Topics covered by Cross-Border Publisher: Data Protection

Cross-Border Publisher: Data Protection from Clifford Chance Applied Solutions ("CCAS") consists of 78 questions sent by CCAS to Clifford Chance lawyers qualified in 17 jurisdictions. We report the jurisdictions and the questions covered in this user guide.

Jurisdictions

The jurisdictions covered are as follows: 

  • Austria,
  • Belgium,
  • Czech Republic, 
  • France,
  • Germany,
  • Hungary,
  • Ireland,
  • Italy,
  • Luxembourg,
  • Netherlands,
  • Poland,
  • Portugal,
  • Romania,
  • Slovakia,
  • Spain,
  • Sweden, and
  • the United Kingdom.

Note that currently there are no answers for each of the 78 questions in every jurisdiction.

Questions

The questions in Cross-Border Publisher: Data Protection are as follows:

Personal data protection laws

  1. Which legislation governs the processing of personal data?
  2. What is the territorial scope of the relevant personal data protection legislation?
  3. Has the local data protection authority provided any guidance on its position on territorial scope?
  4. Are there any rules, regulations or codes of conduct on personal data protection that are specific to the financial sector?

Personal data defined

  1. What is personal data?
  2. Has the local data protection authority provided any guidance on its position on the definition of personal data?

Responsibility for personal data

  1. Who qualifies as a controller or processor of personal data?
  2. Has the local data protection authority provided any guidance on its position on who qualifies as a controller or processor?
  3. Is information relating to a business considered personal data? 
  4. Does the relevant personal data protection legislation apply to incorporated companies?

Main principles

  1. What are the main principles of personal data protection legislation?

Purpose limitation and compatibility of purpose

  1. Is the permitted collection and processing of personal data limited to certain purposes?
  2. Has the local data protection authority provided any guidance on its position on the purposes for which personal data may be processed? 
  3. Is another purpose for processing, other than the purpose for which the data was collected, only permitted if it is compatible with the original purpose?
  4. What are the criteria to determine whether a secondary purpose is compatible with the original purpose?
  5. Has the local data protection authority provided any guidance on its position on compatible purpose?
  6. Is a secondary purpose compatible if it is included in the privacy statement disclosed at the time of the collection of the personal data for the original purpose? For example, if personal data is collected for the performance of an agreement but the privacy statement permits its use for marketing purposes?

Legitimate processing

  1. What are grounds for legitimate processing of personal data?
  2. Can personal data be processed on the grounds of the legitimate interest of the controller or a third party?
  3. Has the local data protection authority provided any guidance on its position on performing a legitimate interest assessment?

Special categories of personal data

  1. When is the processing of special categories of personal data permitted?
  2. Has the local data protection authority provided any guidance on its position on the processing of special categories of personal data?

Criminal offences and convictions

  1. When is the processing of personal data relating to criminal offences and convictions permitted?
  2. Has the local data protection authority provided any guidance on its position on the processing of personal data relating to criminal offences and convictions?

Social security numbers and other national identifiers

  1. When is the processing of social security numbers or other national identifiers permitted?
  2. Are there any requirements that must be met to process social security numbers or other national identifiers, such as notification to the local authorities or obtaining the consent of the individual?
  3. Can social security numbers or other national identifiers be processed on the basis of the individual's consent?
  4. Has the local data protection authority provided any guidance on its position on the processing of social security numbers or other national identifiers?

Transparency

  1. Has the local data protection authority provided any guidance on its position on the way in which data subjects must be informed about the processing of personal data?
  2. What are the requirements of informing data subjects about the processing of their personal data?
  3. When does informing individuals on personal data processing constitute a disproportionate effort for a controller? If this requires a disproportionate effort, is a controller required to inform the data subject about the processing of personal data?

Lawful processing: consent

  1. What are the requirements of consent for the processing of personal data?
  2. Has the local data protection authority provided any guidance on its position on consent?
  3. What personal data processing activities may only be performed when the individual has given consent?

