CEE CMS Data Protection webinar series - Part 1
This webinar aims to provide you with an overview of the various national personal data protection frameworks that exist in CEE, particularly in Bulgaria, Czech Republic, Hungary, Poland, Romania, Russia, Slovakia, and Ukraine. CMS have provided legal assistance in each of these jurisdictions for many years.
Slide 1
26 March 2014
CMS CEE Data Protection Webinar series
PART 1
Digital Passport to Data Protection

Slide 2: Your presenters today
− Bulgaria: Angelika Dimitrova
− Czech Republic: Jakub Tomsej
− Hungary: Dóra Petrányi
− Hungary: Márton Domokos
− Poland: Marcin Lewoszewski
− Russia: Elena Baryshnikova

Slide 3: Countries covered
Bulgaria, Czech Republic, Hungary, Poland, Romania, Russia, Slovakia, Ukraine

Slide 4: Introducing… our CMS CEE Guide to Data Protection
Email us for a copy or download the guide from our website: www.cms-cmck.com

Slide 5: Agenda
− Privacy trends: trends in the legislation, hot topics and regulator’s attitude; DPA registration obligations
− Cross-border data flows
− Demystifying Cloud Computing
− Demystifying Big Data
− Cookie Compliance
− Security breach rules
− Hot topics in workplace privacy: BYOD & whistleblowing
− Impact of the EU Regulation
− Checklist

Slide 6: Introduction – Trends in privacy and the risk landscape
2014: privacy and data security will be “top-of-mind” issues for regulators

Slide 7: Introduction – Trends in privacy and the risk landscape
− Internet of Things will impact law: “Cyber criminals hack smart fridge to send out spam”
− “Big Data” gets bigger: “Big data, big legal trouble?”
− Complex & extensive cloud computing: “Targeting the $100 Billion Cloud Market”
− Mobile content revolution: “App Generation will lead to $77bn in revenues by 2017”
− Wearable technologies: “How Google Glass Is Redefining Tech Etiquette”
− e-health: “Oral B's smart toothbrush lets dentists spy on your brushing”

Slide 8: Introduction – Trends in privacy and the risk landscape
− More personal advertising: “Microsoft Working On New Tracking Technology To Replace Cookies”
− Finalisation of the EU Regulation: Reding: “Full Speed on EU Data Protection Reform 2014”
− Strong push on compliance (whistleblowing): “New Whistleblowing Law Generates New Data Privacy Issues in Hungary”
− Fines, recovery costs and reputation: “Facebook-WhatsApp Risks Sparking Privacy Probes”
− Trans-Atlantic tensions: “EU data protection reform could start 'trade war'”

Slide 9: Trends in the legislation, hot topics and regulator’s attitude – Bulgaria
− Last significant amendments of the Data Protection Act in 2011 (small changes in 2014 re Commission budget)
− DPA: fines up to EUR 50,000 (x2 in case of relapse)
− Processing without consent is allowed: compliance with legal obligation + legitimate interests
− Transfer of data outside EEA remains a hot topic
− New Ordinance on the minimal level of technical and organisational measures and allowed means for protection of personal data, dated 30.01.2013
− Increase in the number of verifications performed by the DPA

Slide 10: Trends in the legislation, hot topics and regulator’s attitude – Czech Republic
− No significant changes of legislation
− Increasing number of investigations by the DPA, often focusing on companies in the finance, health care and technology sectors
Hot topics of the year:
− data transfer within and outside the EU
− registration duties towards the DPA
− monitoring of employees

Slide 11: Trends in the legislation, hot topics and regulator’s attitude – Hungary
− New whistleblowing law: registration + amendment policies
− DPA guidelines re contents of data processing agreements
− DPA guidelines re CCTV operation + privacy notices
− DPA scrutinises privacy policies
− EUR 5,000 fine: data security breach + poorly drafted processing agreement
− EUR 1,500 fine: “too general” privacy notice
− EUR 300 fine: no internal privacy rules for 9,000 employees
− EUR 1,500 fine: no separate “opt-in” for direct marketing
− EUR 5,000 fine: unlawful access to employee laptop for compliance reasons

Slide 12: Trends in the legislation, hot topics and regulator’s attitude – Poland
− Pending legislation concerning:
  − Changes of status of Data Protection Officer
  − Recognition of BCRs as a legal ground to transfer data outside the EEA
− DPA’s shift towards allowance of cloud computing in the public sector
− DPA’s attitude to strictly control technical & organisational measures

