This webinar aims to provide you with an overview of the various national personal data protection frameworks that exist in CEE, particularly in Bulgaria, Czech Republic, Hungary, Poland, Romania, Russia, Slovakia, and Ukraine. CMS have provided legal assistance in each of these jurisdictions for many years.
26 March 2014
CMS CEE Data Protection Webinar series
PART 1
Digital Passport to Data Protection
Your presenters today
− Bulgaria: Angelika Dimitrova
− Czech Republic: Jakub Tomsej
− Hungary: Dóra Petrányi
− Hungary: Márton Domokos
− Poland: Marcin Lewoszewski
− Russia: Elena Baryshnikova
Introducing… our CMS CEE Guide to Data Protection
Email us for a copy or download the guide from our website: www.cms-cmck.com
Agenda
− Privacy trends: trends in the legislation, hot topics and regulator’s attitude; DPA registration obligations
− Cross-border data flows
− Demystifying Cloud Computing
− Demystifying Big Data
− Cookie Compliance
− Security breach rules
− Hot topics in workplace privacy: BYOD & whistleblowing
− Impact of the EU Regulation Checklist
Introduction
Trends in privacy and the risk landscape
2014: privacy and data security will be “top-of-mind” issues for regulators
Introduction
Trends in privacy and the risk landscape
− Internet of Things will impact law: “Cyber criminals hack smart fridge to send out spam”
− “Big Data” gets bigger: “Big data, big legal trouble?”
− Complex & extensive cloud computing: “Targeting the $100 Billion Cloud Market”
− Mobile content revolution: “App Generation will lead to $77bn in revenues by 2017”
− Wearable technologies: “How Google Glass Is Redefining Tech Etiquette”
− e-health: “Oral B's smart toothbrush lets dentists spy on your brushing”
Introduction
Trends in privacy and the risk landscape
− More personal advertising: “Microsoft Working On New Tracking Technology To Replace Cookies”
− Finalisation of the EU Regulation: Reding: “Full Speed on EU Data Protection Reform 2014”
− Strong push on compliance (whistleblowing): “New Whistleblowing Law Generates New Data Privacy Issues in Hungary”
− Fines, recovery costs and reputation: “Facebook-WhatsApp Risks Sparking Privacy Probes”
− Trans-Atlantic tensions: “EU data protection reform could start 'trade war'”
Trends in the legislation, hot topics and regulator’s attitude – Bulgaria
− Last significant amendments of the Data Protection Act in 2011 (small changes in 2014 re Commission budget)
− DPA: fines up to EUR 50,000 (doubled in case of a repeat offence)
− Processing without consent is allowed: compliance with a legal obligation + legitimate interests
− Transfer of data outside the EEA remains a hot topic
− New Ordinance on the minimal level of technical and organisational measures and allowed means for protection of personal data, dated 30.01.2013
− Increase in the number of verifications performed by the DPA
Trends in the legislation, hot topics and regulator’s attitude – Czech Republic
− No significant changes of legislation
− Increasing number of investigations by the DPA, often focusing on companies in the finance, health care and technology sectors
Hot topics of the year:
− data transfer within and outside the EU,
− registration duties towards the DPA,
− monitoring of employees
Trends in the legislation, hot topics and regulator’s attitude – Hungary
− New whistleblowing law: registration + amendment policies
− DPA guidelines re contents of data processing agreements
− DPA guidelines re CCTV operation + privacy notices
− DPA scrutinises privacy policies
− EUR 5,000 fine: data security breach + poorly drafted processing agreement
− EUR 1,500 fine: “too general” privacy notice
− EUR 300 fine: no internal privacy rules for 9,000 employees
− EUR 1,500 fine: no separate “opt-in” for direct marketing
− EUR 5,000 fine: unlawful access to employee laptop for compliance reasons
Trends in the legislation, hot topics and regulator’s attitude – Poland
− Pending legislation concerning:
  − changes to the status of the Data Protection Officer
  − recognition of BCRs as a legal ground to transfer data outside the EEA
− DPA’s shift towards allowing cloud computing in the public sector
− DPA’s attitude: strict control of technical & organisational measures
Trends in the legislation, hot topics and regulator’s attitude – Romania
− New secondary legislation issued by the local DPA (e.g. regarding the protection of personal data in the context of the usage of video surveillance)
− Transfer of data outside the EEA remains a hot topic
− DPA new trend: more investigations, higher fines (highest: RON 20,000 or EUR 4,500), more involvement (new and active DPA Chairman)
− DPA investigations: direct marketing, unauthorised video surveillance, failure to safeguard personal data
− Increased awareness of DP rules among companies (i.e. increased number of notifications to the local DPA)
Trends in the legislation, hot topics and regulator’s attitude – Russia
− Minor changes in privacy law since 2011
