CEE CMS Data Protection webinar series - Part 2

This webinar aims to provide you with an overview of the various national personal data protection frameworks that exist in CEE, particularly in Bulgaria, Czech Republic, Hungary, Poland, Romania, Russia, Slovakia, and Ukraine. CMS have provided legal assistance in each of these jurisdictions for many years.

Published in: Law, Technology, News & Politics

  1. CMS CEE Data Protection Webinar series, PART 2: Digital Legal Guardians (2nd of April 2014)
  2. Your presenters today
     − Dóra Petrányi (Hungary)
     − Márton Domokos (Hungary)
     − Marcin Lewoszewski (Poland)
     − Marius Petroiu (Romania)
     − Elena Baryshnikova (Russia)
     − Nataliya Nakonechna (Ukraine)
     − Olga Belyakova (Ukraine)
  3. Countries covered: Poland, Russia, Ukraine, Bulgaria, Romania, Hungary, Slovakia, Czech Republic
  4. Agenda (2nd of April 2014)
     - Demystifying Big Data
     - Cookie Compliance
     - Rules on security breach
     - Workplace Privacy
     - The New EU Data Protection Regulation
     - Check List
  5. Introduction: Trends in privacy and the risk landscape
     − Internet of Things will impact law: "Cyber criminals hack smart fridge to send out spam"
     − "Big Data" gets bigger: "Big data, big legal trouble?"
     − Complex & extensive cloud computing: "Targeting the $100 Billion Cloud Market"
     − Mobile content revolution: "App Generation will lead to $77bn in revenues by 2017"
     − Wearable technologies: "How Google Glass Is Redefining Tech Etiquette"
     − e-health: "Oral B's smart toothbrush lets dentists spy on your brushing"
  6. Introduction: Trends in privacy and the risk landscape
     − More personal advertising: "Microsoft Working On New Tracking Technology To Replace Cookies"
     − Finalisation of the EU Regulation: Reding: "Full Speed on EU Data Protection Reform 2014"
     − Strong push on compliance (whistleblowing): "New Whistleblowing Law Generates New Data Privacy Issues in Hungary"
     − Fines, recovery costs and reputation: "Facebook-WhatsApp Risks Sparking Privacy Probes"
     − Trans-Atlantic tensions: "EU data protection reform could start 'trade war'"
  7. Demystifying Big Data (Source: IBM official website)
  8. Demystifying Big Data (1): "The next big thing"
     − BIG = source, speed, volume - advanced algorithms
     − New sources (e.g., web data, tweets, social media, email, text messages, instant messages, chat)
     − Unanticipated insights and low storage cost
     − To revolutionize business, science, research and education
     − Legal guidance on how to demonstrate legitimacy… Use cases: fraud prevention, network security, exploring consumer expectations, energy efficiency
  9. Demystifying Big Data (2): Data privacy issues
     − Accountability
     − Does it require consent?
     − Any error in the process?
     − Data security measures?
     − How to minimise the data collection?
     − Legitimate data processing purpose?
     − Prohibited decisions?
  10. Demystifying Big Data (3): "Regulatory changes may require recalibration". Big Data issues in our practice:
     1. Personalized recommendations, targeted marketing and other services to identifiable users or mobile devices.
     2. What is "personal data"? e.g. anonymous data, health, location
     3. What shall the privacy notice contain?
     4. What about reminders?
     5. Get explicit opt-in or rely on implied consent?
     6. Opt-out options?
     7. Permitted combination of information?
     8. No personalized services but still collecting data to improve algorithms?
     − Monitoring procedures in relation to Big Data projects
  11. Cookie Compliance
  12. Cookie Compliance (1)
     − Directive 2002/58/EC on Privacy and Electronic Communications
     − WD 02/2013 Providing Guidance on Obtaining Consent for Cookies
     − Opinion 04/2012 on Cookie Consent Exemption
     − Opinion 2/2010 on Online Behavioural Advertising
     "The use of e-communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information." (Article 5 (3))
  13. Cookie Compliance (2): Consent, Form, Information, Term, Exemptions?
  14. Cookie Compliance (3): Verification of internal practice
     − Types of cookies?
     − Purpose and technology?
     − Personal data processing? How long?
     − Further processing (e.g. combination of data)?
