EU Data Directive Work Program

I. European Union Data Directive Overview
II. Privacy Awareness
III. European Union Data Directive Work Program
A. Data Quality
Data Collection
Data Handling
B. Rights of Data Subject
Right of Information
Right of Access
Right to Object
Rights with Regard to Automated Individual Decisions
C. Security of Processing
Confidentiality
Implemented Safeguards
Third-Party Processing
D. Notification
Supervisory Authority
Personal Data Protection Official
E. Transfer of Data to Third Countries
Third Country Review
IV. Country-Specific Requirements
A. United Kingdom Requirements
B. India Requirements

Project Team (list members):

Project Timing:
  Phase                        Date    Comments
  Planning
  Fieldwork
  Report Issuance (Local)
  Report Issuance (Worldwide)
Page 1
Source: http://www.knowledgeleader.com
I. European Union Data Directive - Overview

This section is intended to provide an overview of the European Union Data Directive (EUDD, Directive 95/46/EC) requirements as they relate to the privacy and security of personal data. It begins by describing the overall objective of the EUDD and then gives background on the key points and clauses governing the protection of the data. Note that the Directive was repealed and replaced by the General Data Protection Regulation (Regulation (EU) 2016/679), applicable from 25 May 2018; the principles below carried over largely intact, but the article numbers, the notification regime and the sanctions did not, so check the law currently in force before relying on this program.

The complete legal text of the EUDD can be found here:
http://www.cdt.org/privacy/eudirective/EU_Directive_.html
Glossary of Terms

Personal Data - Any information relating to an identified or identifiable natural person. The EUDD does not enumerate the data fields that make up personal data; the examples commonly used in audit programs are an individual's first name or first initial and last name, Social Security Number (or other national identifier), driver's license or state identification number, and account number or credit card number. Under the EUDD the definition is broader than this list: any information that can be linked to an individual, directly or indirectly, qualifies.
Data Subject - A person who can be identified, directly or indirectly, by personal data.
Processing - Any operation or set of operations performed upon personal data, whether or not by automatic means (collection, recording, storage, retrieval, disclosure, erasure, and so on).
Controller - The person, public authority, agency, or other body which alone or jointly with others determines the purposes and means of the processing of personal data.
Processor - The person, public authority, agency, or other body that processes personal data on behalf of the controller.
Supervisory Authority - The public authority appointed by the Member State to monitor the application of the EUDD within that State.
Third Country - Any country outside the European Union (in practice, outside the European Economic Area, since the EEA states also adopted the Directive).
Objective and Scope

The goal of the EUDD is to ensure that Member States protect the fundamental rights and freedoms of natural persons, in particular their right to privacy with respect to the processing of personal data. Because every Member State must provide that protection, the EUDD also guarantees the free flow of personal data between Member States: a State may not restrict transfers to another Member State on data protection grounds. The EUDD applies to the processing of personal data wholly or partly by automatic means, and to manual processing of data that forms part of a filing system. It does not apply when the activity falls outside the scope of Community law (Titles V and VI of the Treaty on European Union), when the data is processed by a natural person in the course of a purely personal or household activity, or when the processing concerns public security, defense, State security, or criminal law.
Principles Relating to Data Quality

Member States must ensure that personal data is processed fairly and lawfully; collected for explicitly specified, legitimate purposes and not further processed in a way incompatible with those purposes; and adequate, relevant and not excessive in relation to those purposes. The data must also be accurate and, where necessary, kept up to date, and it must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes of the processing. Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, or health or sex life may not be processed at all unless one of the narrow exemptions in the EUDD applies (for example the data subject's explicit consent, or processing required by employment law).
Rights of Data Subject

Data subjects must be provided with the identity of the controller; the purposes of the processing; the recipients or categories of recipients of the data; whether replies to questions are obligatory or voluntary; and the existence of the right to access and rectify data concerning them. Data subjects also have the right to object, on compelling legitimate grounds relating to their particular situation, to the processing of their personal data, unless national legislation provides otherwise. Where the objection is justified, the data may no longer be processed.
Security of Processing

The controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, accidental loss, alteration, and unauthorized disclosure or access. Having regard to the state of the art and the cost of implementation, these measures must provide a level of security appropriate to the risks represented by the processing and the nature of the data. Where processing is carried out by a third party on the controller's behalf, the controller must choose a processor that provides sufficient guarantees about these measures, and the relationship must be governed by a contract or legal act that binds the processor to act only on the controller's instructions and to meet the same protection obligations.

Notification
An organization intending to process personal data must notify the Member State's supervisory authority before the processing begins, unless the processing is of a type unlikely to adversely affect the rights and freedoms of data subjects, or the organization has appointed a personal data protection official. The personal data protection official is responsible for ensuring, in an independent manner, that the organization applies the EUDD internally, and for keeping a register of the processing operations carried out. Processing operations that are likely to present specific risks to data subjects' rights and freedoms are subject to prior checking: the supervisory authority examines them on receipt of the notification, before they start.
Transfer of Data to Third Countries

Personal data may be transferred to a third country only if that country ensures an adequate level of protection. Adequacy is assessed in the light of all the circumstances of the transfer, in particular the nature of the data, the purpose and duration of the processing, the country of origin and of final destination, and the rules of law in force in the third country; the European Commission may find that a third country provides adequate protection. Where no adequacy finding exists, a transfer may still proceed under one of the derogations (for example the data subject's unambiguous consent, or necessity for a contract with the data subject) or on the basis of adequate safeguards, such as the Commission's standard contractual clauses.
II. Privacy Awareness

The survey questions below should be sent to the auditee prior to commencing fieldwork. The responses give the audit team an overview of the auditee's high-level privacy knowledge and awareness, and of where personal data is likely to be found before sampling begins.
Data Privacy Awareness Questions

Response options for each question: Yes / No / Not Sure, plus a Comments field. Questions 4 and 5 take a free-text answer instead (their Yes / No / Not Sure column is marked N/A).

1. Are you familiar with your company's internal privacy policy?
2. Are you familiar with the European Union Data Directive?
3. Do you know if there is a local internal privacy representative? If so, please provide the appropriate name.
4. What information do you collect that is considered personal data?
5. Is personal data stored in / on (if necessary, select more than one):
   o Local workstation / personal computer
   o Home PC
   o Shared network drive
   o Network server (not in a Data Center)
   o CD / DVD / Diskette
   o Hard copy / printout
   o Backup media (e.g., tape, disk, etc.)
   o Lotus Notes databases
   o Email attachments
   o Other: ____________
6. Have you experienced an incident that impacted the confidentiality, availability or integrity of your client's data?
7. Are there specific escalation procedures for handling data loss or addressing a data security breach?
8. Do local teams send emails with attachments (i.e., Word / Excel files) containing personally identifiable information? If so, please indicate how the attachments are secured.
III. European Union Data Directive - Work Program

The work program is laid out as a table with four columns: EUDD Requirement, Audit Test, Preliminary Information Requests, and Audit Results (left blank for the auditor to complete during fieldwork). Each numbered item below gives the requirement, then the audit test steps, then the information to request from the auditee before fieldwork; lettered test steps correspond to the lettered information requests.

A. Data Quality
Data Collection

1. Requirement: Data is collected for explicitly specified, legitimate purposes and not further processed in a way incompatible with those purposes.
   Audit test:
   a. Obtain and review the notification materials given to a sample set of data subjects prior to data collection.
   b. Confirm that the sample set of data subjects were explicitly informed of the processing to be performed on their data.
   c. Compare the information disclosed in the notification materials with the actual data processing operations completed on the sample data set. Ensure that the processing operations match the disclosed information.
   Preliminary information requests:
   a. Notification materials provided to the sample set of data subjects explaining the type of processing to take place.
   b. Same materials as in (a).
   c. Register of data processing operations carried out on the sample data set.
2. Requirement: Personal data may be processed only if at least one of the following conditions is met:
   - the data subject has unambiguously given consent;
   - processing is necessary for the performance of a contract to which the data subject is party, or for steps taken at the data subject's request prior to entering into a contract;
   - processing is necessary for compliance with a legal obligation of the controller;
   - processing is necessary to protect the vital interests of the data subject;
   - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority;
   - processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party to whom the data is disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
   Audit test: Obtain and review a sample set of data, along with its supporting documentation, and identify which of the six conditions for legitimate processing is met for each record. Where the condition relied on is consent, confirm that evidence of the consent itself exists (a policy stating that consent is obtained is not evidence that it was).
   Preliminary information requests: Supporting documentation for the sample set of data showing which of the six conditions the data meets.
3. Requirement: Personal data must be adequate, relevant, and not excessive in relation to the purposes for which it is collected.
   Audit test:
   a. Obtain and review a sample set of data to identify all data elements that have been collected.
   b. Obtain and review the data processing steps to be completed on the sample data set, as well as the intended output and results of the processing. Compare these steps and results to the data collected and ensure that every collected element is required by the processing steps.
   Preliminary information requests:
   a. Sample set of data.
   b. Description of the data processing steps and intended output or result of the processing operations for the sample set of data.
4. Requirement: Personal data must not contain information revealing the data subject's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, or health or sex life.
   Audit test: Obtain and review a sample set of data to check for any of the special categories listed above. Confirm that these elements are not present in the sample data, including in free-text and comment fields, where such information is most often found. If any are present, confirm that the auditee can document the exemption relied on (for example the data subject's explicit consent) rather than treating their presence as acceptable by default.
   Preliminary information requests: Sample data set.
Data Handling

5. Requirement: Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that data which is inaccurate or incomplete is erased or rectified.
   Audit test:
   a. Obtain and review the procedural documentation supporting the process for checking data for accuracy upon collection.
   b. Obtain and review the procedural documentation supporting the process for rechecking data for accuracy on a regular basis.
   c. Obtain and review the procedural documentation supporting the process for rectifying data inaccuracies.
   Preliminary information requests:
   a. Documentation of the data verification process, including workflow diagrams, policies and procedures, and interviews with employees.
   b. Documentation of the periodic data verification review process, including workflow diagrams, policies and procedures, and interviews with employees.
   c. Documentation of the data rectification process, including workflow diagrams, policies and procedures, and interviews with employees.
6. Requirement: Data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes of the processing.
   Audit test: Obtain and review the internal documentation regarding the appropriate use of data and the data retention standards. Obtain a sample set of data and compare it to the internal data handling policies; ensure the sample is in compliance. Where possible include backups and copies held by processors in the sample, since retention limits are breached more often in copies than in the primary system.
   Preliminary information requests: Internal documentation regarding the appropriate use of data and data retention standards. Sample set of data that has finished being processed, together with the processing operations that were run on the data set.
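The sample checks in items 3, 4 and 6 above (data minimisation, special categories, retention) are written for manual review, but once the auditee supplies an extract they can be applied mechanically to every record instead of to a handful. The script below is an added illustration written for this page; it is not part of the original work program and not from the source. The extract layout, the field names, the purpose-to-fields policy (SAMPLE_EXTRACT, POLICY, SPECIAL_CATEGORY_FIELDS, IDENTIFYING_FIELDS) and the fixed as-of date are all hypothetical stand-ins for what a real auditee would provide.

```python
"""Added example (not part of the original work program): applies the Data
Quality sample checks A.3, A.4 and A.6 to a CSV extract of a processing system.

Everything here is constructed for illustration: the extract format, the field
names and the retention policy are hypothetical.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample extract (hypothetical export from a processing system).
# In an audit this would be the "sample set of data" requested from the auditee.
SAMPLE_EXTRACT = """\
record_id,purpose,last_processed,full_name,email,national_id,ethnicity,health_notes
1,payroll,2023-11-02,Ada Example,ada@example.test,AB123456C,,
2,newsletter,2021-01-15,Bob Example,bob@example.test,,,
3,payroll,2020-06-30,Cy Example,cy@example.test,CD987654E,,asthma
4,newsletter,2023-12-01,Di Example,di@example.test,EF111111G,,
"""

# Hypothetical internal policy (the "data retention standards" of A.6 and the
# declared processing needs of A.3): per purpose, the fields the processing
# requires and how long identifiable data may be kept after last processing.
POLICY = {
    "payroll": {"fields": {"full_name", "email", "national_id"}, "retention_days": 6 * 365},
    "newsletter": {"fields": {"email"}, "retention_days": 365},
}

# Columns holding special-category data (A.4) and columns identifying the
# subject (A.6). Any populated special-category value is a finding unless the
# auditee documents an exemption.
SPECIAL_CATEGORY_FIELDS = {"ethnicity", "health_notes"}
IDENTIFYING_FIELDS = {"full_name", "email", "national_id"}
METADATA_FIELDS = {"record_id", "purpose", "last_processed"}

# Fixed "today" so the example is reproducible; an audit would use the fieldwork date.
AS_OF = date(2024, 3, 1)


def check_extract(extract_text, policy, as_of):
    """Run the three checks over a CSV extract.

    Returns a list of (record_id, finding) tuples; an empty list means the
    sample is consistent with the policy.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(extract_text)):
        rid = row["record_id"]
        rule = policy.get(row["purpose"])
        if rule is None:
            # Processing for a purpose that was never declared (A.1/A.2 territory).
            findings.append((rid, f"purpose '{row['purpose']}' not declared in policy"))
            continue
        populated = {k for k, v in row.items() if v and k not in METADATA_FIELDS}

        # A.3 data minimisation: fields present that the declared purpose does not need.
        excess = populated - rule["fields"] - SPECIAL_CATEGORY_FIELDS
        if excess:
            findings.append((rid, f"excess fields for purpose '{row['purpose']}': {sorted(excess)}"))

        # A.4 special categories: reported separately because the remedy differs
        # (documented exemption or deletion, not just a narrower collection form).
        special = populated & SPECIAL_CATEGORY_FIELDS
        if special:
            findings.append((rid, f"special-category data present: {sorted(special)}"))

        # A.6 retention: still identifiable after the policy period has elapsed.
        age = as_of - date.fromisoformat(row["last_processed"])
        if populated & IDENTIFYING_FIELDS and age > timedelta(days=rule["retention_days"]):
            findings.append((rid, f"identifiable data retained {age.days} days, limit {rule['retention_days']}"))
    return findings


def run_sample_checks():
    """Apply the checks to the constructed extract with the fixed as-of date."""
    return check_extract(SAMPLE_EXTRACT, POLICY, AS_OF)


if __name__ == "__main__":
    for record_id, finding in run_sample_checks():
        print(f"record {record_id}: {finding}")
```

On the constructed extract, record 1 is clean; record 2 carries a name the newsletter purpose does not need and is well past the one-year limit; record 3 holds health data in a free-text column; record 4 has a name and national identifier collected for a newsletter. Special-category columns are deliberately excluded from the "excess fields" check so that each record produces one finding per distinct problem rather than two for the same column.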
B. Rights of Data Subject
Right of Information

1. Requirement: Data subjects must be provided, at a minimum, with:
   - the controller's identity;
   - the purposes of the processing;
   - the recipients or categories of recipients of the data;
   - whether replies to questions are obligatory or voluntary, and the possible consequences of failure to reply;
   - the existence of the right to access and rectify data concerning them.
   Audit test: Obtain and review the notifications given to a sample set of data subjects to ensure all required information is included.
   Preliminary information requests: Notification given to the sample set of data subjects outlining their rights.
Right of Access

2. Requirement: The data subject has the right to obtain from the controller:
   - confirmation as to whether or not data relating to the subject is being processed;
   - the purposes of the processing;
   - the categories of data being processed;
   - the recipients or categories of recipients of the data;
   - the data undergoing processing, in intelligible form, and any available information as to its source;
   - the logic involved in any automatic processing of the data, at least in the case of automated decisions.
   Audit test:
   a. Obtain and review the procedural documentation supporting the process by which data subjects request information about the data being processed.
   b. Obtain and review the requests for information received from a sample set of data subjects.
   c. Obtain and review the information sent to the sample set of data subjects. Compare it to the requests received to ensure the information disclosed matches the information requested, and check that the requester's identity was verified before disclosure: an access process that releases data to an unverified requester is itself an unauthorized disclosure.
   Preliminary information requests:
   a. Documentation of the information request process, including workflow diagrams, policies and procedures, and interviews with employees.
   b. Information request tickets from the sample set of data subjects.
   c. Sample set of information packets sent to data subjects who requested information.
3. Requirement: The data subject has the right to have inaccurate or incomplete data rectified, erased, or blocked from processing. Third parties to whom the data has been disclosed must be notified of any rectification, erasure, or blocking, unless this proves impossible or involves a disproportionate effort.
   Audit test:
   a. Obtain and review the procedural documentation supporting the process for rectifying, erasing, or blocking inaccurate or incomplete data in data processing operations.
   b. Obtain and review the procedural documentation supporting the process for notifying third parties of any rectification, erasure, or blocking of inaccurate or incomplete data.
   Preliminary information requests:
   a. Documentation of the data correction process, including workflow diagrams, policies and procedures, and interviews with employees.
   b. Documentation of the third-party notification process, including workflow diagrams, policies and procedures, and interviews with employees.
Right to Object

4. Requirement: Data subjects can object at any time, on compelling legitimate grounds relating to their particular situation, to the processing of data relating to them.
   Audit test:
   a. Obtain and review the procedural documentation supporting the process for receiving and reviewing objections from data subjects.
   b. Obtain and review the procedural documentation supporting the process for removing data to which a justified objection has been made from the data set before processing.
   Preliminary information requests:
   a. Documentation of the data subject objection process, including workflow diagrams, policies and procedures, and interviews with employees.
   b. Documentation of the data removal process, including workflow diagrams, policies and procedures, and interviews with employees.
5. Requirement: Data subjects can object, free of charge, to the processing of personal data that the controller anticipates using for direct marketing, or can ask to be informed before the data is disclosed for the first time to third parties or used on their behalf for direct marketing, and to be expressly offered the right to object.
   Audit test:
   a. Obtain and review the internal documentation regarding the use of personal data for direct marketing purposes. If the organization does not use personal data for direct marketing, proceed to #6. If it does, continue with the next step.
   b. Obtain and review the procedural documentation supporting the process for receiving and reviewing objections from data subjects.
   c. Obtain and review the procedural documentation supporting the process for notifying data subjects prior to their data being used for direct marketing.
   d. Obtain and review the procedural documentation supporting the process for removing data subjects who have objected from the data set before processing.
   Preliminary information requests:
   a. Internal documentation regarding the use of personal data for direct marketing purposes.
   b. Documentation of the data subject objection process, including workflow diagrams, policies and procedures, and interviews with employees.
   c. Documentation of the data subject notification process, including workflow diagrams, policies and procedures, and interviews with employees.
   d. Documentation of the data removal process, including workflow diagrams, policies and procedures, and interviews with employees.
Rights with Regard to Automated Individual Decisions

6. Requirement: Data subjects have the right not to be subject to a decision that produces legal effects concerning them or significantly affects them and that is based solely on automated processing of data intended to evaluate personal aspects relating to them (for example performance at work, creditworthiness, reliability or conduct). Exceptions apply when the decision is taken in the course of entering into or performing a contract, provided the data subject's legitimate interests are safeguarded (for example by arrangements allowing them to put their point of view), or when the decision is authorized by law.
   Audit test: Obtain a list of all completely automated processes. Review the automated processes and the results obtained from them. Ensure that the results are not used as the only input to a decision having a significant effect on the data subject. Where a human review step is claimed, confirm from the records that the reviewer can and does overrule the automated result; a review that always confirms the output is automated decision-making in practice.
   Preliminary information requests: List of all completely automated data processing operations and the type of information obtained from the results of the processing.
C. Security of Processing
Confidentiality

1. Requirement: Any person acting under the authority of the controller or processor who has access to personal data must not process it except on instructions from the controller, unless required to do so by law.
   Audit test:
   a. Obtain and review the safeguards in place to protect personal data from unauthorized processing or access, including logical and physical access controls and the processes that require approval before data processing can occur.
   b. Obtain and review the procedural documentation supporting the process by which the controller approves all processing operations that occur.
   Preliminary information requests:
   a. Policies and procedures outlining the requirements that must be met before data processing operations occur.
   b. Documentation of the controller approval process, including workflow diagrams, policies and procedures, and interviews with employees.
Implemented Safeguards

2. Requirement: The controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, accidental loss, alteration, and unauthorized disclosure or access.
   Audit test:
   a. Obtain and review a list of all personal data held, together with the location where each data set is stored. Reconcile it against the storage locations reported in the Privacy Awareness survey (Section II, question 5): personal data on workstations, home PCs, removable media and in email attachments is frequently absent from the inventory.
   b. Obtain and review the policies and procedures for granting physical access to areas containing systems that store personal data. Select a sample set of clients, obtain and review the list of personnel with physical access to the areas containing the systems storing their data, and confirm with the appropriate business owner that all access is based on business need.
   c. Obtain and review the network diagrams for systems holding personal data to ensure those systems are appropriately segmented, located behind security devices such as firewalls, and reachable only through limited, defined paths. Diagrams document intent; where possible corroborate them against the actual firewall rule set or a port scan from a segment that should have no access.
   d. Obtain and review the policies and procedures for granting logical access to systems containing personal data. Select a sample set of clients, obtain and review the list of personnel with access to their data, and confirm with the appropriate business owner that all access is based on business need. Include service, shared and administrative accounts in the list, not only named users.
   e. Obtain and review the organizational chart to identify the privacy and security personnel and where they sit in the structure of the organization.
   Preliminary information requests:
   a. List of all personal data held, with the location where each data set is stored.
   b. Policies and procedures for physical access to areas containing systems that store personal data. List of personnel with physical access to those areas for the sample set of clients.
   c. Network diagrams for every network segment containing personal data.
   d. Policies and procedures for logical access to systems containing personal data. List of personnel with access to the sample set of client data.
   e. Organizational chart.
Third-Party Processing

3. Requirement: When processing is carried out by a third party, the controller must choose a processor providing sufficient guarantees in respect of the technical and organizational security measures governing the processing, and must ensure compliance with those measures.
   Audit test:
   a. Determine whether third-party processing takes place. If so, obtain and review the third-party processors' applications (questionnaires or assessments) outlining the safeguard measures the processor has implemented.
   b. Obtain and review the procedural documentation supporting the process for ensuring third-party compliance with the safeguards in place. A completed questionnaire evidences only that the processor made a claim; look for the independent assurance (audit reports, site visits, or the controller's own testing) behind it.
   Preliminary information requests:
   a. Sample set of applications from third-party processors outlining the safeguards that have been implemented.
   b. Documentation of the review process completed for the sample set of processors checking for compliance with the implemented safeguards.

4. Requirement: Processing by the third party must be governed by a contract or other legally binding act, in writing or equivalent form, stating that:
   - the processor shall act only on instructions from the controller;
   - the security obligations of the EUDD (Section C, #2 above) also apply to the processor.
   Audit test: Obtain and review a sample set of contracts with third-party processors to confirm that both required terms above are present. Where the processor in turn uses sub-processors, check that the contract passes the same obligations down.
   Preliminary information requests: Sample set of contracts with third-party processors.
D. Notification
Supervisory Authority

1. Requirement: The controller must notify the supervisory authority before carrying out any wholly or partly automated processing operation. The notification must include at least:
   - the name and address of the controller;
   - the purpose of the processing;
   - a description of the category or categories of data subject and of the data or categories of data relating to them;
   - the recipients or categories of recipients to whom the data might be disclosed;
   - proposed transfers of data to third countries;
   - a general description allowing a preliminary assessment to be made of the appropriateness of the security measures taken to protect the data.
   Audit test: Choose a sample set of data processing operations and request the notifications sent to the supervisory authority for them. Review the notifications to ensure that all required information is included and accurate, and that the processing actually performed has not drifted from what was notified.
   Preliminary information requests: Notifications to the supervisory authority for the sample set of data processing operations.
2. Requirement: The controller is not required to notify the supervisory authority if:
   - the processing operation is of a type unlikely to adversely affect the rights and freedoms of data subjects (within the conditions set by the Member State); or
   - the controller has appointed a personal data protection official.
   Audit test: If no exceptions were noted in Section D, #1, proceed to the next step. If exceptions were noted in Section D, #1, determine whether each un-notified operation falls into one of the categories of exemption from the notification requirement.
   Preliminary information requests: Description of the data processing operation and its intended outcome. Name and contact information for the personal data protection official.
Personal Data Protection Official

3. Requirement: The personal data protection official is responsible for ensuring, in an independent manner, that the requirements of the EUDD are applied internally, and for keeping the register of processing operations carried out by the controller.
   Audit test:
   a. If a personal data protection official has not been appointed within the organization, proceed to Section E. If one has been appointed, review the register of processing operations and ensure that all required information (from Section D, #1 above) is recorded for a sample set of processing operations.
   b. Obtain and review the procedural documentation supporting the process for notifying the personal data protection official of all processing operations.
   Preliminary information requests:
   a. Register of processing operations maintained by the personal data protection official.
   b. Documentation of the personal data protection official notification process, including workflow diagrams, policies and procedures, and an interview with the personal data protection official.
E. Transfer of Data to Third Countries
Third Country Review

1. Requirement: Member States must ensure that personal data is transferred to a third country only if that country ensures an adequate level of protection for the data, or if one of the EUDD's derogations or safeguards for transfers applies.
   Audit test: Obtain the list of third countries to which data has been sent for processing and compare it to the list of countries that the European Commission has found to provide an adequate level of protection. For each country not on that list, confirm that the transfer rests on a documented basis such as the data subject's unambiguous consent, contractual necessity, or contractual safeguards (for example the Commission's standard contractual clauses). Remote access from a third country to data held in the EU counts as a transfer for this purpose, so include processors who access data in place, not only those who receive copies.
   Preliminary information requests: List of all third countries that have received, or have remote access to, data for further processing.
IV. Country-Specific Requirements

A. United Kingdom Requirements

The United Kingdom transposed the EUDD as the Data Protection Act 1998, which governs the obligations of companies that process personal data. Many sections of the Act track the EUDD closely, but the Act is the law that UK companies are actually bound by and enforced under (a directive binds the Member State, not the company directly), so for UK operations the tests in Section III should be performed against the Act's wording. The major requirements of the Act are outlined below. Note that the Data Protection Act 1998 has since been repealed by the Data Protection Act 2018, which now sits alongside the UK GDPR.

Data Quality
- Incorrect data can be rectified or removed by court order after the data subject has applied to the court.

Rights of Data Subject
- Right to be informed whether personal data is being processed:
  o Right to be given a description of the data being used, the source of the data, the purposes of the processing, the recipients or categories of recipients of the data, and the logic of any automatic processing operations;
  o The company is required to disclose this information only if the data subject requests it in writing and pays any applicable fee.
- Can request in writing that data not be processed if the processing is likely to cause unwarranted substantial damage or distress.
- Can object to data being used for direct marketing purposes, or can ask to be notified prior to data being used for direct marketing and be given the explicit option to opt out.
- Can request in writing that the controller not take any decision based solely on automatic processing that may produce significant effects, including decisions evaluating personal qualities.
- If the data subject suffers damage due to a contravention of the requirements of the Act, the data subject is entitled to compensation from the responsible party.

Notification
- The controller must notify the Information Commissioner of all data processing, including the applicable details of the processing and the steps taken to protect the data.
B. India Requirements

At the time this program was written there were no Indian privacy laws in place regulating the responsibilities of companies to protect personal data. The National Association of Software and Service Companies (NASSCOM) was working with the government on the development of a privacy law, but it had not yet been completed or implemented. Many individual companies have developed internal privacy policies to comply with U.S. and EU regulations, but these internal policies do not make them legally accountable for violations. This position is now dated: India has since adopted the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 under the Information Technology Act, and the Digital Personal Data Protection Act, 2023, so current Indian law must be checked before fieldwork.

Many companies sending data to India include data protection stipulations in the contract language, while other companies do not store personally identifiable information in India, but rather store it at the source and allow the Indian processors to access the data remotely. From the EUDD's standpoint this does not avoid the third-country question: remote access by a processor in India to data held in the EU is still a transfer to a third country, so the Section E review and the processor contract requirements of Section C, #4 apply regardless of where the data is stored.