Archive

Posts Tagged ‘Directive’

Transfer mechanisms of personal data from EU to third countries

January 8, 2013 2 comments

This Article explains the concept of transferring personal data from EU to third countries, what those third countries mean, the principles for making such transfers legitimate and the derogations from these principles, and last but not least, the transfer mechanisms of personal data to third countries.

Considering the legal requirements of the Directive 95/46/EC, Article 25
the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if… the third country in question ensures an adequate level of protection…this Article provides three legal mechanisms for such transfers:

-Standard Contractual Clauses – for single Organizations or entities

Binding Corporate Rulesfor multinational Organizations or entities

-Safe Harbor Agreement principles – for Organizations or entities located in the U.S.

The Article provides Organizations or entities with all current available mechanisms for data transfer from the European Union to third countries, regardless if those Organizations are independent-single entities or multinational ones.

This Article was written by Dan Manolescu. If interested, you could read the full Article published by InfoSec Institute here.

If you would like to find out more about InfoSec, you could visit this page here.

Dan Manolescu is now a frequent contributer for InfoSec Institute.

If you have any questions please contact us at: dan@e-crimeexpert.com

Advertisements

Data Protection: one Directive and two perspectives

December 4, 2012 Leave a comment

Data Protection: the economic value and the fundamental human rights perspectives

Related to our latest Blog post on Privacy vs Data Protection, today E-Crime Expert presents a short history and rational behind the Data protection legislation in the European Union.

Did you think that the EU Data Protection legislation was drafted and proposed by the European Union’s Directorate General Justice (because of its Human Rights dimension)?Actually, it was not as the Directive 95/46/EC was drafted and proposed by the DIRECTORATE GENERAL FOR INTERNAL MARKET AND SERVICES DG MARKET.

Why? In order to find out please read bellow the rationals described in the Preamble of the Directive 95/46/EC:

The establishment and functioning of an internal market in which, in accordance with Article 7a of the European Union’s Treaty, the free movement of goods, persons, services and capital is ensured require not only that personal data should be able to flow freely from one Member State (MS) to another, but also that the fundamental rights of individuals should be safeguarded. In other words, there should be a proper balance between the free flow of personal data and the protection of fundamental human rights.

Furthermore, the economic and social integration resulting from the establishment and functioning of the internal market leads to a substantial increase in cross-border flows of personal data between all those involved in a private or public capacity in economic and social activity in the MemberStates and the exchange of personal data between undertakings in different Member States is considerable increasing. Also, the increase in scientific and technical cooperation and the new telecommunications networks in the Community necessitate and facilitate cross-border flows of personal data.

Considering the difference in levels of protection of the rights and freedoms of individuals (privacy), with regard to the processing of personal data afforded in the Member States, it could prevent the transmission of such data from the territory of one Member State to that of another Member State, which constitutes an obstacle to the pursuit of a number of economic activities at Community level, distort competition and diminishes the economic value of a such exchange of data.

Last but not least, in order to remove the obstacles for the flow of personal data, which is vital to the internal market, it is aimed to ensure that the cross-border flow of personal data is regulated in a consistent manner that is in keeping with the objective of the internal market.

Considering the above rationales as outlined in the Preamble of the Directive 95/46/EC, we can easily observe that the Data Protection legislation in the EU does not manly has a human rights dimension but an economic one as the Directive 95/46/EC was drafted and proposed by the DG Market and not by the DG Justice or DG Home, aiming to not only stop but to increase the free flow of data between the Member States by giving legal certainty to the EU citizens and providing a legal framework uniformly implemented among the MS.

The second part of this Blog Post continues with the Directive 95/46/EC human rights dimension  by explaining data protection terminology, principles, rights of data subjects and data transfer mechanisms.

 1)      data protection terminology and definitions

  • ‘personal data’ = any information relating to an identified or identifiable natural person (‘data subject’); and who can be identified:
    • directly
    • indirectly,
    • in particular by reference to an identification number
    • or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity
  • ‘processing of personal data’ = any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as: collection, 
    • recording,
    • organization,
    • storage,
    • adaptation or alteration,
    • retrieval,
    • consultation,
    • use,
    • disclosure by transmission,
    • dissemination or otherwise making available,
    • alignment or combination,
    • blocking, erasure or destruction;
  • ‘personal data filing system’ (‘filing system’) = any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis;
  • ‘controller’ = the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data;
  • ‘processor’ = a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
  • ‘third party’ = any natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor and the persons who (e.g. subcontractor), under the direct authority of the controller or the processor, are authorized to process the data;
  • ‘recipient’ = a natural or legal person, public authority, agency or any other body to whom data are disclosed, whether a third party or not;
  • ‘the data subject’s consent’ = any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.

