GLOBAL RULES FOR DATA COLLECTION
AND PRIVACY EXPLAINED
A GUIDE FOR USING THE NALPEIRON ANALYTICS SERVICE
NALPEIRON.COM 2/6...
GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED
CONTENTS
CONTENTS.....................................................
GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED
PROCESSING AND TRANSFERING DATA.......................................
GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED
INTRODUCTION
WHO ARE NALPEIRON?
Nalpeiron Inc. is a mature profitab...
GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED
WHO SHOULD USE THE NALPEIRON SOFTWARE ANALYTICS SERVICE?
• Internal...
GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED
• Be more competitive –
o Use detailed, real-time, business informa...
GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED
LEGAL ISSUES WITH DATA COLLECTION AND USAGE
The law, especially int...
GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED
QUICK START GUIDE
The first question you should ask when collecting...
GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED
BEST PRACTICES
Even if the above is true you should always be open ...
GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED
Our Customer Experience Improvement Program (CEIP) is a way to allo...
GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED
AN EXAMPLE CEIP PRIVACY STATEMENT
Privacy Statement for the [Your C...
GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED
In addition, standard computer information typically includes certa...
GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED
SETTING UP AND USING PRIVACY CONTROLS IN THE NALPEIRON SOFTWARE ANA...
GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED
You can simply choose one of the recommended Countries to block dat...
GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED
CLIENT-SIDE USER OPT-IN
In most cases you need to get end users to ...
GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED
If you place the opt-in process within your application so it’s eas...
GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED
THE BASICS OF DATA COLLECTION AND PRIVACY
WHAT IS A DATA CONTROLLER...
GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED
• Ireland
• Italy
• Lithuania
• Luxembourg
• Malta
• Monaco
• Nethe...
GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED
WORLDWIDE MAP OF DATA PRIVACY PROTECTIONS
Most restricted
Restricte...
GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED
STARTING COLLECTION OPERATIONS
WHAT TYPE OF DATA IS REGULATED BY LA...
GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED
DO I NEED TO OBTAIN CONSENT FROM A SUBJECT BEFORE I COLLECT DATA?
M...
GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED
ARE USER GROUPS CONSIDERED INDIVIDUALS FOR DATA PRIVACY PURPOSES?
F...
GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED
PROCESSING AND TRANSFERING DATA
WHAT IS MEANT BY DATA PROCESSING AN...
GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED
A Data Controller is required to have in place appropriate security...
GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED
After examining the map above, please consult Appendix B to verify ...
GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED
See attached Appendix C for a contact list of national data protect...
GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED
RULES GOVERNING THE COLLECTION AND PROCESSING OF DATA
Generally the...
GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED
None
JAPAN
Consent
When handling personal information, a business o...
GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED
EU COUNTRIES
Consent
Obtaining Consent is required under European U...
GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED
Canadian law contains a series of fair information processing oblig...
GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED
Almost every US state requires notifying state residents of a secur...
GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED
specified in the PPA, it is necessary to provide DATA SUBJECTS with...
GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED
REGULATION OF TRANSFERS IN COUNTRIES BEYOND EUROPE TO THE UNITED ST...
GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED
SOUTH KOREA
As a general rule, a Data Handler or an IT Service Prov...
GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED
number, nationality, address, and date of birth. The purpose and pr...
GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED
APPENDIX A
GETTING ORGANIZED FOR DATA PROTECTION
A quick look at so...
GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED
Remember -you should be able to answer YES to all of the questions ...
GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED
Rule 4: Security
• Is there a list of security provisions in place ...
GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED
• Do we have a policy on deleting personal data as soon as the purp...
GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED
APPENDIX B
DATA PROTECTION CONTACT DETAILS FOR ALL MAJOR COUNTRIES
...
GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED
www.privacy.gov.au (Office of the Privacy Commissioner) - Website o...
GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED
Czech Republic
www.uoou.cz (ÚOOÚ - Hlavní stránka) - The website of...
GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED
• www.datenschutz-berlin.de (Berliner Beauftragter für Datenschutz ...
GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED
Greece
www.dpa.gr (Αρχή) - Website of the hellenic data protection ...
GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED
Latvia
www.dvi.gov.lv/eng (Data State Inspection .|. Homepage) - We...
GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED
www.cbpweb.nl (College bescherming persoonsgegevens) - Website of t...
GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED
• www.bern.ch/stadtverwaltung/datenschutz (Die Stadt Bern - Datensc...
GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED
• http://swww.agpd.es (Agencia de Protección de Datos) - Website of...
Nalpeiron explains global rules for data collection and privacy
Nalpeiron explains global rules for data collection and privacy
Nalpeiron explains global rules for data collection and privacy
Nalpeiron explains global rules for data collection and privacy
Nalpeiron explains global rules for data collection and privacy
Nalpeiron explains global rules for data collection and privacy
Nalpeiron explains global rules for data collection and privacy
of 55

Nalpeiron explains global rules for data collection and privacy

Most software Companies are now global, even tiny start-ups, due the ease of access to app stores, distribution systems and the internet, therefore you need to have a system to control and manage the data and to protect it if you plan to use any form of collection from your users. Software Analytics Services can help by providing the infrastructure and options required to segment and control the data, both from a capture and content perspective. In many cases you may wish to block data to be collected from a region (like consumer data from Switzerland or Germany for example) or ensure the data is anonymous, but in other areas or where you have been granted permission you will want to connect users with their usage to get the best results.
Published on: Mar 3, 2016
Published in: Technology      News & Politics      
Source: www.slideshare.net


Transcripts - Nalpeiron explains global rules for data collection and privacy

  • 1. GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED A GUIDE FOR USING THE NALPEIRON ANALYTICS SERVICE NALPEIRON.COM 2/6/13 V1.1
  • 2. GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED CONTENTS CONTENTS...............................................................................................................................................................................1 INTRODUCTION.......................................................................................................................................................................3 Who are Nalpeiron?............................................................................................................................................................3 What is the Nalpeiron Software Analytics Service (NSA)?..................................................................................................3 Why use Nalpeiron Software Analytics in your Applications?............................................................................................3 Who should use the Nalpeiron Software Analytics Service?..............................................................................................4 Benefits of Nalpeiron Software Analytics ...........................................................................................................................4 LEGAL ISSUES WITH DATA COLLECTION AND USAGE.............................................................................................................6 QUICK START GUIDE............................................................................................................................................................7 Best Practices......................................................................................................................................................................8 AN EXAMPLE CEIP PROGRAM COLLECTION STATEMENT ...................................................................................................8 AN EXAMPLE CEIP PRIVACY STATEMENT..........................................................................................................................10 SETTING UP AND USING PRIVACY CONTROLS IN THE NALPEIRON SOFTWARE ANALYTICS SERVICE...................................12 THE BASICS OF DATA COLLECTION AND PRIVACY ................................................................................................................16 What is a data controller?.................................................................................................................................................16 What is a data processor?.................................................................................................................................................16 Is it necessary to register as a data collector or processor?.............................................................................................16 What needs to be done before data can be collected?....................................................................................................17 Are there any countries, which have especially strict data privacy rules?.......................................................................17 STARTING COLLECTION OPERATIONS...................................................................................................................................19 What type of data is regulated by law?............................................................................................................................19 How do I make a privacy policy?.......................................................................................................................................19 Do I need to obtain Consent from a subject before I collect data?..................................................................................20 What is meant by "anonymous" data?.............................................................................................................................20 What if the data is anonymous do data privacy rules still apply? ....................................................................................20 Are there any special rules concerning collecting data from internal staff as opposed to a purchaser? ........................20 If a user is beta testing software does it impact how I can collect data?.........................................................................20 Are user groups considered individuals for data privacy purposes?................................................................................21 What type of information must be provided in a Consent or privacy warning statement? ............................................21 NALPEIRON IS NOT PROVIDING A LEGAL OPINION, YOU MUST ALWAYS SEEK GUIDANCE ON LEGAL MATTERS FROM YOUR OWN LAWYERS © 1991 - 2013 NALPEIRON, ALL RIGHTS RESERVED.