Slide 13: Trends in the legislation, hot topics and regulator’s attitude – Romania
− New secondary legislation issued by local DPA (e.g. regarding the protection of personal data in the context of the usage of video surveillance)
− Transfer of data outside EEA remains a hot topic
− DPA new trend – more investigations, higher fines (highest RON 20,000 or EUR 4,500), more involvement (new and active DPA Chairman)
− DPA investigations – direct marketing, unauthorised video surveillance, failure to safeguard personal data
− Increased awareness of DP rules among companies (i.e. increased number of notifications to local DPA)

Slide 14: Trends in the legislation, hot topics and regulator’s attitude – Russia
− Minor changes in privacy law since 2011
− Subcontracting is possible under the confidentiality and safety conditions
− Decree on measures for personal data protection (01.11.2012)
− Recommendations on depersonalisation of personal data (05.09.2013)
− Drafts on significant increase of fines are being elaborated
− Lack of legislation on cloud
− Lack of legislative provisions on cross-border data transfer

Slide 15: Trends in the legislation, hot topics and regulator’s attitude – Slovakia
New privacy act:
− Sensitive data: written consent may not be necessary
− Informing 3rd party re provision of incomplete or outdated data
− Familiarise employees processing personal data with their duties + keep record of that
− New conditions for the DPO authorisation, including testing
− New conditions for the data transfer to 3rd countries without adequate level of protection. DPA consent may not be necessary.

Slide 16: Trends in the legislation, hot topics and regulator’s attitude – Ukraine
Changes to the personal data protection act:
− changed DPA: now it is the Ombudsman instead of the State Service of the Personal Data Protection (though the latter remains existent)
− cancelled database registration requirement
− introduced requirement to notify the Ombudsman of processing of the ‘high risk’ (sensitive) personal data
Changes to the secondary legislation:
− introduced new standard procedure for personal data processing
− introduced procedure for the regular and ad-hoc inspections over the compliance with the personal data protection laws

Slide 17: Registration obligations at the DPA
Main issues
− Always consider whether it is a notification, or an approval.
− Make sure that the deadlines are kept.
− Usually free of charge with standard registration forms.
− Renewal / modification obligations?
− Certain data processing operations may not be exempted!
− Consequences of non-compliance (e.g. fines)?
Make sure that you have fulfilled all registration obligations.

Slide 18: Registration obligations at the DPA (1) – Bulgaria, Czech Republic
Deadlines
− Bulgaria:
  − Processing: upon filing
  − Immediate notification to the DPA re any change, or within 7 days after entry into force if required by law
  − DPA deadline: 14 days
− Czech Republic:
  − Before data processing + any change immediately
  − DPA deadline within 30 days (in practice: 5-10 days)
Exemptions
− Bulgaria:
  − Registry: intended by law for public information, with free access
  − Transfer abroad: notification (EEA); + authorisation (transfer outside EEA, depending on countries)
− Czech Republic:
  − Data processing is a statutory duty, e.g. employee data, “customer data” etc.
  − Required: employee data transfers, whistleblowing hotlines, CCTV, marketing

Slide 19: Registration obligations at the DPA (2) – Hungary, Poland
Deadlines
− Hungary:
  − Before data processing + 8 days from changes
  − 8 days (no response: processing can start)
− Poland:
  − Before data processing + 30 days from change
  − Sensitive data: registration obligatory before processing
  − Forms: information on processors and 3rd country transfers
Exemptions
− Hungary:
  − Employees + “customers” (direct collection + info on purpose, scope, retention, transfers)
  − No exemption: not strictly employment-related employee data, whistleblowing hotlines, CCTV (client space / external operator)
− Poland:
  − Many exemptions (e.g. employees, invoicing)
  − No exemption: whistleblowing hotlines, CCTV

Slide 20: Registration obligations at the DPA (3) – Romania, Russia
Deadlines
− Romania:
  − Advisable: 30 days before processing + 5 days from any change
  − For each new purpose
  − DPA deadline: 5 days (no response: processing can start)
− Russia:
  − Before data processing
  − DPA deadline: 30 days, publishing in on-line register (no response: processing can start)
Exemptions
− Romania:
  − Expressly provided by law (e.g. employees)
  − Transfer abroad: notification (EEA); + authorisation (transfer outside EEA, depending on countries)
− Russia:
  − Only names and surnames are processed
  − Employee data (if not beyond employment)
  − Counterpart under contracts (or beneficiary)
  − One-time entry to premises, etc.