 2)      Principles related to data protection:

  • processed
  • fairly (data subjects informed) and
  • lawfully (based on a legal act)
  • collected for:
    • specified,
    • explicit
    • legitimate purposes
    • no further processed in a way incompatible with those purposes
  • adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;
  • accurate and, where necessary, kept up to date;
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected
  • the data subject has unambiguously given his consent
  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
  • processing is necessary for compliance with a legal obligation to which the controller is subject
  • processing is necessary in order to protect the vital interests of the data subject
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed

 3)      Information to be given to the data subjects (fair processing)

  • the identity of the controller and of his representative, if any;
  • the purposes of the processing for which the data are intended;
  • any further information such as
    • the recipients or categories of recipients of the data,
    • whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply,
    • the existence of the right of access to and the right to rectify the data concerning him

4)      Rights of data subjects:

  • Right of access
  • Right to object
  • Right to modification
  • Right to deletion

 5)      Notification

  • Those processing personal data shall provide that the controller or his representative, if any, must notify the supervisory authority (of a member states) before carrying out any wholly or partly automatic processing operation or set of such operations intended to serve a single purpose or several related purposes.

 6)      Transfer mechanisms:

  • Freely to Canada, Argentina, whole EU, etc BUT not to US (does not confer the same level of data protection as EU-because of the Patriot Act)
    • Binding Corporate Rules (for US. Set of rules agreed by the EU Commission when transferring data outside EU)
    • Safe Harbor Agreement (for US that certifies those part of this agreement comply with the EU data protection rules)

 Any questions can be submitted to: dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexppert.com

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog

 

Privacy versus Data Protection

November 27, 2012 6 comments

Today, E-Crime Expert presents the main similarities and differences between privacy and data protection concepts mainly from two different legislative perspectives:  Canada and the European Union (EU), and briefly from the United States (US).

Also, this blog post provides the main privacy and data protection legislative acts from Canada and EU as a useful resource for those interested or working in this field.

Last but not least, you could find bellow the full EU Data protection revision 2012 package.

I.      US versus EU versus Canada

-The United States (US) and European Union (EU) have different concepts regarding personal information and private data, such as Privacy in the US versus Data Protection in the EU.

US’s approach to privacy focuses on narrowly applicable legislation.

  • sector-based,
  • with a mix of legislation,
  • regulation and self-regulation,
  • focusing on the protection of personal information by specifically addressing a particular industry sector (i.e. medical information, online transactions, credit check, etc)
  • regulating data collected by the federal government

EU has a more comprehensive approach.

  • set of rights and principles for personal data treatment (processing),
  • without considering that the data is held in the public or private sector,
  • protects just natural persons not legal entities
  • the relation between data protection and the economic value as a proper balance between fundamental rights and free flow of information (which has economic value).
  • by granting data protection as a fundamental right, the aim is to protect the individuals but also to encourage the free flow of information, giving data subjects legal certainty and encouraging them to not negatively affect the exchange of information and data

-Canada – similar level of protection to the EU one.

  • Privacy is regulated by the government at the federal and provincial level:
    • The Privacy Act (federal level for private information held by the gov),
    • PIPEDA (federal level for private sector),
    • PIPA (provincial level for private sector, Alberta for example),
    • FOIP (provincial level for public sector, Alberta for example),
    • HIPA (federal level for health information),
    • HIA (provincial level for health information, Alberta for example)
  • The difference between Canada and EU
    • Canada’s legislation regulates both organizations and individuals privacy rights and access
    • EU’s legislation regulates the individuals’ rights (no organizations)
    • Canada gives to the individual the right to access their data or other individuals’ or organizations data along with their privacy protection right under the same Act (The Privacy Act, FOIP)
    • EU gives to the data subject the right to protection of their personal data under one single act (Directive 95) and to access data for public interest under the Transparency Regulation (1049)-no others personal data could be accessed in the private sector (just for law enforcement)
  • Canada enacted different acts for different data categories (private-PIPA, public-FOIP, health-HIA, children-Child, Youth&family enhancement act, etc)
  • EU has the same Legislative Act (e.g. Directive) but with different degrees of protection and limitations based on the data categories sensitivity (identification, medical, criminal, etc).
  • Canada sets forth a minimum time for information retention when EU sets forth a maximum time for data retention
  • in Canada information sharing is done based on Information Sharing Agreements (local, federal, international)
  • in EU the data transfer has three layers of protection for exchange locally within the same institutions, bodies, organizations, between EU member states, or internationally (with third countries).

