Binding Corporate Rules
Transfer of personal data to third countries
5 March 2013, by Inger Anne Folkestad Tornes and Kjell Steffner
Transfer of personal data abroad
Typical cases: cloud services / cloud computing; internal data systems in international groups, e.g. HR
The challenge for international groups: lawful handling of personal data across jurisdictions
BCR
• Group rules for international organisations
• Make it lawful to move data out of the EU/EEA area, within the organisation's own structure
• Now apply to both data processors and data controllers
The eighth data protection principle and international data transfers
“Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”
The fear: what happens when data cross the border?
• Third countries are states outside the EU/EEA, or states not specifically approved
• "Safe Harbor" applies to US companies
• Do personal data lose their protection the moment they leave the EU/EEA?
Art. 25 of the Data Protection Directive
The third country must ensure an adequate level of protection, assessed in light of the nature of the data, the purpose and duration of the proposed processing, the country of origin, the country of final destination, etc.
Export is possible when…
European Data Protection Directive (Directive 95/46/EC, the "Directive")
Third countries recognised as ensuring an adequate level of protection: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, Uruguay
Art. 26 of the Data Protection Directive: exceptions
…or, for example, by using:
• Binding Corporate Rules
• EU Model Contractual Clauses
• Consent from the data subject…
Binding corporate rules
Standard application for approval for the transfer of personal data (WP133)
PART 1 APPLICANT INFORMATION
• If the Group has its headquarters in the EEA the form should be filled out and submitted by that EEA entity.
• If the Group has its headquarters outside the EEA, then the Group should appoint a Group entity located inside the EEA – preferably established in the country of the presumptive lead DPA – as the Group member with “delegated data protection responsibilities”. This is the entity which should then submit the application on behalf of the Group.
Section 2: Short description of data flows
• Brief description of the scope and nature of the data flows from the EEA for which approval is sought.
• Nature of the data covered by BCRs, and in particular, if they apply to one category of data or to more than one category (for instance human resources, customers, ...).
• Do the BCRs only apply to transfers from the EEA, or do they apply to all transfers between members of the group?
• From which country most of the data are transferred outside the EEA.
– Extent of the transfers within the Group that are covered by the BCRs, including a description of any Group members in the EEA or outside the EEA to which personal data may be transferred.
Section 3: Determination of the Lead Data Protection Authority
• Location of the Group’s EEA Headquarters.
• If the Group is not headquartered in the EEA, the location in the EEA of the Group entity with delegated data protection responsibilities.
• The location of the company which is best placed (in terms of management function, administrative burden, etc.) to deal with the application and to enforce the binding corporate rules in the Group.
• Country where most of the decisions in terms of the purposes and the means of the data processing are taken.
• EEA Member States from which most of the transfers outside the EEA will take place.
BINDING NATURE OF THE BCRs
• Measures or rules that are legally binding on all members of the Group:
– Contracts between the members of the Group
– Unilateral declarations or undertakings made or given by the parent company which are binding on the other members of the Group
– Incorporation of other regulatory measures (e.g. obligations contained in statutory codes within a defined legal framework)
– Incorporation of the BCRs within the general business principles of a Group backed by appropriate policies, audits and sanctions
• Members of the corporate group, as well as each employee within it, will feel compelled to comply with the internal rules
Binding upon the employees
• Work employment contract
• Collective agreements (approved by workers committee/another body)
• Employees must sign or attest to have read the BCRs or related ethics guidelines in which the BCRs are incorporated
• BCRs have been incorporated in relevant company policies
• Disciplinary sanctions for failing to comply with relevant company policies, including dismissal for violation
• Summary supported by extracts from policies and procedures or confidentiality agreements as appropriate to explain how the BCRs are binding upon employees.
Binding corporate rules
The benefits of implementing them in the organisation
What is the essence?
• Move data freely within the organisation
• The organisation becomes a safe harbour with an adequate level of protection
• Strong data protection and privacy compliance is a competitive advantage
The privacy principles
A little about the privacy principles
1. Consent or other legal basis
2. Proportionality
3. Purpose limitation
4. Relevance and minimality
5. Completeness and quality
6. Information and access
7. Information security
8. Particularly strict rules for the processing of sensitive personal data
9. Anonymity and the ability to act without leaving traces
Fundamental privacy principles
Lawful and fair processing
• All processing of personal data requires a legal basis, and the data controller shall take due account of the data subject's legitimate privacy interests. Sensitive personal data are subject to stronger protection than ordinary personal data.
User participation and control
• The data controller shall make the processing transparent and comprehensible to the data subject, so that the data subject is able to foresee the consequences of the processing and to safeguard his or her privacy interests.
Purpose limitation
• Before collecting and processing personal data, the data controller shall state a clear and express purpose for the processing. The data shall not later be used for incompatible purposes.
Minimality
• Personal data shall only be collected, stored and processed to the extent necessary to achieve the purpose of the processing.
Data quality
• Personal data shall be of adequate quality for the purpose for which they are to be used. This means, among other things, that the data shall be sufficiently up to date, precise and relevant in relation to the purpose of the processing.
Information security
• The data controller (and the data processor) shall ensure satisfactory information security with regard to confidentiality, integrity and availability when processing personal data.
NOU 2009:1
EU directive / OECD principles
1. Notice—data subjects should be given notice when their data is being collected;
2. Purpose—data should only be used for the purpose stated and not for any other purposes;
3. Consent—data should not be disclosed without the data subject’s consent;
4. Security—collected data should be kept secure from any potential abuses;
5. Disclosure—data subjects should be informed as to who is collecting their data;
6. Access—data subjects should be allowed to access their data and make corrections to any inaccurate data; and
7. Accountability—data subjects should have a method available to them to hold data collectors accountable for following the above principles.
International Safe Harbor Privacy Principles
1. Notice - Individuals must be informed that their data is being collected and about how it will be used.
2. Choice - Individuals must have the ability to opt out of the collection and forward transfer of the data to third parties.
3. Onward Transfer - Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles.
4. Security - Reasonable efforts must be made to prevent loss of collected information.
5. Data Integrity - Data must be relevant and reliable for the purpose it was collected for.
6. Access - Individuals must be able to access information held about them, and correct or delete it if it is inaccurate.
7. Enforcement - There must be effective means of enforcing these rules.
Inger Anne Folkestad Tornes Kjell Steffner
• Lawyer, partner
• Specialist industry expertise in ICT
• Good understanding of technology, project methodology and strategy
• Works with contract law, negotiations, public procurement and privacy
• Tel. 905 11 901, [email protected]
• Associate lawyer (advokatfullmektig)
• Advisory services for the ICT sector
• Works with contract law, privacy and e-commerce, as well as public procurement
• Tel. 970 99 524, [email protected]
LYNX advokatfirma DA, Hieronymus Heyerdahls gate 1, N-0160 Oslo, http://lynxlaw.no/