Slide 21: Registration obligations at the DPA (4) – Slovakia, Ukraine
Deadlines
− Slovakia:
  − Registration of each filing system
  − Start after the notification
  − Sensitive data to 3rd country: start after DPA resolution
  − DPA deadline – 30 days
  − Special registration – 60 days
− Ukraine: notification to the Ombudsman of processing of the ‘high-risk’ (sensitive) data:
  − 30 days after the processing started
  − 30 days after the person/division responsible for the data processing is appointed
  − 10 days after any changes to the earlier notified data occurred or processing of the sensitive data was stopped
Exemptions
− Slovakia:
  − If DPO is appointed (mandatory in case of more than 20 employees processing personal data)
− Ukraine: if the data is processed:
  − to be included in the open public registries;
  − by NGOs or similar organisations, relates to their members and is not transferred without their consent;
  − by data controllers to realise their legitimate rights and duties in the domain of employment relationship

Slide 22: Cross-border data flows
Main issues
− Is the transferee's country a “3rd country”? (e.g. non-EEA)
− Separate consent? Any other legal basis (e.g. legitimate interests, contracting, legal obligations)?
− Is it necessary to ensure “adequate protection”? EC Model Clauses, Binding Corporate Rules, or other protections recognised in the transferor’s jurisdiction?
− Intra-company transfers may also be subject to consent!
− Is it necessary to provide specific privacy information (e.g. lack of “adequate protection”) before the transfer?
− Does it require notification to / approval by the DPA?
Make sure that you have fulfilled all data transfer preconditions.

Slide 23: Cross-border data flows – preconditions (1) – Czech Republic, Hungary
− Legal basis? Czech Republic: (1) Consent or (2) one of the statutory reasons (e.g. “legitimate interest”). Hungary: (1) Consent or (2) no consent but “legitimate interest” + safeguards.
− Prior notification to / authorisation by the DPA? Czech Republic: In some cases yes. Hungary: Yes.
− Safeguards – EC Model Clauses? Czech Republic: Yes. Hungary: Yes.
− Safeguards – BCRs? Czech Republic: Yes. Hungary: No.
− Safeguards – other? Czech Republic: Yes. Hungary: No.
− Specific privacy information? Czech Republic: General information duty applies. Hungary: Lack of adequate protection outside the EEA – for employees.

Slide 24: Cross-border data flows – preconditions (2) – Romania, Ukraine
− Legal basis? Romania: (1) Safeguards (model clauses), (2) consent (in writing, if sensitive data), (3) other grounds (e.g. transfer necessary for contract performance). Ukraine: (1) Consent or (2) other legitimate grounds + adequate protection.
− Prior notification to / authorisation by the DPA? Romania: Yes. Ukraine: No.
− Safeguards – EC Model Clauses? Romania: Yes. Ukraine: N/A.
− Safeguards – BCRs? Romania: No. Ukraine: No.
− Safeguards – other? Romania: No. Ukraine: Model data transfer agreement developed by DPA (if signed, grants ‘adequate protection’).
− Specific privacy information? Romania: No. Ukraine: EEA countries assumed to grant adequate protection.

Slide 25: Cross-border data flows – preconditions (3) – Bulgaria, Russia
− Legal basis? Bulgaria: (1) Consent, (2) adequate protection, (3) model clauses, (4) prior authorisation of the DPA, (5) other grounds (e.g. transfer necessary for contract performance). Russia: (1) Consent or (2) no consent in the cases expressly provided by the legislation.
− Prior notification to / authorisation by the DPA? Bulgaria: Yes. Russia: Yes.
− Safeguards – EC Model Clauses? Bulgaria: Yes. Russia: No.
− Safeguards – BCRs? Bulgaria: No. Russia: No.
− Safeguards – other? Bulgaria: No. Russia: No.
− Specific privacy information? Bulgaria: Quite restrictive approach for non-EEA countries. Russia: Transfer to the states not ensuring ‘adequate protection’ requires written consent.

Slide 26: Cross-border data flows – preconditions (4) – Poland, Slovakia
− Legal basis? Poland: (1) Consent or (2) one of the statutory reasons (e.g. agreement). Slovakia: (1) Consent or (2) no consent but “legitimate exceptions” or (3) safeguards.
− Prior notification to / authorisation by the DPA? Poland: In some cases yes. Slovakia: In some cases yes.
− Safeguards – EC Model Clauses? Poland: Yes, DPA authorisation. Slovakia: Yes.
− Safeguards – BCRs? Poland: Yes, DPA authorisation. Slovakia: Yes.
− Safeguards – other? Poland: tech & org standards as in Poland. Slovakia: No, only general safety measures.
− Specific privacy information? Yes, general information duty.