 II.      Privacy versus data protection

  • The concept of privacy and data protection is not the same.
  • Data protection has a privacy dimension, but it is narrower in scope than the privacy concept, “as the privacy encloses more than personal data” (i.e. private life, private home, private correspondence, etc.)
  • From a different angle, it encloses a wider area, “since personal data are protected not only to enhance the privacy of the subject, but also to guarantee other fundamental rights, such as the right to freedom of expression, or the right to know what data is gathered about you,  to have access to your data, to ask for modification or deletion of your data, etc”
    • Furthermore, data protection gives individuals the right to know
  • What personal data is collected,
  • on what legal grounds,
  • how it is used, for how long it used and kept,
  • and by whom.
    • specifically grants data subjects with the rights to access, modify,   update or ask for deletion of such data

 III.      EU legislative framework

IV.      EU Data protection revision 2012 (to reflect the new technological developments and to provide a consistent legislative framework across EU):

Click here to access the new proposed EU Data Protection regulation

  • It was proposed a Regulation versus the existing Directive. A Regulation is better, as it is immediately and more uniformly implemented into the Member States national law.
  • Data subjects
    • increasing responsibility and accountability – companies would have to notify their clients of any theft or accidental release of personal data
    • clarifying that where someone’s consent is required before a company reuses their personal data, they need to give that consent explicitly – people would also have access to their own private data and be able to transfer it to another service provider more easily
    • reinforcing the ‘right to be forgotten’ – people will be able to have their personal data deleted if a business or other organization has no legitimate reasons for keeping it
    • applying EU rules when personal data is processed outside Europe – people would be able to involve the national data protection authority in their country, even when their data is processed by a company based outside the EU
    • People will have easier access to their own data and be able to transfer personal data from one service provider to another more easily (right to data portability). This will improve competition among services
  • Good for business
    • A single set of rules would encourage a more consistent application of the law across the EU. Businesses would have clear rules on how to treat personal data
    • Companies would only have to deal with a single national data protection authority in the EU country where they have their main operations (saving businesses an estimated €2.3bn a year)
    • The obligation of appointment of a data protection officer for organizations with 250 employees and over (private sector
    • Instead of the current obligation of all companies to notify all data protection activities to data protection supervisors – a requirement that has led to unnecessary paperwork and costs businesses €130 million per year, the Regulation provides for increased responsibility and accountability for those processing personal data
    • Companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible (if feasible within 24 hours)
    • Organisations will only have to deal with a single national data protection authority in the EU country where they have their main establishment. Likewise, people can refer to the data protection authority in their country, even when their data is processed by a company based outside the EU. Wherever consent is required for data to be processed, it is clarified that it has to be given explicitly, rather than assumed
    • EU rules must apply if personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens
    • Independent national data protection authorities will be strengthened so they can better enforce the EU rules at home. They will be empowered to fine companies that violate EU data protection rules. This can lead to penalties of up to €1 million or up to 2% of the global annual turnover of a company
  • Better enforcement
    • The new rules would give national data protection authorities powers to enforce the EU rules more rigorously
    • A new Directive will apply general data protection principles and rules for police and judicial cooperation in criminal matters. The rules will apply to both domestic and cross-border transfers of data. For the new Directive click here.
  • Next steps
    • The proposals is aimed to encourage more online commerce by improving consumer trust – contributing to economic growth and job creation. The new Data protection proposed legal framework (Regulation+Directive) must be approved by the European Parliament and Council before becoming law.
  • Commission Proposals on the data protection reform: legislative texts

Source: Directorat General Justice of the European Commission

Any questions can be submitted to: dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexppert.com

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog

EU Member States’ national Data Protection Laws

December 16, 2011 1 comment

As announced in the last blog post here, E-Crime Expert presents today the National Data Protection Legal Acts of each Member State as required by the implementation of the Directive 95/46. This could be helpful for anyone interested as there are significant differences among the Member States DP national legal frameworks, acquired during their implementation  process of  the Directive 95/46. In this regards, for a company running commercial activities in Belgium, their compliance when processing personal data in Belgium, should be subject to the Belgian DP national Law. The Directive 95/46 has no direct implication or relation to their processing operations in Belgium or in any other member States. This Directive sets forth the general European legal framework with the minimum protection requirements  for the national DP laws implemented by each member State in their own ways. Therefore, for any interested party, company or data subject, it is useful to know which DP Laws particularly applies when running businesses, doing electronic commerce or any other activities that require processing of personal data.