     − Data transfer (third party cookies)?
     − Is it necessary to obtain prior, informed consent?
     − Data privacy notice?
     − Separate policy + link, format, positioning?
     − Third party agreements? (advertisement)
     − Data Protection Registry?
     − Handling users' requests?
  15. Cookie Compliance (4): CEE Overview
     − Poland: Opt-in. No specific guidance. DPA: brief privacy information on cookie placement is sufficient.
     − Russia: No specific regulation. Companies place the cookie policies on their websites to protect their interests. DPA: official position is not present.
     − Romania: Opt-in: no specific guidance. DPA: brief privacy information on cookie placement is sufficient.
     − Ukraine: No specific regulation. DPA: user's consent on processing of his personal data using 'cookies'; clear privacy statement with reference to detailed privacy policy.
     − Hungary: Opt-in. No specific guidance. DPA: brief privacy information on cookie placement is sufficient.
     − Slovakia: Opt-in (the setting of the internet browser allowing cookies is considered as previous consent). Brief privacy information on cookie placement is sufficient.
     − Bulgaria: No specific regulation re cookies.
     − Czech Republic: Failure to fully implement opt-in scheme. Arguable if cookies are considered as personal data or not.
  16. Rules on security breach
  17. Security Breach Notifications
     − Hungary: Sector: Telcos only. Specific rules: In line with Regulation 611/2013/EU.
     − Czech Republic: Sector: Telcos only. Specific rules: In line with Regulation 611/2013/EU.
     − Slovakia: Sector: Telcos only. Specific rules: In line with Regulation 611/2013/EU.
     − Bulgaria: Sector: Providers of publicly available electronic communications services. Specific rules: Electronic Communications Act (notification to the Data Protection Authority within 3 days vs 24 hours in Regulation 611/2013/EU).
     − Poland: Sector: Telcos only. Specific rules: In line with Regulation 611/2013/EU.
     − Romania: Sector: Providers of Telco services. Specific rules: Law 506/2004 on processing personal data in the Telco field.
     − Ukraine: Sector: N/A. Specific rules: N/A.
     − Russia: Sector: N/A. Specific rules: Amendments to the Data Protection Law providing that data processors must inform the DPA of breaches are being prepared now.
  18. Workplace privacy
  19. Workplace privacy: "Hot" data privacy topics (2)
     Russia
     − Issue: Monitoring of private correspondence on corporate devices possible?
     − Internal policies and notifications on the monitoring to be signed by employees
     Romania
     − Interviews / background checks: scope needs to be limited: reasonable & necessary
     − New DPA rules on CCTV
     − Criminal Code: correspondence secrecy
     Ukraine
     − No specific regulation.
     − CCTV and access to corporate e-mail account require employee's consent
     Hungary
     − Labour Code permits monitoring and transfer to processors
     − Updated employee privacy notices
     − New rules on CCTV use
     − DPA fine re employee laptop access
     − New whistleblowing law
  20. Workplace privacy: "Hot" data privacy topics
     Slovakia
     − Emails or phone calls: employees to be informed of the extent of control methods, implementation and duration in advance.
     − Discussion with the employees' representative
     Bulgaria
     − Amendment to the Labour Code dated 2011 allows video surveillance for monitoring the work process and observing working time. Employees shall provide their explicit consent!
     Czech Republic
     − New case law on monitoring: strengthening the position of employers re breach of work duties; stressing the duty of loyalty of employees.
     − Monitoring must not be excessive.
     Poland
     − No specific regulation
     − Good practice: information to employees about monitoring and its extent
  21. Workplace privacy: "Hot" data privacy topics: Bring Your Own Device (BYOD) (1)
     − Personal devices used for employment / professional purposes vs. company devices
     − Private and corporate data are accessed with one device
     − Employer expects control over the data and the device
     − Control = remote access + administration rights (mobile device management: security updates, lock access, data removal)
     − Best practice:
       • BYOD guidelines / update of existing policies (acceptable use, device management) + training
       • Separating corporate and private data + alternatives (virtual solutions)
       • ICO Guidance
     Revise / review BYOD policies and watch out for regulatory developments
  22. Workplace privacy: "Hot" data privacy topics: Bring Your Own Device (BYOD) (2)
     − Hungary: Consent? No. Privacy notice? Yes. Works council involvement? Yes.