Storage limitation and archiving

  1. How long may personal data be retained?
  2. Is it required for a controller to have a data retention policy?
  3. Where the purpose for processing personal data no longer exists and the statutory record retention period or statute of limitations has expired, is it permitted to retain personal data? For example, in a limited accessible archive?
  4. Has the local data protection authority provided any guidance on its position on the retention and archiving of personal data?

Security (integrity & confidentiality) and security breaches

  1. Has the local data protection authority provided any guidance on its position on the appropriate security measures to protect personal data?
  2. Is it necessary to notify the local data protection authority in the event of a personal data security breach?
  3. What are the requirements of a breach notification to the data protection authority?
  4. Is it necessary to notify the affected data subjects in the event of a personal data security breach?

Use of copies of identity cards

  1. Is it permitted to use and store copies of identity cards such as passports, national identity cards or driving licenses? For example, for know-your-client purposes?

Profiling and automated decision making

  1. What is profiling and when is it permitted?
  2. What is the local data protection authority's position on profiling?
  3. Is profiling permitted if it is based on a legitimate interest?
  4. Can a controller make decisions based solely on automated processing that have a legal or other significant effect for the individual?
  5. Has the local data protection authority provided any guidance on its position on profiling and/or automated decision making?

Use of personal data in free text fields of payment orders

  1. Can a controller process personal data that is submitted in the free text fields of payment orders?
  2. Has the local data protection authority provided any guidance on its position on the use of personal data in the free text fields of payment orders?
  3. Can a controller process special categories of personal data, personal data relating to criminal offences and convictions, and national identifiers submitted in free text fields of payment orders?

Data subjects' rights

  1. What rights are available to data subjects under your local personal data protection legislation?
  2. When can data subjects request the deletion of their personal data?
  3. Has the local data protection authority provided any guidance on its position on a data subject's right to deletion?

Anonymisation

  1. How can personal data be anonymised effectively?
  2. Has the local data protection authority provided any guidance on its position on the anonymisation of personal data?
  3. Does anonymising personal data constitute processing?
  4. May anonymised personal data be shared with third parties?
  5. May pseudonymised personal data be shared with third parties?

Sharing personal data and international transfers

  1. May companies within the same group share personal data?
  2. May personal data be shared with third parties?
  3. What are the requirements when transferring personal data outside your jurisdiction?
  4. Has the local data protection authority provided any guidance on its position on the requirements for sharing and transferring personal data within, and outside of, the jurisdiction?
  5. Has the local data protection authority approved any data transfer agreement precedents, standard data protection clauses, codes of conduct or certification mechanisms to enable the transfer of personal data outside the jurisdiction?

Accountability and governance

  1. Who is the data protection authority?
  2. Are there any requirements to pay a fee to, notify, or register with the local data protection authority before processing personal data?
  3. What are the requirements applicable to the planning and implementation of personal data protection policies and processes?
  4. Has the local data protection authority provided any guidance on its position on the planning and implementation of data protection policies and processes?
  5. Is it mandatory to keep a record of processing activities and, if so, what information should be included?
  6. Is it necessary to conduct a data protection impact assessment (DPIA) before processing personal data?
  7. Has the local data protection authority provided any guidance on its position on when and how to conduct a data protection impact assessment (DPIA)?
  8. Does the local data protection authority publish a blacklist (i.e. data processing operations that require a DPIA) and/or a white list (i.e. data processing operations that do not require a DPIA)?
  9. When is it necessary to appoint a data protection officer?
  10. What are the requirements applicable to the appointment and function of data protection officers?

Sanctions and liability

  1. What are the sanctions that may be imposed by the local data protection authority under data protection laws for breach of data protection laws?
  2. Who can be held liable for breach of data protection laws?
  3. What are the data subject's remedies in the event of a breach of data protection laws?
  4. Can an individual waive their rights in respect of a breach of data protection laws?

Legal Information

Finally, a note on how you can use this user's guide. This user's guide is not to be considered legal advice and is not a substitute for advice from qualified legal counsel. The information we provide is not tailored to your individual circumstances, and you may not rely on it. Material aspects of the discussions in this user's guide may change at any time and without further notice. PartnerVine undertakes no responsibility to update the information in this user's guide.