Transposition of the Directive 95/46 requirements into national laws.

Here you can find the national laws of each member state:

Austria

Data Protection Act 2000, Austrian Federal Law Gazette part I No. 165/1999

Belgium

Act of 8 December 1992

Royal Decree

Bulgaria

Personal Data Protection Act

Cyprus

The Processing of Personal Data (Protection of Individuals)
Law 138(I)2001

Czech Republic

Act on Protection of Personal Data (April 2000) No. 101

Denmark

Act on Processing of Personal Data, Act No. 429, May 2000.

Estonia

Personal Data Protection Act of 2003
 

Finland

 Personal Data Act (523/1999)

Act on the amendment of the Personal Data Act (986/2000)

France

Data Protection Act of 1978 (revised in 2004)

Germany

Federal Data Protection Act of 2001

Greece

Law No.2472 on the Protection of Individuals with Regard to the Processing of Personal Data, April 1997.

Hungary

Act LXIII of 1992 on the Protection of Personal Data and the Publicity of Data of Public Interests

Ireland

Data Protection Act 1988.

Data Protection (Amendment) Act 2003.

Italy

Data Protection Code of 2003

Processing of Personal Data Act, January 1997

Latvia

Personal Data Protection Law, March 23, 2000.

Lithuania

Law on Legal Protection of Personal Data (June 1996)

Luxembourg

Law of 2 August 2002 on the Protection of Persons with Regard to the Processing of Personal Data.

Malta

Data Protection Act (Act XXVI of 2001), Amended March 22, 2002, November 15, 2002 and July 15, 2003

The Netherlands

Dutch Personal Data Protection Act 2000

Poland

Act of the Protection of Personal Data (August 1997)

Portugal

Act on the Protection of Personal Data (Law 67/98 of 26 October)

Romania

Law No. 677/2001 for the Protection of Persons concerning the Processing of Personal Data and the Free Circulation of Such Data

Slovakia

Act No. 428 of 3 July 2002 on Personal Data Protection.

Slovenia

Personal Data Protection Act , RS No. 55/99.

Spain

ORGANIC LAW 15/1999 of 13 December on the Protection of Personal Data

Sweden

Personal Data Protection Act (1998:204), October 24, 1998

United Kingdom

UK Data Protection Act 1998

Privacy and Electronic Communications (EC Directive) Regulations 2003

E-Crime Expert would like to thank you for reading this Blog and to wish you Merry Christmas and a very Happy New Year! We’ll be back in the first week of January 2012.

Till then, stay safe!

Any questions can be submitted to: dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexppert.com

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.

EU National Data Protection Authorities

December 14, 2011 1 comment

Today, E-Crime Expert presents the contact details of all the (EU) National Data Protection Authorities in order to help citizens/users know where to address and complaint in case their fundamental right to the protection of personal data it is breached. This right is granted by the Charter of Fundamental Rights of European Union. Also, the Directive 95/46 sets forth the National Data Protection Authorities to protect the right to privacy and personal data of the data subjects.

Briefly, the main roles of National DPA are:

-Investigations

-Interventions

-Hear claims and engage in legal proceedings

-Advisory

-Awareness.

Here are listed the up-to-date contact details of all EU National EU DPAs:

Austria

Österreichische Datenschutzkommission
Hohenstaufengasse 3
1010 Wien
Tel.
+43 1 531 15 25 25; Fax +43 1 531 15 26 90
e-mail:
dsk@dsk.gv.at

Belgium

Commission de la protection de la vie privée
Rue Haute 139
1000 Bruxelles
Tel. +32 2 213 8540; Fax +32 2 213 8545
e-mail:
commission@privacy.fgov.be

Bulgaria

Commission for Personal Data Protection
Mrs Veneta Shopova
15 Acad. Ivan Evstratiev Geshov Blvd.
Sofia 1431
Tel. +3592 915 3531; Fax +3592 915 3525
e-mail:
kzld@government.bg, kzld@cpdp.bg

Cyprus

Commissioner for Personal Data Protection
Mrs Panayiota Polychronidou
1 Iasonos Street,
1082 Nicosia
P.O. Box 23378, CY-1682 Nicosia
Tel. +357 22 818 456; Fax +357 22 304 565
e-mail:
commissioner@dataprotection.gov.cy

Czech Republic

The Office for Personal Data Protection
Urad pro ochranu osobnich udaju
Pplk. Sochora 27
170 00 Prague 7
Tel. +420 234 665 111; Fax +420 234 665 444
e-mail:
posta@uoou.cz

