Tag Archives: Data Processor

Use of Google Analytics Now Lawful in Germany, Subject to Certain Guidelines

Posted on September 16, 2011 by Hunton & Williams LLP

On September 15, 2011, the data protection authority of the German federal state of Hamburg (the “DPA”) published a press release confirming that Google has significantly improved compliance with respect to the implementation of Google Analytics in Germany.  This finding is the result of two years of fruitful dialog between Google and the DPA, which was acting on behalf of the conference of German data protection authorities responsible for the private sector (the “Düsseldorfer Kreis”).

Continue reading…

Tags: , , , , , ,

Mexico Issues Privacy Regulations for Public Comment – Full Text

Posted on July 7, 2011 by Hunton & Williams LLP

On July 6, 2011, Mexico’s Secretary of Economy, in conjunction with the Federal Institute for Access to Information and Data Protection (“IFAI”), released wide-ranging privacy regulations for public comment.  The regulations establish rules and guidelines for the implementation of Mexico’s Federal Law on the Protection of Personal Data in the Possession of Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares), which became effective one year ago.  Among the topics covered are jurisdictional issues, details regarding notice and consent, the relationship between data controllers and data processors, data transfers, data security, self regulation, data subjects’ rights, automated processing and enforcement.

Access the text of the new regulations in Spanish.  View IFAI’s video press release

Access the U.S. Department of Commerce’s English translation of the regulations
 

Tags: , , ,

Polish DPA Hosts First Conference on BCRs in Warsaw

Posted on June 14, 2011 by Hunton & Williams LLP

On June 13, 2011, the Polish Data Protection Authority (Generalny Inspektor Ochrony Danych Osbowych or “GIODO”) hosted a conference in Warsaw on the use of binding corporate rules (“BCRs”) for international data transfers.  The conference was notable as the first on this topic in Poland, and was designed to introduce BCRs to a Polish audience and to promote their use.  The audience of approximately 70 people heard presentations by the Polish Inspector General for Data Protection, Wojciech Rafał Wiewiórowski, as well as representatives of the Belgian, French, Polish, Spanish and UK DPAs, and the international and Polish business communities.  Christopher Kuner, partner in the Brussels office of Hunton & Williams, spoke at the conference on a panel entitled “BCRs requirements and practical implementation.”  View the conference program.

In his presentation, Wiewiórowski explained that, although he personally looks favorably on the use of BCRs, Poland has not been able to join the Article 29 Working Party’s mutual recognition procedure due to legal impediments under Polish law.  Several of the DPAs expressed interest in exploring the use of BCRs for data processors, but indicated that a number of obstacles must be overcome before such use could be approved.  Following the workshop, on June 15, 2011, a number of DPAs met in closed session in Warsaw to work on better coordination of the mutual recognition and approval procedure.

Tags: , , , ,

European Commission Finds Israeli Data Protection Law Provides Adequate Protection

Posted on February 1, 2011 by Hunton & Williams LLP

Reporting from Israel, legal consultant Dr. Omer Tene writes:

On January 31, 2011, the European Commission formally approved Israel’s status as a country providing “adequate protection” for personal data under the European Data Protection Directive.  The decision is restricted to automated international data transfers from the EU, as well as to non-automated data transfers that are subject to further automated processing in Israel.  It will allow unrestricted transfers of personal data from the EU to Israel, for example between corporate affiliates or from European companies to data centers in Israel.