− Subcontracting is possible under confidentiality and safety conditions
− Decree on measures for personal data protection (01.11.2012)
− Recommendations on depersonalisation of personal data (05.09.2013)
− Drafts significantly increasing fines are being elaborated
− Lack of legislation on cloud
− Lack of legislative provisions on cross-border data transfer
Trends in the legislation, hot topics and regulator’s attitude – Slovakia
New privacy act:
− Sensitive data: written consent may not be necessary
− Informing 3rd parties re provision of incomplete or outdated data
− Familiarise employees processing personal data with their duties + keep a record of that
− New conditions for DPO authorisation, including testing
− New conditions for data transfer to 3rd countries without an adequate level of protection; DPA consent may not be necessary
Trends in the legislation, hot topics and regulator’s attitude – Ukraine
Changes to the personal data protection act:
− changed DPA: now it is the Ombudsman instead of the State Service of Personal Data Protection (though the latter still exists)
− cancelled database registration requirement
− introduced requirement to notify the Ombudsman of processing of ‘high risk’ (sensitive) personal data
Changes to the secondary legislation:
− introduced new standard procedure for personal data processing
− introduced procedure for regular and ad-hoc inspections of compliance with personal data protection laws
Registration obligations at the DPA
Main issues
− Always consider whether it is a notification, or approval.
− Make sure that the deadlines are kept.
− Usually free of charge with standard registration forms.
− Renewal / modification obligations?
− Certain data processing operations may not be exempted!
− Consequences of non-compliance (e.g. fines)?
Make sure that you fulfilled all registration obligations.
Registration obligations at the DPA (1)
Bulgaria
Deadlines:
− Processing: upon filing
− Immediate notification to the DPA re any change, or within 7 days after entry into force if required by law
− DPA deadline: 14 days
Exemptions:
− Registry intended by law for public information, with free access
− Transfer abroad: notification (EEA); + authorization (transfer outside EEA, depending on countries)
Czech Republic
Deadlines:
− Before data processing + any change immediately
− DPA deadline within 30 days (in practice: 5-10 days)
Exemptions:
− Data processing is a statutory duty, e.g. employee data, “customer data” etc.
− Required: employee data transfers, whistleblowing hotlines, CCTV, marketing
Registration obligations at the DPA (2)
Hungary
Deadlines:
− Before data processing + 8 days from changes
− 8 days (no response: processing can start)
Exemptions:
− Employees + “customers” (direct collection + info on purpose, scope, retention, transfers)
− No exemption: not strictly employment-related employee data, whistleblowing hotlines, CCTV (client space / external operator)
Poland
Deadlines:
− Before data processing + 30 days from change
− Sensitive data: registration obligatory before processing
− Forms: information on processors and 3rd country transfers
Exemptions:
− Many exemptions (e.g. employees, invoicing)
− No exemption: whistleblowing hotlines, CCTV
Registration obligations at the DPA (3)
Romania
Deadlines:
− Advisable: 30 days before processing + 5 days from any change
− For each new purpose
− DPA deadline: 5 days (no response: processing can start)
Exemptions:
− Expressly provided by law (e.g. employees)
− Transfer abroad: notification (EEA); + authorization (transfer outside EEA, depending on countries)
Russia
Deadlines:
− Before data processing
− DPA deadline: 30 days, publishing in on-line register (no response: processing can start)
Exemptions:
− Only names and surnames are processed
− Employee data (if not beyond employment)
− Counterpart under contracts (or beneficiary)
− One-time entry to premises, etc.
Registration obligations at the DPA (4)
Slovakia
Deadlines:
− Registration of each filing system
− Start after the notification
− Sensitive data to 3rd country: start after DPA resolution
− DPA deadline – 30 days
− Special registration – 60 days
Exemptions:
− If a DPO is appointed (mandatory in case of more than 20 employees processing personal data)
Ukraine
Deadlines:
− Notification to the Ombudsman of processing of ‘high-risk’ (sensitive) data:
  - 30 days after the processing started
  - 30 days after the person/division responsible for the data processing is appointed
  - 10 days after any changes to the earlier notified data occurred or processing of the sensitive data was stopped
Exemptions – if the data is processed:
− to be included in open public registries;
− by NGOs or similar organisations, relates to their members and is not transferred without their consent;
− by data controllers to realise their legitimate rights and duties in the domain of the employment relationship
Cross-border data flows
Main issues
− Is the transferee's country a “3rd country” (e.g. non-EEA)?