Denmark

Datatilsynet
Borgergade 28, 5
1300 Copenhagen K
Tel. +45 33 1932 00; Fax +45 33 19 32 18
e-mail:
dt@datatilsynet.dk

Estonia

Estonian Data Protection Inspectorate
(Andmekaitse Inspektsioon)
Director General: Mr Viljar Peep (Ph.D)
Väike-Ameerika 19
10129 Tallinn
Tel.
+372 6274 135; Fax +372 6274 137
e-mail: viljar.peep@aki.ee

Finland

Office of the Data Protection
Ombudsman
P.O. Box 315
FIN-00181 Helsinki
Tel.
+358 10 3666 700; Fax +358 10 3666 735
e-mail:
tietosuoja@om.fi

France

Commission Nationale de l’Informatique et des Libertés
8 rue Vivienne, CS 30223
F-75002 Paris, Cedex 02
Tel.
+33 1 53 73 22 22; Fax +33 1 53 73 22 00

Germany

Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
Husarenstraße 30
53117 Bonn
Tel.
+49 228 997799 0 or +49 228 81995 0
Fax +49 228 997799 550 or +49 228 81995 550
e-mail: poststelle@bfdi.bund.de

Greece

Hellenic Data Protection Authority
Kifisias Av. 1-3, PC 11523
Ampelokipi Athens
Tel. +30 210 6475 600; Fax +30 210 6475 628
e-mail: contact@dpa.gr

Hungary

Data Protection Commissioner of Hungary
Parliamentary Commissioner for Data Protection and Freedom of Information: Dr András Jóri
Nádor u. 22.
1051 Budapest
Tel. +36 1 475 7186; Fax +36 1 269 3541
e-mail: adatved@obh.hu

Ireland

Data Protection Commissioner
Canal House
Station Road
Portarlington
Co. Laois
Lo-Call: 1890 25 22 31
Tel. +353 57 868 4800; Fax +353 57 868 4757
e-mail: info@dataprotection.ie

Italy

Garante per la protezione dei dati personali
Piazza di Monte Citorio, 121
00186 Roma
Tel.
+39 06 69677 1; Fax +39 06 69677 785
e-mail: garante@garanteprivacy.it

Latvia

Data State Inspectorate
Director: Ms Signe Plumina
Blaumana str. 11/13-15
1011 Riga
Tel. +371 6722 3131; Fax +371 6722 3556
e-mail: info@dvi.gov.lv

Lithuania

State Data Protection
Inspectorate Director: Mr Algirdas Kunčinas
Žygimantų str. 11-6a
011042 Vilnius
Tel. + 370 5 279 14 45; Fax +370 5 261 94 94
e-mail: ada@ada.lt

Luxembourg

Commission nationale pour la protection des données
41 avenue de la Gare
1611 Luxembourg
Tel.
+352 2610 60 1; Fax +352 2610 60 29
e-mail: info@cnpd.lu

Malta

Office of the Data Protection Commissioner
Data Protection Commissioner: Mr Joseph Ebejer
2, Airways House
High Street, Sliema SLM 1549
Tel. +356 2328 7100; Fax +356 2328 7198
e-mail: commissioner.dataprotection@gov.mt

The Netherlands

College bescherming persoonsgegevens
Dutch Data Protection Authority
Juliana van Stolberglaan 4-10
P.O. Box 93374
2509 AJ Den Haag/The Hague
Tel. +31 70 888 8500; Fax +31 70 888 8501
e-mail: info@cbpweb.nl

Poland

The Bureau of the Inspector General for the Protection of Personal Data
Inspector General for Personal Data Protection: Mr Wojciech Rafał Wiewiórowski
ul. Stawki 2
00-193 Warsaw
Tel. +48 22 860 70 81; Fax +48 22 860 70 90
e-mail: sekretariat@giodo.gov.pl

Portugal

Comissão Nacional de Protecção de Dados
R. de São.
Bento, 148-3°
1200-821 Lisboa
Tel. +351 21 392 84 00; Fax +351 21 397 68 32
e-mail: geral@cnpd.pt

Romania

The National Supervisory Authority for Personal Data Processing
President: Mrs Georgeta BASARABESCU
Str. Olari nr. 32
Sector 2, BUCUREŞTI
Cod poştal 024057
Tel. +40 21 252 5599; Fax +40 21 252 5757
e-mail: anspdcp@dataprotection.ro