     − Czech Republic: Consent? Yes. Privacy notice? Yes. Works council involvement? No.
     − Romania: Consent? No. Privacy notice? Internal rules regulate issues e.g. privacy, security. Works council involvement? Implemented in consultation with employees' representatives.
     − Ukraine: Consent? Yes. Privacy notice? Yes. Works council involvement? No.
     − Poland: Consent? Yes. Privacy notice? Yes. Works council involvement? No.
     − Slovakia: Consent? Yes. Privacy notice? Yes. Works council involvement? No.
     − Bulgaria: Consent? No. Privacy notice? Yes. Works council involvement? No.
     − Russia: Consent? N/A. Privacy notice? N/A. Works council involvement? Internal rules on privacy and security may cover such use.
  23. Workplace privacy: "Hot" data privacy topics: Whistleblowing (1) – best practices
     − Data privacy information
     − No encouragement of anonymity
     − Data transfer to advisors
     − Data transfer outside the EEA
     − Protection of whistleblowers' identity
     − Accounting and auditing + related matters
     − Limited data collection and retention (2 months)
     − Rights of the incriminated
     − Notification to / approval by the DPA?
     − Consequences of misuse
  24. Workplace privacy: "Hot" data privacy topics: Whistleblowing (2) – local requirements
     − Is there a specific law on whistleblowing hotlines? Hungary: Act CLXV of 2013 on Complaints and Public Interest Disclosure. Czech Republic: Proposed only for the banking sector (pending parliament procedure). Romania: Only in the public sector (whistleblowing in general). Ukraine: NO.
     − Is there specific regulatory guidance on whistleblowing hotlines? Hungary: NO. Czech Republic: NO. Romania: NO. Ukraine: NO.
     − Notification to / approval by the DPA? Hungary: YES. Czech Republic: In non-regulated sectors. Romania: YES. Ukraine: NO.
  25. Workplace privacy: "Hot" data privacy topics: Whistleblowing (3) – local requirements
     − Is there a specific law on whistleblowing hotlines? Poland: NO. Slovakia: NO. Bulgaria: NO. Russia: NO.
     − Is there specific regulatory guidance on whistleblowing hotlines? Poland: NO. Slovakia: NO. Bulgaria: NO. Russia: NO.
     − Notification to / approval by the DPA? Poland: Yes (notification). Slovakia: YES. Bulgaria: NO. Russia: YES.
  26. Workplace privacy: "Hot" data privacy topics: Whistleblowing (4) - new law in Hungary
     − Translation and publication of the internal rules
     − Registration with the DPA
     − Article 29 Working Party Opinion 1/2006
     − Sensitive data shall not be processed
     − Enhance permitted data transfers
     − Outside the EEA: data transfer agreement + 'adequate protection'
     − Specific deadlines for the investigation and data retention
     − Mandatory notifications to whistleblowers and the reported
     − Mandatory notification to criminal authorities
     Verify the operation of whistleblowing and watch out for regulatory developments
  27. Workplace privacy: "Hot" data privacy topics: Whistleblowing (5) - new law in Hungary: Act CLXV of 2013 on Complaints and Public Interest Disclosures
     − Translation and publication of the internal rules
     − Registration with the DPA
     − Sensitive data shall not be processed
     − Works council consultation
     − Mandatory notification to criminal authorities
     − Outside the EEA: data transfer agreement + 'adequate protection'
     − Specific deadlines for the investigation and data retention
     − Enhances permitted data transfers
  28. The Draft EU Data Protection Regulation
  29. The draft EU Data Protection Regulation (1): Status and next steps
     − June 2013: NSA mass surveillance activities: "reforms vital to counter PRISM data access" (Reding)
     − October 2013: "breakthrough": EU LIBE compromise package
     − November 2013: EC calls for Safe Harbor reforms
     − December 2013: Justice Ministers failed to agree on one-stop-shop: "leading lawyers have public catfight"
     − January 2014: EDPS calls Germany to take the lead in negotiating
     − March 2014: European Parliament's formal approval
     − Trilogue negotiations: EC, Council and Euro MPs
     − New deadline: end of 2014
  30. The draft EU Data Protection Regulation (2)
     − 18 months of "intense negotiations and fierce lobbying" - across sectors, B2B, B2C, 100 pages, 4,000 amendments
     − Specific rules are not clear: further interpretation, guidance, industry-specific measures (is it really a Regulation?)
