Privacy Codes of Conduct as a self-regulatory approach to cope with restrictions on transborder data flow

Dr. Anja Miedbrodt

Exemplified with the help of the data protection policy of the DaimlerChrysler AG



Current situation

Technical convergence promotes a worldwide exchange of goods and services.

Competition becomes more and more a global challenge.

Increase in possibilities of matching and processing personal data collected for various purposes.

Rise in the potential risks of fraudulent use of personal data.

Increase in the sensitivity of consumers regarding the handling of their personal data.

Development and integration of data security and data protection concepts in their products and services is crucial for globally acting companies.


Tendencies of the privacy legislation worldwide

Increase in enacting data protection laws worldwide, but different national legal requirements due to the lack of a globally competent legislator.

Tendency of incorporating data protection and privacy issues in laws governing electronic commerce especially in Asian countries.

Influence of the EC-Directive and national laws of Asia/Pacific and Latin-America restricting the transborder data flow.

Data protection and privacy legislation is on the way to an international law convergence.


Legal situation with regard to transborder data flows

A transborder transfer of personal data is only permitted if the third country ensures an adequate level of data protection.

Requirement results from the EC-Directive on data protection and the privacy acts of Australia, Hong Kong, Taiwan, Argentina.

Currently a transfer is only permitted in the following cases:

From the EU/EEC to Hungary, Switzerland, Canada (with restrictions).

From the EU/EEC to the US provided that the US-American company adheres to the Safe Harbor Principles and is subject to the jurisdiction of the Federal Trade Commission or another institution which effectively ensures the compliance with these principles.


Legal situation with regard to transborder data flows

Exceptions from the requirement to provide an adequate level of data protection:

Unambiguous consent of the data subject;

The transfer is necessary for the performance of a contract between the data subject and the controller or for precontractual measures taken in response to the data subject’s request; or

The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party; or


The transfer is necessary to protect the vital interests of the data subject.

Since each transfer has to be assessed on its own merits, the reliance on the exemptions is not sufficient for companies which transfer data worldwide for diverse purposes.


Options for globally acting companies

Obtain the data subject's consent to the transfer to substandard countries.

Adduce adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights, such as:

Incorporate contractual clauses/model clauses.

Implement Codes of Conduct.


Consent solution

Pros

Individual solutions are possible.

Effort only when it is necessary.

Cons

Option not expressly provided by all national laws providing for restrictions on transborder data flows.

Due to the different national requirements, it can be difficult to obtain a legally effective consent.

Information about and consent to a transfer to a substandard country.


Consent solution

Cons

Consent could be withheld or revoked; merely having to take this into account complicates the data processing.

When employees' data is transmitted, it might be necessary to involve the works council.


Contractual clauses

Pros

Specific solution for each specific case, consideration of peculiarities possible.

Effort only when it is necessary.

Cons

Increased expenditure for administration due to the obligation to incorporate and to update each single contract.

No contribution to increasing the awareness of the employees concerned.

Notification to or approval by the respective data protection authority (DPA) required.


Standard contractual clauses

Pros

Formally adopted by the European Commission as a sufficient safeguard for providing an adequate level of data protection.

Cons

No uniform application by the DPAs.

Alterations have to be approved.

Contains the obligation for the data importer to cooperate with the competent supervisory authority and to observe its decisions with regard to the data transferred.


Codes of Conduct

Pros

Possibility to make use of the tendency of law convergence and provision of a global solution.

Easy to implement, control and update.

Low expenses for law enforcement.

Uniform procedures within the company as a marketing tool.

Cons

Approval by the respective data protection authorities required.


Codes of Conduct

Cons

Current procedure to get Codes of Conduct approved Community-wide is burdensome and bureaucratic.

Several options:

Decision by the European Commission pursuant to Art. 26 para. 4 of the EU Data Protection Directive.

Community-wide validity of an approval by one data protection authority; accordingly, the participation of the other Member States and the Commission has to be ensured.


Codes of Conduct are the best solution to cope with the legal requirements for transborder data flow.


Content of Codes of Conduct

Principles and requirements for the collection and processing of personal data.

Requirements for the transfer of personal data to third parties, including data exchange within the Group.

Rights of the data subject.

Requirement to maintain confidentiality.

Principles of data security.

Requirements for the involvement of third parties, including in the case of data processing on behalf.

Responsibilities and sanctions.

Internal law enforcement.


Internal law enforcement within the DaimlerChrysler Group

Appointment of a Chief Officer Corporate Data Protection (CPO) with worldwide responsibility that reports directly to the Board of Management.

Infrastructure of locally responsible data protection coordinators for the different regions of the world.

Coordination of the data protection coordinators by regular meetings conducted by the CPO.


Thank you for your attention.

For further questions mail [email protected]