Slovakia

Office for Personal Data Protection of the SR
President: Mr Gyula Veszelei
Odborárske námestie č. 3
817 60, Bratislava
Tel. + 421 2 5023 9418; Fax + 421 2 5023 9441
e-mail: statny.dozor@pdp.gov.sk or gyula.veszelei@pdp.gov.sk

Slovenia

Information Commissioner
Ms Natasa Pirc Musar
Vošnjakova 1
1000 Ljubljana
Tel.
+386 1 230 9730; Fax +386 1 230 9778
e-mail:
gp.ip@ip-rs.si

Spain

Agencia de Protección de Datos
C/Jorge Juan, 6
28001 Madrid
Tel. +34 91399 6200; Fax +34 91455 5699
e-mail:
internacional@agpd.es

Sweden

Datainspektionen
Drottninggatan 29
5th Floor
Box 8114
104 20 Stockholm
Tel. +46 8 657 6100; Fax +46 8 652 8652
e-mail:
datainspektionen@datainspektionen.se

United Kingdom

The Office of the Information Commissioner Executive Department
Mr Christopher Graham
Water Lane, Wycliffe House
Wilmslow – Cheshire SK9 5AF
Tel. +44 1 625 54 57 00

Stay posted as the next blog  post will bring you the individual EU National Data Protection legal act that transpose the Directive 95/46 into National Law.

Any questions can be submitted to: dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexppert.com

Do you have any complaint? Did you know where to address in case of DP breach?

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.

Data protection glossary (part 3)

December 12, 2011 Leave a comment

This is the last post of a series brought you by E-Crime Expert, that aims to make the readers and data subject familiar to the most common terminology in order to better understand and protect their personal data and privacy.

You could read the first post here and the second post here.

(R) Reliability (Information Security)

Reliability is the property of consistent intended behavior and results.

Residual Risk (Information Security)

Residual risks are the risks that remain after risk treatment or, in other words, after protective measures were introduced.

Right of rectification

Anyone can have incorrect data relating to him rectified free of charge, and have other data erased if they are irrelevant, incomplete or prohibited, or have the use of those data prohibited. If the controller does not react, the data subject may address the Commission, which will attempt to mediate. The data subject may also submit a complaint to the judicial police.

Right to object

You may always object to the use of your data, provided that you have serious reasons for this. You cannot object to a data processing operation that is required by a law or a regulatory provision, or that is necessary to perform a contract you have entered into. However, you always have the right to object to the illegitimate use of your data and can always object free of charge and without justification if your data are processed for direct marketing purposes.

To object you have to send a dated and signed request, including a document proving your identity (for example a copy of your identity card) to the controller by letter or by fax (a request by e-mail is only accepted with an electronic signature). The request can also be submitted on the spot. The controller then has one month to reply. If he fails to do so or if his reply is not convincing, you can address the Commission, which will try to mediate. You can also take your case to court.

Risk (Information Security)

A risk is the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization (for example a virus deleting a file). It is measured in terms of a combination of the probability of an event and its consequence.

A risk is characterized by two factors: the probability that an incident will occur and the gravity of the potential direct consequences and the indirect impact.

The risk can also depend on time: the situation can become worse after an incident if adjusting measures are not taken in time (for instance a software glitch infecting a database, spyware retrieving passwords, encrypted codes or pin numbers). That way, an innocent incident can have disastrous consequences.

Risk Management (Information Security)

Risk management identifies the most important risks and distinguishes between the risks that have to be taken care of and acceptable risks. It uses security resources that deal with the dangers for personal data according to a scale of priorities. The risk management process constitutes a cycle that is repeated depending on the particular characteristics of the systems and the identified risks. Risk management results in final processes and an updated security policy, and often also in adaptations to the organization and its procedures in order to better take into account possible new risks, as well as the measures that have been taken.

(S) Safe Harbor Principles

In consultation with the European Commission, the American Department of Commerce elaborated the Safe Harbor Principles, intended to facilitate the transfer of personal data from the European Union to theUnited States. If companies make a statement to the American Department of Commerce agreeing with these principles and declaring they are prepared to respect them (meaning, among other things, that the American Federal Trade Commission can check whether theyr respect these principles), they are considered as companies ensuring adequate safeguards for data protection.

Security measures (Information Security)

Security measures, also called “protective measures” or “security controls”, are procedures or decisions that limit risks. Security measures can be effective in several ways: by lessening possible dangers, correcting vulnerabilities or limiting the possible direct consequences or indirect impact. It is also possible to work with time: if incidents are traced better and sooner, action can be taken before the situation gets any worse.