− Separate consent? Any other legal basis (e.g. legitimate interests, contracting, legal obligations)?
− Is it necessary to ensure “adequate protection”? EC Model Clauses, Binding Corporate Rules, or other protections recognised in the transferor’s jurisdiction?
− Intra-company transfers may also be subject to consent!
− Is it necessary to provide specific privacy information (e.g. lack of “adequate protection”) before the transfer?
− Does it require notification to / approval by the DPA?
Make sure that you fulfilled all data transfer preconditions.
Cross-border data flows – preconditions (1)
Czech Republic
− Legal basis: (1) consent or (2) one of the statutory reasons (e.g. “legitimate interest”)
− Prior notification to / authorisation by the DPA: in some cases yes
− Safeguards – EC Model Clauses: yes
− Safeguards – BCRs: yes
− Safeguards – other: yes
− Specific privacy information: general information duty applies
Hungary
− Legal basis: (1) consent or (2) no consent but “legitimate interest” + safeguards
− Prior notification to / authorisation by the DPA: yes
− Safeguards – EC Model Clauses: yes
− Safeguards – BCRs: no
− Safeguards – other: no
− Specific privacy information: lack of adequate protection outside the EEA – for employees
Cross-border data flows – preconditions (2)
Romania
− Legal basis: (1) safeguards (model clauses), (2) consent (in writing, if sensitive data), (3) other grounds (e.g. transfer necessary for contract performance)
− Prior notification to / authorisation by the DPA: yes
− Safeguards – EC Model Clauses: yes
− Safeguards – BCRs: no
− Safeguards – other: no
− Specific privacy information: no
Ukraine
− Legal basis: (1) consent or (2) other legitimate grounds + adequate protection
− Prior notification to / authorisation by the DPA: no
− Safeguards – EC Model Clauses: N/A
− Safeguards – BCRs: no
− Safeguards – other: model data transfer agreement developed by the DPA (if signed, grants ‘adequate protection’)
− Specific privacy information: EEA countries assumed to grant adequate protection
Cross-border data flows – preconditions (3)
Bulgaria
− Legal basis: (1) consent, (2) adequate protection, (3) model clauses, (4) prior authorisation of the DPA, (5) other grounds (e.g. transfer necessary for contract performance)
− Prior notification to / authorisation by the DPA: yes
− Safeguards – EC Model Clauses: yes
− Safeguards – BCRs: no
− Safeguards – other: no
− Specific privacy information: quite restrictive approach for non-EEA countries
Russia
− Legal basis: (1) consent or (2) no consent in the cases expressly provided by the legislation
− Prior notification to / authorisation by the DPA: yes
− Safeguards – EC Model Clauses: no
− Safeguards – BCRs: no
− Safeguards – other: no
− Specific privacy information: transfer to states not ensuring ‘adequate protection’ requires written consent
Cross-border data flows – preconditions (4)
Poland
− Legal basis: (1) consent or (2) one of the statutory reasons (e.g. agreement)
− Prior notification to / authorisation by the DPA: in some cases yes
− Safeguards – EC Model Clauses: yes (DPA authorisation)
− Safeguards – BCRs: yes (DPA authorisation)
− Safeguards – other: tech & org standards as in Poland
Slovakia
− Legal basis: (1) consent or (2) no consent but “legitimate exceptions”, (3) safeguards
− Prior notification to / authorisation by the DPA: in some cases yes
− Safeguards – EC Model Clauses: yes
− Safeguards – BCRs: yes
− Safeguards – other: no, only general safety measures
Specific privacy information (Poland and Slovakia): yes, general information duty
Cross border data flows: Storm in the Safe Harbor
− Since 2000 – EC + US Department of Commerce
− 2013: NSA “revelations”
− EC: 13 recommendations to improve Safe Harbor
− LIBE: 8 January 2014 calls for immediate suspension
− Law enforcement settlements filed by the FTC
− New EU Regulation: “sunset”
− Dealing with foreign judicial and regulatory requests (FCPA, Patriot Act, e-discovery)
  • EU Working Document 1/2009 on pre-trial discovery for cross border civil litigation
  • “Sedona Conference International Principles on Discovery, Disclosure and Data Protection”
Demystifying Cloud Computing (1)
Issues
− Outsourcing trends today – in the cloud!