Continue reading…

Tags: , , , , , , ,

German DPA States that Companies’ Website Privacy Practices Violate Data Protection Law

Posted on January 24, 2011 by Hunton & Williams LLP

On January 24, 2011, the data protection authority of the German state of Rhineland-Palatinate issued a press release regarding significant breaches of data protection law by companies that maintain websites and create user profiles. Continue reading…

Tags: , , ,

German DPAs Set Minimum Qualification and Independence Requirements for Company Data Protection Officers

Posted on December 17, 2010 by Hunton & Williams LLP

On November 25, 2010, the German data protection authorities responsible for the private sector (also known as the “Düsseldorfer Kreis”) issued a resolution on the minimum requirements for the qualifications and independence of company data protection officers (“DPOs”).  This initiative follows inspections carried out within companies that revealed a generally insufficient level of expertise among DPOs given data processing complexities and the requirements set by the Federal Data Protection Act.  The DPAs recognize that a DPO’s workload depends primarily on the size and number of data controllers the DPO supervises, industry-specific factors related to data processing and the level of protection required for the types of personal data being processed.  Changes with respect to these factors frequently increase the burden on DPOs without a compensating increase in resources needed to ensure proper oversight.

Continue reading…

Tags: , , , ,

French DPA Releases New Guidance on Outsourcing Activities

Posted on October 25, 2010 by Hunton & Williams LLP

On October 11, 2010, the French Data Protection Authority (the “CNIL”) released guidance (the “Guidance”) on data protection issues related to the outsourcing of data processing activities to non-EU countries (Les questions posées pour la protection des données personnelles par l’externalisation hors de l’Union européenne des traitements informatiques). 

The Guidance was prepared following interviews held in 2009 by the CNIL’s international affairs department with consultancy groups, law firms advising on outsourcing deals, and companies actively engaged in offshore activities.  The interviews were conducted to provide the CNIL with insight regarding the impact of data protection requirements on outsourcing activities.  The Guidance is part of a broader analysis of the concepts of data controller and data processor carried out by the Article 29 Working Party (see the Working Party’s Opinion on the concepts of controller and processor).

Continue reading…

Tags: , , , , , ,

French DPA Releases New Guidance on Personal Data Security

Posted on October 11, 2010 by Hunton & Williams LLP

On October 7, 2010, the French Data Protection Authority (the “CNIL”) released its first comprehensive handbook on the security of personal data (the “Guidance”).  The Guidance follows the CNIL’s “10 tips for the security of your information system” issued on October 12, 2009, which were based on the CNIL’s July 21, 1981 recommendations regarding security measures applicable to information systems.

The Guidance reiterates that data controllers have an obligation under French law to take “useful precautions” given the nature of the data and the risks associated with processing the data, to ensure data security and, in particular, prevent any alteration or damage, or access by non-authorized third parties (Article 34 of the French Data Protection Act).  Failure to comply with this requirement is punishable by up to five years imprisonment or a fine of €300,000.

Continue reading…

Tags: , , , , , ,

Addition to Washington Breach Law Imposes Retailer Liability in Payment Card Breaches

Posted on March 24, 2010 by Hunton & Williams LLP

Under a Washington law effective July 1, 2010, certain entities involved in payment card transactions may be liable to financial institutions for costs associated with reissuing payment cards after security breaches.  Designed to encourage the reissuance of payment cards as a means of mitigating harm caused by security breaches, Washington H.B. 1149 applies to three types of entities:  businesses, processors and vendors.  Under the law, a business is an entity that “processes more than six million credit card and debit card transactions annually, and who provides, offers, or sells goods or services to . . . residents of Washington.” A processor is any entity, other than a business, that “directly processes or transmits [payment card] account information for or on behalf of another person as part of a payment processing service.” A vendor is any “entity that manufactures and sells software or equipment that is designed to process, transmit, or store [payment card] account information or that maintains account information that it does not own.”

Continue reading…

Tags: , , , ,

Article 29 Working Party Issues Opinion on the Concepts of Controller and Processor

Posted on March 1, 2010 by Hunton & Williams LLP

On February 16, 2010, the Article 29 Working Party adopted Opinion 1/2010 (the “Opinion”) providing further clarification and guidance on the interpretation of the concepts of “data controller” and “data processor” in the context of the EU’s Data Protection Directive 95/46/EC.  The full text of the Opinion (in English) has been made public on the Dutch DPA’s website.

Continue reading…

Tags: , , ,