Sensitive data

Certain personal data are more sensitive than others. An individual’s name and address are rather innocent data, but this does not hold true for his political opinions, sexual preferences or judicial past. The Privacy Law regulates registration and use of those sensitive data more strictly in comparison with other personal data.

Sensitive data relate to race, political opinions, religious or philosophical beliefs, trade union membership, health, sex life, suspicions, persecutions and criminal or administrative convictions. In principle, processing such data is prohibited.

Standard Contractual Clauses

For persons wishing to transfer data outside the European Community, the European Commission has elaborated standard contractual clauses, which allow for a data transfer meeting the European legal conditions for data protection (article 25 ff of Directive 95/46/EC). In other words, the parties signing these contracts are considered as parties ensuring adequate safeguards for the protection of privacy.

(T) Threat (Information Security)

A threat is any unexpected event that can damage one of the enterprise’s assets and therefore prejudice personal data protection.

There are environmental threats (fire), technical threats (system failures) or human threats.
Human threats can be accidental (mistakes, forgetfulness, unadapted procedures) or intentional (harmful intent, intrusion, theft), internal (dissemination of information) or external (espionage).

(U) Unambiguous, free and informed consent

Consent is understood:

  • to have been freely given. In other words, the data subject was not pressurised to say “yes”;
  • to be specific, meaning that the consent relates to a well-defined processing operation;
  • to be informed. The data subject has received all useful information about the planned processing.

It is not necessary for the consent to be given in writing, but oral consent does create problems with the burden of proof in case of difficulties.

(V) Vulnerability (Information Security)

Vulnerability is the weakest link of an asset or a group of assets that can be exploited by one or more imminent dangers (developer’s mistake, wrong installation). In most cases vulnerability is due to the fact that an asset is not sufficiently protected, rather than to the asset itself.

Vulnerability in itself is not harmful to the organization. Only when an imminent danger can accidentally use the vulnerability and possible special circumstances, a damaging incident can occur.

Any questions can be submitted to: dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexppert.com

Are you used to this terminology? Do you find it useful?

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.

Data protection glossary (part 2)

December 9, 2011 1 comment

After over a month when E-Crime Expert presented the most important Case Law and Rulings on the applicability of both Directive 95/46 (private sector) and Regulation 45/2001 (public sector) to the processing of personal data, today’s post will bring more useful information: A Glossary of the most common terms from the Directive 95/46.

The information will be delivered during three blog posts and  aims to make the readers and data subject aware of the most common terminology in order to better understand and protect their personal data and privacy.

You could read the first post here.

(F) Further processing

A further processing operation, as defined in the implementing decree of 13 February 2001, involves personal data initially collected for an explicit purpose and re-used at a later time for historical, statistical or scientific purposes that are incompatible with the initial purpose. In other words, these processing operations constitute a specific form of secondary data collection.

(I) Impact (Information Security)

The consequences of an incident on one or more assets constitute the impact (for instance personal data who are no longer accurate).

In information security usually a difference is made between direct consequences (damage to the information system, such as file modifications, changes in the accessibility of confidential data or an inappropriate system shutdown) and the indirect impact (the damage the organization or third parties have incurred, such as abuse of confidential information, wrong decisions as a result of incorrect data).

There is not always an immediate relation between an incident’s direct consequences and its indirect impact on an organization or on third parties: the loss of fundamental data can have enormous consequences for the person involved whereas a system that was erased completely can already be restored with a good back-up.

Incident (Information Security)

An incident is an unexpected or unwanted event that can have serious consequences.
An information security incident is any unexpected event that might cause a compromise of an organization’s activities or information security (system malfunction or overload, human error, software or hardware malfunction). An incident in itself is not good nor bad.

Integrity (Information Security)

Integrity covers two different aspects: information integrity, and system and process integrity.
Information integrity means that information cannot be changed or destroyed intentionally or unintentionally.
System or process integrity means that the desired function is fully achieved according to expectations. Without an authorized intervention it is not possible to make intentional or unintentional changes.

Intermediary organization

An intermediary organization is defined as any natural person, legal person, un-associated organization or public authority encoding personal data, other than the controller of the processing of non-encoded data.

(L) Legitimate interest

An interest is called legitimate when the controller’s interest in processing the data overrides the registered person’s interest in not processing the data. In case of doubt, the Commission or a judge will decide whose interest has the highest priority.