− Private, community, public, hybrid
− Infrastructure / Software / Platform as a Service
− Flexible consumption, dynamic nature
− EC's new strategy for “Unleashing the potential of cloud computing”
− European Cloud Partnership
Demystifying Cloud Computing (2)
Issues
− One project – multiple jurisdictions
− Internal data transfers
− Who is the controller?
− Who is the processor?
− Non-negotiable general terms
− Unwanted governmental access (Patriot Act)
− Guidance: WP 29 Opinion 05/2012 + national sector-specific guidance
Demystifying Cloud Computing (3)
Expectations from customers
− Prohibition of cloud services to government entities
− Transferring employee e-mail management to Google
− Cloud contract negotiation + FSA regulatory issues: a major CEE financial institution goes into the cloud
− Operating a cross-border virtual data room in the cloud
− Processing of health service customer data via SaaS
− Moving workplace applications + emails to Microsoft 365
− Data sharing between logistics competitors in a cloud
− Our involvement in “EC Expert Group on Cloud Computing Contracts” and “European Study Cloud Computing SLAs”
The customer (data controller) wants to maintain “control”!
Demystifying Cloud Computing (4)
Expectations from customers
1. Data categorisation
2. Compliance: local laws + industry regulations
3. Security requirements + breach notification (timing)
4. Cooperation re security breaches
5. Specify: locations
6. Specify: sub-processor chain (back-to-back)
7. No onerous unilateral amendments
8. Objective and measurable SLAs + business continuity
9. Penalties, insurance, bank guarantee
10. Reasonable limitation of liability (data loss) + Force Majeure
11. Termination rights & no “lock-in” & data portability
12. Deletion policy
The contracting practice is becoming more client-friendly!
Demystifying Cloud Computing (5)
Specific issues – CEE overview
Watch out for regulatory developments, contracting expectations and Article 29 WP’s Opinion 05/2012.
Hungary:
− FSA: cloud = outsourcing – specific rules apply in financial services; processing financial secrets in the cloud not recommended
− DPA: processing sensitive data in the cloud: not recommended
Czech Republic:
− DPA has a more flexible approach. It is recommended to consider the cloud provider as the data processor
Bulgaria:
− No specific rules for cloud service providers existing
Ukraine:
− No specific regulation: general requirements for personal and other restricted data protection apply; processing of bank and insurance secrets in the cloud not recommended
Demystifying Cloud Computing (6)
Specific issues – CEE overview
Watch out for regulatory developments, contracting expectations and Article 29 WP’s Opinion 05/2012.
Poland:
− DPA: more allowed, even public sector
− Cloud service provider = data processor
− Limitations re sensitive information (healthcare / finance)
Slovakia:
− It is recommended to consider the cloud provider as the data processor
Romania:
− Specific rules in financial services (e.g. in insurance, outsourcing of IT administration – notification of CSA (local insurance regulator); outsourcing contract needs to observe certain pre-requisites provided by law)
Russia:
− State standard for cloud services is being developed by the state authorities
Any questions? Would like to know more?
Contact us!
Dóra Petrányi - Hungary
CEE Data Protection Lead Partner
dora.petranyi@cms-cmck.com
+36 1 483 4820
Márton Domokos – Hungary
marton.domokos@cms-cmck.com
+36 1 483 4824
Angelika Dimitrova – Bulgaria
angelika.dimitrova@cms-cmck.com
+359 2 923 4851
Jakub Tomsej – Czech Republic
jakub.tomsej@cms-cmck.com
+420 2 210 98 808
Marcin Lewoszewski – Poland
marcin.lewoszewski@cms-cmck.com
+48 22 520 5525
Elena Baryshnikova - Russia
elena.baryshnikova@cmslegal.ru
+7 495 786 40 99
Please complete our feedback box that opens automatically when this presentation closes.
Do not miss PART 2 – Your digital legal guardians – 02 April 2014
– Demystifying Big Data – "The next BIG thing"
  – How is it collected?
  – Data Privacy Issues
  – Identification and mitigation of risks
  – Regulatory changes may require recalibration – BIG data issues in our practice
– Cookie Compliance – Current issues & detailed CEE overview
– Security Breach notifications – Current issues & detailed CEE overview
– Workplace privacy – "Hot" data privacy topics – detailed CEE overview
  – Whistleblowing and BYOD
– The new EU Data Protection Regulation: its impact on your practice, current status and next steps