     − Extra-territorial effect may cause trans-Atlantic tensions
     − Likely to revolutionize and reshape privacy
     − Direct effect
     − "data protection" or "data protectionism"?
  31. The draft EU Data Protection Regulation (3)
     − One-stop-shop: instead of a regulatory patchwork of 28 countries, will make the life of company groups easier. BUT: what is the "main establishment"? Competence of local DPAs will also remain.
     − More consumer rights & DPA power: fine up to EUR 100 million (5% of yearly worldwide turnover)
     − Less administration: no more Data Protection Registry, BUT consultation obligation
     − Explicit consent: not required for contracting, compliance, legitimate interests, BUT: "significant imbalance" test
  32. The draft EU Data Protection Regulation (4)
     − Profiling: only upon consent/contract; prohibited: only upon sensitive data - may affect Big Data
     − Data transfers outside the EU: more practical (e.g. "Binding Corporate Rules", "European Data Protection Seal"), BUT restricts "frequent or massive" transfers + regulatory requests.
     − Data Protection Officer: mandatory for companies processing data of more than 5,000 individuals/year; independent, 2-4 years
     − Privacy Notices: more detailed than now + standardised format using icons
  33. The draft EU Data Protection Regulation (5)
  34. The draft EU Data Protection Regulation (6)
     − Accountability: adopt policies, implement measures, keep extensive documentation, data security requirements, perform privacy impact assessments, comply with prior authorisation / consultation by DPA, designate a Data Protection Officer, bi-annual update of policies
     − Data privacy impact assessment: risk assessment, e.g. data amount, type, automation, industry (e-health!); "to the entire lifecycle management of data"; bi-annual update
  35. The draft EU Data Protection Regulation (7)
     − Data Portability: data, copy, link, independently from the format
     − Right to erasure
     − Data breach notification in all industries – to regulator: immediately; to customers: only in serious cases
     − Documentation + database
     − Privacy by Design / Default
  36. Checklist (1) (* - also to comply with DP Regulation)
     − "Data discovery" – reviewing the scope of data collected.
     − Transparent / accessible policies and governance framework.*
     − Documentation of data flows and processes.*
     − Drafting / reviewing agreements, consents, NDAs and confidentiality provisions re data processing and data transfer.
     − Revise / review DPA notifications.
     − "Traditional" outsourcing. Make sure you are compliant with "traditional" issues and watch out for the new trends and new issues…
     − New models of outsourcing – the Cloud. Watch out for regulatory developments and the expectations in case of contracting.
  37. Checklist (2)
     - Big Data - watch out for regulatory developments and the expectations in case of contracting.
     - Ensure compliance in "usual" workplace privacy topics.
     - Revise / review BYOD and social media policies.
     - Verify whistleblowing hotlines, especially in Hungary.
     - Review access rights procedures.
     - Data breach notifications: implementing internal rules.
     - Data portability: identify security issues re transmission / access.
  38. Any questions? Would like to know more? Contact us!
     − Dóra Petrányi - Hungary, CEE Data Protection Lead Partner, dora.petranyi@cms-cmck.com, +36 1 483 4820
     − Márton Domokos – Hungary, marton.domokos@cms-cmck.com, +36 1 483 4824
     − Marcin Lewoszewski – Poland, marcin.lewoszewski@cms-cmck.com, +48 22 520 5525
     − Marius Petroiu – Romania, marius.petroiu@cms-cmck.com, +40 21 407 3 889
     − Elena Baryshnikova - Russia, elena.baryshnikova@cmslegal.ru, +7 495 786 40 99
     − Nataliya Nakonechna – Ukraine, nataliya.nakonechna@cms-cmck.com, +380 44 391 7 729
     − Olga Belyakova – Ukraine, olga.belyakova@cms-cmck.com, +380 44 391 7 727
  39. Thank you for your attention! Please complete our feedback box that opens automatically when this presentation closes. You can download our CMS CEE Guide to Data Protection & webinar materials from our website www.cms-cmck.com