(M) Management System (Information Security)

There are several models for management systems regarding information security (ISMS – Information Security Management System). The best-known system is based on a PDCA structure (Plan-Do-Check-Act) and permanently improves security. This permanent improvement is linked to changing factors, for example modifications in the organization and related risks, changes in the information system, technological novelties, both for operational systems and security rules.

Manual filing system

A manual filing system is a structured set of personal data that are accessible according to certain criteria, the yellow pages on paper for example.

(N) Non-repudiation (Information Security)

Non-repudiation is the ability to prove that an operation or event has taken place, so that it cannot be repudiated later. For e-mails, for example, non-repudiation is used to guarantee that the recipient cannot deny that he received the message, and that the sender cannot deny that he sent is.

Notification

A notification is an action carried out by the controller to inform the Commission that he will be processing data. A notification is not intended to request permission or authorization, but only to notify a processing operation. The notification mainly consists of a description of the data processing operation.

(O) Opt in

In this system, you give somebody your prior consent to send you commercial messages. The opt-in system is valid for all forms of communication and allows you to give your free, specific and informed consent, as required by the Privacy Law.
The opt-in system is mainly used when somebody regularly wants to send a massive number of e-mails, for example a newsletter, electronic magazines, promotional offers. You can register by filling in your e-mail address on a specific online form. The idea behind the opt in is to know in advance exactly what you are registering for, so that there are no unpleasant surprises afterwards.

Opt out

As opposed to opt in, the opt-out system allows you to object to any data processing operation with a view to direct marketing, as required by the Privacy Law.
This involves receiving an unwanted message containing the possibility to unsubscribe in order to stop receiving messages. This system is only authorised provided that the sender obtained your (e-mail) address directly from you while purchasing a product or service from him, that this (e-mail) address is only used to offer similar products or services the sender delivers himself, and that you are given the possibility to object easily and free of charge when you give the sender your e-mail address. In addition to this system, the direct marketing sector has organized the Robinson lists.

(P) Personal data

Personal data reveal information about an identified or identifiable natural person (called the “data subject” in the Privacy Law). In other words, personal data are all data allowing for the identification of an individual.

Personal data include an individual’s name, a picture, a phone number, even a professional phone number, a code, a bank account number, an e-mail address, a fingerprint, …

They do not only include data having to do with individuals’ privacy, but also data having to do with an individual’s professional or public life.

Only data about a natural (physical) person are taken into account, excluding data about a legal person or an association (civil or commercial corporations or non-profit organizations).

Processing personal data

Processing personal data is defined as any operation or set of operations performed on personal data. These operations are extremely varied and relate, among others, to the collection, storage, use, modification, disclosure of the data.

A few examples:

  • a hotel offering the possibility of online bookings processes data when registering the customer’s name, the dates of his stay and his credit card number.
  • a municipality transmitting the names of persons requesting a building permit to a contractor who wants to send them publicity, also processes data.

The law applies as soon as the data are processed, even partially, using automatic means. Automatic means include all information technologies, computer technology, telematics, telecommunication networks (the Internet).

For example, the Privacy Law is applied to:

  • a company’s computerized database containing customer or supplier data;
  • the electronic list of transactions on a bank account;
  • the computerized file of a company’s members of staff or of the children enrolled in a school;
  • etc.

The Privacy Law also applies, however, as soon as one processing operation is carried out using automatic means. For example:

  • a temporary employment agency keeping applicants’ hand-written curricula vitae but sending them to employers by fax, has to observe the rules in the Privacy Law for all operations it performs on the curricula vitae (such as storing, filing or sending them).

If data are not processed using automatic means (for example on paper or on microfiche) the Law still has to be observed if the data are included or will be included in a manual filing system that can be accessed according to specific criteria (for example people’s names in alphabetical order).

Processor

This is any natural person, legal person, un-associated organization or public authority processing data on behalf of the controller, not including individuals who are under the direct authority of the controller and who have been authorized to process the data).

Public register

The public register is a list of notifications of personal data processing operations notified to the Commission. Anyone can consult this list, for example via the Internet.

Purposes: historical, statistical or scientific

  • historical research involves the processing of personal data with a view to the analysis of an earlier event or in order to make that analysis possible. This is possibly but not necessarily also a processing operation with a scientific purpose (in other words, a genealogist can appeal to this provision);
  • statistical purposes are achieved through any action with a view to collecting and processing personal data when this is necessary for statistical surveys or to produce a statistical result;
  • scientific research involves establishing patterns, rules of conduct and causal relations exceeding all individuals they relate to.

Any questions can be submitted to: dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexppert.com

Are you used to this terminology? Do you find it useful?

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.

%d bloggers like this: