This article explores the potential application of the GDPR in running a typical Irish merger or acquisition and sets out some practical guidelines on how parties to the transaction can demonstrate compliance with the GDPR requirements.
The document provides an agenda and overview for a data protection training seminar. It discusses why data protection is important, key terms and principles of the Data Protection Act 1998 and Privacy and Electronic Communications Regulation 2003. These include the definition of personal data, the rights of individuals, and security requirements. It also offers practical tips for marketers regarding obtaining consent, using data, and regaining lost permissions. The seminar aims to help participants understand UK data protection law and its implications for their marketing activities.
Data Protection Indonesia: Basic Regulation and Technical Aspects_Eryk - Eryk Budi Pratama
The document provides an overview of personal data protection regulations and technical aspects related to data privacy. It discusses key aspects of the draft Indonesian Personal Data Protection Bill, including rights of data owners and obligations of data controllers. It also covers technical topics like identity and access management, data loss prevention, and incident management. The presentation aims to provide a basic understanding of both regulatory requirements and technical controls for protecting personal data.
The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164.
The HIPAA Security Rule lists 28 administrative safeguards, 12 physical safeguards and 12 technical safeguards, along with specific organizational and policies-and-procedures requirements. EHR 2.0 HIPAA security assessment services help covered entities discover gap areas based on the required and addressable requirements.
There are two main rules for HIPAA. One is a rule on privacy and the other on Security.
The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections. The Privacy Rule is located at 45 CFR Part 160 and Subparts A and E of Part 164.
How often should security be reviewed?
The security standards under HIPAA should be reviewed and modified as needed to continue providing reasonable and appropriate protection of electronic protected health information.
Confidentiality
Limiting information access and disclosure to authorized users (the right people)
Integrity
Trustworthiness of information resources (no inappropriate changes)
Availability
Availability of information resources (at the right time)
http://ehr20.com/services/hipaa-security-assessment/
Digital Personal Data Protection (DPDP) Practical Approach For CISOs - Priyanka Aash
Key Discussion Pointers:
1. Introduction to Data Privacy
- What is data privacy
- Privacy laws around the globe
- DPDPA Journey
2. Understanding the New Indian DPDPA 2023
- Objectives
- Principles of DPDPA
- Applicability
- Rights & Duties of Individuals
- Principals
- Legal implications/penalties
3. A practical approach to DPDPA compliance
- Personal data Inventory
- DPIA
- Risk treatment
A Brave New World Of Data Protection. Ready? Counting down to GDPR. dan hyde
This document discusses the key requirements of the General Data Protection Regulation (GDPR) that will take effect in May 2018. It explains that GDPR will apply broadly to any company that handles personal data of Europeans, regardless of location. It outlines important concepts like data subjects, data controllers, and data processing. It also summarizes the core GDPR principles of lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; limited storage; integrity and confidentiality; and accountability. The document provides examples of lawful bases for processing personal data and notes that explicit consent is required for special categories of sensitive data.
The engaging white paper delivers the core facts you need to understand the fundamental nature of the GDPR regulations and what it means for your business and the management of its data.
The document provides an overview of the General Data Protection Regulation (GDPR). It discusses key aspects of GDPR such as what it is, who it applies to, lawful bases for processing data, data subject rights, and steps for achieving compliance. Specifically, GDPR is a new EU privacy law that gives more control to individuals over their personal data and imposes fines on companies that don't comply. It applies broadly to any organization that handles EU citizens' data.
The document provides a summary of the key aspects of the General Data Protection Regulation (GDPR) in 3 pages. It discusses the basic principles of GDPR, how it may impact technology systems, and software tools that can help with compliance. Some of the main topics covered include the definition of personal and sensitive data, data subject rights, privacy by design, security requirements, and obligations for controllers and processors. The summary emphasizes the need for businesses to review their data protection practices and ensure they are prepared to comply with GDPR requirements that take effect in May 2018.
The document provides a summary of the key aspects of the General Data Protection Regulation (GDPR) in 3 pages. It discusses the basic principles of GDPR, how it may impact technology systems, and software tools that can help with compliance. Some of the main topics covered include the definition of personal and sensitive data, data subject rights, privacy by design, security requirements, and obligations for controllers and processors. The summary emphasizes the need for businesses to focus on compliance given the enhanced penalties and wider scope of GDPR.
Microsoft and Tech Data’s Ultimate GPDR Glossary - Tech Data
Decipher the GDPR’s complex language using Microsoft and Tech Data’s jargon-busting guide to ensure your business stays on the right side of the new law.
The General Data Protection Regulation (GDPR) is a new EU data protection law that takes effect in May 2018. It places greater obligations on organizations to protect personal data and privacy. The GDPR expands the definition of personal data, increases requirements for consent and transparency, strengthens individual rights, and imposes tougher fines for non-compliance. Businesses need to review their data protection practices, identify any risks, and make changes to policies and procedures to ensure compliance with the new law. Failure to comply could result in significant fines of up to 4% of global revenue.
Operational impact of gdpr finance industries in the caribbean - EquiGov Institute
A brief outline of the challenges that could be faced by financial institutions with the implementation of the GDPR, and recommendations to mitigate them.
GDPR most actionable cheatsheet and checklist by cyberstratg - Cyber StratG
1) The document provides an action plan for organizations to comply with the requirements of the General Data Protection Regulation (GDPR) by outlining key areas that need to be addressed and specific actions under each area.
2) It identifies areas like data governance, accountability, consent, records of processing, privacy by design, contracting, data breaches, and data exports that organizations need to review and update processes and documentation to meet GDPR requirements.
3) For each area, it lists articles of the GDPR that are relevant and provides a brief description of the GDPR requirements to provide guidance on the types of actions needed for compliance.
IT, Legal, Marketing and Sales departments are all affected by the European Union's General Data Protection Regulation (EU GDPR). EU GDPR is more than an IT governance issue: it impacts the IT architecture and the user journey of your online and offline data capture processes.
The document discusses the key aspects and requirements of the General Data Protection Regulation (GDPR). It notes that the GDPR strengthens and unifies data protection for individuals within the European Union. It applies to all companies processing personal data of EU residents, regardless of the company's location. The GDPR requires organizations to implement measures regarding data processing activities, data subject rights, security, breaches, and accountability. Non-compliance can result in significant fines of up to 4% of annual global turnover or €20 million. The GDPR has important implications for financial institutions and other organizations in how they manage personal data.
GDPR Guide: The ICO's 12 Recommended Steps To Take Now - HackerOne
Recommendations from The United Kingdom's Information Commissioner's Office (ICO) to Prepare for May 2018.
The European General Data Protection Regulation, better known as GDPR, will take effect on May 25, 2018. When it does, every business, organization, or government agency that collects information on European Union (EU) citizens (in other words, just about everyone) will be forced to radically change how it manages customer data and security. If you don’t, the cost of noncompliance is significant: fines can reach up to €20M ($23.5M) or 4 percent of annual sales, whichever is higher.
Do You Have a Roadmap for EU GDPR Compliance? Article - Ulf Mattsson
GDPR is Top Priority in US
Over half of US multinationals say GDPR is their top data-protection priority, according to PWC. Of the 200 respondents, 54% reported that GDPR readiness is the highest priority on their data-privacy and security agenda. Another 38% said GDPR is one of several top priorities, while only 7% said it isn’t a top priority.
Here's a short presentation on the GDPR, first presented at the Morning Advertiser MA500 event in Edinburgh on 14th September. This is an overview of the regulations.
GDPR + Sales & Marketing A practical guide by Dan Smith Doogheno - Daniel Smith
This document provides guidance for sales and marketing teams on complying with the General Data Protection Regulation (GDPR). It discusses how GDPR will impact various marketing and sales activities, including cold emails, event marketing, inbound marketing, and the role of salespeople. The key points are that consent is now required to process and collect personal data, companies must be able to prove consent was given, and marketing activities need to follow principles like transparency, purpose limitation, and data minimization. Fines for non-compliance can be up to 20 million euros.
This may feel like a long way off but the obligations on businesses are onerous and the time to prepare is now. The hefty fines that GDPR promises will come into force immediately so businesses are being given plenty of warning to put procedures in place to ensure they are compliant with the regulation. Read this essential guide to getting GDPR ready.
The document discusses the impact of new European Union General Data Protection Regulation (GDPR) regulations on corporate HR functions. It notes that the new regulations, effective in May 2018, will significantly impact how companies collect, store, and use personal employee data. HR departments will need to overhaul processes around data retention, security, transparency, and portability to comply. Non-compliance could result in fines of up to 20 million euros or 4% of global revenue. The document provides recommendations on how companies can assess their readiness, such as conducting privacy impact assessments and implementing centralized governance, risk and compliance solutions.
This document provides an overview of the GDPR and its implications for organizations that process personal data. It discusses key GDPR concepts like what constitutes personal data, the rights of data subjects, and the obligations of data controllers and processors. It also summarizes how GDPR compliance impacts business intelligence tools like Business Objects, and introduces 360Suite as a software solution that can help enhance Business Objects deployments and ensure they meet GDPR requirements through features like granular, incremental backups and restores of data.
These are the slides used in the presentation I gave alongside Haydn Thomas and Andrew Cross from Lightful.
The presentation was to help charities understand the most pressing implications of GDPR as well from an operational and marketing standpoint.
You can find out more about our organisations here:
https://tech-trust.org/
https://www.lightful.com/
https://www.meetup.com/netsquaredlondon/
Cognizant business consulting the impacts of gdpr - audrey miguel
GDPR will fundamentally change the approach to personal data protection in Europe beginning in May 2018. It aims to give individuals greater control over their personal data and places more responsibility on organizations to demonstrate appropriate consent and data usage. While Swiss law already protects personal data, recent updates to Switzerland's Federal Act on Data Protection are intended to closely align it with GDPR. Organizations need to start implementing programs now to assess their compliance and address new requirements around data usage, security, individual rights and oversight.
Data Privacy Compliance Navigating the Evolving Regulatory Landscape.pdf - CIOWomenMagazine
In an increasingly digital world, where personal data has become a valuable commodity, data privacy compliance has emerged as a critical concern for organizations across industries.
The key points from the document are:
1. Ireland introduced formal transfer pricing legislation in 2010 that requires transactions between related parties to be conducted at arm's length prices.
2. The Irish transfer pricing rules were substantially updated in 2019 to broaden their scope of application.
3. Under the Irish rules, the taxable profits of companies must be computed based on accounting profits, subject to any adjustments required by law, including transfer pricing adjustments. Such adjustments may result in transactions at undervalue being treated as deemed distributions for company law purposes.
Similar to Common Data Protection Issues in Managing M&A Deals (20)
Lexology Getting the Deal Through Air Transport 2020 - Matheson Law Firm
Finance and Capital Markets partners Rory McPhillips and Stuart Kennedy and senior associate Stephen Gardiner co-author the Ireland chapter of Getting the Deal Through Air Transport 2020.
Corporate M&A partners Brian McCloskey and Fergus Bolster co-author the Ireland chapter of the International Comparative Legal Guide to Mergers and Acquisitions.
Stuart Kennedy, partner, authors The Assumption of Jurisdiction by the Irish Courts in Cases Involving the Registrar of the International Registry chapter of the Cape Town Convention Journal.
1. Ireland taxes individuals based on their residence and domicile status. Resident and domiciled individuals are taxed on worldwide income and capital gains. Resident but non-domiciled individuals are taxed on Irish-source income and foreign income remitted to Ireland.
2. Ireland has gift, estate, and wealth transfer taxes called Capital Acquisitions Tax (CAT) imposed on beneficiaries. Rates are 33% but certain transfers like between spouses are exempt.
3. Other relevant taxes include income tax, capital gains tax, universal social charge, value-added tax, stamp duties, and a domicile levy for high-earning non-domiciled individuals.
International Comparative Legal Guide to Private Equity 2019 - Matheson Law Firm
Corporate partner, Brian McCloskey and Tax partner, Aidan Fahy co-author the Ireland chapter of the International Comparative Legal Guide to Private Equity 2019.
Commercial Litigation and Dispute Resolution partner, April McClements and senior associate, Aoife McCluskey co-author the Ireland chapter of the Class Actions Law Review, 3rd Edition.
Commercial Litigation and Dispute Resolution partner, Julie Murphy O'Connor and senior associate, Kevin Gahan co-author the Ireland chapter of the Insolvency Review, 7th Edition.
International Comparative Legal Guide to Business Crime 2020Matheson Law Firm
Commercial Litigation and Dispute Resolution partners Karen Reynolds and Claire McLoughlin co-author the Ireland chapter of the International Comparative Legal Guide to Business Crime.
This document provides information about transfer pricing rules and regulations in Ireland. It discusses the primary Irish transfer pricing legislation, the government agency responsible for enforcement, the role of the OECD Transfer Pricing Guidelines, the types of transactions covered by the rules, and Ireland's adherence to the arm's length principle. It also addresses Ireland's implementation of the OECD's base erosion and profit shifting (BEPS) project and its effects on the applicable transfer pricing rules.
Finance and Capital Market partners Rory McPhillips and Stuart Kennedy and senior associate, Stephen Gardiner co-author the Ireland chapter of GTDT Air Transport 2020.
Getting the Deal Through: Insurance Litigation 2019Matheson Law Firm
Litigation partners, Sharon Daly and April McClements and senior associate, Aoife McCluskey author the Ireland chapter of Getting the Deal Through 2019.
Ireland introduced formal transfer pricing legislation in 2010 that broadly applies the arm's length principle to transactions between related parties, requiring the substitution of an arm's length amount for the actual consideration in computing taxable profits. The legislation applies equally to domestic and international transactions but does not apply to small and medium-sized enterprises. An adjustment to the accounting profits for tax purposes under the transfer pricing rules could also result in a deemed distribution under company law if the transaction was undertaken at an undervalue.
A Critical Study of ICC Prosecutor's Move on GAZA WarNilendra Kumar
ICC Prosecutor Karim Khan's proposal to its judges seeking permission to prosecute Israeli leaders and Hamas commanders for crimes against the law of war has serious ramifications and calls deep scrutiny.
सुप्रीम कोर्ट ने यह भी माना था कि मजिस्ट्रेट का यह कर्तव्य है कि वह सुनिश्चित करे कि अधिकारी पीएमएलए के तहत निर्धारित प्रक्रिया के साथ-साथ संवैधानिक सुरक्षा उपायों का भी उचित रूप से पालन करें।
The presentation deals with the concept of Right to Default Bail laid down under Section 167 of the Code of Criminal Procedure 1973 and Section 187 of Bharatiya Nagarik Suraksha Sanhita 2023.
Business law for the students of undergraduate level. The presentation contains the summary of all the chapters under the syllabus of State University, Contract Act, Sale of Goods Act, Negotiable Instrument Act, Partnership Act, Limited Liability Act, Consumer Protection Act.
Common Data Protection Issues in Managing M&A Deals
What is Personal Data?
Personal data means any information that can be used on its own or in combination with other
information to directly or indirectly identify a specific person (the “Data Subject”). Examples of
Personal data include (but are not limited to) a person’s name, their employment ID number, their
image or online identifiers from which they can be identified (such as an IP address).
In order to process personal data one must have a lawful basis to do so. Processing includes storing,
collecting, retrieving, using, combining, erasing and destroying personal data. There are a number of
lawful bases available. The consent of the data subject is a very common lawful basis on which to rely,
although that will rarely be a practical approach in the context of organising a merger or acquisition.
The GDPR provides additional protection for ‘special categories’ of personal data, for example
personal data revealing racial or ethnic origin, trade union membership or data concerning health.
Processing of special category data is prohibited except in limited circumstances. These
circumstances include where processing is necessary for the purposes of carrying out the obligations
and exercising specific rights of the controller as employer, where there is a legal ground to do so
under EU or Member State law or where the Data Subject explicitly consents to the processing of
his/her special category data.
Processing Personal Data in an M&A Transaction
Parties to an M&A transaction and their advisors will exchange information on a target business
directly or through a virtual data room (“VDR”). This exchange facilitates the due diligence process,
and the information disclosed is often utilised at the disclosure stage of the transaction. Typical
examples of personal data disclosed in a VDR include the following:
- Employment contracts or documents listing employees and any additional personal details (such as salary, medical conditions, driver licence information etc.).
- Supplier contracts or customer contracts which include individuals’ names, addresses, bank account/credit card information and signatures in these contracts.
- Key contact lists.
This exchange of personal data falls within the definition of ‘processing’ for GDPR purposes.
Lawful bases for processing personal data:
- the consent of the individual
- performance of a contract
- compliance with a legal or regulatory obligation
- necessary to protect the vital interests of a person
- necessary for the performance of a task carried out in the public interest
- in the legitimate interests of company/organisation (except where those interests are overridden by the interests or rights and freedoms of the data subject)
Processor v Controller Roles in M&A
A ‘controller’ is a person, company, or other body which decides the purposes and means of
processing personal data. In an M&A context this is most likely to be the seller or the target entity
itself.
A ‘processor’ is a person, company or other body which processes personal data on behalf of the
controller. In the M&A context, the VDR provider is most likely a processor as they are merely hosting
data on behalf of the controller. An advisor (including a law firm or corporate finance advisor) may
also be acting as a processor to the extent that they are merely hosting or making personal data
available to the other parties. It is possible for a party to be acting separately as both a processor and
a controller depending on their role.
A party who is acting as a bidder may also be the controller of the personal data processed where
they process it for their own purposes (i.e. determining whether or not to buy the target company).
Any party which accesses a VDR containing personal data is going to be either a processor or a
controller of data and should consider their obligations under data protection law.
The Seller’s Obligations as Controller
The determination as to whether a party is a controller or a processor is ultimately one of fact. Let us
assume that in a typical transaction, the seller is the controller of the personal data which is made
available in the VDR.
This being the case, the seller will need to satisfy itself that it can meet a number of GDPR
requirements.
In the first instance, it will need to consider the transparency
obligations of the GDPR. In a typical transaction, the most
common type of personal data in the VDR will relate to the
employees of the target company. In order to share this data
with third parties via a VDR, the employees should be on notice
of the possibility that this might happen. This is commonly
addressed (for example) in an employee-facing privacy
statement.
In addition to the above, the seller would need to consider
whether it can meet the requirement of having an appropriate
lawful basis for making this data available for review by third
parties (as set out above).
If the seller cannot meet the transparency requirements, or cannot confidently rely on an appropriate
lawful basis for making the data available, there are other options open to it. For example, steps could
be taken to effectively anonymise the data in advance of sharing. The removal of personal identifiers
should not, for the most part, impact on a buyer’s ability to carry out due diligence on the data set. This
anonymisation process also has the benefit of adhering to the general data minimisation principles
which are enshrined in the GDPR.
Tips for anonymising Personal Data:
- redaction of special category personal data and personal data
- using sample form contracts (instead of disclosing each original contract)
- compiling summaries or aggregating information relating to personal data so that Data Subjects are not identifiable
However, the commercial realities of a transaction may make full anonymisation difficult to achieve.
From an efficiency and cost perspective the parties may consider that anonymising a large
unstructured dataset is not achievable and the buyer may require certain due diligence information
which, even if anonymised, will potentially render the data subject identifiable (for example the salary
information about senior executives).
Even if efforts are made to remove all direct or obvious identifiers, such that individuals are not
‘identified’ in the data, the data will still amount to personal data if it is possible to link any Data
Subjects to information in the dataset. Account should be taken of all the means likely reasonably to
be used, either by the controller or by another person, to identify the Data Subject.
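
The point above about senior executives' salary data can be seen in a small added illustration, which is not part of the original article: an employee schedule with names already removed is aggregated per department and grade, and any group below a minimum headcount is withheld because its "average" would describe an identifiable person. The sample records, the field names and the threshold of three are assumptions made for the example, not figures taken from the GDPR or from the article.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample of a VDR employee schedule; names are already removed.
EMPLOYEES = [
    {"dept": "Engineering", "grade": "Staff", "salary": 62000},
    {"dept": "Engineering", "grade": "Staff", "salary": 58000},
    {"dept": "Engineering", "grade": "Staff", "salary": 66000},
    {"dept": "Sales", "grade": "Staff", "salary": 45000},
    {"dept": "Sales", "grade": "Staff", "salary": 47000},
    {"dept": "Sales", "grade": "Staff", "salary": 49000},
    {"dept": "Executive", "grade": "CFO", "salary": 240000},
]


def summarise(records, quasi_ids=("dept", "grade"), k=3):
    """Aggregate salaries per group of indirect identifiers.

    Groups with fewer than k members are withheld: a figure covering so
    few people could be linked to an individual by anyone who knows the
    organisation, so it would still be personal data. k is an assumed
    threshold chosen for this illustration.
    """
    groups = defaultdict(list)
    for rec in records:
        groups[tuple(rec[q] for q in quasi_ids)].append(rec["salary"])

    released, withheld = [], []
    for key, salaries in sorted(groups.items()):
        if len(salaries) >= k:
            released.append({"group": key, "headcount": len(salaries),
                             "mean_salary": round(mean(salaries))})
        else:
            withheld.append(key)  # needs redaction or a coarser grouping
    return released, withheld


if __name__ == "__main__":
    released, withheld = summarise(EMPLOYEES)
    for row in released:
        print(row)
    print("withheld for manual review:", withheld)
```

Running the same function with `k=1` releases the single-member Executive group with its exact salary, which is the situation the paragraph describes.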
Security and Confidentiality
In addition to the above, the seller (as controller) will have a separate obligation to ensure that any
personal data shared is kept securely and maintained in
confidence.
It is of utmost importance to exercise caution when
appointing a party to establish and run a VDR. The VDR
provider will need to be able to secure the data and maintain
its confidentiality.
Each party who has access to the data should be bound by
confidentiality obligations, for example, a non-disclosure
agreement (“NDA”). Parties should consider explicitly
incorporating GDPR protections in the NDA. This is important
to mitigate the risk to the seller, as controller. It gives the
seller an ability to sue the recipient of the disclosed
information where a data protection breach or issue arises as
a result of acts or omissions of the buyer/recipient and
additional control over the personal data it discloses.
There are a number of other, practical ways the security and confidentiality of the personal data in a
VDR can be maintained. For example, access to the VDR should require login/password details (in the
usual way), and the seller should be able to monitor the data being accessed. A seller may also direct
that downloading and printing of information with personal data is restricted.
Post-transaction Actions
Where an acquisition of a business results in a change to the identity of the controller (this might
particularly be the case in an asset sale rather than a share sale), the new controller should take steps
post-transaction to notify the data subjects of the change.
NDA could include the following obligations:
- comply with relevant data protection and privacy laws
- take security measures to guard against data breaches and notify the buyer if there is a data breach
- restrict/prohibit onward transfers and processing of personal data outside the EEA
Conclusion
Awareness of data protection obligations has increased dramatically in recent years. Breaches of the
GDPR can carry significant downside for companies (including the potential for administrative fines
and regulatory investigations). All the parties to an M&A transaction, including their advisors, would
do well to be cognisant of their own obligations towards data subjects in structuring the M&A
transaction process.