Table of Contents

I. European Union Data Directive - Overview
II. Privacy Awareness
III. European Union Data Directive - Work Program
   A. Data Quality
      Data Collection
      Data Handling
   B. Rights of Data Subject
      Right of Information
      Right of Access
      Right to Object
      Rights with Regard to Automated Individual Decisions
   C. Security of Processing
      Confidentiality
      Implemented Safeguards
      Third-Party Processing
   D. Notification
      Supervisory Authority
      Personal Data Protection Official
   E. Transfer of Data to Third Countries
      Third Country Review
IV. Country-Specific Requirements
   A. United Kingdom Requirements
   B. India Requirements

Project Team (list members):

Project Timing (Date / Comments):
   Planning
   Fieldwork
   Report Issuance (Local)
   Report Issuance (Worldwide)

Page 1. Source: http://www.knowledgeleader.com

I. European Union Data Directive - Overview

This section is intended to provide an overview of the European Union Data Directive (EUDD) requirements as they relate to privacy and security of personal data. This overview begins by describing the overall objective of the EUDD and proceeds to give background information surrounding the key points and clauses governing the protection of the data. The complete legal text of the EUDD can be found here: http://www.cdt.org/privacy/eudirective/EU_Directive_.html

Glossary of Terms

Personal Data - Any information relating to an identified or identifiable person. The data fields comprising personal data are not explicitly stated in the EUDD, but include an individual's first name or first initial and last name, Social Security Number (or other national identifier), driver's license or state identification number, and account number or credit card number.

Data Subject - A person who can be identified, directly or indirectly, by personal data.

Processing - Any operation or set of operations that is performed upon personal data.

Controller - The person, public authority, agency, or other body which alone or jointly with others determines the purposes and means of the processing of personal data.

Processor - The person, public authority, agency, or any other body that processes personal data on behalf of the controller.

Supervisory Authority - Public authority appointed by the Member State to be responsible for monitoring the application of the EUDD within the State.

Third Country - Any country that is outside of the European Union.

Objective and Scope

The goal of the EUDD is to ensure that Member States protect the fundamental rights and freedoms of all people, in particular their right to privacy with respect to the processing of data. Additionally, the EUDD is designed to ensure the unrestricted free flow of information between member states thanks to the protection of the data provided by the requirements of the EUDD. The EUDD applies to the processing of all data, either by automatic or manual means. Exceptions to these requirements occur when the activity falls outside the scope of Community law (Titles V and VI of the Treaty on European Union), the data is processed as part of a personal or household activity, or the data is related to public security, defense, State security, and criminal law.

Principles Relating to Data Quality

Member states must ensure that personal data is processed fairly and lawfully; collected for explicitly specified legitimate purposes and not further processed; adequate to meet the needs of the processing; and not excessive in the amount of data collected. The data must also be accurate and kept up-to-date, as well as kept in a manner that permits the identification of individual subjects for no longer than is necessary for the processing of the data. Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, or health or sex life is prohibited from being processed.

Rights of Data Subject

Data subjects must be provided with the identity of the controller of the data; the purposes of the data processing; the recipients or categories of recipients of the data; if replies to questions are obligatory or voluntary; and the existence of the right to access and rectify data concerning the subject. Data subjects also have the right to object on compelling legitimate grounds to the processing of personal data, unless otherwise provided by national legislation. If there is a justified objection, the data may no longer be used.

Security of Processing

Appropriate technical and organizational measures must be implemented to protect personal data against accidental or unlawful destruction, loss, or alteration and unauthorized disclosure or access. These measures should provide a level of security appropriate to the risks represented by the nature of the data being processed. If data processing is done by a third party, the originating party must have a contract or legal act that requires that the processor acts only on instructions from the originating party, and meets the protection obligations mentioned above.

Notification

Any organization intending to process data must inform the State's legal supervisory authority before the processing is begun, unless the type of data being processed is unlikely to adversely affect the rights and freedoms of the data subjects, or there is a personal data protection official appointed within the organization. This personal data protection official is responsible for ensuring in an independent manner that the internal application of the data processing is in accordance with the EUDD, and is also responsible for keeping a register of the data processing operations carried out. Upon receipt of the notification of data processing, the supervisory authority will review the processing operation to identify specific risks related to the data processing and will examine those operations prior to their start.

Transfer of Data to Third Countries

The Member State shall review the third country to see if the laws in that country ensure an adequate level of protection for the personal data. Particular consideration is given to the nature of the data, the purpose and duration of the processing, and the rules of law in the third country.

II. Privacy Awareness

The survey questions below should be sent to the auditee prior to commencing fieldwork. Responses from these questions will provide the audit team with an overview of the auditee's high-level privacy knowledge and awareness.

Data Privacy Awareness Questions (Response: Yes / No / Not Sure; Comments)

1. Are you familiar with your company's internal privacy policy?
2. Are you familiar with the European Union Data Directive?
3. Do you know if there is a local internal privacy representative? If so, please provide the appropriate name.
4. What information do you collect that is considered personal data? (Response: N/A)
5. Is personal data stored in / on (if necessary, select more than one):
   - Local workstation / personal computer
   - Home PC
   - Shared network drive
   - Network server (not in a Data Center)
   - CD / DVD / Diskette
   - Hard copy / printout
   - Backup media (e.g., tape, disk, etc.)
   - Lotus Notes Databases
   - Email attachments
   - Other: ____________
   (Response: N/A)
6. Have you experienced an incident that impacted the availability or integrity of your client's data?
7. Are there specific escalation procedures for handling data loss or addressing a data security breach?
8. Do local teams send emails with attachments (i.e., Word / Excel file) containing personally identifiable information? If so, please indicate how attachments are secured.

III. European Union Data Directive - Work Program

Each item in the work program below is laid out in four columns: EUDD Requirement | Audit Test | Preliminary Information Requests | Audit Results. The Audit Results column is blank, to be completed during fieldwork.

A. Data Quality
Data Collection

1. Requirement: Data is collected for explicitly specified legitimate purposes and not further processed.
   Audit test:
   a. Obtain and review notification materials given to sample set of data subjects prior to data collection.
   b. Confirm that sample set of data subjects are explicitly informed of the processing to be performed on their data.
   c. Compare information disclosed in notification materials with the actual data processing operations completed on the sample data set. Ensure that the processing operations match the disclosed information.
   Preliminary information requests:
   a. Notification materials provided to sample set of data subjects explaining the type of processing to take place.
   b. Notification materials provided to a sample set of data subjects explaining the type of processing to take place.
   c. Register of data processing operations that occurred with regards to a sample data set.

2. Requirement: Personal data may be processed only if it meets at least one of the following requirements:
   - The data subject has given consent;
   - Processing is necessary for the performance of a contract or prior to entering into a contract for the data subject;
   - Processing is necessary for compliance with a legal obligation of the controller;
   - Processing is necessary in order to protect the vital interests of the data subject;
   - Processing is necessary for the performance of a task carried out in the public interest;
   - Processing is necessary for the purposes of the legitimate interests pursued by the controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
   Audit test: Obtain and review sample set of data, along with supporting documentation, and identify which of the six requirements for legitimate data have been met.
   Preliminary information requests: Supporting documentation for sample set of data showing which of the six requirements the data meets.

3. Requirement: Personal data must be adequate, relevant, and not excessive in relation to the purposes for which it is collected.
   Audit test:
   a. Obtain and review sample set of data to identify all data elements that have been collected.
   b. Obtain and review the data processing steps to be completed on the sample data set as well as the intended output and results from the processing. Compare these steps and results to the data collected and ensure that all collected information is required for the processing steps.
   Preliminary information requests:
   a. Sample set of data.
   b. Description of data processing steps and intended output or result from the processing operations for the sample set of data.

4. Requirement: Personal data must not contain information revealing the data subject's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and health or sex life.
   Audit test: Obtain and review sample set of data to check for any information that is prohibited from being collected by the EUDD. Confirm that the personal data elements listed in the requirement are not present in sample data.
   Preliminary information requests: Sample data set.
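Audit tests A.3 (collected elements versus what the documented processing steps actually need) and A.4 (prohibited categories present in the sample) can be run as a script over the sample data set the auditee provides. The following Python is an added example and is not part of the work program; the sample records, the processing-step descriptions and the field names are constructed, and the keyword list used to recognise prohibited categories in field names is an assumption that the auditor must confirm against the real data.

```python
"""Data-minimization (A.3) and prohibited-category (A.4) checks over a sample data set.

Added example, not part of the work program. All inputs below are constructed.
"""
from __future__ import annotations

# Categories the EUDD prohibits from processing (work program item A.4), with
# assumed keywords that commonly appear in field names for each category.
PROHIBITED_KEYWORDS = {
    "racial or ethnic origin": ("race", "ethnic"),
    "political opinions": ("political", "party_affiliation"),
    "religious or philosophical beliefs": ("religion", "belief"),
    "trade-union membership": ("union",),
    "health or sex life": ("health", "medical", "diagnosis", "sexual"),
}

# Constructed sample data set ("Sample set of data"); only field names matter.
SAMPLE_RECORDS = [
    {"first_name": "Ada", "last_name": "Lovelace", "account_number": "ACC-0001",
     "email": "ada@example.test", "religion": "n/a", "date_of_birth": "1815-12-10"},
    {"first_name": "Alan", "last_name": "Turing", "account_number": "ACC-0002",
     "email": "alan@example.test", "religion": "n/a", "date_of_birth": "1912-06-23"},
]

# Constructed "Description of data processing steps": the fields each step uses.
PROCESSING_STEPS = {
    "monthly invoice generation": {"first_name", "last_name", "account_number"},
    "invoice delivery by email": {"email", "account_number"},
}


def collected_fields(records):
    """Union of every field present in the sample set (audit test A.3a)."""
    fields = set()
    for record in records:
        fields.update(record.keys())
    return fields


def required_fields(steps):
    """Union of fields the documented processing steps actually use (A.3b)."""
    needed = set()
    for step_fields in steps.values():
        needed.update(step_fields)
    return needed


def excess_fields(records, steps):
    """Fields collected but needed by no processing step: the A.3 exceptions."""
    return sorted(collected_fields(records) - required_fields(steps))


def prohibited_fields(records):
    """Map each collected field whose name matches a prohibited-category keyword
    to that category (audit test A.4). A hit is a lead to confirm by inspecting
    the values, not a final finding."""
    hits = {}
    for field in collected_fields(records):
        lowered = field.lower()
        for category, keywords in PROHIBITED_KEYWORDS.items():
            if any(keyword in lowered for keyword in keywords):
                hits[field] = category
    return hits


def audit_report(records, steps):
    """Both tests combined into the exceptions an auditor would record."""
    return {
        "collected": sorted(collected_fields(records)),
        "excess": excess_fields(records, steps),
        "prohibited": prohibited_fields(records),
    }


if __name__ == "__main__":
    for key, value in audit_report(SAMPLE_RECORDS, PROCESSING_STEPS).items():
        print(f"{key}: {value}")
```

On the constructed input the report lists date_of_birth and religion as collected but unused by any documented step, and flags religion as a prohibited category; both go to the Audit Results column as items for the business owner to justify or remove.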
Data Handling

5. Requirement: Personal data must be accurate and kept up-to-date. Steps must be taken to ensure that data which are inaccurate or incomplete are erased or rectified.
   Audit test:
   a. Obtain and review procedural documentation supporting the process to check data for accuracy upon collection.
   b. Obtain and review procedural documentation supporting the process to recheck data for accuracy on a regular basis.
   c. Obtain and review procedural documentation supporting the process to rectify data inaccuracies.
   Preliminary information requests:
   a. Documentation surrounding data verification processes, including workflow diagrams, policies and procedures, and interviews with employees.
   b. Documentation surrounding data verification review processes, including workflow diagrams, policies and procedures, and interviews with employees.
   c. Documentation surrounding data rectification process, including workflow diagrams, policies and procedures, and interviews with employees.

6. Requirement: Data must be kept in a form that permits identification of data subjects for no longer than is necessary for the data processing.
   Audit test: Obtain and review internal documentation regarding the appropriate use of data and data retention standards. Obtain sample set of data and compare to internal data handling policies. Ensure the sample set of data is in compliance with internal policies.
   Preliminary information requests: Internal documentation regarding the appropriate use of data and data retention standards. Sample set of data that has finished being processed, as well as the process operations that were run on the data set.

B. Rights of Data Subject
Right of Information

1. Requirement: Data subjects must be provided, at a minimum, with:
   - The controller's identity;
   - The purposes of the processing of the data;
   - The recipients or categories of recipients of the data;
   - If replies to the questions are obligatory or voluntary and the possible consequences of failure to reply;
   - The existence of the right to access and rectify data concerning the subject.
   Audit test: Obtain and review notifications given to sample set of data subjects to ensure all required information is included.
   Preliminary information requests: Notification given to sample set of data subjects outlining their rights.

Right of Access

2. Requirement: Data subject has the right to the following information:
   - Confirmation as to whether or not data relating to the subject is being processed;
   - Purposes of the processing;
   - Categories of data being processed;
   - Recipients or categories of recipients of the data;
   - Data undergoing processing as well as the source of the data;
   - Logic involved in any automatic processing system.
   Audit test:
   a. Obtain and review procedural documentation supporting the process for data subjects to request information about the data being processed.
   b. Obtain and review requests for information obtained from sample set of data subjects.
   c. Obtain and review information sent to sample set of data subjects. Compare to information requests received from the data subjects to ensure information disclosed matches information requested.
   Preliminary information requests:
   a. Documentation surrounding information request processes, including workflow diagrams, policies and procedures, and interviews with employees.
   b. Information request tickets from sample set of data subjects.
   c. Sample set of information packets sent to data subjects who requested information.

3. Requirement: Data subject has the right for inaccurate or incomplete data to be rectified, erased, or blocked from processing. Third parties receiving the data must be notified of any rectification, erasure, or blocking of the data.
   Audit test:
   a. Obtain and review procedural documentation supporting the process for rectifying, erasing, or blocking inaccurate or incomplete data from data processing operations.
   b. Obtain and review procedural documentation supporting the process for notifying third parties of any rectification, erasure, or blocking of inaccurate or incomplete data.
   Preliminary information requests:
   a. Documentation surrounding data correction processes, including workflow diagrams, policies and procedures, and interviews with employees.
   b. Documentation surrounding third party notification processes, including workflow diagrams, policies and procedures, and interviews with employees.

Right to Object

4. Requirement: Data subjects can object to the processing of data at any time with a legitimate legal concern relating to the subject's particular situation.
   Audit test:
   a. Obtain and review procedural documentation supporting the process for receiving and reviewing objections from data subjects.
   b. Obtain and review procedural documentation supporting the process for removing data with objections from data set before processing.
   Preliminary information requests:
   a. Documentation surrounding data subject objection processes, including workflow diagrams, policies and procedures, and interviews with employees.
   b. Documentation surrounding data removal processes, including workflow diagrams, policies and procedures, and interviews with employees.

5. Requirement: Data subjects can object, free of charge, to the processing of personal data that is anticipated to be used for direct marketing, or can request to be informed before data is used for direct marketing and be expressly offered the right to object.
   Audit test:
   a. Obtain and review internal documentation regarding the use of personal data for direct marketing purposes. If the organization does not use personal data for direct marketing, proceed to #6. If the organization does use personal data for direct marketing, continue with the next step.
   b. Obtain and review procedural documentation supporting the process for receiving and reviewing objections from data subjects.
   c. Obtain and review procedural documentation supporting the process for notifying data subjects prior to data being used for direct marketing.
   d. Obtain and review procedural documentation supporting the process for removing data with objections from data set before processing.
   Preliminary information requests:
   a. Internal documentation regarding the use of personal data for direct marketing purposes.
   b. Documentation surrounding data subject objection processes, including workflow diagrams, policies and procedures, and interviews with employees.
   c. Documentation surrounding data subject notification processes, including workflow diagrams, policies and procedures, and interviews with employees.
   d. Documentation surrounding data removal processes, including workflow diagrams, policies and procedures, and interviews with employees.
Rights with Regard to Automated Individual Decisions

6. Requirement: Data subjects have the right not to be subject to a decision that produces legal effects or significantly affects the subject and is based solely on automatic processing of data intended to evaluate personal aspects relating to him/her. Exceptions occur when the processing is done in the course of entering into or performance of a contract or when the processing is authorized by law.
   Audit test: Obtain list of all completely automated processes. Review the automated processes, as well as the results that are obtained from these processes. Ensure that the results are not used as the only input to make a decision having a significant effect on the data subject.
   Preliminary information requests: List of all completely automated data processing operations and the type of information that is obtained from the results of the processing.

C. Security of Processing

Confidentiality

1. Requirement: Any person who has access to personal data must not process or access it except on instructions from the controller, unless required to do so by law.
   Audit test:
   a. Obtain and review safeguards in place to protect personal data from unauthorized processing or access, including logical and physical access and processes in place requiring approval before data processing can occur.
   b. Obtain and review procedural documentation supporting the process for the controller to approve all processing operations that occur.
   Preliminary information requests:
   a. Policies and procedures outlining the requirements for data processing operations to occur.
   b. Documentation surrounding controller approval processes, including workflow diagrams, policies and procedures, and interviews with employees.

Implemented Safeguards

2. Requirement: The controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, or alteration, as well as unauthorized disclosure or access.
   Audit test:
   a. Obtain and review a list of all personal data, as well as the location where the data is stored.
   b. Obtain and review policies and procedures for the granting of physical access to areas containing systems that store personal data. Select a sample set of clients and obtain and review the list of personnel with physical access to areas containing systems storing the data. Confirm with the appropriate business owner that all access is based on business need.
   c. Obtain and review network diagrams for systems holding personal data to ensure the systems with personal data are appropriately segmented and located behind security devices, such as firewalls, and allow only limited access.
   d. Obtain and review policies and procedures for the granting of access to systems containing personal data. Select a sample set of clients and obtain and review the list of personnel with access to the data. Confirm with the appropriate business owner that all access is based on business need.
   e. Obtain and review organizational chart to identify privacy and security personnel, as well as where they are located in the structure of the organization.
   Preliminary information requests:
   a. List of all personal data, as well as the location where the data is stored.
   b. Policies and procedures dealing with physical access to areas containing systems that store personal data. List of personnel with physical access to areas containing systems that store data for sample set of clients.
   c. Network diagrams for every network segment containing personal data.
   d. Policies and procedures dealing with access to systems containing personal data. List of personnel with access to sample set of client data.
   e. Organizational chart.

Third-Party Processing

3. Requirement: When processing is done by a third-party, the controller must choose a processor providing sufficient guarantees of technical and organizational measures governing processing to be completed and must ensure compliance with those measures.
   Audit test:
   a. Determine if third-party processing takes place. If so, obtain and review third-party processor applications outlining safeguard measures that have been implemented by the processor.
   b. Obtain and review procedural documentation supporting the process to ensure third-party compliance with the safeguards in place.
   Preliminary information requests:
   a. Sample set of applications from third-party processors outlining safeguards that have been implemented.
   b. Documentation of the review process completed for sample set of applicants checking for compliance with implemented safeguards.

4. Requirement: The carrying out of processing by the third-party must be managed by a signed, written legal contract stating:
   - The processor shall act only on instructions from the controller;
   - All security requirements of the EUDD also apply to the processor.
   Audit test: Obtain and review sample set of contracts with third-party processors to identify all required information listed in the requirement.
   Preliminary information requests: Sample set of contracts with third-party processors.
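Audit tests C.2b and C.2d both come down to reconciling the list of personnel holding physical or logical access to a sample client's data against the business owner's approvals and confirming that every entry is backed by a current business need. The following Python is an added example of that reconciliation and is not the work program's own procedure; the access list, the approvals (with a stated need and a review date), the HR roster and the client identifier are all constructed, and the rule that an approval past its review date is an exception is an assumption about the auditee's policy.

```python
"""Access reconciliation for audit tests C.2b (physical) and C.2d (logical).

Added example, not part of the work program. All inputs are constructed.
"""
from __future__ import annotations
from datetime import date

# Constructed: personnel currently holding access to client "CLIENT-A" data,
# as pulled from the system account list and the badge-access system.
ACCESS_LIST = [
    {"user": "jsmith", "client": "CLIENT-A", "kind": "logical"},
    {"user": "mgarcia", "client": "CLIENT-A", "kind": "logical"},
    {"user": "tnguyen", "client": "CLIENT-A", "kind": "logical"},
    {"user": "svc_backup", "client": "CLIENT-A", "kind": "logical"},
    {"user": "jsmith", "client": "CLIENT-A", "kind": "physical"},
    {"user": "rlee", "client": "CLIENT-A", "kind": "physical"},
    {"user": "dpatel", "client": "CLIENT-A", "kind": "physical"},
]

# Constructed: business owner's approvals with the stated need and the date by
# which the approval must be re-reviewed (assumed policy).
APPROVALS = [
    {"user": "jsmith", "client": "CLIENT-A", "kind": "logical", "need": "account manager", "expires": date(2025, 12, 31)},
    {"user": "jsmith", "client": "CLIENT-A", "kind": "physical", "need": "on-call operations", "expires": date(2025, 12, 31)},
    {"user": "mgarcia", "client": "CLIENT-A", "kind": "logical", "need": "payroll processing", "expires": date(2024, 6, 30)},
    {"user": "rlee", "client": "CLIENT-A", "kind": "physical", "need": "facilities", "expires": date(2025, 12, 31)},
    {"user": "pkumar", "client": "CLIENT-A", "kind": "logical", "need": "former analyst", "expires": date(2025, 12, 31)},
]

# Constructed HR roster; service accounts deliberately have no entry.
HR_ROSTER = {
    "jsmith": {"active": True},
    "mgarcia": {"active": True},
    "tnguyen": {"active": False},  # left the company, access still present
    "rlee": {"active": True},
    "dpatel": {"active": True},
    "pkumar": {"active": True},
}

AS_OF = date(2025, 1, 15)  # fieldwork date for the constructed scenario


def reconcile(access_list, approvals, roster, as_of):
    """Return findings per access entry plus approvals that no longer match any
    held access (stale approvals the owner should withdraw)."""
    approved = {(a["user"], a["client"], a["kind"]): a for a in approvals}
    findings = []
    for entry in access_list:
        key = (entry["user"], entry["client"], entry["kind"])
        approval = approved.get(key)
        if approval is None:
            findings.append((key, "no business-owner approval on file"))
        elif approval["expires"] < as_of:
            findings.append((key, "approval expired on " + approval["expires"].isoformat()))
        person = roster.get(entry["user"])
        if person is None:
            findings.append((key, "no HR record (service or shared account): confirm owner and need"))
        elif not person["active"]:
            findings.append((key, "access held by inactive employee"))
    held = {(e["user"], e["client"], e["kind"]) for e in access_list}
    stale = sorted(k for k in approved if k not in held)
    return {"findings": findings, "stale_approvals": stale}


def reasons_for(result, user, kind, client="CLIENT-A"):
    """All findings raised against one access entry, in the order found."""
    return [reason for key, reason in result["findings"] if key == (user, client, kind)]


def by_audit_step(result):
    """Split findings by the work program step they belong to."""
    return {
        "C.2b physical": [f for f in result["findings"] if f[0][2] == "physical"],
        "C.2d logical": [f for f in result["findings"] if f[0][2] == "logical"],
    }


RESULT = reconcile(ACCESS_LIST, APPROVALS, HR_ROSTER, AS_OF)

if __name__ == "__main__":
    for step, items in by_audit_step(RESULT).items():
        print(step)
        for key, reason in items:
            print("  ", key, "-", reason)
    print("stale approvals:", RESULT["stale_approvals"])
```

Each finding is one line for the Audit Results column; the entries with no finding are the ones the business owner has already confirmed as based on business need, which is the evidence the test asks for. Running the same reconciliation separately for the physical and logical lists keeps the two steps' workpapers distinct.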
D. Notification

Supervisory Authority

1. Requirement: Controller must notify the supervisory authority before carrying out any automated or partially automated processing. Notification must include at least:
   - Name and address of controller;
   - Purpose of the processing;
   - Description of the category or categories of data subject and of the data or categories of data relating to them;
   - Recipients or categories of recipients to whom the data might be disclosed;
   - Proposed transfers of data to third countries;
   - General description allowing a preliminary assessment to be made of the appropriateness of the security measures taken to protect the data.
   Audit test: Choose sample set of data processes and request notifications sent to supervisory authority. Review notifications received to ensure that all required information is included and accurate.
   Preliminary information requests: Notifications to supervisory authority for sample set of data processes.

2. Requirement: The controller is not required to notify the supervisory authority if:
   - The processing operation is unlikely to adversely affect the rights and freedoms of data subjects;
   - The controller has appointed a personal data protection official.
   Audit test: If no exceptions were noted in Section D, #1, proceed to next step. If exceptions were noted in Section D, #1, determine if the operation falls into one of the categories for exceptions to notification requirements.
   Preliminary information requests: Description of the data processing operation and intended outcome. Name and contact information for the personal data protection official.

Personal Data Protection Official

3. Requirement: The personal data protection official is responsible for ensuring in an independent manner that the requirements of the EUDD are being applied internally as well as keeping the register of processing operations carried out by the controller.
   Audit test:
   a. If a personal data protection official has not been appointed within the organization, proceed to Section E. If a personal data protection official has been appointed, review the register of processing operations and ensure that all required information (from Section D, #1 above) is recorded for a sample set of processing operations.
   b. Obtain and review procedural documentation supporting the process of notifying the personal data protection official of all processing operations.
   Preliminary information requests:
   a. Register of processing operations maintained by the personal data protection official.
   b. Documentation surrounding the personal data protection official notification process, including workflow diagrams, policies and procedures, and interviews with the personal data protection official.

E. Transfer of Data to Third Countries

Third Country Review

1. Requirement: Member States assure that the transfer of data to a third country occurs only if the third country in question ensures an adequate level of protection of the data.
   Audit test: Obtain list of third countries where data has been sent for processing and compare the list of these countries to the list of countries approved by the EUDD Commission as providing an adequate level of protection.
   Preliminary information requests: List of all third countries that have received data for further processing.
IV. Country-Specific Requirements

A. United Kingdom Requirements

The United Kingdom has the Data Protection Act of 1998 to govern the requirements of companies to protect data. Many of the sections in the Data Protection Act tie in closely with the European Union Data Directive, but having the requirements in a separate United Kingdom act means that companies can be held accountable on two levels. The major requirements of the Data Protection Act are outlined below.

Data Quality

- Incorrect data can be rectified or removed by court ruling after the data subject has appealed to the court.

Rights of Data Subject

- Right to be informed if personal data is being processed:
   o Right to be given a description of the data being used, the source of the data, the purposes of the processing, the recipient or categories of recipient of the data, and the logic of any automatic processing operations;
   o Company required to disclose this information only if the data subject requests the information in writing and pays any applicable fees.
- Can request in writing that data not be used if the processing is likely to cause unwarranted harm.
- Can object to data being used for direct marketing purposes, or can ask to be notified prior to data being used for direct marketing and have the explicit option to opt out.
- Can request in writing that the controller not do any automatic processing that may produce significant effects, including producing results regarding personal qualities.
- If the data subject suffers damage due to the contravention of the requirements of the act, the data subject is entitled to compensation from the responsible party.

Notification

- Controller must notify the Commissioner of all data processing and include all applicable details of the processing as well as the steps that have been taken to protect the data.
B. India Requirements

There are currently no Indian privacy laws in place regulating the responsibilities of companies to protect personal data. The National Association of Software and Service Companies (NASSCOM) is working with the government on the development of a privacy law, but it has not yet been completed or implemented. Many individual companies have developed internal privacy policies to comply with U.S. and EU regulations, but these internal policies do not hold them legally accountable for violations. Many companies sending data to India include data protection stipulations in the contract language, while other companies do not store personally identifiable information in India, but rather store it at the source and allow the Indian processors to access the data.