Slide 27: Cross-border data flows: Storm in the Safe Harbor
− Since 2000 – EC + US Department of Commerce
− 2013: NSA “revelations”
− EC: 13 recommendations to improve Safe Harbor
− LIBE: 8 January 2014 calls for immediate suspension
− Law enforcement settlements filed by the FTC
− New EU Regulation: “sunset”
− Dealing with foreign judicial and regulatory requests (FCPA, Patriot Act, e-discovery)
  • EU Working Document 1/2009 on pre-trial discovery for cross-border civil litigation
  • “Sedona Conference International Principles on Discovery, Disclosure and Data Protection”

Slide 28: Demystifying Cloud Computing

Slide 29: Demystifying Cloud Computing (1)
Issues
− Outsourcing trends today – in the cloud!
− Private, community, public, hybrid
− Infrastructure / Software / Platform as a Service
− Flexible consumption, dynamic nature
− EC's new strategy for “Unleashing the potential of cloud computing”
− European Cloud Partnership

Slide 30: Demystifying Cloud Computing (2)
Issues
− One project – multiple jurisdictions
− Internal data transfers
− Who is the controller?
− Who is the processor?
− Non-negotiable general terms
− Unwanted governmental access (Patriot Act)
− Guidance: WP 29 Opinion 05/2012 + national sector-specific guidance

Slide 31: Demystifying Cloud Computing (3)
Expectations from customers
− Prohibition of cloud services to government entities
− Transferring employee e-mail management to Google
− Cloud contract negotiation + FSA regulatory issues: a major CEE financial institution goes into the cloud
− Operating a cross-border virtual data room in the cloud
− Processing of health service customer data via SaaS
− Moving workplace applications + emails to Microsoft 365
− Data sharing between logistics competitors in a cloud
− Our involvement in “EC Expert Group on Cloud Computing Contracts” and “European Study Cloud Computing SLAs”
The customer (data controller) wants to maintain “control”!

Slide 32: Demystifying Cloud Computing (4)
Expectations from customers
1. Data categorisation
2. Compliance: local laws + industry regulations
3. Security requirements + breach notification (timing)
4. Cooperation re security breaches
5. Specify: locations
6. Specify: sub-processor chain (back-to-back)
7. No onerous unilateral amendments
8. Objective and measurable SLAs + business continuity
9. Penalties, insurance, bank guarantee
10. Reasonable limitation of liability (data loss) + Force Majeure
11. Termination rights & no “lock-in” & data portability
12. Deletion policy
The contracting practice is becoming more client-friendly!

Slide 33: Demystifying Cloud Computing (5) – Specific issues – CEE overview
Watch out for regulatory developments, contracting expectations and Article 29 WP’s Opinion 05/2012.
− Hungary:
  − FSA: cloud = outsourcing – specific rules apply in financial services; processing financial secrets in the cloud not recommended
  − DPA: processing sensitive data in the cloud: not recommended
− Czech Republic: DPA has a more flexible approach. It is recommended to consider the cloud provider as the data processor.
− Bulgaria: No specific rules for cloud service providers existing
− Ukraine: No specific regulation: general requirements for personal and other restricted data protection apply; processing of bank and insurance secrets in the cloud not recommended

Slide 34: Demystifying Cloud Computing (6) – Specific issues – CEE overview
Watch out for regulatory developments, contracting expectations and Article 29 WP’s Opinion 05/2012.
− Poland:
  − DPA: more allowed, even public sector
  − Cloud service provider = data processor
− Slovakia:
  − Limitations re sensitive information (healthcare / finance)
  − It is recommended to consider the cloud provider as the data processor
− Romania: Specific rules in financial services (e.g. in insurance, outsourcing of IT administration – notification of CSA (local insurance regulator); outsourcing contract needs to observe certain prerequisites provided by law)
− Russia: State standard for cloud services is being developed by the state authorities

Slide 35: Any questions? Would like to know more? Contact us!
− Dóra Petrányi – Hungary, CEE Data Protection Lead Partner, dora.petranyi@cms-cmck.com, +36 1 483 4820
− Márton Domokos – Hungary, marton.domokos@cms-cmck.com, +36 1 483 4824
− Angelika Dimitrova – Bulgaria, angelika.dimitrova@cms-cmck.com, +359 2 923 4851
− Jakub Tomsej – Czech Republic, jakub.tomsej@cms-cmck.com, +420 2 210 98 808
− Marcin Lewoszewski – Poland, marcin.lewoszewski@cms-cmck.com, +48 22 520 5525
− Elena Baryshnikova – Russia, elena.baryshnikova@cmslegal.ru, +7 495 786 40 99

Slide 36
Please complete our feedback box that opens automatically when this presentation closes.
Do not miss PART 2 – Your digital legal guardians – 02 April 2014
− Demystifying Big Data – “The next BIG thing” – How is it collected? – Data Privacy Issues – Identification and mitigation of risks – Regulatory changes may require recalibration – BIG data issues in our practice
− Cookie Compliance – Current issues & detailed CEE overview
− Security Breach notifications – Current issues & detailed CEE overview
− Workplace privacy – “Hot” data privacy topics – detailed CEE overview – Whistleblowing and BYOD
− The new EU Data Protection Regulation: its impact on your practice, current status and next steps