing of personal data will conform to the requirements of the Law on Personal Data Protection.


9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

No. However, there are exemptions from the general rule, and guarantees (see question 9.1) are not required in the following situations:

(a) agreements within the framework of international treaties to which Peru is a party;

(b) international judicial cooperation;

(c) international cooperation among intelligence agencies for the fight against terrorism, illicit drug traffic, money laundering, corruption and trafficking of persons and other forms of organized criminal activity;

(d) when the personal data is necessary for the execution of a contractual relationship in which the data subject is a party, including where it is necessary for activities such as authentication of user, improvement and support of service, monitoring of quality of service, support for the maintenance and invoicing of the account and those activities that the management of the contractual relationship requires;

(e) when related to bank or stock market transfers, in relation to the respective transactions and according to the applicable law;

(f) when the cross-border flow of personal data is performed for the protection, prevention, diagnosis or medical or surgical treatment of its holder, or when it is necessary for the performance of epidemiological or similar studies, as long as adequate dissociation procedures are applied; and

(g) when the data subject has given his/her previous, informed, express and unequivocal consent.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

Violations of privacy or data security law are punishable by administrative civil penalties, namely fines ranging from 0.5 UIT to 100 UIT (approx US$650–US$130,000).

10.2 Do individuals have a private right of action? What are the potential remedies?

Under the Law on Personal Data Protection, an individual can request a company to correct/delete their data.

Individuals can file a civil action in the courts requesting damages for breach of privacy.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Peru which affect privacy?

No.


11.2 Are there any hot topics or laws on the horizon that companies need to know?

There is only one data protection Law and its Regulations. The Peruvian Law on Personal Data Protection was enacted in July 2011 and entered into force in May 2015, so it is a relatively new Law.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Peru?

Our main advice to clients is to always:

(a) obtain consent from the data subject; and

(b) inform the data subject why his/her data is being collected and the intended final use of it.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

As mentioned, the Law is quite new, so there have not been too many changes in the privacy landscape.

12.2 What do you envision the privacy landscape will look like in 5 years?

Hopefully, privacy will be taken much more seriously, because, at this moment in Peru, people and companies lack knowledge about privacy rights.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

As mentioned before, many Peruvian companies lack knowledge regarding privacy rights and have committed breaches because of this. For example, companies may not know that they need to register their data banks before the Data Privacy Authority (see question 5.1).

Therefore, it is important that the government inform the people about privacy rights and obligations.


PRIVACY LAW – PUERTO RICO

1 PRIVACY LAW

1.1 How is privacy regulated in Puerto Rico?

Puerto Rico currently has two laws related to privacy and a pending bill. This legislation is directed at compulsory notifications regarding security breaches and privacy policies.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

Key laws regulating privacy are:

(a) Citizens’ Information about Database Security Act (Act No 111-2005); and

(b) Privacy Policy Notification Act (Act No 39-2012).

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

Individuals may file actions for civil damages based on the aforementioned laws or the Civil Code Article 1802.

2 SCOPE

2.1 Which companies are subject to privacy law in Puerto Rico?

Any company that keeps a database containing customer personal information is subject to privacy law in Puerto Rico.

2.2 Does privacy law in Puerto Rico apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

Current legislation applies to any company that keeps personal data of Puerto Rico users.

There are no specific obligations for companies outside the country.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Puerto Rico?

“Personal information” is “any name or number that may be used by itself, or with any other information, to identify a specific person, including name, last name, social security number, date and place of birth, civil status, gender, address, email address, phone number, driver’s license number, passport number, fingerprints, voice recordings, and retina images.”


3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

Personal information that is considered sensitive includes: name, last name, social security number, date and place of birth, civil status, gender, address, email address, phone number, driver’s license number, passport number, fingerprints, voice recordings, and retina images.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

Notice to users.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

No.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

Give notice to users regarding the privacy policy and any security breaches that may compromise personal data.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Puerto Rico? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

There is no regulation except for notice of breach.

6.2 How are data breaches regulated in Puerto Rico? What are the requirements for responding to data breaches?

Breaches must be informed to users. Users may file a damages action if harmed by a breach.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

N/A


8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

N/A

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

N/A

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

N/A

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

The privacy policy must include the third party with whom the data is shared.

8.5 Are there specific privacy rules governing data brokers?

N/A

8.6 How is social media regulated from a privacy perspective?

N/A

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

N/A

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

N/A

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

N/A

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

A fine of up to $5,000.


10.2 Do individuals have a private right of action? What are the potential remedies?

Actions for damages may be filed. Injunctions and monetary relief may be obtained.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Puerto Rico which affect privacy?

N/A

11.2 Are there any hot topics or laws on the horizon that companies need to know?

Senate bill 1231, related to the protection of online privacy, is pending approval.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Puerto Rico?

Puerto Rico is a US territory, which means any federal law regarding personal data and privacy is applicable.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

Legislators are more aware of privacy issues due to the increased use of and reliance on social media.

12.2 What do you envision the privacy landscape will look like in 5 years?

We do not envision many changes.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

Obtaining and maintaining user trust regarding the use and protection of their data.


PRIVACY LAW – RUSSIA

1 PRIVACY LAW

1.1 How is privacy regulated in Russia?

Under Russian laws, individuals enjoy the right to privacy, which, in particular, includes protection of their personal data. Russian data privacy regulations are based on the Strasbourg Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (“Convention 108”), Articles 23 and 24 of the Russian Constitution, several federal laws and administrative regulations.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

Key Russian laws and regulations include the following:

(a) Federal Law dated July 27, 2006 No 152-FZ “On Personal Data” (“Personal Data Law”), which is the principal law in the area of personal data protection and contains certain specific provisions governing processing of personal data for direct marketing purposes;

(b) Federal Law dated July 27, 2006 No 149-FZ “On Information, Information Technologies and Protection of Information”, which sets out certain general principles regarding protection of information, as well as a number of specific rules governing use of information technologies;

(c) Federal Law dated March 13, 2006 No 38-FZ “On Advertising”, which is the principal law in the area of advertising and contains some provisions on distribution of advertising materials via communication channels;

(d) Federal Law dated July 7, 2003 No 126-FZ “On Communications”, which governs the provision of communications services in the Russian Federation and, among other elements, sets out the rules relating to mailings carried out by communication providers through communication channels, either for themselves or on behalf of their partners (contractors); and

(e) Labor Code of the Russian Federation dated December 30, 2001 No 197-FZ, which sets out a number of specific requirements relating to the processing of employees’ personal data.

In addition to the above, Russian state authorities have issued a number of regulations and guidelines governing various aspects of personal data processing and protection, such as the processing of personal data without automated means, security requirements, etc. The key by-laws are:

(f) “Requirements to Security of Personal Data Processed in Information Systems of Personal Data” approved by the Decree of the Government of the Russian Federation dated November 1, 2012 No 1119;

(g) “Scope and Composition of Organizational and Technical Measures to Ensure Security of Personal Data Processed in Information Systems of Personal Data” approved by the Order of the Federal Service for Export and Technical Control dated February 18, 2013 No 21; and

(h) “Scope and Composition of Organizational and Technical Measures to Ensure Security of Personal Data Processed in Information Systems of Personal Data with Use of Cryptographic Protection of Information Required to Comply with Personal Data Security Requirements Stated by the Government of the Russian Federation with respect to each Security Level” approved by the Order of the Federal Security Service dated July 10, 2014 No 378.


1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

The main regulators in the area of data protection are:

(a) Federal Service for Supervision of Communications, Information Technology, and Mass Media (“Roskomnadzor”) is the supervisory authority in the area of personal data protection (ie, the data protection authority). It carries out its functions through its central and regional offices, which are responsible for supervising data controllers in their respective regions of Russia;

(b) Russian Federal Antimonopoly Service (“FAS”) is the supervisory authority in the area of competition and advertising;

(c) Russian Federal Service for Technical and Export Control (“FSTEC”) is the authority responsible for supervising the protection of confidential information with use of technical tools; and

(d) Russian Federal Security Service (“FSB”) is the authority responsible for supervising the protection of confidential information with use of encryption tools.

Supervisory activities in the area of personal data protection are performed by Roskomnadzor by way of scheduled inspections, unscheduled (ad hoc) inspections and the monitoring of data protection activities through the Internet without interaction with the company whose data processing activities are being monitored. Roskomnadzor may cooperate with the FSTEC and FSB in the course of its supervisory activities. As for the FAS’ supervisory activities in the area of advertising, they include unscheduled inspections and monitoring.

2 SCOPE

2.1 Which companies are subject to privacy law in Russia?

Privacy law applies to any entities, including state and municipal authorities, legal entities and individuals, that carry out processing of personal data by automated means, or without automated means if such manual processing is similar to automated processing, ie, it enables algorithm-based search of personal data contained in card catalogues or repositories.

Privacy laws apply to entities having a physical presence in Russia and processing personal data there, and also to those without a physical presence in Russia but processing personal data through websites and apps which target a Russian audience. The “targeting” test is quite broad and involves an examination of diverse factors, such as the use of the Russian language on the website, registration of a domain name in the Russian domain zone, the possibility of choosing Russia as a place for delivery of products, registration of users from Russia (indicating Russia as a territory), etc. Targeting criteria are not formalized under the Russian laws, so they are defined on a case-by-case basis.

2.2 Does privacy law in Russia apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

Russian privacy law applies to companies outside the country and to those which do not have a physical presence in Russia (eg, no branch or representative office). The targeting of a Russian audience through a website or app where personal data is processed serves as a criterion as to whether Russian laws apply (see question 2.1). Russian laws do not set out any specific obligations for foreign companies, so the general requirements apply.


3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Russia?

“Personal data” is defined as any information relating to an identified or identifiable, directly or indirectly, individual (data subject). This definition is based on Convention 108 and is quite similar to the one laid down under the EU data protection laws.

In practice, the notion of personal data is construed broadly so that, along with information traditionally attributed to personal data (such as name, contact details, etc), it may also include certain technical (eg, information processed with use of cookies) and other data.

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

By the Russian Personal Data Law, “sensitive personal data” is defined as personal data relating to race, national origin, political views, religious and philosophical commitments, intimate life and health. In addition, sensitive data includes data relating to criminal convictions.

As a basic rule, sensitive personal data (except data relating to criminal convictions) may be processed only on the basis of an individual’s written consent, executed in hard copy or as a digital document signed by reinforced digital signature (a type of digital signature based on state-certified cryptographic algorithms). In addition, such consent must contain certain mandatory elements prescribed by law. Exceptions exist where consent is not required; however, they are very limited and apply rarely.

There is a general prohibition on the processing of data relating to criminal convictions. Exceptions are very limited and apply very rarely.

Additionally, Russian privacy law distinguishes a separate category of privacy-sensitive information — “biometric personal data” — which is defined as information relating to an individual’s physiological and biological characteristics, enabling and used for the individual’s identification (eg, fingerprints, personal image, voice recording, etc). In addition, there is a draft law aimed at extending the scope of biometric data in the context of modernizing Convention 108. If adopted, biometric data will include genetic information.

As for the processing of sensitive data, biometric data processing may be performed only on the basis of the individual’s written consent, unless certain exceptions apply.

Apart from the above, in terms of security, the Russian data protection laws imply that the scope of security measures to be implemented by the controller depends on relevant security threats, the number and categories of data subjects, and the types of personal data being processed — where information systems contain biometric or sensitive data, higher security standards apply.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

The key privacy principles relating to the processing of personal data are set out by the Personal Data Law, and are:


(a) Lawfulness: the processing of personal data must be lawful. In particular, this principle implies the need to ensure that there are legal grounds for data processing by the data controller.

(b) Purpose limitation: implying that processing of personal data must be limited to the achievement of a specific lawful purpose, and personal data must not be processed for other, incompatible, purposes.

(c) It is prohibited to accumulate databases containing personal data processed for different, incompatible, purposes.

(d) Data minimization: implying that the scope and content of personal data must be limited to what is necessary to achieve the specific data processing purpose. Personal data being collected and processed must not be excessive for the declared processing purpose.

(e) Personal data must be kept accurate, complete and up to date. The data controller must rectify or delete data which is inaccurate or incomplete.

(f) Once the processing purposes have been achieved, personal data must not be stored in a way allowing identification of the data subject (ie, it must be destroyed or anonymized), unless otherwise provided by legislation or by an agreement in which the data subject is a party, beneficiary or guarantor. Once the purposes of processing are achieved, personal data must be destroyed or anonymized, unless otherwise provided by legislation.

(g) Personal data must be kept secure and confidential. The data controller must ensure the implementation of legal, technical and organizational measures to prevent unauthorized or uncontrolled access, modification, destruction or other unlawful operations on personal data.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

The Russian Personal Data Law defines two roles in terms of data processing:

(a) Data controller: An entity arranging and/or carrying out processing of personal data, as well as defining the personal data processing purposes, the scope of personal data to be processed and the personal data processing operations; and

(b) An entity processing personal data upon a data controller’s assignment/instruction, which is similar to the notion of data processor under EU laws. To formalize an entity as a data processor, the controller and the entity must execute a data processing agreement (assignment) specifying: (i) the processing purpose, (ii) the data processing methods and operations performed by the processor, (iii) the processor’s security and confidentiality obligation, and (iv) a set of security measures implemented by the processor.

The laws do not provide for any detailed guidance on a data processor’s role and obligations. The Russian laws imply that the data processor is not responsible for requesting the individual’s consent, which must be done by the controller. The controller will be responsible to individuals for the processing of their personal data by a processor under the controller’s instructions.


5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

Key obligations required by privacy law related to advertising activities are as follows:

(a) Legal grounds for personal data processing: There must be a legal ground for processing personal data (eg, consent, contractual necessity, legitimate interest, etc). The Russian authorities are quite conservative in this regard, so, in practice, consent is the most widespread legal ground. Moreover, in some cases, the law defines an individual’s consent as being the only appropriate legal ground. For example, any direct marketing communications to an individual require the individual’s explicit (opt-in) consent. The laws do not set out any legal exceptions (such as the controller’s legitimate interest) to this.

(b) Privacy Policy: A data controller must draw up a privacy policy and make it available to the individuals concerned, in Russian, by publishing it on its website. The privacy policy must outline all aspects of the data processing performed in a transparent manner.

The Russian Personal Data Law sets out the information regarding personal data processing that must be communicated to an individual prior to personal data processing, which must be taken into account when drafting a privacy policy. In addition, Roskomnadzor has issued its recommendations on the content of privacy policies. Although these recommendations are not legally binding, they demonstrate the aspects of privacy which are taken into account by the regulator in this regard.

In light of the above requirement and recommendations, a privacy policy must contain the following details:

(i) data controller’s identity (name, address);

(ii) terms and definitions used in the document;

(iii) explanation of the policy’s goals;

(iv) purposes of data processing;

(v) legal grounds for data processing, categories of data subjects whose personal data is processed, and categories of personal data being processed;

(vi) types of processing operations to be performed and a general description of personal data processing methods;

(vii) information on transfer of personal data to third parties, including cross-border transfer of personal data;

(viii) information on the data processors engaged to process personal data on behalf of the data controller;

(ix) information on measures taken to ensure the security and confidentiality of personal data;

(x) terms of personal data processing, including retention terms and conditions regarding termination of processing; and

(xi) data subjects’ rights and how they can be exercised.

(c) Direct marketing requirements: Direct marketing communications with data subjects are subject to their prior opt-in consent (there are no exceptions in this regard).


Each marketing communication must contain either a link allowing data subjects to unsubscribe from further receipt of such marketing communications or, alternatively, information on how the recipient can unsubscribe. Once a data subject withdraws his consent to marketing communications, the data controller must immediately terminate direct marketing communications and the processing of personal data for this purpose.

(d) Localization of Russian citizens’ personal data: Data controllers must ensure that certain operations with Russian citizens’ personal data are performed in a database located in Russia. Such operations include recording, systematization, accumulation, storage, specification (update, modification), and retrieval. Afterwards, personal data can be transferred outside Russia, subject to cross-border data transfer requirements.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Russia? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

The basic obligation of a data controller is to ensure the security and confidentiality of processed personal data, which includes implementation of legal, administrative and technical security measures. Russian law sets out a very broad list of security measures that may be applied by a data controller (eg, appointment of a data protection officer, data recovery, implementation of internal policies, etc).

In addition to the general measures prescribed by law, the Russian Government has defined a number of specific measures a data controller must implement. The extent of these measures will depend on the types of security threat to the personal data, the number and categories of individuals whose personal data is processed, and the types of their personal data. Companies must perform security threat modelling in order to identify and categorize security threats that are likely to affect a database or system containing personal data. Based on security threat modelling, a company must determine the appropriate level of data protection and the particular set of security measures that must be implemented in order to safeguard the personal data.

6.2 How are data breaches regulated in Russia? What are the requirements for responding to data breaches?

Among other security measures, the security regulations require that the controller implements a number of security incident detection and response measures, eg, that it defines individuals responsible for incident detection and response, guides users to notify such individuals of security incidents revealed, etc. The extent of such measures will be defined by the controller based on threat modelling results (see question 6.1).

As for data breach notifications, the Personal Data Law does not currently require data controllers to notify either the regulator or the individuals concerned when a data breach is revealed. There are certain industry-specific data breach notification obligations, eg, in the area of payment systems, critical information infrastructure, etc.

Meanwhile, in October 2018, Russia signed a Protocol amending Convention 108. When this Protocol comes into force, Russia will have to ensure that Russian laws set out the data breach notification procedure. In the light of this, Roskomnadzor officials have announced that they have already begun preparation of a draft bill to amend the Personal Data Law accordingly.


7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

Russian privacy law sets out the following rights for individuals with respect to their personal data:

(a) To withdraw their consent at any time: In such case, the data controller should terminate personal data processing based on consent within 30 calendar days, unless other timeframes are agreed with the individual concerned or are set out in law. For example, the laws require that the data controller terminates direct marketing activities through communication channels, and the processing of personal data for such purposes, immediately once the consent is withdrawn.

(b) To access personal data: A data subject is entitled to request from the data controller confirmation that his personal data is being processed by that data controller and a range of details regarding such data processing activities (eg, categories of processed data, purposes of processing, operations performed on data, methods of processing, information on international transfers, etc). Upon the data subject’s request, he should be provided with a copy of his personal data (eg, a copy of documents containing personal data, and extracts from the automated information system where data is processed).

(c) To require correction of personal data which is incomplete, inaccurate, outdated or misleading: Upon receipt of a data subject’s request, the controller must ensure that there is no further processing or use of such personal data until it has been corrected.

(d) To require that the data controller terminates the processing of his personal data and destroys personal data which is processed unlawfully or is not needed to fulfil the declared processing purpose (ie, is excessive): Personal data specified in the request will be blocked by the data controller while the circumstances subject to such request are investigated.

(e) Not to be subject to solely automated decision-making in the absence of a written consent: In addition, the data controller must explain to the individual the decision-making procedure, its implications, the individual’s rights and how they can be exercised, as well as enable such individual to object to decisions made.

(f) To lodge a complaint against a data controller with a supervisory authority or a court.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

Under Russian law, direct marketing communications with an individual are only permitted where the individual has provided a prior opt-in consent to receipt of marketing communications and processing of personal data for such purpose. No exceptions apply.

From a practical perspective, such consent may be obtained by use of a tick-box (digital or hard copy), or a “Subscribe” button, provided that such tick-box or button is separate from other consents (eg, acceptance of Terms of Use or processing of personal data as described in the Privacy Policy) and the tick-box is not pre-ticked. Otherwise, Russian regulators may not construe such consent as a valid legal ground and the data controller will be in breach of Russian data protection and advertising laws.


Each marketing communication must contain a link to unsubscribe from further receipt of such marketing communications or, alternatively, information on how the recipient can unsubscribe.

Once the data subject unsubscribes (withdraws consent) from marketing communications, the data controller must terminate direct marketing communications and the processing of personal data for this purpose immediately — Russian laws do not provide any grace period in this regard.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

Russian data protection laws do not directly address the use of tracking technologies.

In general, Roskomnadzor and the courts consider such activities as personal data processing. An appropriate legal ground in such case will be the individual’s explicit opt-in consent (eg, by tick-box form, banner, or pop-up window requesting the individual’s consent on the home page of the website).

Use of purely technical cookies (ie, ones which are strictly necessary for the functioning of the website, unlike those allowing targeted advertisements, marketing analytics, etc) is a non-regulated area, and no unified approach exists as regards legal grounds for their use. Some companies stick to a risk-oriented approach, considering that consent is not required and that it is possible to rely on other legal grounds (such as preserving the legitimate interest of the data controller or contractual necessity). Others take a more conservative approach.

It is necessary to describe the use of tracking technologies and the corresponding data processing operations in the data controller’s privacy policy or in a separate policy, eg, a cookie policy. This policy must be available in Russian, include the data controller’s identity, and explain what cookies and other technologies are used, their types, retention periods and the purposes for which they are used.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

In Russia, targeted advertising and behavioral advertising are not directly regulated from a privacy perspective. Since they imply collection and further processing of individuals’ personal data, including use of cookies and other tracking technologies, the general rules apply. This means, in particular, that a data controller must ensure that there are appropriate legal grounds for such data processing and must inform the data subject how his personal data may be processed in the respective policy (eg, the privacy policy).

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

The data controller must obtain the user’s opt-in consent and set out details of the processing in its privacy policy in such a way that the data subject can get information on how his/her data will be processed.

8.5 Are there specific privacy rules governing data brokers?

There are no special regulations in Russian legislation regarding data brokers’ activity. However, under the general rules, all data processing activities, including those of data brokers, must be carried out in compliance with the general requirements of the data protection laws.


8.6 How is social media regulated from a privacy perspective?

Processing of personal data in social media is based on the general rules and regulations and privacy principles. Terms of processing shall be described in the privacy policy, which must be available and transparent for data subjects (users of social media), and there must be an appropriate legal ground for such processing (such as consent, contractual necessity, etc).

Additionally, when it comes to collection of personal data from social media, Roskomnadzor considers that this cannot be done freely by any third parties without sufficient justification to do so. Roskomnadzor’s position (upheld in court practice) implies that users make their personal data available in social media profiles for specific purposes laid down by such social media Terms & Conditions and Privacy Policies. So, the purpose limitation principle applies and entities collecting individuals’ personal data from social media must ensure appropriate legal grounds.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

Russian privacy laws do not directly regulate loyalty programs and promotions. General rules apply to loyalty programs and promotions, including direct marketing rules.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

Russian privacy law does not prohibit personal data transfer, including cross-border (international) data transfer. Data transfer must be formalized by a data transfer/processing agreement, demonstrating that the parties prioritize compliance with data protection laws and implement legal measures to preserve the confidentiality and security of the personal data being transferred. The agreement must contain the following elements:

(a) list of processing operations carried out by the receiving party on the personal data;

(b) security and confidentiality obligation of the receiving party;

(c) purposes of the personal data transfer; and

(d) list of security measures to be implemented by the receiving party (in accordance with Russian data protection laws).

Cross-border transfer of personal data is defined as the transfer of personal data to a foreign third party (ie, foreign individual, legal entity or state authority) abroad. Key requirements for cross-border data transfers include entering into a data processing agreement (as described above) and ensuring an appropriate legal ground for the transfer, according to the adequacy of the recipient country (see below).

Legal grounds for the cross-border transfer depend on the country to which data is transferred. In this regard, there are jurisdictions providing an adequate level of data subjects’ rights protection and those which do not. “Adequate” jurisdictions are states-parties to Convention 108 (eg, EU members) and countries considered adequate by Roskomnadzor (Australia, Israel, Canada, New Zealand, Republic of Korea, Kazakhstan, Singapore, Chile, Japan, etc).


Where personal data is transferred to “adequate” jurisdictions, the general approach to legal grounds applies. If a recipient jurisdiction is not considered “adequate”, the scope of appropriate legal grounds is quite narrow. For example, for consent-based data transfer, the individual’s written consent, subject to statutory requirements, is needed.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

In addition to the data transfer requirements set out in question 9.1, parties must take into account the data localization requirement (see question 5.1(d)), where applicable.

There are no exemptions for intra-group transfers. Subsidiaries and affiliates are considered third parties, so the general rules apply. Moreover, in practice, shared use of information systems within corporate groups constitutes data transfer, which must be compliant with the legal requirements outlined above.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

Privacy-related violations may entail the following sanctions:

(a) administrative fines of up to 75,000 RUR (approx US$1,180) for personal data processing reasons, which may be imposed repeatedly if separate administrative proceedings are initiated per breach;

(b) administrative fines of up to 6 million RUR (approx US$94,100) for a first violation of the localization requirement, and of up to 18 million RUR (approx US$282,300) for a repeated offense;

(c) administrative fines of up to 500,000 RUR (approx US$7,850) for advertising reasons;

(d) restriction of access (blockage) to a website or app (so that it will no longer be available to Russian citizens) in cases where personal data processing practices on such website or app are not compliant with Russian privacy laws;

(e) forced suspension of unlawful data processing activities; and

(f) criminal sanctions, such as imprisonment and fines, which may be imposed for unlawful access to computer information that results in the destruction, blockage, modification or copying of computer information, as well as for illegal disclosure of information about an individual’s private life. Criminal liability may be imposed only on individuals (ie, a company’s officials); Russian laws do not impose criminal liability on legal entities.

10.2 Do individuals have a private right of action? What are the potential remedies?

Individuals are entitled to claim compensation through the courts for damage (including moral damages) caused by illegal processing of their personal data. However, such practice is quite rare and the amounts of compensation awarded to individuals are not high.


11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Russia which affect privacy?

Data protection rules in Russia are based on basic principles and approaches which are also relevant for the European Union (for example, purpose limitation, data minimization, etc). However, there are certain specific restrictions, which reflect the policy of the state in the area of privacy and data protection.

In particular, Russian privacy regulations reflect a general localization trend. In addition to the personal data localization requirement, there are also several specific rules, eg, requiring that Russian telecom providers providing communication services under licenses, and moderators of dissemination of information on the Internet (for example, social media, messengers, etc), retain the content of users’ messages and related meta-data in Russia.

The localization trend is based on certain policy considerations, such as protection of individuals’ rights, effective prevention and investigation of terrorism, etc.

One more peculiarity to mention is the consent-focused approach to appropriate legal grounds. In general, Russian regulators are quite conservative in this regard and construe alternative legal grounds quite narrowly. For example, Roskomnadzor is quite skeptical about a controller’s legitimate interest so, in practice, such justification applies very rarely.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

Currently there are several draft laws that are widely discussed in Russia that are aimed at modernizing Russian data protection legislation in terms of consent requirements and data pseudonymization and anonymization. However, it is not yet clear when such amendments will be considered by the Russian Parliament.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Russia?

N/A.

12 OPINIONQUESTIONS

12.1 Whatchanges in theprivacy landscapehaveyouobservedover thepast fewyears? Inyouropinion,whatpropelled/triggeredthesechanges?

Inthelastfewyears,companiesoperatinginRussiahavefacednewobligationsrelatedtolocalizingpersonaldatainRussia.TheofficiallyarticulatedpurposeofthisinitiativeisimprovedprotectionofdatasubjectsinRussia.Atthesametime,thesemeasureshavebecomeasignificantissueforglobalcompanies(especiallydatadrivencompanies)havingapresenceinRussiaorotherwisetargetingit.

Inaddition,intermsofenforcement,theregulatorhasshifteditsfocusoncompliancetotheonlineenvironmentandITcompanies.Thisreflectsageneraldigitalizationtrend,wherebyanindividual’sdailyactivitieshavebecome focusedononlineplatforms,so thatcommunication iscarriedoutviasocialmediaandmessages,purchasesaremadeonline,etc.


12.2 What do you envision the privacy landscape will look like in 5 years?

On October 10, 2018, the Russian Federation signed a protocol modernizing Convention 108.

Russian officials have already announced elaboration of respective amendments to the Russian laws and confirmed that they will move towards harmonization with the Convention. Prospective changes may include data breach notification obligations, definitions of data processor and data recipient, new types of sensitive data, etc.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

Fines for non-compliance with the localization requirement have recently come into force (see question 10.1(b)). High fines of up to 18 million RUR (approx US$282,300) are expected to significantly affect the privacy landscape in Russia. If, previously, risks for companies processing the personal data of Russian citizens in cases of non-compliance with the localization requirement were rather remote (enforcement measures were limited to the blockage of the website/app), now they may become the most important issue in terms of data protection.

One more challenge faced by companies doing business in Russia relates to the rather conservative approach of Russian regulators, eg, regarding appropriate legal grounds for data processing, data pseudonymization and anonymization, etc.

Finally, data protection laws are developing worldwide. In light of this, companies and corporate groups doing business in several jurisdictions face the problem of harmonized compliance. The most noticeable issue is balancing compliance with the EU's GDPR and the Russian Personal Data Law, which is quite onerous both from a legal and a business perspective due to the different legal requirements and practical approaches to their implementation.


PRIVACY LAW – SERBIA

1 PRIVACY LAW

1.1 How is privacy regulated in Serbia?

Privacy is regulated by a number of binding laws, bylaws and other forms of regulations adopted on the national level. However, by adopting a lex generalis last year, which is based on the EU's GDPR and Police Directive, Serbia made important steps in increasing the level of data protection and reaching EU standards. It is important to emphasize that the work on the privacy regulatory framework is yet to be completed. The Serbian Law on Personal Data Protection ("LPDP") states that the provisions of other laws relating to the processing of personal data are to be harmonized with the provisions of that Law by the end of 2020, and that the bylaws prescribed by the LPDP must be adopted by August 21, 2019.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

The core law regulating privacy in the Republic of Serbia is the newly-adopted LPDP, based on the GDPR and Police Directive. This law regulates the right to the protection of natural persons in relation to the processing of personal data and the free flow of such data, the principles of processing, the rights of the data subject, the obligations of controllers and processors of personal data, the codes of conduct that may be prepared by associations and other bodies representing categories of controllers or processors, the transfer of personal data to other States and international organizations, supervision of the implementation of the Law, remedies, liability and penalties in the event of a violation of the rights of natural persons in relation to the processing of personal data, as well as special cases of processing. Additionally, it regulates the right to the protection of individuals with regard to the processing of personal data by the competent authorities for the purpose of preventing, investigating and detecting criminal offenses, prosecuting offenders or executing criminal sanctions, including prevention and protection against threats to public and national security, as well as the free flow of such data.

However, there are a number of other sector-specific laws which are important for regulating privacy, such as:

(a) Information Security Law — which regulates the use of personal data in ICT systems, measures for their protection from unauthorized access, as well as the protection of the integrity, availability, authenticity and integrity of that data;

(b) Advertising Law — which regulates the necessity of obtaining a prior consent from the person whose personal good, including personal data, is contained in an advertisement. Namely, the law prescribes that in case the advertisement contains a personal good on the basis of which the identity of the person can be ascertained or recognized, the advertisement message cannot be published without the prior consent of the person concerned;

(c) Law on Public Information and Media — which regulates the use of personal data in media, with special focus on the use of children's data;

(d) Criminal Code — which prescribes criminal offences related to the violation of personal data, such as breach of secrecy of letters and other means of communication, unauthorized wiretapping and recording, unauthorized photography, unauthorized publication and display of other people's files, portraits and footage, and unauthorized collection of personal information;


(e) Law on Civil Procedure and Law on Criminal Procedure — which prescribe rules related to the exclusion of the public from the judicial hearing in order to protect the interests of the minor or the privacy of parties in the proceedings; and

(f) Employment Act, Law on Records in the Field of Employment and Law on Compulsory Social Security — which regulate the collection of data of employees.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

(a) Commissioner for Personal Data Protection. The most important player for privacy law enforcement is the Commissioner for Personal Data Protection ("Commissioner"), as a regulatory body. The Commissioner is a supervisory authority, which acts, in accordance with the LPDP, on the territory of the Republic of Serbia. The Commissioner supervises and enforces privacy law in accordance with its authority, and promotes public awareness and understanding of the risks, rules, safeguards and rights in relation to the processing of personal data. Additionally, the Commissioner advises the national parliament, the government, and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons' rights and freedoms with regard to processing the data. Furthermore, the Commissioner influences the enforcement of privacy law through its authority to review and evaluate the implementation of the provisions of the law and otherwise supervise the protection of personal data by using inspection powers, as well as through its authority to impose a temporary or permanent restriction on the performance of a processing operation, including a prohibition on processing.

(b) Competent courts. The courts also play a crucial role in privacy law enforcement. In the case of a data breach, any natural or legal person, including a data subject, processor or controller, has the right to appeal against a legally binding decision of the Commissioner concerning them, or, where the Commissioner does not render a decision within 60 days from the day of the receipt of the complaint, to initiate administrative court proceedings by filing a lawsuit with the Administrative Court. Additionally, a data subject has a right to initiate court proceedings before a competent court if he/she considers that the controller or processor has infringed his/her rights when processing personal data.

2 SCOPE

2.1 Which companies are subject to privacy law in Serbia?

Privacy law in Serbia applies to all companies which have their headquarters in the territory of the Republic of Serbia and process personal data as controllers or processors within the framework of activities carried out in Serbia, regardless of whether the processing is carried out in Serbia. However, privacy law also applies to companies which do not have their headquarters in Serbia, but which process personal data as controllers or processors, if the processing is related to:

(a) the offer of goods or services to a data subject in Serbia, regardless of whether that person is required to pay compensation for these goods or services; or

(b) monitoring the activities of data subjects, if the activities are carried out in Serbia.


2.2 Does privacy law in Serbia apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

Privacy law in Serbia applies to companies outside the country in the circumstances set out in question 2.1. In these cases, the company outside the country is obliged to designate, in writing, a representative in the Republic of Serbia, unless:

(a) processing is done only occasionally, it does not include to a great extent the processing of sensitive data or personal data related to convictions for criminal offenses and other offenses, and is unlikely to cause risk to the rights and freedoms of individuals, taking into account the nature, circumstances, extent and purposes of processing; or

(b) the controller or processor is a competent authority.

The controller or processor must authorize the representative to be a person to whom, in addition to the controller or processor, or instead of them, the data subject, the Commissioner, as the supervisory body, or a third person may address all matters relating to the processing of personal data in order to ensure compliance with the domestic law.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Serbia?

"Personal data" is defined as any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

According to the national law, the following categories of personal data are considered as sensitive:

(a) personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership,

(b) genetic data,

(c) biometric data, in cases when it is processed for the purpose of uniquely identifying a natural person,

(d) data concerning health, and

(e) data concerning a natural person's sex life or sexual orientation.

In general, the processing of sensitive data is prohibited. However, the processing may take place under the following conditions:

(1) If the data subject has given explicit consent to the processing of such personal data for one or more specified purposes, except where domestic law provides that the prohibition of sensitive data processing may not be lifted by the data subject;


(2) If processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law insofar as it is authorized by domestic law or a collective agreement providing for appropriate safeguards for the fundamental rights and the interests of the data subject;

(3) If processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

(4) If processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;

(5) If processing relates to personal data which is manifestly made public by the data subject;

(6) If processing is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity;

(7) If processing is necessary for reasons of substantial public interest, on the basis of domestic law which must be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

(8) If processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or the management of health or social care systems on the basis of domestic law or pursuant to the contract with a health professional, if the processing is performed by or under the supervision of a health professional or other person who has an obligation of professional secrecy prescribed by law or professional rules;

(9) If processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of domestic law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy; or

(10) If processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes which must be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. Additionally, such processing of sensitive data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes must be subject to appropriate safeguards, including organizational and technical measures, for the rights and freedoms of the data subject.

However, these obligations do not apply to processing carried out by the competent authorities for special purposes. For the sake of clarity, processing carried out by competent authorities for special purposes refers to processing done for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public and national security. The processing of sensitive data carried out by competent authorities for special purposes is only permissible if necessary, with the application of appropriate measures to protect the rights of the data subject, in one of the following cases: (a) the competent authority is authorized by law to process sensitive data; (b) the processing of sensitive data is performed in order to protect the vital interests of the data subject or other natural person; or (c) processing refers to sensitive data which the data subject has clearly made available to the public.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

Key privacy principles which need to be followed by companies when processing personal data are the following:

(a) Lawfulness, fairness and transparency, meaning that companies shall process personal data lawfully, i.e. in accordance with applicable laws, fairly and in a transparent manner in relation to the data subject;

(b) Purpose limitation, meaning that companies shall collect personal data for specified, explicit and legitimate purposes and not further process them in a manner that is incompatible with those purposes;

(c) Data minimization, meaning that personal data processed by companies shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

(d) Accuracy, meaning that personal data processed by companies shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

(e) Storage limitation, meaning that personal data processed by companies shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;

(f) Integrity and confidentiality, meaning that companies shall process personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

In general, there is a difference between companies which act as controllers and the ones that act as processors:

Companies acting as controllers. These companies determine the purpose and the method of the data processing and shall be responsible for and be able to demonstrate compliance with all key privacy principles, such as lawfulness, fairness and transparency, purpose limitation, data minimization, etc. These companies decide, within the legal framework, which data will be collected, for what period it will be kept, whether it will be shared with third parties, etc.


Companies acting as processors. These companies simply process the personal data and decide how it is stored. Consequently, they cannot change the purpose of the processing determined by the controller. It should be noted that processors process data only according to the controller's requirements set down in a contract or other legal act concluded between the controller and processor in writing, that is binding on the processor with regard to the controller. This contract must set out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. More precisely, the contract or other legal act must stipulate that the company acting as processor:

(a) processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by law; in such a case, the processor must inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

(b) ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

(c) takes all appropriate technical and organizational measures to ensure a level of security for the rights and freedoms of natural persons;

(d) respects the conditions for engaging another processor, meaning that the processor cannot engage another processor without the prior specific or general written authorization of the controller. In the case of general written authorization, the processor must inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes;

(e) assists the controller by appropriate technical and organizational measures, insofar as this is possible, taking into account the nature of the processing, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights;

(f) assists the controller in ensuring compliance with the obligations related to the security of processing, notification of a personal data breach to the supervisory authority and data subject, data protection impact assessment and prior consultation, taking into account the nature of processing and the information available to the processor;

(g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless law requires storage of the personal data; and

(h) makes available to the controller all information necessary to demonstrate compliance with its obligations and allows for and contributes to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

The processor is obliged to inform the controller if any of the instructions contained in the contract constitutes an infringement of the law regulating data protection. Additionally, processors are obliged to inform controllers without undue delay when a data breach takes place.


5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

Key obligations required by privacy law include the following:

(a) Posting a privacy policy. There is no specific obligation required by national law to post a privacy policy as such. However, there is an obligation of the controller to provide the data subject, at the time when personal data are obtained, with all of the necessary information related to processing, such as the identity and the contact details of the controller, the purposes of the processing, the contact details of the data protection officer, where applicable, etc. The information must be provided without undue delay in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

(b) Keeping records of processing operations. Both controller and processor are obliged to keep records of processing operations. Namely, each controller and, where applicable, the controller's representative, is obliged to maintain a record of processing activities under its responsibility, which must contain all of the following information:

(i) the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;

(ii) the purposes of the processing;

(iii) a description of the categories of data subjects and of the categories of personal data;

(iv) the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations;

(v) where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and the documentation of suitable safeguards where needed;

(vi) where possible, the envisaged time limits for erasure of the different categories of data; and

(vii) where possible, a general description of the technical and organizational security measures adopted for securing rights and freedoms of natural persons.

Similar records must be kept by each processor/processor's representative with regard to all categories of processing activities carried out on behalf of a controller.

These records must be in writing, including in electronic form. However, there is an exception to the obligation of keeping records of processing operations in cases where: (1) controller and processor are companies or organizations with less than 250 employees, unless the processing carried out by them may cause a high risk to the rights and freedoms of the data subject, (2) processing is not occasional or (3) processing includes special categories of personal data, including that related to criminal convictions, criminal offenses and security measures.

(c) Conducting risk impact assessments and seeking prior consultation. The controller is obliged, where processing is likely to result in a high risk to the rights and freedoms of natural persons, to carry out, prior to the processing, an impact assessment of the envisaged processing operations on the protection of personal data. A data protection risk impact assessment is especially required in the case of:


(i) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;

(ii) processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences; or

(iii) a systematic monitoring of a publicly accessible area on a large scale.

If the risk impact assessment indicates that the processing would result in a high risk, in the absence of measures taken by the controller to mitigate the risk, the controller is obliged to consult the Commissioner as supervisory authority prior to processing.

(d) Appointing a privacy officer. The controller/processor is obliged to designate a data protection officer in any case where the processing is carried out by a public authority or body, except:

(i) for courts acting in their judicial capacity;

(ii) where the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

(iii) where the core activities of the controller or the processor consist of processing on a large scale of special categories of data and personal data relating to criminal convictions and offences.

Once a privacy officer is appointed, the controller or the processor is obliged to publish the contact details of the data protection officer and communicate them to the Commissioner as supervisory authority.

(e) Informing data subject and Commissioner about the data breach. The controller is obliged to notify a personal data breach to the Commissioner as the supervisory authority, without undue delay, or, where feasible, not later than 72 hours after having become aware of it. In addition, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller is obliged to communicate such breach to the data subject without undue delay, except in cases defined by law.

A processor is obliged to notify the controller without undue delay after becoming aware of a personal data breach.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Serbia? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

Data security is regulated by the LPDP, which prescribes that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, both the controller and processor must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. These measures include, inter alia:

(a) the pseudonymization and encryption of personal data,

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services,


(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, and

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

The controller and processor must take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process such data except on instructions from the controller or where required to do so by law. Furthermore, in assessing the appropriate level of security, the risks presented by processing, in particular the risks from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed, need to be taken into account.

In addition, associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of the national law regulating data protection, including application in respect of the measures aimed at ensuring security of processing.

Also, the data protection officer can play an important role, since he/she informs and gives an opinion to the operator or processor, as well as employees who perform processing operations, on their legal obligations regarding the protection of personal data.

In the end, there is also an obligation of the company acting as controller to seek prior consultation with the Commissioner as supervisory authority in cases where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk. The Commissioner will be obliged to issue an opinion related to this question.

There are no specific resources allocated by the state for the purpose of helping companies address these obligations.

6.2 How are data breaches regulated in Serbia? What are the requirements for responding to data breaches?

If a data breach occurs, the law prescribes obligations for both controller and processor. The controller must, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the Commissioner. The controller has to document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. In addition, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller is obliged to communicate the personal data breach to the data subject without undue delay.

The processor is obliged to inform the controller without undue delay after becoming aware of such breach.

In cases where a data breach has taken place, the law provides various legal remedies aimed at addressing such breaches:

(a) RighttolodgeacomplaintwiththeCommissioner.AdatasubjecthasarighttolodgeacomplaintwiththeCommissioner, ifhe/sheconsidersthattheprocessingofpersonaldatarelatingtohim/herinfringesthenationallawregulatingprivacy.Lodgingacomplaintwith

580

Page 581: Privacy Law: A Global Legal Perspective - Bowmans

PRIVACY LAW – SERBIA

theCommissionerdoesnotinfluencethedatasubject’srighttoinitiatecourtproceedings.TheCommissionerwillinformthecomplainantontheprogressandtheoutcomeofthecomplaintincludingthepossibilityofajudicialremedyagainsttheCommissioner’sdecision.

(b) RighttoaneffectivejudicialremedyagainstaCommissioner’sdecision.Everynaturalorlegalperson,includingthedatasubject,processorandcontroller,hastherighttoaneffectivejudicialremedyagainstalegallybindingdecisionoftheCommissionerconcerningthem,byfilingalawsuitwiththeAdministrativeCourtwithin30daysfromthedayofthereceiptoftheCommissioner’sdecision.AdatasubjectmayalsoinitiateadministrativecourtproceedingsincaseswhentheCommissionerdoesnotrenderadecisionwithin60daysfromthedayofthereceiptofthecomplaintorfailstoinformthecomplainantontheprogressandtheoutcomeof the complaint, including the possibility of a judicial remedy against Commissioner’sdecision.

(c) Righttoinitiatecourtproceedings.Adatasubjecthasarighttoinitiatecourtproceedingsbefore competent court if he/she considers that the controller or processor has infringedhis/herrightswhenprocessingthedatasubject’spersonaldata.Initiatingcourtproceedingsdoes not influence the data subject’s right to initiate other administrative or judicialproceedings.Inthelawsuit,thedatasubjectmayrequestthecourttoobligethedefendantto:

(i) giveinformationthatdatasubjectisentitledtoknow,

(ii) rectifyorerasedata,

(iii) restrictprocessing,

(iv) providedatainastructured,commonlyusedandmachine-readableformat,

(v) transferdatatoanothercontrolleror

(vi) stopdataprocessing.

Inaddition,adatasubjectmayapplytocourttodeterminethatadecisionconcerninghim/herwasmadecontrarytoprovisionsregulatingdecisionsbasedsolelyonautomatedprocessing,includingprofiling.

(d) Right to compensation. Any person who has suffered material or non-material damage as a result of an infringement of the LPDP has the right to receive compensation from the controller or processor for the damage suffered. A controller is liable for such damage, while a processor is liable only where it has not complied with obligations of the law specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller. The controller or processor may be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

Inadditiontolegalremedies,whenassessingdatabreaches,theLPDPprescribestheimpositionofadministrativefines,whichmust,ineachindividualcase,beeffective,proportionateanddissuasive.Beforebeingimposed,allrelevantcircumstanceofthecasemustbetakenintoaccount,includingthenature, gravity and duration of the infringement, the intentional or negligent character of theinfringement,anyactiontakenbythecontrollerorprocessortomitigatethedamagesufferedbydatasubjects,etc.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

Individuals have the following rights with respect to their personal data:

(a) Right to be informed. This right correlates to the controller’s obligation to provide the data subject with all necessary information at the time when personal data is obtained. The information must be provided without undue delay in a concise, transparent, intelligible and easily accessible form, using clear and plain language. However, in cases where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either charge a reasonable fee taking into account the administrative costs of providing the information or refuse to act on the request. Depending on whether processing is carried out by competent authorities for special purposes or not, the list of information which needs to be provided to the data subject will differ. When processing is not carried out for special purposes, the information which needs to be provided includes, inter alia, the following:

(i) the identity and the contact details of the controller and, where applicable, of the controller’s representative,

(ii) the contact details of the data protection officer, if such person has been appointed,

(iii) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing,

(iv) the recipients of the personal data, if any,

(v) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period,

(vi) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing, as well as the right to data portability, etc.

All this information, with small exceptions, must also be provided where personal data has not been obtained from the data subject directly.

Where processing is carried out by a competent authority for special purposes (see question 3.2), the information set out in (iii), (iv) and (v) may be limited, or not provided at all, though only to the extent and for the duration necessary and proportionate.

(b) Right of access. Data subjects have the right to obtain confirmation from the controller as to whether or not personal data concerning them is being processed, and to have access to the personal data and relevant information related to the processing. Depending on whether processing is carried out by competent authorities for special purposes or not, the right to access certain information related to processing will differ.

(c) Right to rectification. This is the right of the data subject to obtain, from the controller without undue delay, the rectification of inaccurate personal data concerning him/her. Taking into account the purposes of the processing, this right also includes the right of the data subject to have incomplete personal data completed, which could include the provision of a supplementary statement.

(d) Right to erasure. This is the right of the data subject to obtain from the controller the erasure of personal data concerning him/her without undue delay. Depending on whether processing is carried out by competent authorities for special purposes or not, the right to access certain information related to processing will differ.

(e) Right to restriction of processing. The data subjects have the right to obtain from the controller restriction of processing. Depending on whether processing is carried out by competent authorities for special purposes or not, the right to access certain information related to processing will differ.

(f) Right to data portability. This right comprises the right of the data subject to receive the personal data concerning him/her, which he/she has provided to a controller, in a structured, commonly used and machine-readable format, and the right to transmit such data to another controller without hindrance from the controller to which the personal data had been provided, where the processing is based on consent and is carried out by automated means. In addition, this right includes the right of the data subject to have the personal data directly transmitted from one controller to another, where this is technically feasible. However, the right to data portability cannot be enforced when processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In addition, it should be noted that the enjoyment of this right must not adversely affect the rights and freedoms of others. The right to data portability does not apply to processing carried out by a competent authority for special purposes.

(g) Right to object. The data subject has the right to object, on grounds relating to his/her particular situation, at any time to processing of personal data concerning him/her in cases when processing is carried out for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or when processing is carried out for the purposes of legitimate interests pursued by the controller or by a third party, including profiling based on these grounds. In addition, data subjects have the right to object, on grounds relating to their particular situation, when their personal data is processed for scientific or historical research purposes or statistical purposes, unless the processing is necessary for the performance of a task carried out for reasons of public interest. The right to object may be exercised by automated means using technical specifications in cases where information society services are used. Once the data subject objects, the controller may no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.

When it comes to processing done for direct marketing purposes, data subjects have the right to object at any time to processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing. The right to object must be explicitly brought to the attention of the data subject at the time of the first communication with the data subject at the latest, and must be presented clearly and separately from any other information.

(h) Right not to be subject to a decision based solely on automated processing, including profiling. Data subjects have this right where the decision produces legal effects concerning them or similarly significantly affects them. Depending on whether processing is carried out by competent authorities for special purposes or not, the enjoyment of this right by a data subject will vary.

Data controllers must facilitate the exercise of data subject rights and provide information on action taken regarding a request to the data subject without undue delay. All the above-mentioned rights may be restricted in situations enumerated by the LPDP if these restrictions do not affect the substance of fundamental rights and freedoms and if they are necessary and proportionate.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

The main requirement for processing of personal data for the purpose of sending direct marketing communications such as push notifications, emails or mobile text messages is informed consent of the data subject. The data subject must be informed on:

(a) all aspects of marketing communications which involve processing of his/her personal data (eg, e-mail address, telephone number etc.),

(b) the scope of the marketing communication, and

(c) his/her right to revoke consent and on the means of revocation.

Pursuant to the Advertising Law, as well as the LPDP, consent once given can be revoked by the data subject at any time without meeting any special requirements. Revocation of consent leads to immediate cessation of data processing for this particular purpose, but does not, in any way, impact processing done before the moment of revocation of consent.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

The use of tracking technologies is not explicitly regulated in the Serbian legal system; therefore, the general rules of the LPDP apply. This means, practically, that potential subjects of tracking technologies must give their consent for their use and be informed on all aspects of processing of their personal data via these tracking technologies.

For example, in terms of cookies on a particular website, visitors must be introduced, during their first visit to the site, to the site’s cookie policy, and their consent regarding the use of cookies in the way described in the policy must be given (usually by clicking “I Agree” or “Enable Cookies” on the cookie notice).

Furthermore, visitors must also be given an opportunity to inform themselves on all aspects of usage and activation/deactivation of cookies on the website, such as:

(a) what are cookies?

(b) which types of cookies exist, and which cookies are active on the site?

(c) what types of data do they gather exactly, and what is their purpose?

(d) how is personal data of visitors used, etc?

Visitors must also be made aware that they can disable cookies that they don’t want to be active during their stay on the website at any time.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

Behavioral advertising is not explicitly regulated by the Serbian legal system; therefore, the general rules of the LPDP apply. As for targeted advertising (in the context of direct advertising, or marketing), the Advertising Law requires the prior consent of the targeted subject, which can be revoked at any time.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

In order to share data with any third parties for the purpose of customer matching and audience building, advertisers must comply with the general rules of the LPDP.

First and foremost, advertisers must have, as a legal basis for every processing activity involved in customer matching, including data sharing for the purpose of customer matching and audience building, clear and informed consent obtained directly from the data subjects. The notice in this case must, as any other standard privacy notice, present all relevant information regarding the processing/sharing of personal data of data subjects in a clear and transparent manner.

Data subjects must also be made aware of the fact that they can revoke their consent freely, at any time, and without meeting any special requirements, and of the means of revocation.

8.5 Are there specific privacy rules governing data brokers?

There are no particular rules that govern data brokers; therefore, the general rules on personal data protection apply.

8.6 How is social media regulated from a privacy perspective?

Social media is not explicitly regulated by the Serbian legal system; therefore, the general rules on personal data protection apply.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

In accordance with the general rules of the LPDP, the company which is the organizer of a loyalty program, as the data controller, must obtain prior consent and notify all users of the program on all important aspects of processing of their personal data for this purpose.

This is usually done via the company’s loyalty program privacy notice, which must contain all relevant information regarding personal data processing, such as:

(a) basic information about the controller;

(b) which personal data is being collected;

(c) the existence of the controller’s legitimate interest for processing (if it exists);

(d) how is the personal data collected;

(e) what is the legal basis for processing;

(f) what is the purpose of personal data processing;

(g) how is the personal data stored and what data security measures are implemented;

(h) what are the rights of data subjects with regards to processing of their personal data by the controller, with special attention to their right of revocation of consent for personal data processing;

(i) who else besides the controller has access to their personal data;

(j) is the personal data transferred outside the country;

(k) for how long their personal data is stored by the controller;

(l) what data security measures have been implemented;

(m) contact information of the controller’s data protection officer (“DPO”); and

(n) any other relevant information.

Regarding promotions, if personal data of consumers is involved in any way, prior consent or, in some cases, legitimate interest of the controller for its use is required, pursuant to the general rules of the LPDP.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

Data transfer under the LPDP is governed by a slightly different set of rules than those contained in the GDPR. Although most essential parts remain the same, there are some specific differences that need to be pointed out.

The transfer can be done in the following cases:

(a) Transfer based upon the adequate level of protection: ie, in cases where the transfer is made to one of the states or international organizations which are members of the EEA, or that are listed by the Serbian government as entities which provide an adequate level of data protection.

(b) Transfer based upon adequate measures for data protection: If the transfer is not made to a country to which (a) applies, the controller and processor are responsible for providing adequate measures of data protection for that transfer. The stated obligation can be fulfilled in different ways, as stated by law (eg, a legally binding act between two authorities, standard contract clauses made by the Commissioner, binding corporate rules, code of conduct, etc).

(c) Transfer of data in special situations: If it is not possible to fulfil the requirements of (a) or (b), the data transfer can be performed only in some specific cases (eg, the transfer is authorized by the data subject, the transfer is necessary for the execution of a contract between the data subject and the controller, the transfer is necessary for the protection of an important public interest prescribed by law, etc). This kind of data transfer obliges the controller to provide specific information to the data subject, and, in some cases, to inform the Commissioner about the data transfer.

(d) Transfer of data made by the competent authorities for specific purposes: This kind of transfer is governed by its own specific rules. It is not, in detail, prescribed by the GDPR, but it is partially implemented into the LPDP from the EU Police Directive. A large number of important articles of the LPDP, including those regarding data transfer, have prescribed either exceptions to, exclusions from, or a completely new set of rules governing the data transfer done by the competent authorities for specific purposes. The main problem is that, although “data processing for specific purposes” is prescribed (ie, processing for the purpose of criminal investigations, public and national safety, prosecuting of criminals, etc), it is not precisely prescribed which are the competent authorities that are authorized to perform that kind of processing, and therefore the transfer. For that reason, it is safe to say that the data transfer requirements and restrictions that are in force in cases of data processing and transfer by the competent authorities for specific purposes are different from those in force for other entities.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

Article 67 of the LPDP allows companies to pass so-called “binding corporate rules” which can apply instead of the general rules of the LPDP in situations when personal data is transferred between companies which are members of the same group or are members of the same multinational company.

The Commissioner will approve binding corporate rules within 60 days from the date of application for their approval if they fulfil the following conditions:

(a) they are legally binding, applicable to and enforced by each member of a multinational company or group of economic entities, including their employees;

(b) they explicitly ensure the exercise of the rights of data subjects in connection with the processing of their data; and

(c) they meet certain specified criteria.

The Commissioner may further regulate the way information is exchanged between controllers, processors and the Commissioner.

If all these conditions are fulfilled, the Commissioner will approve binding corporate rules within 60 days from the date of application for their approval. However, if the data processing is undertaken by the competent authority, the rules referred to in this question will not apply.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

Under the LPDP, controllers and processors can be fined between 5,000–2,000,000 RSD (approx 40–16,900 EUR) for violation of the rules concerning privacy and processing of personal data. Fines can also be levied on entrepreneurs, on responsible office holders and on other natural persons in certain cases.

The Law on Information Security also prescribes that a fine of RSD 50,000.00–2,000,000.00 may be imposed on the ICT system operator of special significance (essential service provider, as defined in the NIS Directive) for a misdemeanor related to personal data, among other things, and a responsible person within the ICT system operator of special importance may also be fined.

Finally, the Serbian Criminal Code prescribes fines, as well as imprisonment for up to 3 years, for criminal acts related to violation of rules regarding personal information, such as the unauthorized disclosure of a secret, breach of secrecy of letters and other items, unauthorized wiretapping and recording, unauthorized photography, unauthorized publication and display of other people’s files, portraits and footage, and unauthorized collection of personal information.

10.2 Do individuals have a private right of action? What are the potential remedies?

A data subject has the right to file a complaint with the Commissioner if he/she considers that the processing of his/her personal data has been carried out contrary to the provisions of the LPDP. Filing a complaint with the Commissioner does not affect this person’s right to initiate other administrative or judicial protection proceedings, eg, filing lawsuits before the national civil courts and filing lawsuits to administrative courts against the Commissioner’s decision. The same rule applies to all other cases of seeking administrative or judicial protection.

Furthermore, the data subject, the controller, the processor, or other natural or legal person to whom the Commissioner’s decision applies, may initiate an administrative dispute against that decision within 30 days from the day of receiving the decision. If the Commissioner does not act on the complaint or fails to act within 60 days from the day of filing the complaint, the data subject has the right to initiate an administrative dispute.

The data subject is also entitled to judicial protection if he/she believes that the LPDP has been violated by the controller or processor by the processing of his/her personal data.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Serbia which affect privacy?

There are no rules that are particular to the culture of Serbia which affect privacy.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

As the new LPDP has only recently been adopted and began to apply as from August 21, 2019, numerous theoretical, practical and legal clarifications should be expected in the coming period.

All bylaws envisaged by the LPDP are to be adopted by May 21, 2020, and the provisions of other laws relating to the processing of personal data are to be harmonized with the provisions of the LPDP by the end of 2020.

In which direction these clarifications and harmonization will go, and where it will start, remains to be seen.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Serbia?

The new LPDP, which is based heavily on the provisions of the EU’s GDPR, prescribes much stricter terms and requirements under which personal data can be processed. The severity of sanctions and penalties for unlawful personal data processing has also been increased.

Companies which are based in Serbia or are based abroad but conduct processing of personal data in Serbia in any way should conduct their processing on a lawful basis and, in general, be as transparent as possible towards the data subjects and authorities regarding personal data processing.

Data subjects should also be regularly notified on any changes in processing of their personal data and be given full freedom whenever possible to decide what happens to their personal data and how it is processed, unless processing of certain types of data in a certain way is required by law or at the request of a competent authority.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

In the area of personal data protection, the only major recent development has been the adoption of the new LPDP in 2018. The new LPDP offers fresh updates and solutions to existing problems not covered by the previous Law and brings the Serbian legal system one step closer to harmonization with the legal system of the European Union.

Also worthy of note, many other laws adopted in the past few years have paid much closer attention to personal data protection in their respective areas, going so far as to prescribe special rules to strengthen and specify existing personal data protection procedures.

The main reason for these changes is Serbia’s aspiration to become a full-fledged member of the European Union, as well as to create a safer, more regulated and stable environment for the flow and processing of personal information of its citizens.

12.2 What do you envision the privacy landscape will look like in 5 years?

The Serbian privacy landscape in 5 years’ time will largely depend on the process of Serbia’s accession to the European Union. In addition, due to rapid growth of the “information market” and the rise of new technologies, it is reasonable to expect that the existing LPDP will have to be amended and supplemented with bylaws in order to stay relevant and in touch with the coming times and developments.

Furthermore, in order to ensure a greater degree of data protection, it can be expected that the capacity of the Commissioner to monitor and enforce the application of existing data protection rules and procedures will be bolstered and enhanced in the coming period.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

The main challenge that companies face currently due to the adoption and application of the GDPR and the application of the new LPDP in Serbia is the harmonization of the companies’ internal documentation, acts and procedures.

Given the fact that the new LPDP, which is heavily based on the GDPR, prescribes, in detail, numerous new requirements, obligations and terms that must be met in regards to processing of personal data, mechanisms that are yet to be implemented and tested in practice, and much harsher fines, all companies that undertake processing of personal data in any way must rush to make amendments to their internal documentation, including contracts where these concern personal data processing.

Depending on the scope of processing of personal data undertaken by a particular company, this can be a very time-consuming and expensive process, and even confusing at times, given the magnitude of changes which have been brought in at once.

Finally, taking into account that the new LPDP has only recently been adopted, the lack of Commissioner’s and judicial legal practice also represents a serious challenge in the new privacy landscape that companies must navigate. Only with further rulings and decisions in the application of the new LPDP will companies be able to conduct their business in line with data protection rules and procedures with greater certainty.

PRIVACY LAW – SINGAPORE

1 PRIVACY LAW

1.1 How is privacy regulated in Singapore?

There is no overarching legislation in Singapore which governs the regulation of privacy. Be that as it may, there are laws which regulate, inter alia, the access to and the processing of personal data, in addition to sector-specific legislation, including, but not limited to, the following:

(a) Personal Data Protection Act 2012 (No 26 of 2012) (“PDPA”);

(b) Banking Act (Cap. 19);

(c) Central Provident Fund Act (Cap. 36);

(d) Computer Misuse Act (Cap. 50A);

(e) Cybersecurity Act 2018 (No 9 of 2018);

(f) Electronic Transactions Act (Cap. 88);

(g) Official Secrets Act (Cap. 213);

(h) Spam Control Act (Cap. 311A) (“SCA”);

(i) Statistics Act (Cap. 317);

(j) Statutory Bodies and Government Companies (Protection of Secrecy) Act (Cap. 319); and

(k) Telecommunications Act (Cap. 323).

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

See question 1.1. In addition, the main obligations that parties (including, but not limited to, advertisers) will need to comply with under the PDPA are set out below:

(a) Consent: Parties may collect, use or disclose personal data for purposes for which an individual has given his/her consent, express or implied. Individuals should also be allowed to withdraw such consent, upon reasonable notice. Upon withdrawal of consent to the collection, use or disclosure for any purpose, parties must cease such collection, use or disclosure of the personal data for such purpose.

(b) Notification: The individual must be notified of the purposes for the collection, use or disclosure of the personal data on or before such collection, use or disclosure.

(c) Purpose: Parties may collect, use or disclose personal data only for the purposes that a reasonable person would consider appropriate in the circumstances and for which the individual has given consent, and not for any other purposes. Parties may not, as a condition of providing a product or service, require the individual to consent to the collection, use or disclosure of his/her personal data beyond what is reasonable to provide that product or service.

(d) Withdrawal of consent: While not specifically required under the PDPA, it is considered prudent practice to expressly inform the individual that he/she may withdraw consent to the use of his/her personal data (not limited to the receiving of promotional/advertising materials from the parties) and the manner in which such withdrawal should be communicated to the parties. Parties are required by law to cease any collection, use or disclosure of the personal data for any purpose for which consent has been withdrawn.

(e) Sharing of personal data: Parties need to comply with the PDPA regardless of where the personal data is transferred. This also applies to parties transferring data outside Singapore to related entities within a group. As such, parties should engage the parties to which they transfer data in order to provide for the protection of personal data outside Singapore, so that the standard of protection of personal data so transferred is comparable to the protection under the PDPA.

(f) Disclosure of personal data to third parties: An organization is considered a data intermediary if it processes data on behalf of another organization. Where an individual discloses information to third parties by/through a website, if any of the parties’ related entities or third parties process such personal data as a data intermediary pursuant to a contract with the third parties evidenced or made in writing, the parties will remain liable for the protection and retention of personal data so disclosed.

(g) Disclaimer of liability for unauthorized access: Under the PDPA, parties are statutorily required to protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks. Such liability cannot be wholly disclaimed if reasonable measures for protection of personal data have not been taken. Under the PDPA, both parties and their officers can be held liable for any breach of the provisions of the PDPA.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

The PDPA confers various powers on the Personal Data Protection Commission (“PDPC”) to enforce provisions of the PDPA. These powers may generally be categorized as follows:

(a) Powers relating to investigation: The PDPC is empowered to determine whether an organization is complying with the PDPA and to direct an organization that is not complying to take the appropriate action to ensure its compliance.

(b) Powers relating to review: The PDPC is empowered to review an organization’s reply to a request made by an individual authorized under the PDPA and to confirm the organization’s reply or direct the organization to take certain action in relation to the individual’s request.

(c) Powers relating to alternative dispute resolution: These powers generally relate to the manner in which a complainant and an organization may resolve the complaint, eg, through mediation or other modes of dispute settlement.

2 SCOPE

2.1 Which companies are subject to privacy law in Singapore?

The provisions of the PDPA apply to all persons and entities; however, they do not impose any obligations on:

(a) any individual acting in a personal or domestic capacity;

(b) any employee acting in the course of his employment with an organization;

(c) any public agency or an organization in the course of acting on behalf of a public agency in relation to the collection, use or disclosure of the personal data; or

(d) any other organizations or personal data, or classes of organizations or personal data, prescribed for the purposes of this provision.

Further, business contact information is not covered under the provisions of the PDPA.

2.2 Does privacy law in Singapore apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

The data protection obligations under the PDPA apply to all organizations which collect, use or disclose personal data in Singapore, irrespective of whether or not they are incorporated or formed under Singapore law, and whether or not they are resident or have an office or place of business in Singapore.

In addition, the Do-Not-Call requirements and obligations under the PDPA apply to all organizations which send marketing messages to a Singapore telephone number.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Singapore?

Section 2 of the PDPA defines “personal data” as ‘data, whether true or not, about an individual who can be identified:

(a) from that data; or

(b) from that data and other information to which the organization has or is likely to have access.’

Indeed, the term “personal data” is not intended to be narrowly construed and may cover different types of data about an individual and from which an individual can be identified, regardless of such data being true or false or whether the data exists in electronic or other form.

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

The PDPA does not expressly draw a distinction between different types of personal data. Further, the PDPA does not define “sensitive personal data”. Be that as it may, the Advisory Guidelines on Key Concepts in the Personal Data Protection Act published by the PDPC recognize that more stringent measures may be required for organizations to meet their obligations in respect of sensitive personal data. The Guidelines also specify that it would be an aggravating factor for organizations handling sensitive personal data not to have adequate safeguards to protect such data from the harm that may result from its disclosure.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

Please refer to the preceding paragraphs.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

Every organization is required to comply with the provisions contained in the PDPA. Be that as it may, a data intermediary that processes personal data on behalf of and for the purposes of another organization will only be subject to the data protection provisions of the PDPA which relate to the protection and retention of personal data, and not to any of the other data protection provisions.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

Organizations are required to comply with the following obligations, inter alia:

(a) consent;

(b) purpose limitation;

(c) notification;

(d) access and correction;

(e) accuracy;

(f) protection;

(g) retention limitation;

(h) transfer limitation; and

(i) accountability (including the appointment of a data protection officer, and the development and implementation of data protection policies and practices).

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Singapore? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

Section 24 of the PDPA requires an organization to make reasonable security arrangements to protect personal data in its possession or under its control in order to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal and/or similar risks. Indeed, the PDPC has recognized that there is no ‘one size fits all’ solution for organizations to comply with this obligation. Each organization should consider adopting security arrangements that are reasonable and appropriate in the circumstances, eg, bearing in mind the nature of the personal data, the form in which the personal data has been collected (ie, whether physical or electronic) and the possible impact to the individual concerned if an unauthorized person obtained, modified and/or disposed of the personal data.


In practice, organizations are expected to:

(a) design and organize their security arrangements to fit the nature of the personal data held by them and the possible harm that might result from a security breach;

(b) identify reliable and well-trained personnel responsible for ensuring information security;

(c) implement robust policies and procedures for ensuring appropriate levels of security for personal data of varying levels of sensitivity; and

(d) be prepared and able to respond to information security breaches promptly and effectively.

Further guidance can be obtained from the Advisory Guidelines on Key Concepts in the Personal Data Protection Act published by the PDPC. It is useful for organizations to undertake a risk assessment exercise to ascertain whether their information security arrangements are adequate. In doing so, the following factors may be considered:

• the size of the organization and the amount and type of personal data it holds;

• who within the organization has access to the personal data; and

• whether the personal data is or will be held or used by a third party on behalf of the organization.

6.2 How are data breaches regulated in Singapore? What are the requirements for responding to data breaches?

Currently, there are no mandatory data breach notification requirements under the PDPA. Be that as it may, the PDPC recently published a revised Guide to Managing Data Breaches 2.0, which indicates that the PDPC intends to introduce a mandatory data breach notification requirement under the PDPA in the near future.

Under the revised Guide, organizations are expected to take the following steps in case of a data breach:

(a) contain the data breach to prevent further compromise of personal data;

(b) assess the data breach by gathering the facts and evaluating the risks, including the harm to affected individuals. Where assessed to be necessary, continuing efforts should be made to prevent further harm even as the organization proceeds to implement full remedial action;

(c) report the data breach to the PDPC and/or affected individuals, if necessary; and

(d) evaluate the organization’s response to the data breach incident and consider actions which could be taken to prevent future data breaches. Remediation efforts may continue to take place at this stage.

The PDPC advises organizations to report data breaches to the PDPC within 72 hours where the breach is either likely to result in significant harm or impact to individuals, or is of ‘significant scale’. Further, organizations are advised to assess expeditiously whether a potential breach meets this reporting threshold, and in any event within 30 days from learning of a potential data breach.


7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

The PDPA recognizes the rights of individuals to the protection of their personal data, including, but not limited to, the right of access to and correction of the data.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

The PDPC maintains a Do Not Call Register. Generally, prior to sending a marketing SMS to a Singapore telephone number (where the subscriber is an individual), an entity must apply to the Do Not Call Registry (“Registry”) to confirm whether the number is listed in the Register, unless it has obtained prior clear and unambiguous consent from the subscriber of the number.

Business-to-business (“B2B”) marketing calls, SMSs/MMSs and fax messages do not fall within the ambit of the Registry. Hence, it is permissible for parties to send B2B SMSs without fulfilling these requirements, where the subscriber of the number is a corporate entity and not an individual. However, the subscribers enlisted with the telcos are often individuals and not the corporate entities which employ them. Ascertaining whether each of the numbers to which the SMS will be sent is registered in the name of an individual or a corporate entity is likely to be cumbersome. Hence, the safe and easier alternative is to carry out the check on the Register and/or obtain unambiguous consent from the individual prior to sending a marketing SMS.

The Registry allows subscribers of Singapore telephone numbers to opt out of marketing calls, SMSs and faxes to their numbers by registering in any or all of the three Do Not Call Registers (ie, the No Voice Call Register, the No Text Message Register and the No Fax Message Register). As mentioned above, parties should apply to the Registry to confirm whether the number is listed in the respective Register. If parties have an ongoing relationship with a subscriber of a Singapore telephone number (and have obtained clear and unambiguous consent), they may send marketing SMSs to the number without checking with the Registry. Each exempt SMS must contain an opt-out facility that the subscriber can use to opt out from receiving such SMSs. If a subscriber opts out, the parties can no longer rely on the exemption and must stop sending further marketing SMSs to the number within 30 days.

The Do-Not-Call framework set out in the PDPA covers only telephone calls, SMSs and faxes. It does not cover emails or mail delivered by post. Hence, organizations that wish to avoid the onerous requirements of the PDPA can consider sending emails instead of SMSs (although this may be slightly less effective from a marketing perspective). However, prior to sending marketing emails, parties need to ensure that they comply with the requirements set out in the SCA, which regulates the sending of unsolicited commercial electronic messages in bulk. The requirements of the SCA can be considered less onerous than those of the PDPA.

The SCA stipulates that the following must be complied with:

(a) the title in the subject field should not be false or misleading as to the content of the message;


(b) the letters “<ADV>” followed by a space should be set out before the title in the subject field (or, if there is no subject field, in the words first appearing in the message) to clearly identify that the message is an advertisement;

(c) the header information should not be false or misleading; and

(d) an accurate and functional email address or telephone number by which the sender can be readily contacted should be set out.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

The PDPA also applies to the collection, use or disclosure of personal data using cookies and other tracking technologies. The Advisory Guidelines on the Personal Data Protection Act for Selected Topics published by the PDPC provide as follows:

(a) The obligation to obtain the individual’s consent for the collection of his personal data rests with the organization that is collecting such personal data, whether by itself or through its data intermediaries.

(b) Where an organization operates a website which a third party uses to collect personal data, and the website operator itself is not collecting such personal data, the obligation is on the third-party organization to obtain the consent required to collect such personal data.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

The PDPA also applies to targeted advertising and behavioral advertising. Where targeted advertising and behavioral advertising involve the collection and use of personal data, the individual’s consent must be obtained.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

Under the PDPA, organizations must notify an individual of the purposes of the collection, use and disclosure of personal data before collecting it, and must obtain consent. If organizations intend to share personal data for a purpose different from the original purpose for which consent has been obtained, they must inform the individuals of the new purpose and obtain fresh consent.

8.5 Are there specific privacy rules governing data brokers?

The general principles enunciated in the PDPA apply with equal effect to data brokers.

8.6 How is social media regulated from a privacy perspective?

The Advisory Guidelines on the Personal Data Protection Act for Selected Topics published by the PDPC provide the following guidance: the PDPA does not require organizations to obtain the consent of the individual when collecting personal data that is publicly available. Examples of publicly available sources are newspapers, telephone directories and websites containing content which is generally available to the public. Where social networking sources are publicly available, the PDPA does not prohibit organizations from collecting personal data about an individual without his/her consent. Please refer to the section on “The Consent Obligation” in the Key Concepts Guidelines for more explanation of the ‘publicly available data’ exception.


8.7 How are loyalty programs and promotions regulated from a privacy perspective?

The general principles enunciated in the PDPA apply with equal effect to loyalty programs and promotions.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

Section 26 of the PDPA limits the ability of an organization to transfer personal data outside Singapore. Specifically, Section 26(1) of the PDPA provides that an organization must not transfer any personal data to a country or territory outside Singapore except in accordance with requirements prescribed under the PDPA to ensure that organizations provide a standard of protection to personal data so transferred that is comparable to the protection under the PDPA.

An organization may transfer personal data overseas if it has taken appropriate steps to ensure that it will comply with the data protection provisions in respect of the transferred personal data while such personal data remains in its possession or under its control; and, if the personal data is transferred to a recipient in a country or territory outside Singapore, that the recipient is bound by legally enforceable obligations to provide to the personal data transferred a standard of protection that is comparable to that under the PDPA.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

Please see question 9.1.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

The Guide on Active Enforcement published by the PDPC provides the following guidance:

(a) As a matter of enforcement policy, the PDPC’s approach is first to consider the nature of the breach and whether Directions without financial penalties are effective in remedying the breach. Financial penalties are intended to act as a form of sanction and deterrence against non-compliance when Directions alone do not sufficiently reflect the seriousness of the breach. In considering whether to direct an organization to pay a financial penalty, the PDPC will take into account the seriousness of the incident of the breach. Generally, financial penalties are reserved only for breaches which the PDPC views as particularly serious in nature. In assessing the seriousness of the breach, the PDPC considers a number of factors, including but not limited to the following:

(i) impact of the organization’s breach;

(ii) whether the organization had acted deliberately or willfully;

(iii) whether the organization had known or ought to have known the risk of a serious contravention and failed to take reasonable steps to prevent it;


(iv) extent of non-compliance in terms of the PDPA obligations that the organization had failed to discharge;

(v) number of individuals whose personal data had been subjected to harm and risks as a result of the breach;

(vi) whether the organization had appointed a DPO or equivalent to ensure accountability with the PDPA;

(vii) types of personal data that were compromised or put at risk as a result of the breach; and

(viii) whether the organization had previously been found to have similarly breached the PDPA.

(b) The PDPC determines each case on its own merits and circumstances. However, the PDPC adopts an objective approach to assess the seriousness of a breach of the data protection provisions of the PDPA, by considering how a reasonable organization should behave in a particular situation. Where a financial penalty is warranted, the PDPC adopts the following principles to determine the amount:

(i) the amount should be proportionate to the seriousness of the breach;

(ii) the amount should provide sufficient deterrence against future or continued non-compliance by the organization and others;

(iii) the amount should take into account aggravating and mitigating factors, namely:

• cooperativeness of the organization in the course of investigations;

• whether remedial action(s) were implemented;

• whether there was voluntary notification of the data breach;

• whether the organization had engaged with the affected individuals in a meaningful manner and had voluntarily offered a remedy, and whether the individuals had accepted the remedy; and

• whether the organization admitted to liability for the data breach.

10.2 Do individuals have a private right of action? What are the potential remedies?

The PDPA provides individuals with the right to commence a private action against an organization where such an individual has suffered loss or damage as a direct result of non-compliance by the organization with the data protection provisions under the PDPA, subject, of course, to certain limitations. Be that as it may, where the PDPC has issued a decision under the PDPA in respect of such a contravention, the right to commence a private action is only exercisable after the decision issued by the PDPC becomes final and all avenues of appeal have been exhausted.

The Court may grant such relief as it thinks fit, including, but not limited to, an injunction or damages.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Singapore which affect privacy?

No.


11.2 Are there any hot topics or laws on the horizon that companies need to know?

As mentioned in question 6.2, changes are anticipated in the near future in relation to the data breach notification requirements and obligations.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Singapore?

• It is imperative to have a comprehensive data protection policy in place.

• Appoint a data protection officer.

• Carry out periodic audits.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

The enactment of the PDPA in 2012 ushered in much-needed changes to the privacy landscape in Singapore. These changes were propelled by the need to strike a balance between protecting individuals’ personal data and organizations’ need to obtain and process such data for legitimate purposes.

12.2 What do you envision the privacy landscape will look like in 5 years?

The Singapore regime is likely to move towards a GDPR-like regulatory regime over the next few years.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

The law struggles to keep pace with the advancement of technology. Similarly, companies constantly struggle to keep pace with technological advancements whilst balancing the obligations set out in existing legislation. Be that as it may, the PDPC has done a commendable job in educating all stakeholders, and in constantly attempting to disseminate guidance and information pertaining to the PDPA and the regulatory regime.


PRIVACY LAW – SOUTH AFRICA

1 PRIVACY LAW

1.1 How is privacy regulated in South Africa?

Dedicated data protection legislation is not yet in force in South Africa and thus privacy law is dealt with on a piecemeal basis by various pieces of legislation.

A dedicated data protection law in the form of the Protection of Personal Information Act 2013 (“POPI”) has been promulgated but is not yet in force. The answers to the questions which follow will be with reference to the data protection system that will be put in place by POPI, as well as to current legislation that covers the same to a limited extent.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

(a) The Consumer Protection Act 2008 (“CPA”) contains some specific provisions relating to direct marketing and consumer privacy.

(b) The National Credit Act 2005 (“NCA”) regulates the privacy of credit information.

(c) The Electronic Communications and Transactions Act 2002 (“ECTA”) contains certain voluntary data protection provisions in the context of electronic communication.

(d) The Promotion of Access to Information Act 2000 (“PAIA”) regulates access to information held by public and private bodies.

(e) The right to privacy is also enshrined in section 14 of the Constitution of the Republic of South Africa, 1996 (the “Constitution”).

(f) Once POPI is in force it will be the key legislation regulating privacy, to the extent that there is no other existing legislation which provides greater protection to privacy than POPI.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

POPI establishes the office of the Information Regulator, which will be responsible for overseeing the protection of personal information.

2 SCOPE

2.1 Which companies are subject to privacy law in South Africa?

POPI applies to the processing of information by or for a responsible party (including a company) domiciled or established in South Africa.

2.2 Does privacy law in South Africa apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

POPI applies to a responsible party domiciled outside the country only if the processing uses automated or non-automated means situated in South Africa, unless those means are used only for forwarding personal information. Where information is processed by non-automated means, it must form part of a filing system or be intended to form part of one in order for POPI to apply.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in South Africa?

“Personal Information” is defined in POPI as ‘information relating to an identifiable, living, natural person and, where it is applicable, an identifiable, existing juristic person’.

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

POPI provides for a category of “special personal information” that is afforded a higher degree of protection by prohibiting the processing of this information unless the specific circumstances listed in POPI are present. Special personal information is information relating to the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject, or the criminal behavior of a data subject to the extent that such information relates to the alleged commission by a data subject of any offence, or any proceedings in respect of any offence allegedly committed by a data subject, or the disposal of such proceedings.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

POPI provides for eight key information processing principles, which form the core of the legislation:

(a) Accountability — an obligation is placed on the responsible party to ensure that the principles for key information processing and all measures giving effect to such principles are complied with throughout the entire processing.

(b) Processing limitation — the processing of personal information must be lawful, and information may only be processed if it is adequate, relevant and not excessive given the purpose for which it is processed.

(c) Purpose specification — the collection of personal information must be for a specific and lawful purpose related to a function or activity of the responsible party, and the necessary steps must be taken by the responsible party to ensure that the data subject is aware of the purpose for which the personal information is being collected, subject to the exemptions in POPI.

(d) Further processing limitation — an obligation is placed on a responsible party to ensure that the further processing of information is compatible with the purpose for which it was initially collected, using the determination criteria included in POPI.

(e) Information quality — the responsible party must take the necessary steps to ensure that the personal information is complete, accurate, not misleading and updated to the extent necessary having regard to the purpose for which the personal information is collected or further processed.

(f) Openness — the responsible party must provide the data subject with certain prescribed information such as the name and address of the responsible party, the information being collected and whether the supply of the information by the data subject is voluntary or mandatory. In addition, this principle sets out that personal information may only be processed by a responsible party that has notified the Information Regulator.

(g) Security safeguards — the responsible party must take appropriate, reasonable technical and organizational measures to protect the integrity and confidentiality of the personal information in its possession. In addition, specific obligations are placed on an operator when processing information on behalf of a responsible party.

(h) Data subject participation — a data subject has the right to access information held by a responsible party or which has been made available to a third party, to request a responsible party to delete inaccurate, irrelevant and unlawfully obtained information, and to request that a responsible party delete information which the responsible party is no longer authorized to retain.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

POPI distinguishes between responsible parties and operators:

(a) A “responsible party” is ‘a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information’.

(b) An “operator” is ‘a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party’.

A responsible party will be obliged to conclude an operator agreement with an operator in order to regulate the operator’s processing of personal information for the responsible party.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

When POPI comes into force, a responsible party will need to provide data subjects with a notice relating to its processing of personal information. Generally, this will be in the form of a privacy policy that will be displayed on the responsible party’s website.

POPI will require a responsible party to appoint an information officer, who will need to be registered with the Information Regulator.

Under POPI, a responsible party will not need to register with the Information Regulator in order to process personal information. However, it will need prior authorization from the Information Regulator in certain instances, for example when it intends to transfer special personal information or children’s personal information to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information.


6 DATA SECURITY AND BREACH

6.1 How is data security regulated in South Africa? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

POPI requires a responsible party to secure the integrity of personal information in its possession by taking appropriate, reasonable technical and organizational measures to prevent any loss of, unauthorized destruction of, or unlawful access to or processing of personal information. In addition, a responsible party must take reasonable measures to:

(a) identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;

(b) establish and maintain appropriate safeguards against the risks identified;

(c) regularly verify that the safeguards are effectively implemented; and

(d) ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

Lastly, a responsible party and an operator must have regard to generally accepted information security practices and procedures which apply to it generally or in respect of a specific industry or professional rules and regulations. No specific standards have been prescribed.

6.2 How are data breaches regulated in South Africa? What are the requirements for responding to data breaches?

A security compromise occurs when personal information has been accessed or acquired by any unauthorized person. POPI requires that the responsible party notify the Information Regulator and the data subject when a security compromise has taken place.

The data subject must be notified in writing as soon as reasonably possible once it has been discovered that there is a security breach, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the breach and to restore the integrity of the responsible party’s information system. A delay in the notification of the data subject may only occur if the South African Police Service, the National Intelligence Agency or the Information Regulator determines that notification will impede a criminal investigation.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

POPI affords the data subject various rights in relation to the processing of their personal information. These rights include the right to request the correction, destruction or deletion of the data subject’s personal information. The data subject can request that personal information be deleted if it is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully, or if the responsible party is no longer authorized to retain it.


8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

The CPA and the ECTA regulate direct marketing in South Africa on an opt-out basis. The CPA gives consumers the right to restrict unwanted direct marketing by requiring any person who approaches the consumer for purposes of direct marketing to desist, within a reasonable time, from initiating any further communication. The ECTA provides that the sender of unsolicited communications must provide the recipient with the option to stop such communications. At the recipient’s request, the sender must also provide the recipient with identifying particulars of the source from whom the sender obtained the recipient’s personal information.

When POPI comes into force, direct marketing will be regulated on an opt-in basis. Processing of personal information for the purpose of direct marketing will be prohibited unless the data subject consents to such processing or the data subject is a customer of the responsible party. Even if the data subject is a customer of a responsible party, the information may still only be processed in specific circumstances, such as where the purpose of the direct marketing is the marketing of the responsible party’s own similar products or services. In addition, any communication initiated for the purpose of direct marketing must contain details of the identity of the sender or the person on whose behalf the communication has been sent, and an address or other contact details to which the recipient may send a request that such communication must cease.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

Tracking technologies such as cookies are not specifically regulated in South Africa; however, the principles of POPI will apply once it is in force, even though this aspect is not directly addressed by POPI.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

This is not specifically regulated in South Africa; however, the principles of POPI will apply once it is in force, even though this aspect is not directly addressed by POPI.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

This is not specifically addressed in POPI. However, the responsible party must ensure that the sharing of data is in accordance with the obligations imposed by POPI once it is in force.

8.5 Are there specific privacy rules governing data brokers?

POPI does not contain provisions relating directly to data brokers.

8.6 How is social media regulated from a privacy perspective?

In the same fashion as other customer information, any and all information collected via social media will be governed by POPI.


8.7 Howareloyaltyprogramsandpromotionsregulatedfromaprivacyperspective?

LoyaltyprogramsprocessalotofinformationandthuswillalsobegovernedbyalltheprinciplesofPOPIinrespectoftheprocessingofcustomers’personalinformation.Thismayinclude,amongstotherthings,obtainingtheconsentfromthecustomertotracktheirpurchasesinordertopromoteproductsinthefuturebasedonthecustomer’sbuyingpatternsornotifyingtheclientthattheirinformationwillbeusedforthispurpose.

9 DATATRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions ontransferringdataoutsidethecountryorbetweengroupcompanies)?

POPIprohibitsthetransferringofdatatothirdpartiesinaforeigncountryunlessoneormoreofthefollowingcircumstancesareapparent:

(a) therecipientofsuchdataissubjecttoalaw,abindingcodeofconductoracontractwhichupholds theprinciples forreasonableprocessingof information inasimilar fashion to theinformationprinciplessetoutinPOPI;

(b) thedatasubjectconsentstothetransfer;

(c) thetransferisnecessaryfortheperformanceofacontractbetweenthedatasubjectandtheresponsibleparty,orfortheimplementationofpre-contractualmeasurestakeninresponsetothedatasubject’srequest;

(d) thetransfer isnecessaryfortheconclusionofacontract inthe interestof thedatasubjectbetweentheresponsiblepartyandthirdparty;or

(e) thetransferisforthebenefitofthedatasubjectanditisnotreasonablypracticabletoobtaintheconsentofthedatasubjecttothetransferand,ifsuchconsentcouldbeobtained,thedatasubjectwouldmostlikelygivethenecessaryconsent.

9.2 Arethereanyotherissuescompaniesneedtoconsiderwhentransferringdata(eg,privilegeissueswhentransferringdatabetweengroupcompanies)?

DataprotectionisstillaverynewareaofthelawinSouthAfrica.Accordingly,issueswillariseinthecourseofthedevelopmentofthislaw.

ConsideringthatPOPIprovidesforspecificcircumstancesinwhichdatamaybetransferredtoathirdpartybasedinaforeigncountry,asubsidiaryinSouthAfricamayneedtoabidebytheseprovisionswhen transferring to the holding company in another country even though the data is beingtransferredbetweengroupcompanies.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

A person convicted of an offence in terms of POPI can be sanctioned with a fine and/or imprisonment. Where the offender has hindered, obstructed or unlawfully influenced the Information Regulator, the term of imprisonment may not exceed 10 years. In other cases, the imprisonment period may not exceed 12 months. POPI also provides for the imposition of an administrative fine, which may not exceed ZAR 10 million.

10.2 Do individuals have a private right of action? What are the potential remedies?

A data subject or, at the request of the data subject, the Information Regulator may institute a civil action for damages in a court against the responsible party for interference with the protection of personal information, irrespective of intent or negligence on the part of the responsible party. A court hearing such proceedings may award an amount which is deemed just and equitable, which may include payment of damages, aggravated damages, interest and the costs of the lawsuit.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of South Africa which affect privacy?

There are currently no rules particular to the culture of South Africa which affect privacy.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

Currently, POPI is the main focus on the privacy scene in South Africa.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in South Africa?

In most jurisdictions, "personal information" is limited to the personal information of natural persons (humans). However, POPI's definition extends to the personal information of juristic persons (including companies). This means that responsible parties will need to comply with POPI's requirements when they process the personal information of both natural persons and juristic persons.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

The publication of POPI in 2013 marked a significant change in the privacy landscape. Prior to this, South Africa had no dedicated data protection legislation. Although the majority of POPI's provisions are not yet in force, companies are focusing on their data protection compliance in order to ensure that they are ready when POPI comes into full effect.

12.2 What do you envision the privacy landscape will look like in 5 years?

It is likely that POPI will be in force in 5 years' time. Organizations will be more focused on privacy compliance, in order to adhere to POPI's requirements and also because of continuous developments and improvements in information technology. Data subjects will also be more aware of their rights and will probably be quite active in enforcing them.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

Data protection law imposes onerous obligations on companies. This burden is increased by the complexities created by information technology and the large quantity of data processed by companies. Compliance requires companies to invest in technology infrastructure, human resources and service providers. This may be particularly burdensome for small businesses, especially since organizations will need to monitor, upgrade and invest in their technology on a constant basis in order to ensure that they remain compliant.


PRIVACY LAW – SWITZERLAND

1 PRIVACY LAW

1.1 How is privacy regulated in Switzerland?

Switzerland's federal structure characterizes the organization of the Swiss legal and court systems. The Swiss Federal Constitution ("SFC") attributes the power to legislate in civil law (including civil procedure law) and criminal law (including criminal procedure law) matters to the Federation. Hence, the core legal rules relating to privacy law are codified in Federal statutes.

The SFC provides a constitutional right to privacy. Article 13 SFC protects the right to privacy in personal or family life and in a person's home. Article 28 of the Civil Code ("CC") and the Swiss Federal Data Protection Act ("FDPA") put this fundamental right to privacy into concrete terms at a statutory level. Data protection provisions in Federal statutes and regulations governing sector-specific processing of personal data (eg, laws regulating the healthcare, pharmaceutical, financial, energy or telecoms sectors) supplement the FDPA.

The FDPA is currently under revision. The aim of the revision is, primarily, to align the FDPA's standard of protection with the standard of protection offered by the European Union's General Data Protection Regulation ("GDPR"). Where appropriate, the answers below are based on the near-final text of the revised FDPA ("rev-FDPA").

The 26 Cantons, the federal states of the Swiss Confederation, remain competent to legislate in administrative law matters and in the organization of their courts and administrative authorities. Each Canton has enacted its own data protection act. The Cantonal data protection acts govern the processing of personal data by Cantonal public authorities. The Cantons, too, are revising (or have already revised) their respective data protection acts.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

The FDPA is the key law regulating privacy. It is an omnibus law governing any processing (including collection, recording, structuring, storage, disclosure, or other uses) of any personal data, ie, any information that directly or indirectly identifies an individual. It applies to the processing of personal data by businesses and organizations in all sectors of the economy.

Sector-specific data protection and security requirements set out in laws regulating businesses and organizations in regulated sectors (eg, the healthcare, pharmaceutical, energy, telecom and financial sectors) provide more specific requirements applying to the processing of, eg, patient personal data, bank customer data or smart meter (personal) data. Sector-specific rules typically supersede the provisions of the FDPA. The Ordinance on the FDPA ("FDPO") is a governmental (Federal Council) ordinance that regulates certain aspects of the FDPA in more detail, eg, the specifics of notification requirements or of the right of access.

Swiss data protection law is rooted in the civil law protection of personality rights provided by Article 28 of the CC. In essence, the data processing principles set out in the FDPA (including purpose limitation, data minimization, storage limitation, transparent and fair processing, data accuracy, and data security) provide for protection against infringements of personality rights (data privacy) through excessive use of personal data (ie, information that identifies an individual directly or indirectly). Article 28 of the CC remains relevant, from a privacy law perspective, where libel, slander or defamation is the concern. Furthermore, it is relevant for the protection of the personality rights of legal entities. The current FDPA also governs the processing of personal data about legal entities, but the rev-FDPA will do away with this particularity of Swiss data protection law. It will cover only the processing of data that identifies individuals or renders individuals identifiable.

In addition to the criminal liability governed by the FDPA, a number of provisions of the Swiss Criminal Code ("CrC") are relevant in a privacy context. These include criminal law protection of a person's reputation against defamation (including libel and slander) and criminal law provisions prohibiting the unauthorized recording of private conversations or wiretapping.

Lastly, the Swiss Federal Act on Unfair Competition ("UCA"), which provides a right of action against the disparagement of competitors and their products or services, may be relevant in a privacy context.

The general framework provided by the FDPA, FDPO, CC, CrC and UCA also applies in an advertising context. In addition, the Principles issued and supervised by the Swiss Commission for Fairness in Commercial Communication, a self-regulatory body promoting fair trade practices in advertising and commercial communication, contain data privacy-related principles. They stress the importance of the purpose limitation and transparency principles in an advertising context, but do not go beyond what the FDPA and the FDPO provide to that end.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

The Swiss Federal Data Protection and Information Commissioner ("FDPIC") enforces the substantive provisions of the FDPA and the FDPO against businesses and organizations, as well as against Federal public authorities. Under the current FDPA, the FDPIC may only issue non-binding recommendations. However, where the business, organization or Federal authority concerned does not agree to implement the recommendation, the FDPIC may file a complaint with the Federal Administrative Court and request that the court order the defendant to implement the recommendation.

Under the current FDPA, the FDPIC may only open investigations if the privacy of a large number of persons has been or may be infringed. The rev-FDPA strengthens the FDPIC's competences. Once the rev-FDPA comes into force and becomes applicable (this is unlikely to be before the end of 2020), the FDPIC will be able to open an investigation ex officio or upon receipt of a complaint if there are indications of an infringement of data protection obligations under the rev-FDPA.

Under the rev-FDPA, the FDPIC will have the power to issue binding decisions: the FDPIC may require the respective business or organization to correct, suspend or cease certain processing of personal data, or to delete personal data entirely or partially. The FDPIC may also require the business, organization or Federal authority concerned to comply with specific obligations, such as to inform individuals, grant a right of access, or perform a data protection impact assessment ("DPIA"). In contrast to supervisory authorities in most jurisdictions where the GDPR is enforced, the FDPIC will not, however, have the power to impose administrative fines on businesses or organizations. Nor will the FDPIC have the power to issue fines against individuals.

The state prosecutors of the Cantons enforce the criminal law provisions of the FDPA against liable natural persons (and businesses under certain circumstances). They will continue to do so under the rev-FDPA (see question 10.1). State prosecutors also enforce the privacy law-related offences under the CrC and the criminal law provisions of the UCA (see question 1.2).

The data protection supervisory authorities of the Cantons enforce the Cantonal data protection acts against Cantonal authorities or against businesses or organizations performing tasks in the exercise of Cantonal public authority vested in them.

Furthermore, private enforcement plays a role in the enforcement of the FDPA, in particular in connection with access rights and other individual rights of data subjects. See further question 10.2.

2 SCOPE

2.1 Which companies are subject to privacy law in Switzerland?

The FDPA applies to the processing of personal data by any business or organization, regardless of its legal form, size or area of economic activity. It also applies to the processing of personal data by natural persons in the context of business activities, but not in the context of personal or household use.

2.2 Does privacy law in Switzerland apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

The principle of effects determines the FDPA's territorial scope; in other words, the FDPA applies to the processing of personal data that has actual or potential effects in Switzerland. This includes processing activities that are conducted or initiated outside of Switzerland but actually or potentially adversely affect the privacy rights of individuals in Switzerland.

According to established case law, this territorial scope already applies to investigation proceedings of the FDPIC under the current FDPA, and may apply, in accordance with the principle of effects under private international law, in private enforcement actions. The rev-FDPA will codify the principle of effects directly in the statute.

Under the rev-FDPA, controllers established outside of Switzerland will have to appoint a representative in Switzerland under certain conditions. In accordance with the current draft of the rev-FDPA, controllers will be required to appoint a representative in Switzerland if they regularly perform high-risk and large-scale processing of personal data in connection with the offering of goods or services in Switzerland, or in connection with the monitoring of individuals' behavior taking place in Switzerland.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Switzerland?

The FDPA applies to the processing of personal data. It defines "personal data" as any information relating to an identified or identifiable person. This includes information that directly identifies a person (eg, a full name or a picture showing a person's face) and information that allows identification indirectly by reference to additional information (eg, an email address, telephone number, social security number or customer number).

The current FDPA governs the processing of personal data of both natural persons and legal entities. The rev-FDPA will do away with this Swiss particularity. It defines personal data as any information relating to an identified or identifiable natural person.

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

The FDPA considers the following categories of personal data "sensitive":

(a) personal data concerning religious, ideological, political or trade union-related views or activities;

(b) personal data concerning health, the intimate sphere or the racial origin of an individual;

(c) personal data concerning social security measures; and

(d) personal data concerning administrative or criminal proceedings and sanctions.

These categories of personal data will continue to be considered sensitive under the rev-FDPA. The rev-FDPA will add two new categories:

(e) genetic data that uniquely identifies an individual; and

(f) biometric data that uniquely identifies an individual.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

The following are the key privacy principles that companies need to follow regarding their processing of personal data:

(a) Lawfulness;

(b) Fairness and transparency;

(c) Purpose limitation;

(d) Proportionality (data minimization and storage limitation);

(e) Accuracy; and

(f) Security (integrity, confidentiality and availability).

These principles are set out in the FDPA (Articles 4–7). They will remain the key privacy principles under the rev-FDPA. A summary of these key privacy principles is set out in question 5.1.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

The rev-FDPA will distinguish between controllers and processors. Similarly, the current FDPA distinguishes between owners of data filing systems and third parties processing on behalf of the owner.

The term "controller" (under the rev-FDPA) refers to the business, organization, natural person or Federal authority that determines (alone or jointly with others) the purposes and means of the processing of personal data.

"Processors" are businesses, organizations, natural persons or Federal authorities who process personal data on behalf of the controller.

Controllers will continue to be primarily responsible for compliance with the rev-FDPA. Yet, in contrast to the current FDPA, the rev-FDPA will also set out legal obligations applying directly to processors (including data security obligations, restrictions on engaging sub-processors and the requirement to maintain records of processing activities).

The controller-to-processor relationship needs to be governed by a contract (or established by law). The controller needs to be sure that the processor only performs processing activities that the controller would itself be allowed to perform, and must ensure that the processor is capable of providing adequate data security. Further, the rev-FDPA provides that a processor may only engage a sub-processor with the prior consent of the controller. The rev-FDPA will not provide a list of minimum requirements that the contract needs to cover. A contract meeting the standard required by Article 28 of the GDPR will suffice for the purposes of the rev-FDPA.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

In accordance with the key privacy principles (see question 3.3), advertisers need to comply with the following key obligations when collecting, processing, storing or otherwise using personal data as controllers in an advertising context:

(a) Lawfulness: In contrast to EU law, under the (rev-)FDPA, lawfulness of processing does not mean determining a legal basis (eg, legal obligation, contract, legitimate interests or consent) for processing. Rather, it means that businesses or organizations may only process personal data that has been collected in accordance with other applicable laws. For example, processing personal data that has been collected through unlawful trespassing or wiretapping would infringe the lawfulness principle. Legal bases (so-called "justifications") are relevant under the (rev-)FDPA, however, if controllers intend to disclose sensitive personal data to third parties (including disclosure to other group companies), envisage processing for other purposes, or wish to continue processing personal data despite the data subject's objection.

(b) Fairness: Advertisers may only perform such processing activities as data subjects may reasonably expect. Furthermore, fairness means that processing must be performed as described in the privacy policy or other information on data processing provided to the data subjects.

(c) Transparency: Advertisers have to convey to data subjects all information necessary to ensure transparent data processing. The information also needs to enable data subjects to exercise their rights under the FDPA. The rev-FDPA will set out in more detail the type of information that controllers need to convey to data subjects. At a minimum, they need to inform data subjects about the identity and contact details of the controller, the contact details of the data protection officer (if any), the purposes of the processing, and (if any) the recipients or categories of recipients of the personal data. Further, if the controller intends to transfer personal data to a recipient in a country which does not offer an adequate level of data protection, the controller also needs to tell data subjects to which countries it intends to transfer personal data and on the basis of which safeguards (eg, standard contractual clauses or the Swiss-US Privacy Shield). If the controller has not obtained the personal data directly from the data subject, the controller also needs to inform data subjects about the categories of personal data collected and processed.

Advertisers should provide this information to data subjects in the privacy policy posted on their website and, where appropriate, refer to the privacy policy in marketing material. As regards advertising on publishers' platforms, advertisers should require publishers to give their audience sufficient notice of the processing of personal data for advertising purposes, including the use of intermediaries.

(d) Purpose limitation: Advertisers may only process personal data for the specified purposes that have been notified to, or are obvious to, data subjects, and may only process personal data in a manner compatible with those purposes. Information about the purposes of processing needs to be specific. Advertisers also need to ensure that further processing of personal data received from other controllers is compatible with the purposes determined and communicated at the time of collection.

(e) Proportionality: The processing of personal data needs to be proportionate; that is, limited to what is necessary to achieve the specified purposes, considering the type of personal data concerned and the scope and duration of the processing. The data minimization and storage limitation principles are key aspects of the proportionality principle. This means that advertisers need to limit the scope of data collected and processed to what is necessary for the intended campaigns, and they need to delete personal data once it is no longer needed for advertising or other legitimate purposes (such as compliance with record-keeping obligations).

(f) Accuracy: Advertisers need to ensure they are only processing personal data that is accurate and kept up to date. They must take all reasonable steps to ensure that personal data that is inaccurate or incomplete, having regard to the purposes for which it is processed, is deleted or rectified.

(g) Security: Both controllers and (under the rev-FDPA) processors are under an obligation to ensure an adequate level of data security. They need to take technical and organizational measures that are commensurate with the level of risk for data subjects. See question 6.1 for further information on data security requirements under the (rev-)FDPA.

The following are further key or new obligations under the rev-FDPA:

(h) Records of processing activities: Under the rev-FDPA, controllers and processors will (each separately) be required to maintain records of processing activities. Exemptions may apply in relation to low-risk processing of personal data by businesses with fewer than fifty employees. The Federal Council will draft a revised FDPO once the rev-FDPA is final. This ordinance will lay out the specifics of this and other exemptions that may apply.

(i) Data protection impact assessment: Under the rev-FDPA, controllers will be required to perform DPIAs for intended high-risk processing of personal data. The high risk may result from the type, scope, circumstances or purposes of the processing or from the use of new technologies. A DPIA will be required under the rev-FDPA, in particular, in the case of (i) processing of sensitive personal data on a large scale (see question 3.2), or (ii) the systematic monitoring of publicly accessible areas on a large scale.

(j) Representative: Under the rev-FDPA, controllers established outside Switzerland will have to appoint a representative in Switzerland under certain circumstances (see question 2.2).

Appointing a data protection officer ("DPO") is not mandatory for businesses and organizations under the FDPA or the rev-FDPA. But the rev-FDPA incentivizes the appointment of a DPO. For example, with a DPO's involvement in the performance of a DPIA, a controller may avoid having to consult the FDPIC if the DPIA indicates that the processing would result in a high risk. Businesses which appoint a DPO will have to publish, and provide to the FDPIC, the contact details of the DPO. It may also be advisable to appoint a DPO voluntarily, as compliance with documentation and notification obligations and responding to data subjects' requests under the (rev-)FDPA require businesses, in practical terms, to establish an internal data protection organization.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Switzerland? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

There is no uniform data security law. A number of sector-specific laws and regulations (eg, in the energy, banking and healthcare sectors) regulate aspects of data or information security. The FDPA and the FDPO define a standard for the security of personal data (see question 3.3). Controllers are required to protect the integrity, confidentiality and availability of personal data by means of adequate technical and organizational security measures.

The FDPO sets out a minimum standard: namely, the implemented measures need to protect systems against the risks of unauthorized or accidental deletion, accidental loss, or unauthorized alteration, copying, access to or other unauthorized processing of personal data. The technical and organizational measures need to be adequate to address these risks. The following criteria need to be considered:

(a) the purpose, type and scope of the data processing,

(b) the assessment of potential risks for data subjects, and

(c) the state of the art.

The FDPO sets out types of measures that are considered appropriate, including access control, user logs, encryption, and protection against unauthorized copying, alteration or deletion.

The FDPIC's Guidelines on Technical and Organizational Measures of August 2015 (not available in English) are a useful resource for companies to address this standard and apply the measures set forth in the FDPO. The FDPO will be revised once the rev-FDPA is final.

Under the rev-FDPA, both controllers and processors will be obligated to take technical and organizational measures that are commensurate with the level of risk for data subjects.
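Two of the FDPO measure types listed above, user logs and protection against unauthorized alteration, only do their job if the log recording who accessed personal data cannot itself be silently edited or trimmed. The following is an added illustration in Python, not code from the Bowmans chapter or from any FDPIC guidance: a role-based access check over a constructed customer record, with every access attempt (granted or refused) written to an append-only log whose entries are chained with an HMAC, so that editing, deleting or reordering an entry is detected on verification. The record fields, roles, log format and key are all assumptions made for the example.

```python
"""Added example (not part of the Bowmans chapter or FDPIC guidance):
role-based access control over personal data plus a tamper-evident user log.
Record fields, roles, log layout and the key are assumptions for illustration."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample record and permission table (assumptions, not from the FDPO).
RECORDS = {
    "cust-1001": {
        "name": "Example Person",
        "email": "person@example.invalid",
        "health_note": "sensitive: allergy list",   # FDPA "sensitive" category (health)
    },
}
PERMISSIONS = {
    "marketing": {"name", "email"},                 # may not read sensitive fields
    "medical": {"name", "email", "health_note"},
}


class AccessLog:
    """Append-only user log. Each entry's MAC covers the previous entry's MAC
    and its own body, so an edit, deletion or reordering anywhere in the chain
    makes every later entry fail verification."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []   # list of (body_json, mac_hex)

    def _mac(self, prev_mac: str, body: str) -> str:
        return hmac.new(self._key, (prev_mac + body).encode(), hashlib.sha256).hexdigest()

    def append(self, **fields) -> None:
        body = json.dumps(fields, sort_keys=True)   # canonical form, so verify() is deterministic
        prev = self.entries[-1][1] if self.entries else ""
        self.entries.append((body, self._mac(prev, body)))

    def verify(self) -> int:
        """Return -1 if the whole chain is intact, else the index of the first bad entry."""
        prev = ""
        for i, (body, mac) in enumerate(self.entries):
            if not hmac.compare_digest(self._mac(prev, body), mac):
                return i
            prev = mac
        return -1


def read_record(user: str, role: str, record_id: str, fields, log: AccessLog) -> dict:
    """Return only the fields the role may read; log the attempt either way."""
    allowed = PERMISSIONS.get(role, set())
    granted = [f for f in fields if f in allowed]
    refused = [f for f in fields if f not in allowed]
    log.append(
        ts=datetime.now(timezone.utc).isoformat(),
        user=user, role=role, record=record_id,
        granted=granted, refused=refused,
    )
    rec = RECORDS.get(record_id, {})
    return {f: rec[f] for f in granted if f in rec}


def demo():
    """Marketing user asks for a sensitive field; then an insider edits the log
    entry to hide the refusal. Returns (data returned, verify before, verify after)."""
    log = AccessLog(key=b"example-log-key-not-for-production")   # assumption: key kept off the app host
    out = read_record("alice", "marketing", "cust-1001", ["email", "health_note"], log)
    intact_before = log.verify()
    body, mac = log.entries[0]
    log.entries[0] = (body.replace('"refused": ["health_note"]', '"refused": []'), mac)
    return out, intact_before, log.verify()


if __name__ == "__main__":
    print(demo())
```

The point of the chain is the separation of duties it enforces: an administrator who can write to the log store but does not hold the HMAC key cannot rewrite history without the next verification run pointing at the exact entry that was touched. In practice the key would live in an HSM or a separate logging service, and the verifier would run from a host the application team cannot reach.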

6.2 How are data breaches regulated in Switzerland? What are the requirements for responding to data breaches?

The current FDPA does not set out any data breach notification obligations. Under the rev-FDPA, controllers will be required to notify the FDPIC of personal data breaches that may result in a high risk for data subjects. No deadline is defined for the notification. Controllers will need to notify the FDPIC as quickly as possible, ie, without undue delay. In their notification, they will need to address the type of personal data breach, its consequences, and the measures taken or planned to remedy the breach and mitigate risks for data subjects.

Controllers are required to notify the data subjects affected by the personal data breach if such notification is necessary in order to protect the data subjects or if the FDPIC so requests. Processors who detect a personal data breach are required to notify the controller of the breach.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

Individuals have a right to access, rectification or deletion, and to receive a copy of the personal data undergoing processing. They also have a right to object to the processing. After an objection, controllers may only continue processing if they can show that continued processing is necessary in order to comply with a legal obligation laid down in Swiss law, to perform a contract with the data subject, or in order to pursue legitimate interests of the controller that are more compelling than the data subject's privacy interests. In addition, individuals have a right to data portability under certain circumstances.

These rights of individuals are subject to conditions and exceptions. For example, the right of access may be limited, deferred or denied to the extent necessary in order to protect the privacy interests of other data subjects or the legitimate interests of the controller or third parties that override the data subject's privacy interests.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

The general framework described above applies to marketing communications, including email, texts, and push notifications. In addition to the data protection requirements set out in the FDPA, the provisions of the UCA that require an opt-in or opt-out for mass communication (eg, newsletters or other emails sent at once to a very large number of recipients) need to be complied with.

The UCA requires an opt-in in cases where there is no pre-existing business relationship, and requires that businesses offer the recipients an easy way to unsubscribe (opt-out). The Principles of the Swiss Commission for Fairness in Commercial Communication put the statutory requirements concerning marketing communication in more concrete terms. They are also a means to interpret the statutory requirements in an advertising context. For example, continued direct marketing despite an objection by the recipient constitutes aggressive, and hence unfair, advertising according to Principle 4.4.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

There is no cookie law or similar law that governs the use of cookies, pixels or similar technologies. The general framework described above applies to the collection of personal data by use of tracking technologies.

The rev-FDPA will strengthen the rights of data subjects. The respective information notice obligations of controllers will also apply to the collection of personal data through cookies, pixels and similar technologies. This means that privacy policies also need to address this aspect of data collection. Information (ie, giving notice) is sufficient; no consent requirement applies. Consent may be required where sensitive personal data is disclosed to third parties (including disclosures within a group of companies), in which case the consent has to be explicit.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

The general framework described above applies to the processing of personal data in connection with targeted advertising and behavioral advertising. The obligations of the rev-FDPA concerning profiling require special attention. Explicit consent may be required before using profiling in the context of targeted advertising, particularly where (sensitive) personal data is disclosed to third parties or where many data subjects are likely to object to processing by means of profiling. However, this point will remain unclear until the Federal Parliament has reached agreement on a final text of the rev-FDPA.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

The general framework described above applies to the processing of personal data in connection with customer matching. Advertisers who use Facebook Custom Audiences or LiveRamp need to ensure that their continued processing for advertising purposes is compatible with the purposes specified at the time of collection. Advertisers may be considered joint controllers (together with Facebook) in relation to data collection in the context of Custom Audiences (applicable in Switzerland if the FDPIC and the courts follow the practice developed under the EU GDPR). In that case, they are responsible, jointly with the customer-matching provider, for providing sufficient notice and, where applicable, requesting consents.

Typically, advertisers will rely on notices provided and, where applicable, consents requested by the providers of customer matching services (eg, Facebook). Yet there is a risk that the FDPIC or the courts may deem the information and consent provided by the respective service provider to be insufficient. Advertisers should, at least, explain in general terms (eg, in their website privacy policy) whether they use customer matching or similar marketing technologies to target potential customers.

8.5 Are there specific privacy rules governing data brokers?

There are no specific privacy rules governing data brokers.

8.6 How is social media regulated from a privacy perspective?

The general framework described above applies to the processing of personal data in social media. Advertisers should inform data subjects in their website privacy policies about their social media marketing activities.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

The general framework described above applies to the processing of personal data in connection with loyalty programs and promotions. The provisions of the (rev-)FDPA concerning profiling require special attention. Also, the FDPIC has in the past closely scrutinized the information provided in privacy policies concerning loyalty programs.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

Under the current FDPA, the FDPIC publishes a list of states that, according to the FDPIC's assessment, provide an adequate level of data protection. Under the rev-FDPA, the Federal Council will adopt adequacy decisions in relation to jurisdictions that provide an adequate level of protection. The Federal Council will (just as the FDPIC has done in the past) likely follow the European Commission's lead, and consider adequate those jurisdictions in relation to which the European Commission has adopted an adequacy decision.

Appropriate safeguards are required in order to transfer personal data to states without an adequate level of protection. Appropriate safeguards include, under the (rev-)FDPA:

(a) standard contractual clauses issued, approved or recognized by the FDPIC;

(b) binding corporate rules approved by the FDPIC or by a competent data protection supervisory authority in a state that provides adequate protection;

(c) contractual clauses (subject to prior notification to the FDPIC) between the controller or processor and the controller, processor or other recipient of the personal data abroad; and

(d) international treaties to which Switzerland is a party.

The same safeguards may be used for cross-border transfers within a group of companies.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

For the purposes of the (rev-)FDPA, companies within a group of companies are considered third parties. Hence, a transfer to another company within a group of companies constitutes a disclosure to a third party.

Companies within a group need to ensure they adhere to the principle of purpose limitation and to notification obligations if they further process data they receive from other group companies. Special justification (eg, explicit consent or overriding legitimate interests) is required for the disclosure (including within a group of companies) of sensitive personal data. Where personal data is transferred to a group company in a country without an adequate level of protection, appropriate safeguards need to be put in place (eg, binding corporate rules or standard contractual clauses entered into by the group companies).

10 VIOLATIONS

10.1 Whatarethepotentialpenaltiesorsanctionsforviolationsofprivacyordatasecuritylaw?

TheFDPICdoesnot(andwillnotundertherev-FDPA)havetherighttoissueadministrativefines.ThestateprosecutorsenforcethecriminallawprovisionsoftheFDPA.

Currently, the FDPA provides that private individualsmay be fined up to CHF 10,000 if they areresponsible for theviolationofspecific informationandnotificationrequirementsunder theFDPA(eg,willfullyprovidingfalseorincompleteinformationinresponsetoadatasubjectaccessrequest).


Under the rev-FDPA, the maximum amount of the fine will be CHF 250,000. The rev-FDPA will also extend criminal liability to the violation of additional data protection obligations under the rev-FDPA, such as failing to ensure there are sufficient guarantees for international data transfers, or failure to comply with minimum data security requirements.

The rev-FDPA will also introduce criminal liability of businesses and organizations. The responsible individuals (eg, directors or managers) will primarily be liable. However, the business or organization (controller or processor) may be held liable for a fine of up to CHF 50,000 under the rev-FDPA if determining who, in the organization, is responsible for the infringement would require disproportionate investigative efforts.

10.2 Do individuals have a private right of action? What are the potential remedies?

Article 28 of the CC provides for private rights of action against infringements of personality rights. The following remedies are available:

(a) prior restraints and other pre-publication injunctions,

(b) removal of an existing infringement (this may include a right to be forgotten),

(c) a declaratory judgment (if the effect of the infringement is continuing), and

(d) claims for compensatory damages, moral damages, and disgorgement of profits (Article 28a of the CC).

The FDPA provides private rights of action against infringements of personality rights protected under the FDPA. Of particular practical relevance is litigation concerning the exercise of the rights of access, rectification and deletion. Yet data subjects may also claim infringement of key data privacy principles such as purpose limitation, data minimization and data security. The remedies set out in Article 28a of the CC apply by analogy to such claims brought under Article 15 of the FDPA. This will remain unchanged under the rev-FDPA.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Switzerland which affect privacy?

No.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

The FDPA is under revision. Advertisers should particularly review the requirements concerning profiling once an agreement on the final text of the rev-FDPA has been reached. In addition to programmatic advertising, other hot topics are voice and facial recognition and monitoring of data subjects’ behavior online or in public spaces, as well as data and cybersecurity.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Switzerland?

No.


12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

Data-driven business models have become prevalent in recent years. Consumers acknowledge the value of these business models, but are also increasingly concerned about their privacy in a digital economy. In particular, decision-making based on algorithms and big data analysis creates a perception of losing control over one’s personal data. In the wake of various high-profile data breaches, information security has become an important topic. It is no longer left to the IT departments of companies and public institutions, but, rather, is an ongoing obligation that has become part of board and C-level management duties. In addition, legislative developments in the EU and in Switzerland have raised awareness of data privacy among both consumers and companies. Triggered by these changes, data privacy has been established as a topic of increasing priority for the top management of companies over the past few years.

12.2 What do you envision the privacy landscape will look like in 5 years?

On the legislative landscape, the completion of the revision of the FDPA will likely further increase awareness in the next few years. Also, it may be expected that data protection and security provisions in sector-specific laws and regulations concerning data uses in highly regulated sectors will continue to receive more attention.

Still, internal and external resources for privacy compliance are not yet a given. Companies with data-driven business models and companies and organizations in highly regulated sectors will likely be among those who adapt their data processing activities in the wake of regulatory changes.

Private enforcement remains costly due to limited pre-trial disclosure, and because opportunities for collective legal action are very limited. The effectiveness of enforcement by the FDPIC will much depend on the resources made available to the FDPIC, which have so far been rather limited. The rev-FDPA will empower the FDPIC to issue binding decisions and require controllers and processors to change their data processing operations. Still, without the power to issue fines, and with limited resources, the effects of enforcement by the FDPIC on the privacy landscape may remain rather limited. Finally, state prosecutors tend to have other enforcement priorities and a lack of sufficient data privacy know-how. Enforcement of the criminal law provisions of the rev-FDPA, therefore, may remain rather limited too.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

It has become increasingly challenging for businesses to comply with high data privacy standards while retaining their competitive edge. Multi-layered governance of the processing of personal data (by European, Federal and Cantonal laws and regulations) and multi-layered enforcement (see questions 10 and 12.2) complicate compliance.

In an advertising context, providing the notices and controls to data subjects that revised data privacy laws require often proves difficult. Where advertisers do not have a direct business relationship with their target audience, they will need to rely on publishers and intermediaries to that end. Furthermore, the nature of the relationship between advertisers and providers of customer matching services or other intermediaries, as joint or separate controllers, or controller-processor relationships, will likely continue to be debated. It will remain unresolved until case law is more developed and adopted in a Swiss law context. Meanwhile, data-driven businesses (including businesses in the online media and advertising industries) will have to develop targeting measures that take into account the concerns of regulators and the public at large, eg, by developing effective anonymization measures and advertising identifiers that cannot be traced to individuals.


PRIVACY LAW – TURKEY

1 PRIVACY LAW

1.1 How is privacy regulated in Turkey?

Article 20 of the Turkish Constitution recognizes the privacy of an individual as a human right. However, the main legislation governing privacy in Turkey is the Data Protection Law (“DPL”), which came into force on April 7, 2016. The Turkish Penal Code also includes some provisions related to crimes concerning personal data.

The DPL is modelled on the EU Data Protection Directive (95/46) but it is not a replica; there are certain differences, some of which are important. However, in general, the DPL is quite similar to the EU Directive. The DPL also adopted certain concepts from the GDPR, such as data breach notification; however, it is more similar to the EU Directive than to the GDPR.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

As mentioned above, the main legislation governing privacy in Turkey is the DPL. The Turkish Penal Code also includes some provisions criminalizing certain activities such as illegal transfer or collection of personal data.

The Data Protection Board (“Board”), which is the executive body of the Data Protection Authority (“DPA”), issues secondary legislation which details the obligations set out under the DPL.

There are also sector-specific provisions in the laws and regulations in the electronic communication, finance, insurance and capital markets sectors. There is no provision under Turkish law that focuses on the privacy aspects of advertising. The advertising aspects are subject to the general provisions of the DPL.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

The DPA is the regulator that enforces the DPL. The enforcement decisions are made by the Board, which is the executive body of the DPA.

In situations where a complaint is involved, or where the Board becomes aware of non-compliance with the DPL, the Board can conduct an investigation into the matter to determine whether or not there is any such non-compliance. If there is non-compliance, the Board can request that the data controller or data processor comply with the DPL. Additionally, the Board has been given the authority to impose administrative fines on data controllers for breaches of the DPL.

In addition to administrative fines, non-compliance with the provisions related to personal data can result in criminal sanctions (see question 10.1).

Since its establishment in January 2017, the Board has followed up and investigated violations of the DPL and its secondary legislation, and has rendered several decisions where it has imposed administrative fines.


2 SCOPE

2.1 Which companies are subject to privacy law in Turkey?

Regardless of the legal structure, nationality or the domicile of the data controller, all natural or legal persons who process the personal data of natural persons residing in Turkey, wholly or partly by automatic means, or by non-automatic means as a data controller provided that it is a part of a data registration system, are subject to the DPL.

2.2 Does privacy law in Turkey apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

There is no specific territoriality provision under the DPL. However, by consideration of Article 1 of the DPL, which states that the purpose of the DPL is to protect the privacy rights of individuals, it can be extrapolated that the DPL is applicable to data controllers both inside and outside Turkey, as this is necessary in order for the DPL to be able to protect the privacy rights of individuals in Turkey. Otherwise, the purpose of the DPL cannot be achieved.

Data controllers located abroad are under an obligation to appoint a representative in Turkey, which can be a legal entity or a Turkish citizen residing in Turkey. Other than this, data controllers located outside Turkey are under the same obligations as data controllers located inside Turkey.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Turkey?

Under the DPL, “personal data” is defined as “any information relating to an identified or identifiable natural person.”

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership of an association, foundation or trade union, health, sexual life, criminal conviction and security measures, biometrics and genetics are special categories of personal data.

Processing sensitive personal data is subject to stricter conditions than processing non-sensitive personal data. Other than personal data relating to health and sexual life, such data may only be processed either on the basis of explicit consent or where processing is expressly permitted by law.

Personal data relating to a person’s health and sexual life may only be processed by persons under the obligation of secrecy or authorized institutions and organizations, and on the basis of the explicit consent of the data subject, or for the purposes of:

(a) protection of public health,

(b) operation of preventive medicine,


(c) medical diagnosis, treatment, and care services, or

(d) planning/management of health services and its financing.

Moreover, in addition to the above, the DPL provides that, as an additional condition, sufficient measures determined by the Board must be adopted for the processing of sensitive personal data. The Board has published the “Decision regarding the Adequate Measures to be taken by Data Controllers in Processing of Personal Data of Sensitive Nature”, under which it has determined the technical and administrative measures to be taken by data controllers who process sensitive personal data.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

The principles to be complied with when processing personal data are:

(a) being in conformity with the law and good faith;

(b) being accurate and, if necessary, up to date;

(c) being processed for specified, explicit, and legitimate purposes;

(d) being relevant, limited and proportionate to the purposes for which the data is processed; and

(e) being stored only for the time designated by relevant legislation or necessitated by the purpose for which data are collected.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

Yes, the DPL assigns two different roles to companies, based on how they process personal data. A company or an individual can be a data controller or a data processor:

(a) Data Controller: This is a natural or legal person which determines the purposes and means of the processing of personal data, and which is responsible for the establishment and management of the data filing system. The data controller is the main responsible party with regard to data processing.

(b) Data Processor: This is a natural or legal person who processes personal data based on the authority granted by and on behalf of the data controller.

The DPL provides that data controllers and data processors are jointly and severally responsible for taking all necessary technical and administrative security measures. This obligation aims to make data controllers pay attention to whom they choose to act as their data processors. If they do not choose a data processor capable of taking the necessary measures, then in case of a breach the data controller will also be liable for the failure of the data processor. Of course, the data controller may put a provision in the agreement to have recourse to the data processor in case the data controller is obliged to pay compensation or an administrative fine. However, it will always be the data controller which will be the main responsible party vis-à-vis the DPA.

The DPL does not include a provision that explicitly requires data controllers to enter into an agreement with their data processors. However, the DPA has issued guidelines where it states that there should be such an agreement between the data controller and the data processor as an administrative security measure. The Board has also published sample undertakings to be signed between data controllers and data processors. The Board published those undertakings not as a mandatory general form to be used in all transactions between data controllers and data processors, but only for cases where a data transfer will be made outside Turkey. However, these samples give an idea as to what the DPA considers important in an agreement between a data controller and a data processor. Based on these samples, it is evident that the most important issue for the DPA is security; it wants data processors to take all necessary security measures, and for this issue to be included in agreements between data controllers and data processors.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

Personal data must be processed on the basis of one of the legal grounds set out in the DPL and in accordance with the principles set forth under the DPL (see question 3.3).

Another important obligation concerns informing data subjects. Before processing personal data, data controllers must inform the data subjects of the following issues with a privacy notice:

(a) the identity of the data controller and its representative (if the data controller is located abroad);

(b) the purposes for which personal data will be processed;

(c) the persons to whom personal data might be transferred and the purposes for the same;

(d) the method and legal basis of collection of data; and

(e) the rights of data subjects set forth under the DPL.

Data controllers located abroad must appoint a representative, which must be a Turkish citizen or a legal entity located in Turkey. Data controllers located inside Turkey must appoint Turkish citizens as their contact persons. The representatives/contact persons are designed to be points of contact between data controllers and the DPA and/or the data subjects.

Data controllers must register themselves with the Data Controllers’ Registry, which is an online platform called VERBIS. In order to register with VERBIS, a simplified personal data inventory must be prepared and submitted to the online VERBIS system. The simplified personal data inventory should include the following:

(a) categories of personal data processed by the data controller;

(b) the purposes of processing of each personal data category;

(c) data subject groups;

(d) groups of recipients of personal data;

(e) whether or not the relevant personal data category is transferred abroad;

(f) measures taken for the security of personal data; and

(g) the maximum period of retention.


Regarding data security, by Article 12 of the DPL, the data controller should take all necessary technical and organizational measures to provide an appropriate level of security in order to prevent unlawful processing of personal data, prevent unlawful access to personal data, and safeguard personal data.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Turkey? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

The main obligation related to data security for personal data is set forth under Article 12 of the DPL (see question 5.1).

The DPA has published guidelines to explain what kind of security measures a data controller should take. The guidelines provide examples of:

(a) administrative security measures, such as training employees, minimizing personal data, and managing the relationship with data processors; and

(b) technical measures, such as ensuring cybersecurity and managing security in the cloud.

6.2 How are data breaches regulated in Turkey? What are the requirements for responding to data breaches?

Under the DPL, in case of a data breach, the data controller must notify the data subject and the Board of such situation as soon as possible. The Board has issued a decision stating that the term “as soon as possible” shall be interpreted as “within 72 hours of the time the data controller becomes aware of the breach”.

In terms of the notification obligation, there is an important difference between the DPL and the EU’s GDPR: the obligation to notify the breach under the DPL is a very straightforward obligation; no analysis needs to be made about the effect of the breach on the rights and freedoms of the data subjects. If there is a breach, that breach must be notified both to the Board and the data subjects.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

Everyone, by applying to the data controller, has the right to:

(a) learn whether or not her/his personal data has been processed;

(b) request information as to processing, if her/his data have been processed;

(c) learn the purpose of processing the personal data and whether data is being used in accordance with this purpose;

(d) know any third parties in Turkey or abroad to which personal data has been transferred;

(e) request rectification in cases where personal data has been processed incompletely or inaccurately;

(f) request deletion or destruction of personal data within the framework of the conditions set out in the DPL;


(g) request notification of the actions taken under (e) and (f) above to third parties to which personal data has been transferred;

(h) object to the occurrence of any result that is to her/his detriment by means of analysis of personal data exclusively through automated systems; and

(i) request compensation in cases where he/she incurs damage due to the unlawful processing of his/her personal data.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

Electronic marketing communications are regulated under the Law on Regulation of Electronic Commerce. Under this law, electronic marketing communication messages (such as emails, SMS, etc) can be sent to consumers only with their permission; opt-in consent is required for such communication. The relevant electronic message should also include an opt-out mechanism so that the consumer can easily choose not to receive any further electronic marketing messages.

If the intended recipient is not a consumer but a merchant, there is no need for an opt-in consent for electronic marketing communication. However, the message should still include an opt-out mechanism.

Apart from the activity of sending messages, all other processing activities for marketing communication are regulated by the general provisions of the DPL from a privacy perspective.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

Under Turkish law, there is no provision specific to the use of tracking technologies. However, using tracking technologies should be considered processing of personal data under the general provisions of the DPL. Under these provisions, based on the level of tracking, the activity would most likely require the consent of the data subject.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

Under Turkish law, there is no provision specific to targeted/behavioral advertising. As a personal data processing activity, targeted/behavioral advertising is subject to the principles and procedures set forth under the DPL. Under the general provisions of the DPL, targeted/behavioral advertising activities would be subject to the consent of the data subject, as they include an element of profiling, which cannot be covered by the legitimate interest of the data controllers involved in those activities.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

In the privacy notices they send to their customers, advertisers need to include information on:

(a) the third parties (as a category) with whom they share personal data; and

(b) why they are sharing that data (ie, so that targeted advertising can be made).


In addition to the privacy notice, the advertisers need to obtain the explicit consent of their customers in order to share such data with those third parties.

8.5 Are there specific privacy rules governing data brokers?

No, under Turkish law, there are no specific rules governing data brokers.

8.6 How is social media regulated from a privacy perspective?

From a privacy perspective, social media is regulated under the general provisions of the DPL. In addition, Law No 5651 on the Prevention of Crimes Committed through the Internet provides that an individual can request the removal of content if such content violates her/his privacy.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

Under Turkish law, there is no provision specific to loyalty programs and promotions from a privacy perspective. Therefore, these issues are regulated under the general provisions of the DPL. There is a decision of the Board on a loyalty program of a supermarket. In that decision, the processing of the personal data of participants of a loyalty program was carried out on the basis of the explicit consent of the participants. The Board reviewed the validity of the explicit consents and stated that they were valid because the supermarket did not force its customers to participate in the program and continued to sell goods to non-participants, albeit without certain benefits granted to participants. The existence of choice, stated the Board, is an indicator that participants willingly gave their consent for processing.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

Personal data can be transferred to a third party located inside Turkey if the data subject gives her/his explicit consent, or if there is another legal ground for such transfer set forth under the DPL.

In order to transfer personal data outside Turkey (either to a third party located abroad or to a server located abroad, even if it is owned by the transferring data controller), either:

(a) the explicit consent of the data subject must be obtained; or

(b) one of the additional legal grounds of data processing set forth under the DPL must apply to the transfer and:

(i) the destination country must be one of the countries providing adequate protection; such countries will be determined by the Board; or

(ii) if the destination country does not provide adequate protection, both of the following conditions should be met:


(1) the data controller in Turkey and in the foreign country must provide a written commitment, stating that sufficient data protection will be provided; and

(2) the transfer must be authorized by the Board.

The Board has yet to issue a list of countries providing adequate protection. Thus, transfer of personal data can be made only with the explicit consent of the data subject or with the permission of the Board as mentioned under (b)(ii)(2) above.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

Currently, there is no regulation for transfer of data between group companies. However, the DPA and the Board are preparing to publish a set of rules to govern the transfer of personal data between group companies, which is expected to be similar to the Binding Corporate Rules mechanism under the GDPR.

One point to consider is that the DPL does not provide a definition for a “third party”; therefore, any individual or entity (other than the data controller and the data subject) can be considered a third party. This creates a problem in relation to transfers between data controllers and data processors, as any transfer of personal data from a data controller to a data processor can be interpreted as a transfer to a third party. Such an interpretation would mean that the transfer should be based on one of the legal grounds in the DPL. It is possible to think that in most cases, such a transfer would fall under the scope of the legal ground of legitimate interest. However, such an approach would require a separate analysis for each transfer.

A different approach is possible, whereby the solution to the problem mentioned above would lie with the interpretation of the definition of “data processor” under the DPL. As the data processor is an individual or a legal entity processing personal data “on behalf of” the data controller, it could be argued that the data processor is not an ordinary third party. It acts under the authority of the data controller, making the data processor a part of the data controller’s organization. As the transfer of personal data between employees of a data controller cannot be considered a transfer to a third party (although the data controller and each employee is a separate entity), it might be possible to state that the transfer to a data processor should not be considered as a transfer to a third party. This is a tenuous interpretation, but if the Board adopts a decision in this respect, such an interpretation would get stronger and its chances of holding out against the test of a court would be higher.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

(a) Administrative fines (NB amounts are as at November 2019):

(i) If the data controller does not provide sufficient information to the data subject as to the nature and purpose of processing as required by the DPL, it will be subject to an administrative fine between TRY 7,352 and TRY 147,058 (approx US $1,280–25,600).

(ii) If the data controller or data processor does not take the necessary safety measures as required by the DPL, it will be subject to an administrative fine between TRY 22,057 and TRY 1,470,580 (approx US $3,840–255,640).


(iii) If the data controller or the data processor does not comply with the decisions of the Board, it will be subject to an administrative fine between TRY 36,763 and TRY 1,470,580 (approx US $6,400–255,640).

(iv) If the data controller does not register itself with the Data Controllers’ Registry, it will be subject to an administrative fine between TRY 29,410 and TRY 1,470,580 (approx US $5,110–255,640).

(b) Criminal sanctions:

(i) for unlawfully recording the personal data of another, imprisonment of between one and three years;

(ii) for unlawfully transferring/acquiring another person’s personal data to/from another person, imprisonment of between two and four years; and

(iii) for not anonymizing, deleting or destroying personal data after the legally permitted period, imprisonment of between one and two years.

10.2 Do individuals have a private right of action? What are the potential remedies?

Under the DPL, data subjects have the right to request compensation if they suffer damage due to processing of their personal data in violation of the DPL. A claim for such compensation is not made to the Board but to the civil courts. Data subjects can also make a complaint to the Board in relation to the violating activity, in which case the Board would order the cessation of such activity.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Turkey which affect privacy?

The concept of privacy, in the sense that it is used in the European Union, is relatively new to Turkey, because the DPL is the first general legal framework for privacy, and it only came into force in 2016. Before then, most data controllers did not have any notion about privacy, and they are slowly coming to terms with what is required of them in relation to privacy issues. One of the results of this is that the level of compliance differs dramatically among data controllers in Turkey.

The DPL also had an effect on data subjects; they are becoming more and more aware of their privacy rights, and the number of complaints made to the Board rises each day. However, the depth of knowledge of data subjects about privacy is still not high, and sometimes privacy notices may create doubts in the minds of data subjects instead of eliminating them. The fact that a data controller is handling their data, however proper such handling may be, and informing them of such processing activity, may create suspicions of wrongdoing on the part of some data subjects. Therefore, the wording of privacy notices must be prepared very carefully in order to prevent such doubts and eliminate the risk of complaints to the Board.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

There are discussions on amending some of the provisions of the DPL which have been found to be problematic. There is no clear timeline as to when such amendments would be made.

A list of countries providing adequate protection is also a matter that has long been awaited by data controllers. However, it is still not clear when, or even whether, such a list will be published.


11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Turkey?

No.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

Until recently, there was no general privacy legislation; there were only a few provisions of the Turkish Criminal Code related to personal data, and not many court decisions had been made on those provisions. There had been various drafts of a general privacy legislation in the past, but none of them had entered into force before the DPL. A general legislation regarding data protection was one of the conditions for lifting the visa requirement between the European Union and Turkey, and this was the main motivation behind the enactment of the DPL. Be that as it may, the DPL has brought about significant changes in the Turkish data privacy landscape, especially since, after the DPA was established and the Board was elected, various guidelines and secondary legislation were prepared. The fact that the DPA and the Board took their jobs seriously also affected the players in the market, and the DPL became one of the important pieces of legislation in the Turkish legal framework.

12.2 What do you envision the privacy landscape will look like in 5 years?

Both data controllers and data subjects, and also the DPA and the Board, will have far more experience with the different concepts of privacy in five years’ time, as these concepts will not be new by then. In five years, the level of compliance among data controllers will rise, and the level of awareness of data subjects will increase in parallel with that rise. Consequently, the expertise of the DPA and the Board will reach higher levels. We will see more complicated cases handled by the Board, which will lead to more detailed and sophisticated decisions.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

The DPL is a law modelled on the Data Protection Directive (95/46/EC). When that Directive came into force, the internet was not such a big part of daily life, and the amount of data collected by data controllers was not as huge as it is now. Therefore, companies in the European Union had time to adapt their privacy practice to developments in the technology. However, the DPL came into force in 2016, a time when companies had already become used to collecting and processing high amounts of data with various processing activities. It has therefore been more difficult for Turkish companies to review all of their previous practices and make the adaptations required by the DPL.


PRIVACY LAW – UKRAINE

1 PRIVACY LAW

1.1 How is privacy regulated in Ukraine?

The current Ukrainian legislation is mainly based on the old Data Protection Directive (95/46/EC), with the addition of certain specifics (eg, concerning the Ukrainian data protection authority).

Led by the commitments in the Association Agreement with the EU, in October 2017, the Ukrainian Parliament planned to implement the regulations of the EU General Data Protection Regulation ("GDPR") into national legislation by 25 May 2018. However, this goal has still not been achieved. There have been several unsuccessful attempts to draft an implementation bill. However, such implementation is expected to be conducted by the newly elected Parliament.

The legal enforcement of data privacy rights in Ukraine is still not as strong as, eg, in the European Union. The appetite of data subjects to go to court is also much lower than in other countries. Although the awareness of data privacy is increasing within certain industry sectors (eg, IT and telecommunications), Ukrainian business is quite reluctant to implement self-regulating mechanisms.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

The Constitution of Ukraine dated 28 June 1996 establishes the fundamentals of privacy in Ukraine.

Privacy rights are further expanded in the Law of Ukraine On Personal Data Protection dated June 1, 2010 ("Privacy Act"). The Privacy Act is the principal source of regulation of data privacy issues and contains the most important legal provisions in this sphere. In addition, there are numerous applicable by-laws and regulations.

Ukraine is also a signatory to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of January 28, 1981.

However, these do not contain specific rules to cover privacy issues with special focus on advertising aspects.

Ukraine has also adopted several sector-specific laws containing privacy rules (eg, the Law of Ukraine On Telecommunications dated November 18, 2003, and the Law of Ukraine On Electronic Commerce). These laws contain some limited regulation on privacy for certain types of marketing activities (eg, email marketing).

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

The central competent Data Privacy Authority of Ukraine is the Ukrainian Parliament's Commissioner for Human Rights ("Ombudsman"). The Ombudsman is in charge of overseeing compliance with the Privacy Act. To this end, the Ombudsman has powers including, inter alia, to consider complaints from data subjects, to carry out inspections (either scheduled or unscheduled), and to impose administrative sanctions on the violators, including fines.


The sanctioning powers of the Ombudsman are rather limited. In most cases, the Ombudsman decides to issue a warning notice to the violator to cease the violation or rectify defects in processing practices. Even if the Ombudsman decides to impose a fine on the violator, such fine is likely to be very insignificant in monetary terms as it is limited by the respective laws.

A violation of the Ukrainian privacy laws may also result in civil or even criminal liability (in very rare cases related to illegal collection and distribution of personal data).

There are several other state bodies which have limited privacy enforcement powers in certain industries (eg, the telecoms regulator, consumer protection authority).

As yet, there is no known enforcement practice originated by self-regulatory bodies in Ukraine.

2 SCOPE

2.1 Which companies are subject to privacy law in Ukraine?

The Privacy Act does not contain any express provisions regarding its territorial effect. As a general rule, all companies and organizations dealing with data processing activities within Ukraine are subject to privacy laws in Ukraine.

2.2 Does privacy law in Ukraine apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

The Privacy Act does not contain a clear provision addressing the issue of jurisdiction. However, the laws of Ukraine do not claim to have an extraterritorial effect in other countries. Therefore, companies based or operating outside of Ukraine may only be subject to the Ukrainian data protection regime to the extent that they process personal data in Ukraine. An entity with a physical presence in Ukraine (through a local branch office, with or without employees) is within the scope of the Privacy Act even if the personal data that is processed in Ukraine relates to foreign individuals.

There are no specific obligations relating to companies outside Ukraine other than the necessity to notify the Ombudsman on the processing of so-called "extreme risks personal data" (see, further, question 3.2) to the extent that such processing affects Ukraine in any way.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Ukraine?

The Privacy Act defines "personal data" as data or an aggregate of data on an individual who is identified or can be precisely identified.

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

The Privacy Act names the following types of personal data to be sensitive:

(a) race, ethnic origin and nationality;

(b) political, philosophical and religious beliefs;


(c) membership of political parties and trade unions;

(d) health;

(e) sexual life;

(f) biometric data;

(g) genetic data; and

(h) criminal convictions.

In turn, regulations of the Ombudsman regard all the above as "extreme risks personal data" with the addition of:

(i) any pre-trial procedures;

(j) any investigative procedures against him/her;

(k) violence against him/her; and

(l) location and travel routes.

The specific obligations regarding the processing of extreme risks personal data involve filing appropriate notifications to the Ombudsman. The Ombudsman should be notified within 30 days of commencing extreme risk personal data processing. No other notifications, registrations, authorizations, etc, are currently required to be made to/filed with the Ombudsman, including any data breach notifications and cross-border data transfer. Once extreme risk personal data is processed, it is also necessary to notify the Ombudsman of a data processing division or the appointment of a data protection officer. Such notification can be filed simultaneously with the notification of extreme risk personal data processing. The foregoing local notifications are not required if processing the extreme risk personal data falls within the statutory exemptions (eg, it is processed for the purpose of execution of the controller's rights and fulfilment of the controller's obligations within employment relations).

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

The privacy laws in Ukraine do not contain dedicated provisions naming the principles for personal data processing. Instead, such principles are set out in different provisions, mostly in the Privacy Act. These principles include the following:

(a) transparency — meaning that personal data must be processed lawfully, fairly and in a transparent manner;

(b) lawful basis for processing — meaning that personal data may only be processed if it falls within the grounds for processing envisaged by the Ukrainian laws;

(c) purpose limitation — that processing of personal data be carried out only for a specified, explicit and legitimate purpose known to the data subject;

(d) data minimization — personal data must be adequate, relevant and limited to what is necessary in relation to the purpose of the processing;

(e) retention (storage limitation) — the data should be kept no longer than is necessary for the purpose for which such personal data is being processed;

(f) data security — the entity engaged in processing data must ensure appropriate security measures are in place to protect personal data; and

(g) accuracy — personal data should be accurate and up to date.


4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

The Privacy Act names controllers, processors and third parties as the main actors engaged in personal data processing. The concepts of "controller" and "processor" in Ukraine are almost identical to those existing in EU legislation.

There is no absolutely clear position as regards the status of "third parties" in terms of personal data processing. According to the Privacy Act, a "third party" may be any person receiving personal data from a controller or processor. In practice, a third party is usually regarded as a potential recipient of personal data provided by the data controller or data processor. A third party in receipt of the respective data may acquire the status of a separate data controller or data processor. Additionally, unlike many other jurisdictions, sub-processor and joint controller roles are not expressly regulated under Ukrainian law.

In general, controllers bear primary responsibility for ensuring that processing activities are compliant with the Ukrainian privacy laws. In particular, a party transferring personal data (ie, a data exporter) must ensure compliance with the conditions of the established regime for personal data protection.

The controller may include a data processor in the processing activities. However, Ukrainian law foresees a written agreement between the controller and the processor. Unlike the GDPR, Ukrainian law does not prescribe minimum content and requirements concerning this agreement (in contrast, eg, to Article 28 of the GDPR).

Under the Privacy Act, the obligations of controllers and processors in terms of processing activities are almost the same, apart from some specific obligations, which include notification requirements for controllers or compliance with the controller's instructions for processors.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

The Ukrainian privacy law landscape does not envisage specific obligations as regards privacy in terms of advertising. However, general obligations under privacy laws should be followed. Those include, among others:

(a) Notification requirement — a legal requirement to notify the data subject in relation to personal data collection on the day of the collection (if collected from the data subject) or within 30 business days after such collection (in all other cases). The data subject should be notified regarding:

(i) the data controller (eg, name and registered address);

(ii) the scope (categories) of the personal data collected;

(iii) the rights of the data subject under the law;

(iv) the purpose of personal data collection; and

(v) third parties to whom his/her personal data can be transferred.


(b) Security requirement — a legal requirement for the controllers and processors to undertake adequate security measures as regards processed personal data.

(c) Recording requirements — a requirement for the controllers and processors to track the operations related to personal data processing. The Master Template of the Personal Data Processing Procedure ("Master Template") approved by the Ombudsman states that where personal data is processed by an automated system, such system must automatically record the following information on personal data processing:

(i) date, time and source of collection of personal data of a data subject;

(ii) alteration of personal data;

(iii) viewing of personal data;

(iv) any transfer (copying) of personal data of a data subject;

(v) date and time of personal data deletion or erasure;

(vi) the person who made any of the above actions; and

(vii) purpose and reasons for alteration, viewing, transfer and deletion or erasure of personal data.

The described information shall be stored by the data controller/processor for one year, beginning at the end of the year in which the processing of personal data took place, unless otherwise stipulated by the applicable Ukrainian laws.

The Master Template is generally considered as not binding. However, the Procedure of Conducting Control over Compliance with the Personal Data Protection Laws by the Ombudsman mentions the Master Template as being one of the documents which the Ombudsman considers when conducting its inspections with respect to compliance with Ukrainian personal data protection laws. Therefore, it is usually advisable to generally comply with the Master Template.
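As an added illustration of the Master Template's recording requirement (this is example code written for this page, not the chapter's or the Ombudsman's own template), the following Python sketch captures the seven items listed above for each operation on a data subject's record and computes the retention period of one year counted from the end of the year of processing. The record layout, the validation rules and the in-memory store are assumptions; a production system would write to tamper-evident storage.

```python
"""Audit trail for personal data operations, modelled on the seven items the
Master Template requires an automated system to record (added example; the
record layout and storage are assumptions, not the Ombudsman's template)."""
from dataclasses import dataclass
from datetime import datetime, date, timezone
from enum import Enum
from typing import Optional


class Action(str, Enum):
    COLLECT = "collect"      # item (i): date, time and source of collection
    ALTER = "alter"          # item (ii): alteration of personal data
    VIEW = "view"            # item (iii): viewing of personal data
    TRANSFER = "transfer"    # item (iv): any transfer (copying)
    DELETE = "delete"        # item (v): date and time of deletion or erasure


@dataclass(frozen=True)
class AuditRecord:
    timestamp: datetime            # items (i) and (v): when the operation happened
    subject_id: str                # whose personal data was touched
    action: Action                 # which of the listed operations
    actor: str                     # item (vi): the person who performed the action
    source: Optional[str] = None   # item (i): source of collection (COLLECT only)
    purpose: Optional[str] = None  # item (vii): purpose/reason for the operation
    recipient: Optional[str] = None  # where a TRANSFER copy went


class PersonalDataAuditLog:
    """Append-only, in-memory store of AuditRecords (assumed storage model)."""

    def __init__(self) -> None:
        self._records: list[AuditRecord] = []

    def record(self, rec: AuditRecord) -> AuditRecord:
        # Reject records that would not satisfy the template's content rules.
        if rec.timestamp.tzinfo is None:
            raise ValueError("timestamp must be timezone-aware")
        if not rec.actor:
            raise ValueError("item (vi): the acting person must be recorded")
        if rec.action is Action.COLLECT and not rec.source:
            raise ValueError("item (i): source of collection is required")
        if rec.action is not Action.COLLECT and not rec.purpose:
            raise ValueError("item (vii): purpose is required for alteration, "
                             "viewing, transfer and deletion")
        if rec.action is Action.TRANSFER and not rec.recipient:
            raise ValueError("item (iv): a transfer must name the recipient")
        self._records.append(rec)
        return rec

    def history(self, subject_id: str) -> list[AuditRecord]:
        """All recorded operations on one data subject's personal data."""
        return [r for r in self._records if r.subject_id == subject_id]

    @staticmethod
    def retain_until(rec: AuditRecord) -> date:
        """Retention: one year beginning at the end of the year in which the
        processing took place, so a record from any day of year Y is kept
        until 31 December of Y+1."""
        return date(rec.timestamp.year + 1, 12, 31)

    def purge_expired(self, today: date) -> int:
        """Drop records whose retention period has ended; returns the count."""
        before = len(self._records)
        self._records = [r for r in self._records
                         if self.retain_until(r) >= today]
        return before - len(self._records)


def demo() -> PersonalDataAuditLog:
    """Constructed sample activity for one data subject (not real data)."""
    log = PersonalDataAuditLog()
    ts = datetime(2019, 3, 5, 10, 15, tzinfo=timezone.utc)
    log.record(AuditRecord(ts, "subj-001", Action.COLLECT, "crm-import-job",
                           source="web signup form"))
    log.record(AuditRecord(ts.replace(hour=11), "subj-001", Action.VIEW,
                           "agent-42", purpose="customer support ticket"))
    log.record(AuditRecord(ts.replace(hour=12), "subj-001", Action.TRANSFER,
                           "marketing-svc", purpose="email campaign",
                           recipient="mailing provider"))
    return log


if __name__ == "__main__":
    audit = demo()
    for r in audit.history("subj-001"):
        print(r.timestamp.isoformat(), r.action.value, r.actor,
              "retain until", PersonalDataAuditLog.retain_until(r))
```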

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Ukraine? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

As of now, there are no laws, requirements or standards that regulate data security in Ukraine. Accordingly, there is no single standard for data security, nor are there any requirements or rules for companies to implement any security standards for processing personal data.

That said, some companies are using international standards to secure data and implement them in their processes, eg, ISO 27001 Standards. In addition, they obtain ISO certifications and other international certifications in the field of information security.

6.2 How are data breaches regulated in Ukraine? What are the requirements for responding to data breaches?

Contrary to the GDPR, Ukrainian data protection laws do not provide any regulations for data breaches, nor any special requirements for responding to data breaches. Moreover, data controllers are not obliged to notify data subjects where a data breach occurs.


However, although there are no legal requirements for data breach notifications, some industries notify regulators (eg, telecoms companies).

Further, the Master Template (see question 5.1) contains general obligations on the data protection officer/department to inform the management of the data controller/data processor about any detected violation of the personal data protection legislation with the purpose of taking necessary measures.

The Master Template also states that the data protection officer/department must properly document all facts relating to breaches of processing and protection of personal data.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

Under Article 8 of the Privacy Act, data subjects have the following rights in Ukraine:

(a) to know about the sources of collection, the location of their personal data, the purpose of the processing, the location or place of residence of the controller or processor of the personal data, or to give appropriate instructions for receiving this information by their authorized persons, or as otherwise provided by law;

(b) to receive information about the conditions of access to personal data, including information about third parties to whom his/her personal data is transferred;

(c) to access his/her personal data;

(d) unless otherwise provided by law, to receive, within thirty calendar days from the date of receipt of the request, a reply on whether his/her personal data is being processed, and to receive the contents of such personal data;

(e) to submit a reasonable request to a controller with an objection to the processing of his/her personal data;

(f) to submit a reasonable request to change or destroy his/her personal data held by any controller and processor, if such data is processed illegally or is unreliable;

(g) to protect his/her personal data from unauthorized processing and accidental loss, destruction, damage due to intentional concealment, failure to provide or untimely disclosure, as well as to protect it against the provision of information that is inaccurate or detrimental to the honor, dignity and goodwill of an individual;

(h) to submit complaints about the processing of personal data to the authority or to court;

(i) to use remedies in case of violation of the laws on personal data protection;

(j) when giving consent, to make reservations restricting the right to process his/her personal data;

(k) to withdraw consent to the processing of his/her personal data;

(l) to be informed about any form of automated processing of his/her personal data; and

(m) to enjoy protection against any automated decision that may have legal implications for him/her.


Although the above rights are quite exhaustive, current case law in Ukraine suggests that the appetite is quite low for Ukrainian data subjects to defend their rights before the applicable authorities and courts.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

Ukrainian law does not define or regulate in detail marketing communications. The following general rules may apply:

(a) Law of Ukraine On Electronic Commerce (the "E-commerce Law")

The E-commerce Law defines "commercial electronic messages" (solicitation letters) as electronic messages in any form whose purpose is the direct or indirect promotion of goods, work or services or the business reputation of a person who conducts commercial or independent professional activity.

Commercial electronic messages may be sent to an addressee (eg, a potential buyer) only with his/her express consent, unless the addressee has the opportunity to unsubscribe from further receiving such messages.

A commercial electronic message must comply with the following requirements:

(i) it must be clearly identified as a commercial electronic message;

(ii) the person on whose behalf the commercial electronic message is sent must provide the recipients with direct and easy access to the details of the seller/service provider;

(iii) commercial electronic messages regarding rebates, premiums and prizes, etc, must be clearly indicated as such, and the conditions of their receipt shall be available and worded in a way that avoids ambiguity as well as complying with the advertising law requirements; and

(iv) information about the cost of the goods, works and services must include information as to whether applicable taxes are included and, in the case of supply of goods, information on delivery costs.

The E-Commerce Law expressly prohibits the practice whereby the fact of receipt of the advertising message by the consumer without his/her consent is used as a reason for increasing service fees charged by telecom operators/providers, payment system operators, hosting providers, Internet access providers, etc.

(b) Law of Ukraine On Advertising ("Advertising Act")

The Advertising Act establishes specific requirements regarding the promotion of services via the means of electronic communication (including telecommunications), which arguably also includes advertising on the internet and social media. Such advertising must contain the following details:

(i) description of the service;

(ii) service fee;

(iii) age or other restrictions for customers;

(iv) information about telephone call charges (paid or free of charge) when rendering the service, and the price of a one-minute call; and

(v) full name and address of the service provider.

The font size for the above information should not be smaller than half the size of the font used for the telephone number used for rendering the services.

Distribution of advertising via telex or fax is expressly prohibited.

The Advertising Act places a direct prohibition on the dissemination of messages concerning the advertisement of alcoholic beverages and tobacco, their trademarks and other intellectual property rights used for the production of alcoholic beverages and tobacco to an unspecified number of recipients via post, emails or mobile phones.

(c) Code of Mobile Marketing

The main mobile operators and market players in the Ukrainian market have adopted the Code of Mobile Marketing (as non-binding soft law), which sets out principles, conditions and procedures of mobile marketing (via SMS and MMS). Specifically, the Code sets out the requirements with respect to consumer choice and registration, consumer-related communication, termination of participation in a marketing event, as well as limitations of activities.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

Ukrainian law does not regulate the use of tracking technologies.

Under the general rules (see question 8.1(a)), commercial electronic messages must be sent to the addressee (eg, a potential buyer) only with his/her express consent, unless the addressee has the opportunity to unsubscribe from further receiving such messages.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

Ukraine does not have dedicated rules addressing targeted advertising and behavioral advertising. Rather, the general rules outlined above (see question 8.1(a)) apply.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

Ukrainian law does not directly regulate issues on sharing personal data with third parties for customer matching.

The Privacy Act provides for general rules obligatory for each data controller. Thus, if the advertiser acts as a data controller, prior explicit consent on the collection and further processing of personal data is generally required. Such consent should include permission to transfer the person's personal data to third parties. Furthermore, where notification of transfer is required under the data subject's consent, the Privacy Act requires the data controller to notify a person as to the fact of the transfer of his/her personal data within 10 days.

8.5 Are there specific privacy rules governing data brokers?

Ukrainian law does not regulate activities of data brokers. General rules and regulations apply.


It should be noted that Ukrainian law limits certain activities with personal data. In particular, breach of privacy (namely the illegal collection, storage, use, removal, distribution of confidential information about a person or illegal alteration of such information) is subject to criminal liability (Article 182 of the Criminal Code of Ukraine). Illegal disposal or distribution of information with limited access (in particular, which is stored on computers, automated systems, and computer networks or data storage devices) is also subject to criminal liability (Article 361-2 of the Criminal Code of Ukraine).

8.6 How is social media regulated from a privacy perspective?

Ukrainian law does not regulate this issue.

Under the general rules, advertising on the Internet, including in social media, is regulated in the same manner as offline advertising. Statutory regulation comprises specific advertising-related laws and general legislation. From a practical interpretation, marketing/advertising in social media should be in line with the Advertising Act if:

(a) the social media is located within a Ukrainian segment of the Internet (eg, registered in domain .UA);

(b) customers targeted by such advertising are located in the territory of Ukraine; or

(c) advertising is placed by technical means located in the territory of Ukraine.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

If the data subject's personal data is collected and processed as a condition to participate in a loyalty program/promotion, its official terms must contain provisions relating to obtaining explicit consent from the data subject (it must set out, among other matters, the specific purpose of the personal data processing and the scope of the processed personal data).

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

According to Article 29 of the Privacy Act, cross-border data transfers are allowed to countries that provide an adequate protection of personal data. Members of the EU and EEA, as well as countries which have ratified the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, are amongst those which have an adequate level of protection of personal data. Moreover, the Article provides that the Cabinet of Ministers of Ukraine (Ukrainian government) will adopt a list of countries that provide an adequate level of personal data protection (though no such list has yet been adopted).

Cross-border transfers of personal data are allowed from Ukraine under one of the following bases:

(a) an express consent to cross-border transfer;

(b) it is necessary to conclude or perform a transaction between the data controller and a third party for the benefit of the data subject;

(c) it is necessary to protect the vital interests of data subjects;


(d) it is necessary to protect the public interest, or to establish, secure and enforce legal demands; and

(e) the controller of personal data has provided appropriate safeguards to ensure the confidentiality of the private and family life of the data subject.

It should be noted that personal data must not be transferred and shared outside Ukraine for any other purpose than that for which it was initially collected and processed.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

Ukrainian law does not stipulate any specific requirements relating to cross-border data transfer agreements, other than that such agreements must be in writing. Moreover, in Ukraine, there are no model contractual clauses for data transfer agreements that are officially approved by the Ombudsman.

In April 2013, the Working Group on Personal Data Protection at the American Chamber of Commerce in Ukraine prepared the Template Data Transfer Agreements ("AmCham Template"). Whilst these templates are not binding, they can be used as a basis for drafting an agreement on cross-border data transfer.

As there are no official model contractual clauses in Ukraine for cross-border data transfer agreements, most companies in Ukraine are developing their agreements using either the AmCham Template or the standard (model) contractual clauses which were adopted by the European Commission.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

The Ombudsman, courts and police are responsible for enforcing the requirements of the Privacy Act. According to the legislation, it can be enforced through administrative, criminal and civil actions. Therefore, it can lead to administrative fines, penalties or sanctions, civil actions, criminal proceedings and/or private rights of action.

The penalties in Ukraine for a violation of the Privacy Act are quite low. Practically, the worst-case scenario is for an administrative penalty, where the highest fine can be the equivalent of about EUR 1,000. There is a risk of criminal liability (with a worst-case scenario of either corrective labor for up to 2 years, or arrest for up to 6 months, or personal restraint for up to 3 years), but the enforcement practice to date is minimal. To date, we are not aware of any decision in Ukraine, from the courts or other authority, outlining serious legal consequences for a company or individual based on a data protection violation.

The appetite of data subjects for filing a court claim for compensatory damages in Ukraine is also very low.

The risk of being fined by the Ombudsman is also currently low.


10.2 Do individuals have a private right of action? What are the potential remedies?

Under Ukrainian legislation, individuals have a private right of action. Individuals in Ukraine can apply to the Ombudsman, police or to the courts to seek legal protection for any illegal processing of their personal data. Moreover, in accordance with Article 8 of the Privacy Act, a data subject has the right to file a complaint to the Ombudsman or the court and use the available means of legal defense in case of violation of data privacy and personal data protection law.

However, there is very little public awareness about data privacy laws or issues related to this matter. Therefore, very few claims have been brought to court by individuals regarding the infringement of data protection laws.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Ukraine which affect privacy?

There are no special cultural features regarding privacy in Ukraine. Generally speaking, Ukrainian citizens are not very familiar with their rights regarding privacy and personal data. Because the laws of Ukraine do not impose any substantial fines or liability for data breaches or other privacy-related infringements, businesses implement only the minimum requirements established by the Privacy Act. Moreover, the enforcement practice to date is minimal and does not explicitly relate to international business.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

Led by the commitments in the Association Agreement with the EU, in October 2017 the Ukrainian Parliament planned to implement the GDPR into national legislation by May 25, 2018. However, this goal has not yet been met. There have been several unsuccessful attempts to draft an implementation bill, and new GDPR implementation bills are expected from the newly elected Parliament. In addition to the GDPR, the Ukrainian Parliament has planned to implement the e-Privacy Directive as a part of the process of integrating EU and Ukrainian legislation.

In 2018, the Ukrainian data protection authority finished collaborating on the project, the EU Twinning Ombudsman, which was supported by a team of Lithuanian and Austrian partners. The EU Twinning Ombudsman has drafted a new draft law of Ukraine "On Protection of Personal Data." However, the Ukrainian Parliament has not yet addressed the draft law. On November 12, 2019, the Ombudsman established an interagency working group on the development of legislative proposals in the field of personal data protection, which will finalize the work of the EU Twinning Ombudsman and address the draft law to the Ukrainian Parliament. With the election of a new President and the Parliamentary elections held in 2019, this matter is likely to be reviewed by a new presidential administration, government and parliament. Currently, the position of the newly elected President on this matter is unclear. Therefore, it is advisable to monitor this issue over the coming year.

One of the much-anticipated developments in the privacy landscape in Ukraine relates to the Ukrainian IT associations' application to the EU Commission for an adequacy decision under Article 45 of the GDPR for the Ukrainian IT industry as a 'specified sector within a third country'.


11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Ukraine?

The Ombudsman and the Department of Personal Data (a special division within the Ombudsman's office) are responsible for implementing the Ombudsman's powers relating to personal data protection and have several additional responsibilities, namely:

(a) monitoring compliance with the existing data protection laws and regulations;

(b) preparation of regulatory changes, bills, and proposals for prevention of personal data violations;

(c) conducting scheduled and unscheduled inspections (according to the information on the Ombudsman's website, the last inspection took place in May 2019); and

(d) keeping a search base of personal data controllers.

All other duties of the Ombudsman can be found on the Ombudsman's website.

However, despite there being a long list of official duties of the Ombudsman, his activity in the field of personal data is quite weak. At the same time, the Ombudsman has been quite efficient at interpreting laws. For example, the Ombudsman has developed several guidelines, which are very important for business and bring clarity for some data-related issues. In particular, the following guidelines have been approved by the Ombudsman:

• Model Rules on Personal Data Processing;

• Rules on Exercising Control by the Ukrainian Parliament Commissioner for Human Rights over Compliance with Laws on Personal Data Protection; and

• The Procedure of Notification of the Ukrainian Parliament's Commissioner for Human Rights on the Processing of Personal Data, which is of Particular Risk to the Rights and Freedoms of Personal Data Subjects, on the Structural Unit or Responsible Person that Organizes the Work Related to Protection of Personal Data during Processing Thereof.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

Since the Privacy Act entered into force in 2011, there have been only two significant changes in the sphere of privacy or personal data protection. From January 1, 2014, all functions relating to the protection of personal data in Ukraine were transferred from the State Service of Personal Data Protection to the Ombudsman; and the requirement to register databases that contain personal data was cancelled. Since that time, data controllers are obliged to notify the Ombudsman whenever they process data that is categorized as extreme risks personal data.

12.2 What do you envision the privacy landscape will look like in 5 years?

As Ukraine is a prospective member of the European Union, it is obliged to harmonize its legislation with the standards of EU legislation. Therefore, we assume that both the GDPR, the e-Privacy Directive, and other privacy-related legislation will be adopted by the Ukrainian Government. Based on the continuous adaptation of Ukrainian legislation to EU standards, it is likely that the GDPR will be adopted within the next four years.

Based on these facts, the privacy landscape in Ukraine is going to start to change in the near future. In five years’ time, the GDPR standards will have been implemented at State level, and thus businesses should have started to implement global privacy standards in their companies.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

For now, there are no major privacy-related challenges for companies who are doing business in Ukraine. The main challenges as of now are data protection rules for processing and transferring sensitive/extreme risks personal data both in and outside Ukraine.

As no relevant changes have been made since 2014, there are no new challenges for the companies. The challenges will occur only after the GDPR and other international privacy standards have been implemented by the Ukrainian Parliament. For this reason, it is reasonable to monitor the legislative changes in Ukraine and to start preparing for the expected changes.

PRIVACY LAW – UNITED ARAB EMIRATES

1 PRIVACY LAW

1.1 How is privacy regulated in United Arab Emirates?

Currently, there are no general data protection laws in the UAE, nor are there explicit laws or authorities that deal specifically with privacy in the UAE (other than in the Dubai International Financial Centre (“DIFC”) and Abu Dhabi Global Market (“ADGM”) Free Zones). However, there is an expectation that such laws will be passed in the near future, reflecting the global interest in this area of law.

However, there are a number of UAE Laws and legal provisions of general application in the context of privacy and data protection that can be considered to be relevant to protecting data subjects against unauthorized disclosure of personal data. These provide for both criminal and civil sanctions against unauthorized disclosure of personal data.

While these types of provisions are not entirely consistent with the approach to data privacy issues addressed in modern data protection laws in other jurisdictions, nor as extensive, they must still be considered when assessing the legal basis for processing personal data in the UAE, and associated transfers of personal data to recipients outside the UAE.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

While the UAE does not have comprehensive data protection legislation in the style of the California Consumer Privacy Act (“CCPA”) or General Data Protection Regulation (“GDPR”) (other than in a few free zones, including, most notably, the DIFC and ADGM), there are provisions of general application in relation to the processing, transfer and disclosure of personal data or confidential information. The key laws are the following:

(a) The UAE Constitution: Article 31 is considered to grant a general right to privacy for citizens of the UAE, as it provides for the right to freedom and secrecy of communication by post, telegraph or other means of communication under law.

(b) Federal Law No 3 of 1987 (“Penal Code”): Article 379 imposes sanctions on: “Any individual who, by reason of his profession, craft, circumstance or art is entrusted with a secret and who discloses it in cases other than those permitted by the law, or who uses it for his own advantage or another person’s advantage... unless the individual to whom the secret pertains has consented that it be disclosed or used.”

While there is no guidance in relation to the definition of “secret”, personal data would certainly be capable of being considered a “secret”, depending, of course, on the nature of the data and the manner in which it was revealed.

In addition, Article 380 (bis) adds: “Detention shall be inflicted upon whoever unrightfully copies, distributes or provides another person with the content of a phone call or message or information or data or any other such things that he examines by virtue of his profession”.

(c) Federal Law No 5 of 2012 relating to Combating Information Technology Crimes (“Cyber Crimes Law”) also contains provisions that are relevant to the area; imposing sanctions on gaining access to a website, IT system or computer network without (or in excess of) authorization, with increased sanctions where the access results in (amongst other things) disclosure of any data or information, especially where the information is personal information. Note that it imposes the liability on the perpetrator — there is no obligation on the entity holding the data to act in a particular manner. The unauthorized use of any IT system to disclose confidential information obtained during the course of employment is also sanctioned (see, further, question 10.1).

While these types of provisions differ from the approach to data protection issues in other jurisdictions, they should be considered when assessing the legal basis for processing personal information in the UAE, and associated transfers of personal data to recipients outside the UAE. Ultimately, the risk under UAE law tends to be managed by way of suitable consent from the data subject, despite it being clear that specific written consent is not a strict legal requirement in all circumstances.

In addition, a variety of laws relating to the protection of data that is held in relation to health insurance, patient confidentiality, and creditworthiness contain specific provisions related to privacy and data protection.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

Outside of the free zones noted above, where provisions will apply only to companies that are established in those free zones, there is no regulatory authority specifically addressing privacy in the UAE. There are also no self-regulatory bodies. Breach of the Penal Code or Cyber Crimes Law will give rise to criminal liability (and hence a police prosecution). It would also (alternatively, or in addition) allow for civil recovery of damages under Federal Law No 5 of 1985 on the Civil Transactions Law of the United Arab Emirates (“Civil Code”). The Civil Code does not specifically refer to the disclosure of data or confidential information, but its terms in relation to recovery of damages for acts caused by a third person could be applied in that manner.

2 SCOPE

2.1 Which companies are subject to privacy law in United Arab Emirates?

Because the law is a general law that protects data in a very general manner, it can apply to all companies that operate in the UAE.

2.2 Does privacy law in United Arab Emirates apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

The criminal laws (Penal Code and the Cyber Crimes Law) will be difficult to enforce against an entity extra-territorially and, indeed, the Cyber Crimes Law in particular has a provision that notes that, in respect of a crime that takes place outside of the UAE, it will only have jurisdiction if the target was a UAE government entity.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in United Arab Emirates?

There is no definition of “personal data”. The laws variously use the terms “secret information”, “private” matters and the like. There is no guidance as to whether the use of the different terms was intentional, or whether they are meant to signify different types of information or data.

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

Outside of the specific regulations in relation to health insurance, patient confidentiality, and creditworthiness, there are no categories listed.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

The law does not include principles such as these. The most important aspect for each of the laws listed above would be the obtaining of consent from the data subject.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

These roles are not expressly assigned under any UAE law.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

These key obligations are not specifically required under any UAE law.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in United Arab Emirates? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

This is not specifically covered under any UAE law.

6.2 How are data breaches regulated in United Arab Emirates? What are the requirements for responding to data breaches?

This is not specified under any UAE law. The Penal Code does contain a provision that requires a report of a crime to be made to the police, although this is not always done in practice.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

There is, as noted, a general constitutional right to privacy.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

There are restrictions relating to “spam” that can be considered. Marketing communications are regulated by the Telecommunications Regulatory Authority under its Unsolicited Electronic Communications Policy dated December 30, 2009 (“Spam Policy”) and the associated Mobile Spam Annex.

The Spam Policy requires consent from recipients in two specific scenarios:

(a) The first is where marketing communications are to be sent by the two locally licensed telecoms service providers.

(b) The second, under the Mobile Spam Annex, refers to marketing communications that are sent by bulk SMS service providers who have contracted with licensed telecoms service providers to send messages.

Outside of these two specific scenarios, other organizations that send marketing communications are not subject to any regulation requiring consent. The Spam Policy does require licensed telecoms service providers to take all practical measures to end the transmission of unsolicited marketing electronic communications (being defined as marketing electronic communications sent without the consent of the recipient).

Ultimately, obtaining the consent of the recipient would limit any risk in the UAE, albeit that the risk can be considered small. As noted above, the Spam Policy does not apply directly to senders who are not locally licensed telecoms service providers or bulk SMS service providers under contract with a locally licensed telco.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

This is not specifically addressed under any UAE law.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

This is not specifically addressed under any UAE law.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

This is not specifically addressed under any UAE law. The law would, as noted above, require a general consent.

8.5 Are there specific privacy rules governing data brokers?

This is not specifically addressed under any UAE law.

8.6 How is social media regulated from a privacy perspective?

This is not specifically addressed under any UAE law.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

This is not specifically addressed under any UAE law. In general, we find that many loyalty programs have accumulated large databases from various sources, and continue their use on the basis that the spam laws detailed above are not actively enforced.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

This is not specifically addressed under any UAE law. The terms of Article 380 (bis) of the Penal Code (see question 1.2(b)) do, however, imply that consent may be needed to “distribute or provide another person with … information or data or any other such things that he examines by virtue of his profession”. This would, on an ordinary interpretation, potentially cover any transfer, whether within the UAE or outside of it.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

This is not specifically addressed under any UAE law.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

(a) These can be criminal in nature:

(i) Under the Penal Code Article 379: “Any individual who, by reason of his profession, craft, circumstance or art is entrusted with a secret and who discloses it in cases other than those permitted by the law, or who uses it for his own advantage or another person’s advantage, shall be punishable by imprisonment for a minimum period of one year and/or by a fine of at least 20,000 Dirhams, unless the individual to whom the secret pertains has consented that it be disclosed or used. The punishment shall be imprisonment for a period not exceeding 5 years if the perpetrator is a public servant or an officer entrusted with a public service to whom the secret has been confided during, because of or by reason of performing his duties or services.” In addition, Article 380 (bis) adds: “Detention shall be inflicted upon whoever unrightfully copies, distributes or provides another person with the content of a phone call or message or information or data or any other such things that he examines by virtue of his profession”.

(ii) Article 2 of the Cyber Crimes Law provides that gaining access to a website, an IT system or computer network without authorization (or in excess of authorization) is punishable by imprisonment and/or a fine of between AED 100,000 and AED 300,000. If such access results in (amongst other things) disclosure of any data or information, then the punishment shall be imprisonment for a period of at least 6 months and/or a fine of between AED 150,000 and AED 750,000, or at least 1 year and/or a fine of between AED 250,000 and AED 1 million if the disclosed information is personal data.

(iii) Article 22 of the Cyber Crimes Law provides that unauthorized use of any IT system to disclose confidential information obtained during the course of employment shall be punished by imprisonment for a period of at least 6 months and/or a fine of between AED 500,000 and AED 1 million.

(b) There are also civil actions:

(i) The Civil Code allows for recovery of damage for any tortious act, and this would include the harm done because of misuse of a person’s data. Article 282 is broadly phrased:

“Any harm done to another shall render the actor, even though not a person of discretion, liable to make good the harm.”

The data subject has three years to lodge a claim. It is important to note that the UAE courts require absolute proof of damage, and the damage must be attributable to the tortious act. We note that the availability of criminal sanctions means that civil actions are not often sought — we see few such cases in action.

(ii) In addition, the Civil Code has provisions that apply to employees in particular. They are required, under Article 905, to “keep the industrial or trade secrets of the employer, including after the termination of the contract, as required by the agreement or by custom”. In practice, we see most employers including a contractual term to augment this provision. The Article is limited in scope by the fact that the employer must prove the damage that arises, as is the case for all actions under the Civil Code.

(iii) Federal Law No 18 of 1993 on the Commercial Transaction Law also provides that traders may not seek to elicit secrets from their competitor’s employees (under Article 64). Article 224 applies a similar obligation on an agent acting for a principal.

10.2 Do individuals have a private right of action? What are the potential remedies?

As individuals are able to report violations to the police, prosecutions would be undertaken by the police prosecution, rather than by an individual. With adequate proof of damage and the causal link between the damage and the act of disclosing the information in question, a civil action could be taken under UAE law.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of United Arab Emirates which affect privacy?

There are none.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

There is an expectation that a comprehensive data protection regime will be introduced in the UAE in the very near future. Sources have noted that the current draft will replicate the system implemented under the GDPR, following the lead of other countries in the region.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in United Arab Emirates?

At this stage, pending the new laws, there is nothing else to know.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

We have seen some interesting cases relating to privacy, in particular relating to the failure to obtain releases from people who are featured in audio-visual content. This issue reflects the importance placed on privacy by the government. However, the cases are generally related to the use of people’s images without consent and do not reflect the data protection matters that are being seen in other countries at this time.

12.2 What do you envision the privacy landscape will look like in 5 years?

We expect that in 5 years’ time there will most definitely be a federal law that addresses issues of data protection, and that it will reflect the general scope and operation of the GDPR provisions. This sort of legislation has already been introduced in neighboring countries such as Bahrain.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

We see the introduction of the anticipated new laws as being particularly problematic for entities that have been operating in the region for some years, as they are not yet accustomed to considering the importance of data protection. Businesses that are not already in the process of auditing and analyzing their data and their use of data may find themselves being unable to use or keep certain data that they have been using for some years. This is particularly challenging for the large number of small and medium sized companies (“SME”s) in the UAE. Our recommendation to all companies is to start this process as early as possible, and certainly before any laws come into force.

PRIVACY LAW – UNITED KINGDOM

1 PRIVACY LAW

1.1 How is privacy regulated in the United Kingdom?

The primary privacy legislation in the United Kingdom is the General Data Protection Regulation (“GDPR”). As an EU regulation, it currently has direct effect in the United Kingdom, and is also implemented in UK law through the UK Data Protection Act 2018 (“DPA 2018”).

The UK government has issued the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 which amend the DPA 2018 so that it will work in a UK context after the United Kingdom leaves the European Union (“Brexit”). In practice there will therefore be little change to the core data protection principles, rights and obligations found in the GDPR immediately after Brexit.

The Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) implement Directive 2002/58/EC (the “ePrivacy Directive”) in UK law (see the European Union chapter). Currently, a draft of an ePrivacy Regulation (“ePR”) is being considered as a replacement for the ePrivacy Directive. Once in force, it will be directly applicable in the Member States. However, if this is finalized after Brexit (and after any transition period) the ePR will not automatically form part of UK law (subject to any agreement between the European Union and the UK government). How the law in this area will evolve is therefore unclear at the time of writing.

Although this note focuses on the GDPR and PECR, English law has also developed the tort of misuse of private information, which has enabled it to give effect to its obligations under the European Convention on Human Rights.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

The primary laws are those set out in the GDPR — please see the European Union chapter.

The GDPR regulates all aspects of the processing of personal data, from its collection, to its treatment, security and storage, through to deletion. Thus, it also covers the requirements regarding the use of personal data for advertising purposes, information obligations of the advertiser, as well as certain rights of the data subject.

The DPA 2018 has supplemented the GDPR in areas which provided for national derogations. For example, it:

(a) stipulates additional conditions and safeguards for processing special category and criminal offense data in a number of scenarios (see question 3.2); and

(b) adds exemptions to various parts of the GDPR, including in relation to data subjects’ rights, and the transparency obligations in Articles 13 and 14 (these include where the information is subject to legal professional privilege, is necessary for establishing or defending legal rights, or for various “public interest” reasons).

In addition, the PECR sit alongside the GDPR and provide for specific rules that apply in relation to electronic communications. These rules apply irrespective of whether personal data is processed for the purposes of the electronic communication. For more information about the PECR, please see question 8.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

The Information Commissioner’s Office (“ICO”) is the supervisory authority for the United Kingdom. It enforces breaches of privacy legislation through regulatory action, as well as issuing its own guidelines on how to comply with the GDPR in practice. The ICO has investigatory and corrective powers, including the power to impose a fine in respect of violations of the GDPR. At present, regulatory action (in particular fines) is the main concern for most businesses when thinking about GDPR compliance.

Nevertheless, it is also possible to bring claims for breach of the GDPR in the United Kingdom’s civil courts — this is the mechanism by which individual data subjects are able to obtain financial redress. Whilst such claims have been relatively rare, the prospect of litigation by large groups of claimants following a recent decision of the Court of Appeal will likely make them a far bigger concern for data controllers going forward. These claims are of particular relevance for controllers processing the personal data of large numbers of data subjects.

2 SCOPE

2.1 Which companies are subject to privacy law in the United Kingdom?

See the European Union chapter for information on the material scope of the GDPR.

2.2 Does privacy law in the United Kingdom apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

See the European Union chapter for information on the territorial scope of the GDPR.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in the United Kingdom?

See the European Union chapter for the GDPR definition of “personal data”, which is the applicable definition in the UK.

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

See the European Union chapter for what data is considered “special” under the GDPR — this is applicable in the UK, albeit that the UK opted for a lower age for children to give their consent in relation to information society services: 13 years.

Please note that the DPA 2018 imposes additional conditions and safeguards when processing special category and criminal offense data. These include, but are not limited to, where the processing is necessary for the purposes of:

(a) performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment;

(b) health or social care purposes;

(c) the administration of justice;

(d) the prevention or detection of unlawful acts; or

(e) certain protective functions, including protecting members of the public against dishonesty, malpractice, unfitness or incompetence, or mismanagement (these provisions are used by regulatory bodies — for example those regulating the professions — to investigate fitness to practice).

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

See the European Union chapter.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

See the European Union chapter.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

See the European Union chapter.

In addition, the ICO has produced its own guidance on many of these topics (eg, on the transparency requirements under Articles 13 and 14; how to maintain an Article 30 record; when to conduct a data protection impact assessment (“DPIA”); how to deal with data breaches; and compliance in relation to direct marketing and the use of cookies). This guidance provides an additional insight into what controllers must do in practice to comply with the GDPR and PECR.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in the United Kingdom? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

See the European Union chapter.

6.2 How are data breaches regulated in the United Kingdom? What are the requirements for responding to data breaches?

See the European Union chapter.

The ICO has produced additional guidance on data breach requirements, including when a breach may be notifiable under Article 33, when individuals should be informed under Article 34 and what to do where the data controller has only partial information about the breach available.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

See the European Union chapter.

It is worth noting that requests under Article 15 (data subject access requests) are more common in the United Kingdom than many other jurisdictions and the right to obtain copies of the personal data is taken seriously by the ICO.

In the United Kingdom, Article 15 requests are commonly used to try to obtain documents as a precursor to litigation, or as a pressure tactic in the case of pre-action disputes. However, controllers should be wary about ignoring such requests. Case law is clear that these purposes do not render the request invalid.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

See the European Union chapter for privacy law obligations.

In addition, the PECR sit alongside those privacy law obligations and provide for specific rules that apply in relation to electronic communications. These rules apply, irrespective of whether personal data is processed for the purposes of the electronic communication.

Amongst other things, the PECR prohibit persons from sending (or instigating another person to send) unsolicited communications to individual subscribers via electronic mail, where the communications are made for the purpose of direct marketing. The prohibition applies unless the organization:

(a) has obtained consent (which must be of a “GDPR standard”) from the recipient; or

(b) is able to rely on what is known colloquially as the “soft opt-in” or “existing customer” exemption (which is outside the scope of this chapter).

The communication itself does not need to contain any “marketing material”. The prohibition will apply where the purpose of the communication is to undertake direct marketing. As such, an organization will breach the PECR if it sends an electronic mail to a recipient which asks the recipient to confirm whether or not they want to receive direct marketing communications from the organization.

The words “electronic mail” are interpreted broadly by the ICO, although the limits of these words have not been fully tested in English Courts. These words clearly include traditional emails and text messages. However, the ICO has recently expressed the view (in its direct marketing code of practice — still in draft at the time of writing) that “electronic mail” includes other types of communications that can be stored electronically, including push notifications and private messages sent to a social media inbox.

The prohibition only concerns “individual subscribers” and not “corporate subscribers”. Broadly, this is understood to mean that B2B communications are not caught by the prohibition; but care needs to be taken, because some businesses (in particular sole traders and some partnerships) are treated as individual subscribers.

Finally, the PECR also regulate other forms of communications, including live and automated telephone calls and facsimile, although these forms of communications are outside the scope of this chapter.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

See the European Union chapter. By way of clarification, where cookies and similar technologies store information or access information stored on user devices, the PECR require user consent to be obtained. This is a separate requirement to having an Article 6 lawful basis for any processing of personal data by such technologies.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

See the European Union chapter.

At the time of writing, targeted and behavioral advertising activities — which involve the widespread collection, use and sharing of personal data amongst many different “adtech” service providers that sit between advertisers and online publishers — are being scrutinized by the ICO. These activities have also been the subject of complaints to the ICO from various privacy activists, who regard them as constituting an industry-wide data breach which exposes data subjects to alleged mass profiling and the risk of manipulation and discrimination.

In June 2019, the ICO issued a progress report setting out its initial concerns about the use of personal data in the adtech sector — which was described as “immature in its understanding of data protection requirements” — in particular when it comes to real time bidding (“RTB”). The ICO gave industry six months to improve its data protection practices. If you would like to read more about this report, please visit https://www.lewissilkin.com/en/news/ico-update-report-into-ad-tech-and-rtb.

In January 2020, the ICO announced that, while it has observed improvement from some industry actors, it “will continue to investigate RTB” and that “it may be necessary to take formal regulatory action”. This announcement did not, however, satisfy the complainants referred to above, whose lawyer alleged that “the ICO has failed to take direct enforcement action needed to remedy these breaches” and called for “proper judicial oversight” of the ICO.

It remains to be seen what, if any, formal regulatory action will be taken by the ICO, but we expect this to continue to be an area of focus for the foreseeable future. At the time of writing, the latest ICO blog suggests regulatory action is imminent.


8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

See the European Union chapter.

In addition, the ICO has recently issued a draft direct marketing code of practice, which states that consent is usually the most appropriate lawful basis for the use of “custom audience” advertising. The ICO has not ruled out reliance on legitimate interests for such activities but, in the ICO’s view, these activities are not in the “reasonable expectations” of data subjects and, therefore, organizations may find it difficult properly to establish legitimate interests as a lawful basis for such processing.

8.5 Are there specific privacy rules governing data brokers?

See the European Union chapter.

In addition, the ICO’s recently issued draft direct marketing code of practice cautions organizations to “be very careful about using” direct marketing lists offered for sale, rent or license by data brokers and other organizations. In particular, care is needed as regards ensuring that adequate transparency has been provided to data subjects (about the collection, sharing and use of their personal data), and that there is a lawful basis for the sharing and subsequent processing of the personal data contained in the list.

Therefore, while data broking activities are not specifically regulated from a data protection perspective, they are a specific form of activity that the ICO is concerned about in the context of data protection obligations owed more generally (under the GDPR and PECR).

8.6 How is social media regulated from a privacy perspective?

See the European Union chapter.

In addition, given the propensity for social media to be used to direct targeted or behavioral advertising to individuals, including by the use of social media operated tracking technologies (such as “plug-ins”), see also the responses to questions 8.2 and 8.3.

Moreover, the ICO’s recent draft direct marketing code of practice identifies the use of social media for the purposes of direct marketing as being an area of focus in the context of data protection obligations owed more generally (under the GDPR and PECR). In particular, the ICO has indicated that consent will usually be required to undertake “custom audience” advertising, and that direct marketing sent to an individual’s social media inbox constitutes marketing via “electronic mail” (see question 8.1).

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

See the European Union chapter.

Again, however, loyalty schemes feature a number of times in the ICO’s recently issued draft direct marketing code of practice. The profiling of personal data collected via the use of loyalty schemes is regarded by the ICO as a processing activity that is “likely to result in a high risk” to data subjects, triggering the GDPR requirement to undertake a DPIA.


In addition, where such profiling is “privacy intrusive” or may result in “significant risks” to a data subject, which would include discriminating against the data subject by causing them to pay a higher price for a product or service, such processing will not be “in an individual’s reasonable expectations” and, as such, cannot be undertaken on the basis of the organization’s legitimate interests (consent will be required).

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

See the European Union chapter.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

See the European Union chapter.

In addition, as a result of its exit from the European Union, the United Kingdom will become a “third country” insofar as the European Union is concerned. Consequently, following the expiry of the “transition period” (currently set to take place on December 31, 2020), transfers of personal data from the European Economic Area (“EEA”) to the United Kingdom will be treated the same as transfers of personal data from the European Union to other non-EU territories. Unless such transfers are exempt, they will only be lawful if the United Kingdom achieves an adequacy decision from the European Commission or (absent such a decision) appropriate safeguards (eg, standard contractual clauses) are in place in respect of the transfer.

There have been conflicting reports over the likelihood that the United Kingdom will be granted adequacy status. Ultimately, the decision is a political one, and will likely form part of the overall negotiation of the future relationship between the United Kingdom and the European Union. At present, there is little reason to assume that adequacy status will be denied. Organizations should, however, continue to monitor and be prepared to implement appropriate safeguards should the need arise.

Finally, transfers of personal data in the opposite direction — ie, from the United Kingdom to the EEA — are not expected to be affected in a similar way. The UK government has taken a pragmatic approach by indicating that it will not treat any such transfers as being restricted and that no additional safeguards will be necessary (though, again, this is a political matter and is subject to change). On a similar note, adequacy decisions and safeguards that can be relied on to transfer personal data outside the EEA (eg, standard contractual clauses and Privacy Shield certifications) are expected to be “adopted” by the United Kingdom, so that they can be relied on to transfer personal data from the United Kingdom to non-EEA territories.


10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

See the European Union chapter.

10.2 Do individuals have a private right of action? What are the potential remedies?

See the European Union chapter.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of the United Kingdom which affect privacy?

None.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

The ICO is currently investigating the adtech industry in respect of its compliance with the GDPR. Please see further question 8.

In addition, the draft ePR is also a hot topic. Please see the European Union chapter.

Finally, the United Kingdom’s withdrawal from the European Union (“Brexit”) has the potential to have a significant impact on data protection, in particular in respect of the transfers of personal data from the EEA to the United Kingdom (which may become “restricted transfers”). However, few far-reaching consequences are expected during the implementation period (which will last until at least December 31, 2020). If you would like to read more about Brexit’s impact on data protection, please visit https://www.lewissilkin.com/en/campaigns/brexit/data-privacy.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in the United Kingdom?

None in particular.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

See the European Union chapter.

One trend that we have observed is a greater propensity for individuals to “weaponize” their privacy rights, and to bring civil claims in small claims courts for purported (and relatively minor) violations of data protection and ePrivacy law, in particular in respect of direct marketing activities.


12.2 What do you envision the privacy landscape will look like in 5 years?

See the European Union chapter.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

See the European Union chapter.

From a local perspective, although the GDPR purports to harmonize EU data protection laws, companies operating across borders will face uncertainties as national supervisory authorities and courts interpret the GDPR’s requirements. Although the United Kingdom has committed to maintaining a parallel regime in the wake of Brexit, it remains to be seen whether this will hold true, especially as the United Kingdom is unlikely to recognize decisions of the Court of Justice of the European Union as being binding on it. In any event, it will take some years for these uncertainties to subside.

We also envisage that data transfer mechanisms — in particular Standard Contractual Clauses and Privacy Shield (both the EU-US and UK-US version) — will come under further attack from privacy activists.


PRIVACY LAW – UNITED STATES OF AMERICA

1 PRIVACY LAW

1.1 How is privacy regulated in the United States?

US privacy is regulated through a patchwork of federal, state and sector-specific privacy laws and self-regulation. There is no single comprehensive data privacy framework similar to Europe’s General Data Protection Regulation (“GDPR”). California recently enacted the California Consumer Privacy Act of 2018 (“CCPA”), which is currently the most comprehensive privacy law in the US.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

Below are some key privacy laws relevant to advertising practices:

(a) Federal Law

(i) Federal Trade Commission Act (“FTC Act”): The FTC Act prohibits unfair or deceptive acts or practices in or affecting commerce. The FTC Act was not specifically designed to regulate privacy; however, the Federal Trade Commission (“FTC”) has brought a wide range of privacy and data security related enforcement actions against companies based on alleged violations of the FTC Act.

(ii) Children’s Online Privacy Protection Act (“COPPA”): COPPA regulates the online collection of information from children, and is perhaps the most important US privacy law for the advertising industry. The law prohibits companies from knowingly collecting personal information from children under 13 without verifiable parental consent unless an exception applies.

(iii) Controlling the Assault of Non-Solicited Pornography and Marketing Act (“CAN-SPAM”): CAN-SPAM regulates the use of commercial emails. The law requires companies to allow individuals to opt-out of receiving marketing emails, among other things.

(iv) Telephone Consumer Protection Act (“TCPA”) and Telemarketing and Consumer Fraud and Abuse Prevention Act: These laws regulate telemarketing activities, such as telephone calls and text messages. Notably, TCPA prohibits companies from making calls or sending texts without prior express consent.

(v) Video Privacy Protection Act (“VPPA”): VPPA regulates information that identifies an individual as having requested or obtained specific video materials or services. The law prohibits companies from knowingly disclosing such information without prior consent, and is relevant to video streaming and online integrations.

(vi) Health Insurance Portability and Accountability Act (“HIPAA”): HIPAA regulates the use and disclosure of protected health information by healthcare providers, health plans, and healthcare clearinghouses, as well as companies that perform services on behalf of these entities, such as advertising agencies.

(vii) Fair Credit Reporting Act (“FCRA”): FCRA regulates companies that compile and sell reports regarding consumer eligibility for certain benefits and transactions, as well as companies that use those reports. Advertisers arguably could become subject to FCRA depending on their use of third-party data.


(viii) Gramm-Leach-Bliley Act (“GLBA”): GLBA regulates the use of nonpublic personal information collected by financial institutions in connection with providing financial products or services, as well as companies that receive such information, such as advertising agencies.

(ix) Family Educational Rights and Privacy Act (“FERPA”): FERPA regulates the processing of student information.

(b) State and Municipal Law

(i) California Law: California leads the US in setting data privacy and security standards, and has inspired similar or near identical legislation in other states.

(1) California Online Privacy Protection Act (“CalOPPA”): Considered the nation’s first online privacy law, CalOPPA requires businesses that collect the personal information of California residents from websites, apps, or other online services to post and honor their privacy policies.

(2) California Consumer Privacy Act (“CCPA”): The CCPA is California’s new comprehensive privacy law that imposes robust obligations on businesses that process the personal information of California residents, and provides California residents with the rights to know, delete, and opt-out of the sale of their personal information to third parties. The law also regulates service providers and other third parties that receive personal information from businesses.

(3) California “Shine the Light”: This law requires businesses to disclose certain information regarding how they share personal information of California residents with third parties for those third parties’ own direct marketing purposes.

(4) Privacy Rights for California Minors in the Digital World Act (“Eraser Law”): This law requires businesses to permit minors who have an online account with the business to remove from public view content posted by them through their account.

(5) Song-Beverly Credit Card Act: This law regulates the collection of personal identification information in connection with credit card transactions.

(6) Student Online Personal Information Protection Act: This law prohibits the sharing of certain student information for targeted advertising purposes.

(ii) Nevada Sale Law: This law gives Nevada residents the right to opt-out of the sale of their covered information.

(iii) Data Broker Laws: Vermont and California have laws requiring data brokers to register with the state on an annual basis.

(iv) Biometric Privacy Laws: Several states and municipalities have biometric privacy laws, the most notable of which is the Illinois Biometric Privacy Act (“BIPA”). BIPA prohibits companies from collecting or using biometric information without prior consent.

(v) Consumer Protection Laws: All 50 states have laws analogous to the FTC Act that prohibit unfair or deceptive acts or practices.


(vi) Other Sectoral Laws: Many states and municipalities have laws governing specific types of information such as video, health, financial, and student information.

(vii) State Data Breach Laws: All 50 states and US territories have data breach notification laws.

(c) Self-Regulation

(i) Interest-Based Advertising: The FTC and advertising trade groups, including the Digital Advertising Alliance (“DAA”) and Network Advertising Initiative (“NAI”), have developed self-regulatory principles regarding behavioral advertising.

(ii) Children: The Children’s Advertising Review Unit (“CARU”) has developed self-regulatory guidelines addressing children’s advertising and the collection and use of information from children.

Please see subsequent responses for additional information on certain of these key laws.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

(a) Federal Regulators: The FTC is viewed as the chief federal agency on privacy. The FTC has brought a wide range of privacy and data security related enforcement actions against companies based on alleged violations of Section 5 of the FTC Act, including for failure to comply with posted privacy policies, give consumers adequate notice and choice over their information, and maintain reasonable security to protect information. The FTC does not have jurisdiction over certain commercial activities, including with respect to banks, common carriers (eg, telecommunications companies), and non-profits.

In addition, there are a number of sector-specific enforcement authorities. For example, the Department of Health and Human Services (“HHS”) primarily enforces violations of HIPAA, the Consumer Financial Protection Bureau (“CFPB”) primarily enforces violations of GLBA, and the Federal Communications Commission (“FCC”) primarily enforces violations of the Communications Act.

(b) State Regulators: State Attorneys General are the primary enforcement authorities at the state level. State and municipal agencies may also enforce violations of law.

(c) Self-Regulatory Bodies: Self-regulation is not binding legal authority. However, violations of self-regulation may result in a revocation of membership or the applicable self-regulatory body referring the alleged violator to the FTC or applicable State Attorney General. The Better Business Bureau (“BBB”) is particularly notable since it enforces violations of the DAA self-regulatory principles.

(d) Private Right of Action: Individuals may bring lawsuits against companies for alleged privacy violations. Many privacy laws include an express private right of action and allow for individuals to bring a class action on behalf of numerous affected individuals. Lawsuits are most successful where the law provides for statutory damages that do not require the individual to demonstrate actual harm. TCPA, VPPA, BIPA, and the data breach provisions of the CCPA all provide for statutory damages.


2 SCOPE

2.1 Which companies are subject to privacy law in the United States?

Nearly any company that collects information from or about US residents will be subject, in some capacity, to the patchwork of federal, state, and sector-specific privacy laws and self-regulation. Companies need to consider a multitude of factors to determine which privacy laws apply. These factors include, among other things, the sector in which a company operates (such as healthcare), the types of information collected by the company, the jurisdictions in which the company operates, the location or residence of the individuals from or about whom information is collected, and the manner in which information is used and shared by the company. Companies engaged in advertising and marketing practices should particularly evaluate COPPA, CAN-SPAM, TCPA, CCPA, data breach laws, and self-regulatory guidelines.

2.2 Does privacy law in the United States apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

Yes, a company not located in the US may be subject to US privacy law. Determining the extraterritorial jurisdiction of US privacy law is a fact-specific inquiry. For example, US privacy law may apply to a company that conducts business in the US, directs its products or services to the US, owns or licenses information of US residents, or otherwise has a nexus with the US, even if the company does not have physical operations in the US.

As a specific example, the CCPA regulates businesses. Under the CCPA, a “business” is defined as a for-profit entity that collects personal information from California residents, determines the purposes and means of processing, does business in the state of California, and meets one of the following thresholds:

(a) annual gross revenue that exceeds $25 million;

(b) annually buys, receives, shares, or sells the personal information of more than 50,000 California residents, households, or devices for commercial purposes; or

(c) derives 50% or more of annual revenues from selling California residents’ personal information.

The phrase “does business in the state of California” is very broad, and arguably could subject companies based outside the US to the California law.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in the United States?

The US does not have a uniform definition of “personal information”. Each federal and state privacy law has its own definition, and the data elements captured by the definition vary greatly depending on the law. However, US privacy law is quickly moving toward broad GDPR-like definitions. Under the CCPA, “personal information” is defined as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This means that information that historically has been treated as personally identifiable (such as names, email addresses, and phone numbers) as well as information that historically has not been treated as personally identifiable (such as IP addresses, Ad IDs, and geolocation data) all may fall within the definition of personal information, and be subject to privacy obligations.


3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

The US does not have a uniform definition of “sensitive information”. However, the FTC and other regulators have defined “sensitive information” to include children’s information, video viewing information, health information, financial information, social security numbers, biometric information, and precise location data (eg, lat/long). These categories of sensitive information generally align with sector-specific privacy laws, including COPPA, VPPA, HIPAA, GLBA, and BIPA, as well as the self-regulatory guidelines from the DAA and NAI. As a general rule, the collection of sensitive information requires opt-in consent.

As an important note, COPPA’s definition of “personal information” is very broad, and includes persistent identifiers (such as IP addresses and Ad IDs). Companies that deal with children’s personal information (including where collected through online tracking technologies) should carefully evaluate COPPA’s restrictions and obligations.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

The FTC has identified five fair information practice principles:

(a) Notice and Awareness: consumers should be given notice of a company’s information practices before information is collected from them;

(b) Choice and Consent: consumers should be given control over how their information is used. Under US law, most choice is opt-out;

(c) Access and Participation: consumers should have the ability to access their information and have the information corrected;

(d) Integrity and Security: information collected should be accurate and secure; and

(e) Enforcement and Redress: consumers should be able to enforce noncompliance.

These core principles are a baseline, and subsequent federal and state laws, and self-regulatory guidelines have greatly expanded upon the principles. As an unofficial privacy principle, companies should also evaluate whether their practices pass the reasonable expectation test. In other words, would a reasonable individual expect the company to use their information in the way contemplated by the company? If the answer is “no” or the practice could be viewed as “creepy,” then the company should re-evaluate the practice, as the practice could be deemed unfair or deceptive.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

The US does not have a uniform means of assigning roles to companies based on how they process information. However, for many privacy laws, the company that controls the decision-making concerning the information, or is regulated by the applicable law, is responsible for ensuring both it and any recipients of the information comply with the law. Below are two examples of roles assigned by specific privacy laws:


(a) Under the CCPA, a company may take on one or more of three roles. A company is a:

(i) “business” if it meets the definition set out in question 2.2 above;

(ii) “service provider” if it processes California resident personal information on behalf of the business pursuant to a restrictive written contract and only for a “business purpose”; or

(iii) “third party” if it is neither the business nor a service provider.

The majority of the obligations under the CCPA apply to businesses. However, service providers share certain obligations, such as helping businesses effectuate the rights of California residents. The contract and relationship between a business and service provider is particularly important because if the contract or relationship does not align with the requirements of the CCPA, the service provider could be deemed a third party. Where a business sells personal information to another business or a third party, California residents have the right to opt-out of the sale of their personal information. While many businesses may not sell information in the traditional sense, the term “sale” is broadly defined under the CCPA, and this opt-out right arguably extends to disclosures of information in connection with targeted or behavioral advertising. Please see question 8.3 for more information.

(b) Under HIPAA, the regulated company is called a “covered entity.” Covered entities are limited in scope, and only include healthcare providers, health plans, and healthcare clearinghouses. However, where the covered entity discloses protected health information to a company that performs services on its behalf, which is called a “business associate,” the parties must enter into a business associate agreement designed to protect the information. Even without a contract, the business associate is subject to HIPAA obligations. Certain types of advertising and marketing may be restricted or entirely prohibited by HIPAA.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

Below are some key obligations required by privacy laws relevant to advertising practices:

(a) Privacy Policy: Companies must post and make readily available a privacy policy that clearly discloses their actual privacy practices, including the types of information collected, the purposes and manner in which such information is used and disclosed, the types of third parties to whom such information is disclosed, and their contact information. If a company makes material changes to its privacy policy, the company must provide additional notice. CalOPPA, CCPA, and other privacy laws set out specific disclosure obligations.

(b) Contracts: For certain types of information, companies must enter into contracts with their clients and/or service providers governing processing of the information.

(c) Choice: Companies must give individuals choice with respect to their data practices, especially in connection with secondary use purposes such as advertising and marketing.

(d) Rights: In some jurisdictions, such as California, or with respect to certain types of information, companies must give individuals certain rights over processing of the information.


(e) Security: Companies must implement and maintain reasonable measures to secure information. In the event of a data breach, companies may be required to notify applicable regulators and individuals, and provide credit or identity reporting services.

(f) Training: In some jurisdictions, such as California, or with respect to certain types of information, companies must train employees regarding processing of information.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in the United States? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

(a) Federal Law: The FTC has brought data security related enforcement actions against companies based on alleged violations of the FTC Act. While the FTC has not issued formal data security regulations related to its Section 5 authority, companies should look to cease-and-desist orders, decisions, and reports issued by the FTC for guidance on what security-related business practices may subject companies to FTC enforcement.

In addition, requirements for data security vary by sector. Under the HIPAA Security Rule, the health care sector is required to implement appropriate administrative, physical, and technical safeguards to ensure the security of electronic protected health information. Under the GLBA Safeguards Rule, the financial sector is required to protect the security of nonpublic personal information with administrative, technical, and physical safeguards. Under FERPA, schools that receive federal funds are required to use reasonable methods to ensure appropriate access to educational records.

(b) State and Municipal Law: A handful of states have statutes that impose specific requirements related to data security. For example, Massachusetts and New York require companies that hold information about state residents to have a comprehensive data security program. Many other states, such as California, have statutes that generally require companies to implement and maintain reasonable security procedures and practices appropriate to the nature of the information. “Reasonable security” is not a legally defined term, and companies should look to FTC, State Attorney General, and industry definitions of the term in orders, guidance, and reports to help address compliance.

(c) Self-Regulation: Data security is self-regulated in certain industries. Some industry policies are mandatory, while others are voluntary. Notably, the Payment Card Industry Data Security Standard (“PCI-DSS”) is an industry-set standard that establishes mandatory security requirements for organizations accepting or processing payment transactions. PCI-DSS obligations are also codified by Nevada law.

6.2 How are data breaches regulated in the United States? What are the requirements for responding to data breaches?

(a) Federal Law: The US does not have a single comprehensive data breach law. Breach notification requirements are imposed primarily at the state level, as discussed below.

Certain sectors have their own data breach requirements. Under the Health Information Technology for Economic and Clinical Health Act (“HITECH”), which is part of HIPAA, covered entities must notify affected individuals, the HHS, and potentially media outlets following a breach. Under GLBA, a financial institution must notify affected customers as soon as possible after determining nonpublic personal information has been, or will be, misused. Under the Customer Proprietary Network Information (“CPNI”) rule, telecommunications carriers must notify law enforcement and consumers following a security breach.


(b) State and Municipal Law: Each of the 50 states, the District of Columbia, Puerto Rico, US Virgin Islands, and Guam have adopted data breach notification laws. The unauthorized access and/or acquisition of statutorily defined personal information will trigger state data breach notification requirements. The specific definitions and reporting requirements vary by state. Personal information protected by such laws generally includes, at a minimum, an individual’s name combined with a social security number, driver’s license number, or financial account number in combination with a password that would permit access to the account. Many states have expanded the definition to include elements such as username and password for an online account, medical information, biometric information, mother’s maiden name, and passport. States typically require written notice to be provided without delay and within 30, 45, or 60 days to all affected individuals, and in some cases to government entities and consumer reporting agencies. Some states require companies to provide credit or identity reporting services to affected individuals.

As requirements for data breach notification vary and misrepresentations in notices may lead to further liability, companies experiencing a data breach should seek legal advice as soon as possible.

(c) Self-Regulation: Some industry standards, such as PCI-DSS, include data breach notification obligations.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

The US does not have a single comprehensive privacy law that provides individuals with rights over their information. Instead, individuals’ rights depend on their status under certain federal and state laws. For example, under COPPA, parents have the right to review and delete their children’s information. Under CAN-SPAM and TCPA, individuals have the right to exercise choice over their receipt of certain types of communications. Other applicable federal and state laws may provide individuals with additional rights.

California is the first state to provide individuals with GDPR-like rights over their personal information. Under the CCPA, California residents have the rights to know, delete, and opt-out of the sale of their personal information. In addition, California residents have the right not to receive discriminatory treatment for exercising any of their rights, and may designate an authorized agent to submit requests on their behalf. Other states are considering similar laws designed to give state residents rights over their information.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

Marketing communications are primarily regulated as follows, although additional laws and industry standards may apply:

(a) Emails: CAN-SPAM regulates the sending of commercial emails, and gives individuals the right to opt-out of receiving marketing emails, among other things. CAN-SPAM does not include an express private right of action.


(b) Texts: TCPA regulates the making of calls or sending of texts. Unlike CAN-SPAM, TCPA gives individuals the right to opt-in to receiving calls or texts, and provides significant penalties for violations. An individual may sue on behalf of many individuals for statutory damages of up to $500 for each violation (or up to $1,500 for each wilful violation) of TCPA. As an example, if a company sends 10,000 texts without prior express consent, the company could be sued for $15 million. Companies should exercise caution when engaging in phone or text campaigns.

(c) Push Notifications: Push notifications are not regulated by either CAN-SPAM or TCPA.

It is important to note that marketing communications often involve the use of tracking technologies. For example, pixels may be embedded in a marketing email. Please see question 8.2 for more information on tracking technologies.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

Tracking technologies are primarily regulated as follows:

(a) FTC and Consumer Protection Laws: There is no federal law that specifically regulates tracking technologies. However, the FTC has brought privacy and data security related enforcement actions against companies based on unfair or deceptive acts or practices with respect to the use of tracking technologies. The FTC has taken the position that a company’s use of tracking technologies requires notice to individuals of the tracking technologies, choice to control such tracking, and maintenance of reasonable security to avoid unexpected and unauthorized use of information collected through the tracking technologies.

The FTC generally has indicated that choice means opportunity to opt-out. For the collection of more sensitive categories of information, such as video viewing information and precise location data, the FTC has indicated that choice requires opt-in consent. In addition, the use of tracking technologies for targeted advertising is held to a higher standard than the use of such technologies for other purposes, such as analytics. A company’s use of tracking technologies in a way that an individual would not reasonably expect, such as using tracking technologies to collect precise location data in a flashlight app, could constitute an unfair or deceptive act or practice.

Similar to the FTC, State Attorneys General and other state regulators have brought actions based on unfair or deceptive acts or practices with respect to the use of tracking technologies, and have issued guidance on the topic.

(b) California: California specifically regulates tracking technologies. Under CalOPPA, a business must disclose any third-party tracking on its website and, if the business tracks across sites and over time, how the business responds to Do Not Track signals. CalOPPA does not specifically require a business to respond to Do Not Track signals; however, the CCPA includes provisions that arguably now require a business to respond to such signals.

(c) Sector-Specific Laws: Certain sector-specific laws fundamentally impact the use of tracking technologies. For example, COPPA’s prohibition on the collection of personal information (which is defined to include persistent identifiers as well as a child’s voice) from children under 13 may completely restrict the use of certain tracking technologies on websites, apps, voice platforms, and other online services directed toward children. Similarly, using tracking technologies to collect protected health information could be entirely prohibited by HIPAA.

(d) Self-Regulation: The DAA and NAI have established self-regulatory principles regarding behavioral advertising. The principles require that any company that engages in behavioral advertising (including through tracking technologies) provide: (i) notice of its practices; (ii) enhanced notice at or prior to the time of collection; (iii) choice to opt-out of (or for certain types of data opt-in to) behavioral advertising; and (iv) reasonable security to protect the information.

To help industry comply, the DAA and NAI have created mechanisms that allow individuals to opt-out of receiving targeted ads from their participants. The BBB enforces violations of the DAA self-regulatory principles.

The Interactive Advertising Bureau (“IAB”) recently developed a framework and technical specifications designed to help businesses address their Do Not Sell obligations under the CCPA. This framework differs from the DAA and NAI opt-outs because it aims to restrict the use of information passed through tracking technologies, not just the display of targeted advertising.

Many opt-outs for tracking technologies rely on cookies, and companies should understand (and disclose to individuals) that opt-outs are limited based on the underlying technology. For example, a cookie-based opt-out only limits information related to a specific browser or device, and not across many devices. Additionally, companies should understand that these self-regulatory frameworks are not safe harbors and do not ensure compliance with the law.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

Similar to tracking technologies, targeted and behavioral advertising are regulated through a combination of consumer protection laws, California law, sector-specific laws, and self-regulation. Please see question 8.2 for more information.

The CCPA will have a fundamental impact on targeted and behavioral advertising. Under the CCPA, California residents have the right to opt-out of (or, in limited circumstances, opt-in to) the sale of their personal information to third parties. When a California resident opts out, the business must stop selling the personal information, and notify all third parties to whom it sold the information after it received the request. The business must wait at least 12 months before requesting the California resident to opt back in.

Businesses should pay attention to the term “sale”, as that term is not defined in the traditional sense. Under the CCPA, a “sale” means the renting, releasing, disclosing, making available, or transferring of personal information by a business to another business or third party for monetary or valuable consideration. The California Attorney General’s Office has indicated that targeted and behavioral advertising are sales. Assuming the Attorney General’s interpretation holds, businesses may be required to stop sharing, for targeted or behavioral advertising purposes, the personal information of any California resident who has opted out of the sale of their personal information. Because targeted advertising and behavioral advertising depend on the sharing of device identifiers and similar information throughout the ecosystem, the Attorney General’s interpretation threatens advertising revenue models that rely on real time bidding and related technologies. This interpretation also creates complexity for advertiser-agency relationships where an agency is prohibited from selling personal information but also instructed to engage in media buys that involve targeted and behavioral advertising. The advertising industry is working on potential technological and contractual solutions to address these issues, although there is no consensus at this time.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

Similar to tracking technologies, customer matching is regulated through a combination of consumer protection laws, California law, sector-specific laws, and self-regulation. Advertisers should provide notice in their privacy policies of their use of customer matching, and ways for individuals to exercise choice. Please see question 8.2 for more information.

In addition, there are several important considerations for customer matching:

(a) Anonymous Data: Advertisers often claim the information they provide for matching purposes is not personal information because it is anonymous or hashed. Be careful, because US privacy law broadly defines “personal information” to include information that advertisers historically have considered to be anonymous or deidentified. For example, hashed identifiers uploaded to Facebook or collected through pixels on a website or ad, or matched IDs received from LiveRamp, arguably are personal information under the CCPA.

(b) Source of the Data: Advertisers should consider how they obtained the information they provide for matching purposes. First-party data (such as data received directly by an advertiser through its website) and third-party data (such as data purchased from a data broker) carry different obligations. If the information is third-party data, the advertiser arguably could be deemed a data broker (see question 8.5 below). Further, an advertiser’s customer-relationship management (“CRM”) data is not necessarily all first-party data subject to the same law, as the advertiser may combine information from various sources in its database. For example, if an advertiser is a financial institution, the information it collects in the context of a loan application could be subject to GLBA, while the information it collects through its website could be subject to the CCPA. Sharing of certain types of information in connection with customer matching may require opt-in consent, or be restricted, or entirely prohibited by law.

(c) Receipt of the Data: Advertisers should consider whether they will receive any personal information back in connection with the customer matching, and what legal and contractual restrictions will be placed around the information.

8.5 Are there specific privacy rules governing data brokers?

There is no federal privacy law specifically regulating data brokers, although the FTC has repeatedly voiced concern about data brokers, and certain laws (such as FCRA) may impact data brokers.

Vermont and California each have laws that require data brokers to register with the state on an annual basis, and that impose additional obligations on such companies. “Data brokers” are generally defined as companies that obtain information about an individual from a source other than the individual and sell or license that information to third parties. Data brokers that fail to register or comply with the law face penalties. Advertisers that do not traditionally act as data brokers should evaluate the applicability of the data broker requirements; the receipt and transmission of third-party data could arguably make the advertiser a data broker.

8.6 How is social media regulated from a privacy perspective?

Social media is regulated through a combination of the privacy laws set out in question 1.2. Where a company collects personal information through a social media platform (including on the company’s brand page, through a chatbot, or publicly available on the platform), such collection is governed by the company’s privacy policy, as well as the terms and policies of the relevant social media platform. It is important to note that information collected through a social media platform is generally not considered publicly-available information. Companies should carefully review social media platform terms before collecting any information from the platform.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

Loyalty programs and promotions are regulated through a combination of the privacy laws set out in question 1.2. Participants should be provided with notice of how their information is processed in connection with the loyalty program or promotion (such as through a link to the company’s privacy policy when the participant first enters the program or promotion), and should be required to affirmatively opt-in to the program or promotion.

The CCPA includes specific provisions regarding financial incentives that may impact loyalty programs and promotions. Among the various obligations, a business must provide specific notice of any financial incentives it offers in exchange for personal information, and obtain opt-in consent to the financial incentive.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

US privacy laws do not specifically restrict the transfer of personal information outside the country. However, transfers may be restricted based on statements in an applicable privacy policy or by contract. Further, companies receiving personal data from the European Economic Area, Switzerland, or the United Kingdom may register with the Department of Commerce to receive the personal data pursuant to Privacy Shield. Please see the European Union chapter for more information.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

Companies should consider whether there are any contractual restrictions around the data transfer, and ensure the recipient company maintains reasonable security measures to protect the information. A data breach by the recipient company could result in significant liability.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

There are two categories of penalties for violations of privacy or data security laws in the US: penalties sought by regulators and penalties sought by individuals through private rights of action. Please see question 10.2 for information on penalties sought by individuals. As for penalties sought by regulators:

(a) Federal: The FTC may bring an action against a company for violations of the FTC Act. The FTC may seek remedies including cease-and-desist orders, disgorgement, restitution, and civil penalties. However, the FTC typically cannot seek civil penalties for first-time privacy or security offenses. The FTC generally can seek civil penalties only when there is a violation of a separate statute that establishes civil penalties, such as COPPA or FCRA. When a company is already subject to an FTC cease-and-desist order, violations of the order may result in significant civil penalties.

In contrast, sectoral law typically allows for monetary penalties for first-time offenses. CFPB, HHS, and FCC have all imposed penalties for privacy and data security violations on companies subject to their jurisdictions.

(b) State: In most states, the State Attorney General has broad authority over consumer protection and may seek both civil penalties and injunctive relief for privacy and data security violations under consumer protection statutes and data breach laws. While non-profits are not within the FTC’s jurisdiction, penalties for non-profits are often applicable at the state level.

(c) Self-Regulatory: Violations of self-regulation may result in a revocation of membership or the applicable self-regulatory body referring the alleged violator to the FTC or applicable State Attorney General.

10.2 Do individuals have a private right of action? What are the potential remedies?

Yes, individuals in all states have private rights of action based on tort law. Most states allow individuals to sue under four primary tort theories: (a) intrusion upon seclusion/solitude; (b) public disclosure of private facts; (c) appropriation; and (d) false light.

The most common remedies in privacy tort cases are monetary damages and injunctive relief. Individuals may also sue based on theories of breach of contract or negligence. Some individuals have brought actions for violation of consumer protection laws based on violations of COPPA and other laws that do not provide an express private right of action.

Many state privacy and data security laws include an express private right of action. Although individuals may sue under such a private right of action, they often have difficulty establishing actual damages. For example, where an individual is involved in a data breach, that individual may not be able to demonstrate that the specific data breach directly damaged the individual’s credit. Therefore, certain privacy and data security laws include statutory damages, meaning that individuals do not need to establish actual damages, but rather that the activity took place. TCPA, VPPA, BIPA, and the data breach provisions of the CCPA all provide for statutory damages. Companies involved in call or text message campaigns, the processing of video viewing information or biometric information, or the collection of information from California residents should be extra diligent in evaluating the risks.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of United States which affect privacy?

The First Amendment to the US Constitution reflects the importance that US citizens place on information dissemination, which can create tensions with privacy. In the US, First Amendment protections extend to both individuals and companies, all of whom are granted the right to freedom of speech. In contrast, the US Constitution does not include an explicit right to privacy, although the Fourth Amendment and case law have alluded to such a right. Also, a number of states have codified a right to privacy. This tension between the right to freedom of speech and privacy has resulted in numerous cases where a plaintiff asserts a right to privacy while the defendant relies on the First Amendment. While the First Amendment is not a complete defense, unlike other jurisdictions, the right to freedom of speech is generally considered more important than the right to privacy.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

The CCPA is the first GDPR-like privacy law in the US, and other states are expected to follow with their own comprehensive privacy laws. Absent a change in the federal legislative landscape, privacy law in the US may become similar to data breach law, with companies needing to comply with over 50 different privacy laws. In addition, the proponents of the CCPA have put forth a new initiative called the California Privacy Rights Act (“CPRA”), which would add new obligations for companies that process personal information of California residents. The CPRA is set to be on the November 2020 election ballot for California.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in the United States?

The US may be viewed as more litigious than other jurisdictions, in part due to the existence of class actions. A class action is a lawsuit filed against a defendant by a group of individuals. In areas of privacy law where private rights of action provide for statutory damages, attorneys actively pursue class actions.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

Privacy awareness and concern in the US has significantly increased over the past few years, which has led to changes in behavior and increased regulation. This can be attributed to several significant events:

(a) First, in September 2017, Equifax experienced a data breach that affected over 147 million people.

(b) Second, in March 2018, US citizens became aware that a political data analysis firm called Cambridge Analytica improperly obtained the information of over 87 million people from Facebook’s platform for purposes of influencing voter behavior and elections.

(c) Third, in May 2018, the GDPR took effect, which provided rights to individuals located thousands of miles away but not to those in the backyard of Silicon Valley-based technology companies.

Through a combination of these events, US citizens realized the dangers associated with “Big Data” and the lack of transparency and choice over the use of their information. As a result, a number of states, including California, have since enacted or considered laws intended to provide individuals with greater transparency and choice over the use of their information.

12.2 What do you envision the privacy landscape will look like in 5 years?

Most individuals in the US will have privacy rights within 5 years. Based on the current legislative landscape, privacy law will be governed at the state level, and each state will have its own comprehensive privacy law. There is a possibility that the US will pass a comprehensive federal privacy law, but, as at the time of writing, it is unlikely that the law will preempt or be more stringent than state law.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

The current patchwork of privacy law requires companies to comply with numerous laws, many of which conflict or are ambiguous. Further, the ad tech industry is rapidly changing due to the restrictions imposed on the processing of personal information. Google and other web browser providers are severely limiting tracking technologies that allow for the collection and sharing of third-party data, and companies will need to rely more on first-party data for their advertising initiatives. Limiting access to third-party data may strengthen large publishers while weakening small players and companies that have few touchpoints with individuals.

PRIVACY LAW – URUGUAY

1 PRIVACY LAW

1.1 How is privacy regulated in Uruguay?

Data protection in Uruguay is regulated through different instruments.

(a) Firstly, the following articles of the Constitution have been interpreted as granting a constitutional standing to the right to privacy, as a right that is inherent to the human person:

(i) Article 72, which provides that “the enumeration of rights, duties and protections established in the Constitution, does not exclude other rights that are inherent to the human personality or are derived from the republican form of government”; and

(ii) Article 332, which states that “the application of the precepts of this Constitution that acknowledge individuals’ rights, as well as those awarding rights and imposing obligations on public authorities, shall not be impeded by the lack of pertinent regulations, but rather this will be substituted through recourse to the underlying bases of similar laws, to the general principles of law and generally accepted doctrines”.

(b) Secondly, there are also some particular laws and decrees that regulate privacy (see question 1.2).

(c) Finally, some of the opinions issued by the Uruguayan data protection regulator, UDPR, are also applicable, such as the guidelines for the use of video surveillance, drones or cookies, or the guidelines for data dissociation.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

The key regulations on personal data protection in Uruguay are the following:

(a) Law No 18,331 on the Protection of Personal Data and Habeas Data Action (the “Law”) and its Regulatory Decree No 414/009;

(b) Law No 19,670 on Rendering of Accounts and Balancing of Budget Execution of the Exercise 2017 and its Regulatory Decree No 64/020;

(c) Regulatory Decree No 396/003 regarding electronic medical record; and

(d) Regulatory Decree No 664/008, which creates the registry of databases.

There are no special regulations on data protection aspects for advertising activities.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

Uruguay’s data protection regulator is the Regulatory and Personal Data Control Unit (Unidad Reguladora y de Control de Datos Personales, “UDPR”). UDPR is an autonomous entity of the Agency for the Development of Electronic Government and the Information-Based Society (Agencia para el Desarrollo del Gobierno de Gestión Electrónica y la Sociedad de la Información y del Conocimiento, “AGESIC”).

There are currently no self-regulatory bodies on the matter.

2 SCOPE

2.1 Which companies are subject to privacy law in Uruguay?

All companies that meet the requirements for the application of the Law may be subject to it, both regarding the obligations it imposes and rights it grants. Please note that legal entities may be considered “data subjects”, and thus their personal data is also protected under the Law, where appropriate.

2.2 Does privacy law in Uruguay apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

The Law applies to companies not established in Uruguay in the following cases:

(a) the data processing activities are targeted at offering goods or services to Uruguayan inhabitants or are intended to analyze their behavior;

(b) the Law is the applicable law under an agreement or under international public rules; or

(c) the processing activities are carried out by means located in Uruguay, unless these means are only used for transit and the data controller appoints a local responsible person.

There are no obligations stated in the Law particular to companies outside Uruguay.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Uruguay?

“Personal data” is defined as information of any kind relating to natural persons or legal entities, determined or determinable.

Please note that, in order for a piece of information not to be considered personal data, UDPR considers that it must be irreversibly dissociated.

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

“Sensitive data” includes personal data revealing racial or ethnic origin, political preferences, religious or moral beliefs, trade union membership, and information relating to health or sex life.

The Law provides a more restrictive regime for the treatment of this kind of data, establishing an obligation to obtain the data subject’s express written consent.

In addition, among other hypotheses, processing sensitive data as its main business is one of the cases under which a company must appoint a data protection officer before UDPR. Also, processing sensitive data as its main business, or the permanent or regular processing of specially protected data (which includes sensitive data), may also imply the necessity of carrying out a privacy impact assessment.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

According to the Law, data controllers, and all those processing personal data of third parties, must comply with the following principles:

(a) Legality: Data controllers have the obligation to register a database before UDPR in order for it to be lawful. In addition, a database cannot have purposes that infringe human rights or are contrary to law or public morals.

(b) Veracity: Personal data that is collected has to be truthful, adequate, fair, and not excessive in relation to the purpose for which it was obtained. The collection of personal data may not be done by unfair, fraudulent, or abusive means, extortion or in a manner contrary to the provisions of UDPR.

(c) Purpose Limitation: Personal data must not be used for purposes that are different or inconsistent with those that led to their collection. When the data is no longer necessary or relevant for the purpose for which it was collected, it must be removed. The UDPR allows certain exceptions to the limitation on retention, such as when the data has value for historical, statistical, or scientific reasons.

(d) Prior Consent: As a general rule, the processing of personal data is permitted only if the data subject has given his/her free, prior, explicit and informed consent, which must be documented. There are certain exceptions to the principle, such as:

(i) when the data comes from public sources of information, such as registries or publications in mass media;

(ii) when the data is collected for the performance of functions of the government or under a legal obligation;

(iii) for listings of natural persons, those that are limited to names, identity document, nationality, address, and date of birth regarding natural persons, or, in the case of legal entities, limited to corporate name, brand name, tax identification number, address, phone number, and identity of the people in charge;

(iv) when the data derives from a contractual, scientific or professional relationship of the data subject, and is necessary for its development or execution; or

(v) when the treatment is carried out by a natural person for his/her own personal and domestic use.

(e) Data Security: The data controller or user of the database must take the necessary steps to ensure the security and confidentiality of the personal data, and prevent alteration, loss, consultation or unauthorized processing.

(f) Non-Disclosure: Persons and organizations that hold personal data must keep it confidential, and use it exclusively for the operations of their normal activity. All other dissemination of the data to third parties is prohibited.

(g) Responsibility: The data controller and the data processor are responsible for the violation of any provision of the Law. Thus, interested parties who have suffered damage as a consequence of the processing of their personal data may request the relevant redress.

In addition, in compliance with a proactive responsibility, the Law also states that both data controllers and data processors must take all the appropriate technical and organizational measures (privacy by design and by default, privacy impact assessment, among others) in order to guarantee an adequate processing of the personal data, as well as to demonstrate its effective implementation.

In addition, although there are no specific provisions to that effect in the Law, when carrying out data processing activities, note that transparency and data minimization are also recommended. The adopted measures must be documented and periodically reviewed, and their effectiveness needs to be assessed. Some requisites on this documentation of the measures must also be met.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

The Law distinguishes between data controllers and data processors:

(a) Data controllers are defined as the natural person or legal entity, public or private, who owns the database or who decides on the purpose, content, and use of the data treatment.

(b) Data processors are defined as the natural person or legal entity, public or private, who alone or together with others, processes personal data on behalf of a data controller.

There are some differences between the obligations of a controller and processor. For instance, it is the controller who has the obligation to register databases before UDPR in compliance with the principle of legality, not the processor. However, in general terms, the obligations provided in the Law extend to both data controllers and processors.

Regarding contractual requirements, note that, although the use of data processing agreements is highly recommended in order to formalize the obligations and responsibilities of each party (especially in order to comply with the principle of proactive responsibility), in Uruguay there is no specific obligation to do so. Thus, there are no particular contractual requirements to be included by a data processor or a data controller.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

The key obligations under the Law are the following:

(a) registering the databases before UDPR;

(b) complying with the principles stated in the Law (see question 3.3);

(c) responding as required to data subjects when they exercise any of their rights under the Law (see question 7.1);

(d) when processing personal information for marketing or advertising communications, only using personal data that is available in public sources, or has been provided by the data subject or obtained with his/her consent;

(e) informing data subjects about their right to request the block or removal of their personal information from marketing and advertising listings;

(f) appointing a data protection officer before UDPR, when the entity processes sensitive data as its main business, or processes large volumes of data (meaning personal data of more than 35,000 data subjects). The main functions of a data protection officer are: (i) to advise on the design and application of privacy policies, (ii) to oversee the fulfilment of the data protection framework, (iii) to recommend any measures to comply with the international framework and standards regarding privacy, and (iv) to act as a point of contact between its entity and UDPR;

(g) carrying out privacy impact assessments in those cases required by the Law or when UDPR deems it convenient;

(h) implementing privacy by design and by default measures;

(i) when processing personal data through a website, making the privacy policy about the data processing available;

(j) when a data breach occurs, initiating the necessary procedures to minimize the impact of said incidents within the first 24 hours of verification; and

(k) notifying data security breaches to UDPR within 72 hours and also to the data subjects.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Uruguay? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

Under the principle of data security (see question 3.3), the data controller or user of the database must take the necessary steps to ensure the security and confidentiality of the personal data. Such measures must prevent the alteration, loss, consultation or unauthorized processing of the data, as well as detect any redirection of information, intentional or not, whether the risks come from human action or from the technical means used.

No particular measures are required. However, AGESIC recommends the implementation of the ISO/IEC standards regarding information security. To that end, a set of guidelines for the enforcement of the Law according to the ISO/IEC standards has been developed for organizations to use as recommendations to comply with the Law. In addition, Decree No 64/020 states that the implementation of national and international standards on data security will be well appreciated, such as the Framework for Cybersecurity prepared by the Agency for the Development of Electronic Government and the Information-Based Society (“AGESIC”) (of which UDPR is a decentralized body).

The adopted measures must be documented and periodically reviewed, and their effectiveness must be analyzed. The documentation must comply with certain requisites, such as including the means and purpose of the data processing, among others. The documents should be available on request of UDPR.


6.2 How are data breaches regulated in Uruguay? What are the requirements for responding to data breaches?

According to the Law, a data security breach must be reported immediately, in detail, by both data controllers and data processors, as soon as they become aware of the breach.

The Law states that the concept of “security breach” includes, among others, breaches that cause the disclosure, destruction, loss or accidental or unlawful alteration of personal data, or unauthorized communication of or access to such data. In case a breach occurs, the necessary procedures in order to minimize the impact must be taken within the first 24 hours after becoming aware of the incident. In addition, a notification must be addressed to UDPR within 72 hours and to all affected data subjects, and must include details about the breach and the measures taken. The Law provides that UDPR will coordinate the course of action to be taken with the National Centre for Response to Computer Security Incidents of Uruguay (“CERTuy”).

In case a data processor becomes aware of a data breach, he/she must immediately inform the data controller of the situation. The controller will then notify those data subjects whose rights have been significantly affected.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

Data subjects have the following rights regarding their personal data, though subject to certain conditions:

(a) the right to access;

(b) the right to suppress (delete);

(c) the right to update;

(d) the right to rectify;

(e) the right to include; and

(f) the right to information.

Among other aspects, please note that the data controller must respond to the request of a data subject within five business days. Otherwise, the data subject may start an action in habeas data.

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

The Law states that, in the collection of addresses, the distribution of documents, advertising, commercial prospecting, sale or other similar activities, personal data can be used that is suitable to establish specific profiles with promotional, business or advertising purposes; or that helps determine consumer habits. This is provided that the personal information appears on publicly accessible documents or is provided by the data subjects themselves or obtained with their consent.

The Law also states that a data subject may exercise the right of access free of charge and may, at any time, request the removal or blocking of his/her data from the databases.


8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

The Law does not specifically refer to tracking technologies.

However, on the one hand, as long as the technologies process personal information, the Law and its provisions will apply.

On the other hand, in October 2018, UDPR issued some guidelines for the use of cookies and drones:

(a) In general terms, the guidelines on the use of cookies state that the principles recognized under the Law apply when implementing cookies, as does the data subjects’ right to information. According to the guidelines, in compliance with the right to information, data subjects must previously authorize the placement of cookies, which must also be limited to the purpose duly informed to the data subject.

(b) The guidelines on the use of drones state that the entity responsible for the use of the drone must be defined, and that such responsible entity must take the necessary measures in order to comply with data protection regulation and guarantee confidentiality and the security of the data. The guidelines also provide that the purpose limitation principle must be considered, under which the personal data cannot be used for different or incompatible purposes to those for which it was collected.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

Please see question 8.1.

Also note that it may be necessary to carry out a privacy impact assessment when the data processing implies the evaluation of personal aspects of the data subjects, with the purpose of creating or using personal profiles, particularly through the analysis or prediction of aspects related to their preferences or personal interests, among others.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

The Law states that the communication of personal data to a third party can only be done for purposes directly related to the legitimate interest of the sender and recipient, and only with the prior consent of the data subject.

Regarding consent, the Law provides that the data subject must be informed of the purpose of the communication and the identity of the recipient, or the elements that allow for such identification, as well as of the activities developed by the recipient. It also states that consent is revocable.

By way of reference, note that when referring to consent for data processing, Decree No 414/009 states that the data subject must be provided with a simple, clear and free-of-charge way to give or refuse their consent. In that regard, it is understood that the obligation of obtaining the consent is fulfilled when the data subject is given the possibility to choose between two clearly identified options, which cannot be pre-marked, whether in favor or against.

Finally, note that prior consent for communicating personal data is not necessary in the following cases:


(a) when provided by a law of general interest;

(b) when consent is not required for data processing;

(c) regarding health data, when the communication is necessary for health or emergency reasons, or for carrying out epidemiological studies, as long as the data subjects’ identity is preserved by using adequate dissociation mechanisms when applicable; or

(d) when the personal data is dissociated, so the data subjects are not identifiable.

8.5 Are there specific privacy rules governing data brokers?

In Uruguay there are no particular privacy rules governing data brokers.

8.6 How is social media regulated from a privacy perspective?

In Uruguay there are no particular data privacy rules governing social media.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

There are no particular data protection provisions regulating loyalty programs and promotions. However, the Law will apply in cases where personal data is processed in such programs or promotions.

Also note that, by Resolution No 64/2013 of UDPR, every website that carries out data processing in Uruguay (such as when the enrolment to a loyalty program or promotion is done through a website) must publish the conditions related to such processing, in accordance with the Law.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

The Law states that cross-border personal data transfers to countries or international organizations that do not provide adequate levels of protection, according to the standards of international or regional law, are prohibited.

By Resolution No 4/2019 of UDPR, the countries that do provide adequate levels are the United Kingdom, those of the European Union, and those to which the European Commission has granted the “adequacy note”, namely: Switzerland, the private sector of Canada, Guernsey, Isle of Man, Jersey, Faeroe Islands, Argentina, Andorra, Israel, Japan and New Zealand. (Please note that, in 2012, Uruguay was granted the adequacy note for international transfer purposes by the European Commission, as local regulation has been deemed aligned with European regulatory standards.)

In addition, by Resolution No 4/2019, UDPR also considers data transfers to companies located in the United States that have adhered to the Privacy Shield Agreement to be lawful.

Finally, cross-border data transfers carried out within a multinational company, between affiliates, between subsidiaries, and between them all and their parent company, are considered lawful as long as a code of conduct of professional practice on the matter is previously registered before UDPR.


9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

Some other limitations on the processing of data outside Uruguay may apply, depending on the industry in which the data controller is operating. For instance, institutions regulated by the Uruguayan Central Bank (“UCB”) may require the prior authorization of UCB. Among other aspects to be considered in such cases is whether the data processing abroad is considered substantial or not.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

UDPR may impose the following punitive measures:

(a) notice of violation;

(b) warning (when the infringement is mild and the controller has no previous record of any other infringement);

(c) fine (when the infringement is mild but there is a previous record of other infringements, or whenever the infringement is severe or very severe);

(d) suspension of the database concerned (when the infringement is very severe); and

(e) closing of the database concerned (when the infringement is very severe).

The sanctions of suspension and closing of databases are applied when a fine is not adequate to address very severe violations of the Law.

In general, though, UDPR does not, in practice, have a policy of active control; it acts upon claims submitted by data subjects.

10.2 Do individuals have a private right of action? What are the potential remedies?

The Law establishes that data subjects may bring an action for the protection of personal data or habeas data against any data controller of a public or private database, in cases when:

(a) the data subject has requested access to their personal information and such access was denied, or was not provided by the data controller in the time frame and manner established by the Law; or

(b) a data subject having requested that their information be corrected, updated, removed, or deleted, such request was not complied with within the time frame established by the Law.

The action of habeas data may be exercised by the data subjects concerned or their representatives (guardians or curators), and, in case of deceased persons, by their heirs. In the case of legal persons, the action is brought by their owners or trustees appointed for this purpose.

Although it is not expressly stated in the Law, data subjects can also submit civil actions regarding data privacy.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Uruguay which affect privacy?

No, we do not visualize particular rules that affect privacy which are particular to local culture.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

The bill of a law of urgent consideration that includes changes in different areas will be discussed in Congress in the near future. Among other modifications, the bill includes a regulation on the right to be forgotten.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Uruguay?

The Law also grants data subjects the right not to be subjected to a decision which will have a meaningful legal effect upon them, if the decision is based on data processing, automated or not, intended to evaluate certain aspects of their personality, their job performance, credibility, reliability, or conduct, among other matters. In other words, an individual has the right to know the reasoning behind a decision that may significantly affect him/her. A data subject may challenge administrative acts or decisions involving a personal evaluation of his/her behavior, the sole rationale of which is the processing of personal data that provides a definition of his/her characteristics or personality.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

Local data protection regulation has become stricter, following, in general terms, the EU model which is usually the compass that guides Uruguay on privacy matters. This has prompted Uruguay to introduce certain requisites for data processing even before they have been introduced in Europe (such as the obligation for consent to be unequivocal, which in Uruguay has been in force since 2009).

We also note that data subjects have become more aware of their rights under the Law, as well as the obligations of the data controllers/processors.

Finally, we have noticed that data subjects sometimes use the Law for purposes other than those for which the Law was conceived (for instance, data subjects sometimes submit a claim requesting the deletion of their personal data from a database in order to accomplish the termination of a contract).

12.2 What do you envision the privacy landscape will look like in 5 years?

We foresee that in the next 5 years compliance with local regulation will continue to increase, as will data subjects’ claims before UDPR. We also expect that UDPR will initiate more ex officio investigations.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

The major challenge for companies is to align their commercial processes related to the value of information with the provisions and guarantees of data protection regulation. One of the main tasks to be done will be to make privacy impact assessments, anticipating the risks of the data processing, and implementing security measures and mechanisms to show compliance to UDPR.


PRIVACY LAW – VENEZUELA

1 PRIVACY LAW

1.1 How is privacy regulated in Venezuela?

Regulations are dispersed, and there is no specific law dealing with this subject; however, the right of privacy and personal data protection has constitutional rank. The Venezuelan Constitution, drawn up in 1999, was among the first in the region to adopt the habeas data mechanism.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

The following are relevant:

(a) Constitution of the Bolivarian Republic of Venezuela;

(b) Criminal Code;

(c) Civil Code;

(d) Law of the Supreme Court of Justice; and

(e) Special Law of Cybercrimes.

However, the solid principles established in the Constitution have not been developed in subsequent and specific laws.

The Venezuelan Constitution contains several provisions aimed at guaranteeing the protection of, and respect for, the right to privacy. Additionally, under Venezuela’s Constitution, ratified treaties have constitutional rank.

Article 48 of Venezuela’s Constitution provides: “The secrecy and inviolability of private communications in all forms are guaranteed. The same may not be interfered with except by order of a competent court, with observance of applicable provisions of law and preserving the secrecy of the private issues unrelated to the pertinent proceedings.”

Article 60 states: “Every person is entitled to protection of his or her honor, private life, intimacy, self-image, confidentiality and reputation. The use of electronic information shall be restricted by law in order to guarantee the personal and family privacy and honor of citizens and the full exercise of their rights.”

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

There is no specific administrative entity in charge of privacy matters.

Most privacy cases are decided in court and the courts will determine any applicable precautionary measures, depending on the specific case.

Another agency with possible jurisdiction in the administrative field is SUNDDE (this agency mostly deals with fair price issues, but also with a few consumer protection matters).


2 SCOPE

2.1 Which companies are subject to privacy law in Venezuela?

All entities conducting activities in Venezuela are subject to the constitutional principles.

2.2 Does privacy law in Venezuela apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

Yes, based on the constitutional rank of these rights, they apply to companies outside the country, provided that Venezuelan persons or entities domiciled in the country are affected.

Wherever an initiative, whether commercial or not, is addressed at Venezuelan residents, the local courts/agencies can claim jurisdiction, and so it would be advisable to have a local entity acting as representative of the entity responsible for the initiative.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Venezuela?

“Personal information/data” is all information about any individual and/or his/her assets.

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

There is no further development of the rights set out in the Constitution, which is the reason why all cases must be reviewed on their own available facts. The authorities will have a wide level of interpretative discretion when determining whether certain information/data about any individual is sensitive, and thus subject to special protection.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

Key privacy principles are:

(a) gaining prior consent;

(b) availability of applicable documents in Spanish; and

(c) clear disclosure of the purpose and extent of the use of the data.

4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

No.


5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

When it comes to advertising, all responsible entities must be sure to:

(a) obtain express consent from the individuals who will be part of the activity; and

(b) post a privacy policy in Spanish.

When it comes to dealing with underage persons, special and mandatory processes must be followed.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Venezuela? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

The Special Law of Cybercrimes establishes a set of sanctions (prison term of between two and six years plus monetary sanctions) for those who breach IT systems, enabling unauthorized access to personal data.

6.2 How are data breaches regulated in Venezuela? What are the requirements for responding to data breaches?

See question 6.1. There is no regulation covering how to respond to such incidents.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

Article 60 of the National Constitution states: “Every person is entitled to protection of his or her honor, private life, intimacy, self-image, confidentiality and reputation. The use of electronic information shall be restricted by law in order to guarantee the personal and family privacy and honor of citizens and the full exercise of their rights.”

8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

The Venezuelan law on consumer protection was revoked in 2015, and current legislation does not cover cybersecurity from a consumer rights perspective.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

Not applicable.


8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

Not regulated.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

Prior consent and full disclosure are needed.

8.5 Are there specific privacy rules governing data brokers?

No.

8.6 How is social media regulated from a privacy perspective?

Use of social media is only relevant to the current government, when it touches sensitive issues for the government/officers.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

Once again, express consent for the use of personal data must be obtained, including approval for sharing such data with third parties.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

In spite of a lack of specific regulation, given that data protection could be interpreted as a fundamental personal right, we would advise entities to obtain express consent from individuals regarding these kinds of transactions.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

No.

10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

Violations of privacy or data security law are punishable with prison sentences of between two and seven years, depending on the circumstances, plus monetary sanctions.

10.2 Do individuals have a private right of action? What are the potential remedies?

Yes. Remedies for individuals range from injunctions and suspension of the infringement, up to monetary compensation for moral damages.


11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Venezuela which affect privacy?

No.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

There is extreme sensitivity from government officers for any matter that could be interpreted as a violation of national sovereignty; and humor, when linked to local events, may be interpreted by them as criticism.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Venezuela?

No.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

Venezuela has entered the international political agenda for the wrong reasons, and tolerance in Venezuela for criticism is close to none. Diplomatic relationships with several governments, including the USA, are at a historic low, and, for this reason, extreme prudence is advised. However, formally speaking, while legislation does not cover the majority of topics of interest related to data privacy, the fact that it is recognised as a constitutional right can never be ignored.

12.2 What do you envision the privacy landscape will look like in 5 years?

A complete reshape of legal topics of global interest is expected if a political transition begins.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

Uncertainty, due to the lack of regulation on most of the relevant issues associated with data privacy, leaving government officers/judiciary with a wide discretion as to interpretation.


PRIVACY LAW – ZIMBABWE

1 PRIVACY LAW

1.1 How is privacy regulated in Zimbabwe?

The Constitution makes provision for the protection of privacy in sections on Right to Privacy and Access to Information.

The Access to Information and Protection of Privacy Act was enacted by Parliament to deal with protection of individuals through prevention of unauthorized collection, use, or disclosure of information by government public bodies and agencies, and gives rights to individuals to access information collected, held and/or maintained by government. Private entities are not regulated by this Act.

Although the government has announced its intention to enact legislation to implement the right to privacy, specifically by introduction of a Data Protection Bill, no such legislation has to date been enacted. In the absence of legislation, individuals must rely upon various other laws and the common law to enforce their rights to privacy and data protection in the courts against private entities and individuals.

1.2 What are the key laws regulating privacy? Please point out national laws, local or state-specific laws, sector-specific laws, and self-regulatory frameworks, with special focus on advertising aspects.

Although the Constitution explicitly recognizes the right to privacy, the only specific law enacted related to privacy is the Access to Information Act which, as previously noted, does not apply to private entities and individuals. The missing link is the requisite legislation for the provision in the Constitution of Zimbabwe which guarantees protection. The Constitution provides that every person has the right to privacy, which includes the right, inter alia, not to have the privacy of their communications infringed.

Other laws, however, do refer to the protection of privacy and information as a function of other activities, or the protection of specific types of rights, such as: the Courts and Adjudicating Authorities (Publicity Restrictions) Act, the Census and Statistics Act, Banking Act, National Registration Act, and the recently enacted Consumer Protection Act.

There is no self-regulatory framework.

1.3 How is privacy law enforced? Please address both regulators and self-regulatory bodies.

Enforcement of rights is through laws related to specific activities or the common law, if applicable, in the courts. There are no self-regulatory bodies.

2 SCOPE

2.1 Which companies are subject to privacy law in Zimbabwe?

The Access to Information Act only covers public bodies; and other Acts which cover specific activities are also aimed at government entities, with the exception of consumer protection, banking and health care institutions, which are specifically required to avoid disclosure of sensitive information.


There is no specific law on privacy and data protection which imposes obligations on private entities and individuals. The proposed Data Protection legislation has not yet been considered by Parliament. There are, however, laws which provide for limited privacy and data protection, regulating companies in the financial sectors (Banking Act) and retailers of goods and services (Consumer Protection Act).

2.2 Does privacy law in Zimbabwe apply to companies outside the country? If yes, are there specific obligations for companies outside the country (eg, requiring a company representative in the country)?

Privacy law in Zimbabwe does not apply to companies outside the country.

3 PERSONAL INFORMATION

3.1 How is personal information/personal data defined in Zimbabwe?

The Access to Information Act, which specifically only applies to government agencies, defines “personal information” as recorded information including:

(a) a person’s name, address or telephone number;

(b) race, national or ethnic origin, colour, religious or political beliefs or associations;

(c) age, sex, sexual orientation, marital status or family status;

(d) identifying number, symbol or other particulars assigned to that person;

(e) fingerprints, blood type or inheritable characteristics;

(f) information about a person’s health care history, physical or mental disability;

(g) information about educational, financial, criminal or employment history;

(h) anyone else’s opinions about the individual; and

(i) the individual’s personal views or opinions.

3.2 What categories of personal information/personal data are considered sensitive (eg, children, biometric, health, video, geo-location, financial)? Are there specific obligations around sensitive information?

Personal information and data related to children, health conditions and financial status are considered sensitive.

3.3 What are the key privacy principles that companies need to follow regarding their processing of personal information/personal data (eg, transparency, choice, purpose limitation)?

Key privacy principles that companies need to follow are:

(a) avoid disclosure of sensitive information related to health conditions, children and financial status; and

(b) where personal data is necessary to know, or limited disclosure is required, seek advance written consent.


4 ROLES

4.1 Does privacy law assign different roles to companies based on how they process personal information/personal data (eg, controller versus processor)? If so, how do these roles affect obligations and contractual requirements?

There are no specific privacy laws governing companies’ processing and use of personal information/personal data. There are some laws requiring confidentiality of personal information, eg, Consumer Protection Act, Banking Act, Labour Act, etc.

5 OBLIGATIONS

5.1 Please summarize the key obligations required by privacy law, with special focus on advertising (eg, posting a privacy policy, keeping records of processing operations, appointing a privacy officer, registering with a privacy authority, conducting risk impact assessments).

There are no privacy laws imposing obligations on private entities related to the posting of a privacy policy, keeping records of processing operations, etc.

6 DATA SECURITY AND BREACH

6.1 How is data security regulated in Zimbabwe? Is there a minimum standard for securing data? If so, are there any resources to help companies address this standard?

There are no data or privacy laws governing private entities which regulate or impose minimum standards for securing data, etc.

6.2 How are data breaches regulated in Zimbabwe? What are the requirements for responding to data breaches?

There is currently no specific legislation which provides a remedy to counter data breaches.

7 INDIVIDUAL RIGHTS

7.1 What privacy rights do individuals have with respect to their personal information/personal data?

Individuals enjoy privacy rights with respect to their personal information/private data in terms of the Constitution, various laws such as Consumer Protection Law, Banking Law, Labour Law, as well as the common law. The rights may, however, be curtailed for a number of reasons, including law enforcement, national security and related purposes.


8 MARKETING AND ONLINE ADVERTISING

8.1 How are marketing communications (eg, emails, texts, push notifications) regulated from a privacy perspective?

The privacy of individuals remains at stake in Zimbabwe, as marketing communications are circulated without their approval. Through mobile communication providers, companies have a habit of circulating adverts inviting mobile users to participate in gaming apps from as little as 50c/day and/or encouraging the consumer to subscribe on their website.

8.2 How is the use of tracking technologies (eg, cookies, pixels, SDKs) regulated from a privacy perspective?

There is currently no law which addresses tracking technologies, although the recently enacted Consumer Protection Act may be interpreted as affording protection to consumers in this area.

8.3 How is targeted advertising and behavioral advertising regulated from a privacy perspective?

There is currently no law which addresses targeted and behavioral advertising from a privacy perspective.

8.4 What type of notice and consent do advertisers need to share data with third parties for customer matching (eg, Facebook Custom Audiences or via LiveRamp)?

Under the newly enacted Consumer Protection Act, notice and consent are required in order to share data with third parties for customer matching, but there is no specific type or format specified.

8.5 Are there specific privacy rules governing data brokers?

No. There are no specific privacy rules governing data brokers.

8.6 How is social media regulated from a privacy perspective?

From a privacy perspective, social media is not currently regulated.

8.7 How are loyalty programs and promotions regulated from a privacy perspective?

Loyalty programs and promotions are not currently regulated.

9 DATA TRANSFER

9.1 Are there any requirements or restrictions concerning data transfer (eg, restrictions on transferring data outside the country or between group companies)?

The same restrictions related to confidentiality will apply.

9.2 Are there any other issues companies need to consider when transferring data (eg, privilege issues when transferring data between group companies)?

The same restrictions related to confidentiality will apply.


10 VIOLATIONS

10.1 What are the potential penalties or sanctions for violations of privacy or data security law?

Penalties and/or sanctions, as well as damages, will be determined by the specific law under which the violation or breach of privacy occurred; and may be determined/imposed through arbitration or a court of law.

10.2 Do individuals have a private right of action? What are the potential remedies?

Depending upon the circumstances, there may be a private right of action in court; and damages as well as an interdict may be granted.

11 MISCELLANEOUS

11.1 Are there any rules that are particular to the culture of Zimbabwe which affect privacy?

No.

11.2 Are there any hot topics or laws on the horizon that companies need to know?

The recently enacted Consumer Protection Act and the proposed Data Protection Bill.

11.3 Is there any other information not covered in this chapter that companies need to know, including general advice or cautions around processing personal information/personal data in Zimbabwe?

No.

12 OPINION QUESTIONS

12.1 What changes in the privacy landscape have you observed over the past few years? In your opinion, what propelled/triggered these changes?

Greater awareness of the value and use of data, mainly due to increased use of social media and mobile applications for sales and marketing.

12.2 What do you envision the privacy landscape will look like in 5 years?

The global trend requires electronic commerce for economies to keep afloat. There will be large amounts of personal data being used by the government and private sector, not only within, but outside Zimbabwe. Cases of identity theft and fraud are set to be on the rise as personal information becomes easy to access, resulting in the necessity for regulatory controls and restrictions on access and use.

12.3 What are some of the challenges companies face due to the changing privacy landscape?

Increasing regulations will require considerable financial resources and administrative time. It will be difficult for businesses, particularly those which are newly established, to be able to afford the additional costs and sustain a viable business.

In June 2014, the African Union, of which Zimbabwe is a Member, adopted the African Union Convention on Cyber Security and Personal Data Protection. Chapter II of the Convention sets out the principles and rights which the Member States agree to implement within their jurisdictions.

In August 2016, the Cabinet of the government of Zimbabwe approved the Revised National Policy for Information Communication Technology (“ICT Policy”). According to the approved ICT Policy, the establishment of an institutional framework for enacting legislation dealing specifically with digital data protection and cybersecurity matters is anticipated. In 2018, the Data Protection Bill was announced as part of the legislative agenda. However, it has not, to date, been presented to the Parliament of Zimbabwe.

28 Liberty Street, 35th Floor, New York, NY 10005

Tel: 212.705.4895 | Fax: 347.438.2185

www.galalaw.com