  • 3. GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED PROCESSING AND TRANSFERING DATA................................................................................................................................22 What is meant by data processing and are their rules regulating this practice? .............................................................22 Where will you be collecting data?...................................................................................................................................23 Will we need to register as a data collector?....................................................................................................................24 Will the data collected be anonymous? ...........................................................................................................................25 RULES GOVERNING THE COLLECTION AND PROCESSING OF DATA......................................................................................26 Asia....................................................................................................................................................................................26 EU Countries .....................................................................................................................................................................28 The Americas.....................................................................................................................................................................28 The Middle East ................................................................................................................................................................30 Regulation of Transfers in Countries beyond Europe to the United States..........................................................................32 Asia....................................................................................................................................................................................32 The Middle East ................................................................................................................................................................33 The Americas.....................................................................................................................................................................33 APPENDIX A...........................................................................................................................................................................35 GETTING ORGANIZED FOR DATA PROTECTION ................................................................................................................35 OBLIGATIONS ON RETENTION AND SECURITY NEED TO BE ADDRESSED .........................................................................35 SELF-HELP CHECKLIST ON DATA PROTECTION POLICY .....................................................................................................35 MAIN RESPONSIBILITIES....................................................................................................................................................36 APPENDIX B...........................................................................................................................................................................39 DATA PROTECTION CONTACT DETAILS FOR ALL MAJOR COUNTRIES ..............................................................................39 APPENDIX C...........................................................................................................................................................................49 Global Table of Data Privacy Laws ....................................................................................................................................49 Global Table of Data Privacy Bills......................................................................................................................................52 NALPEIRON IS NOT PROVIDING A LEGAL OPINION, YOU MUST ALWAYS SEEK GUIDANCE ON LEGAL MATTERS FROM YOUR OWN LAWYERS © 1991 - 2013 NALPEIRON, ALL RIGHTS RESERVED.
  • 4. GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED INTRODUCTION WHO ARE NALPEIRON? Nalpeiron Inc. is a mature profitable 21 year old, US headquartered, Company with offices in London, to support EMEA. All our servers and infrastructure are based in the US and are maintained by US staff in private and not the public cloud. We have been serving Software ISVs across 100 Countries with the World’s leading Hosted Licensing and Analytics Service since 2005. Our products exist on millions of end users (Windows, Mac and Linux) desktops and networks Worldwide. We serve and protect some of the largest enterprise software companies as well as some of the smallest startups – all via an easy to use cloud-based platform. Our clients use our technology to provide improved end user experiences while protecting, licensing or analyzing their Software in the field. WHAT IS THE NALPEIRON SOFTWARE ANALYTICS SERVICE (NSA)? A real-time Business Information Service for Software Analytics, Run-time Intelligence and Product Usage Insight. Easily retrofit your Software and then capture all the critical elements of a user’s interaction and usage. Improve Software quality, plan new features effectively, use engineering resources wisely and keep your users happy. Real-time analytics data in useful charts, reports and dashboards. Detailed, up to the minute, Business Intelligence not raw statistics. WHY USE NALPEIRON SOFTWARE ANALYTICS IN YOUR APPLICATIONS? • Fully understand your product lifecycle from download/signup all the way to end of life, passing through beta, NFR, trials, freeware and then on to a sale and beyond • Learn how customers discover and use product features to drive improved adoption and reduce wasted engineering efforts across Windows, Mac and Linux platforms • Understand how features operate in complex, real-world configurations to reduce support headaches and user problems (analyze your data by platform, operating system, configuration, region, language, state, version, date and build) • Learn more about error conditions that might be caused by software defects or configuration issues to improve customer satisfaction and software quality • Use trigger events to drive increased trial conversions via automated marketing • Understand how well marketing promotions are working and focus resources NALPEIRON IS NOT PROVIDING A LEGAL OPINION, YOU MUST ALWAYS SEEK GUIDANCE ON LEGAL MATTERS FROM YOUR OWN LAWYERS © 1991 - 2013 NALPEIRON, ALL RIGHTS RESERVED.
  • 5. GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED WHO SHOULD USE THE NALPEIRON SOFTWARE ANALYTICS SERVICE? • Internal teams developing Software for non-commercial use – Usage, error and adoption data can be used to fully understand how Software is being consumed within the Organization to enable better use of resources, reduce error rates and proactively increase Software quality along with costs savings in engineering and increased satisfaction levels with internal Users. • Teams at Open Source Developers – Even though Open Source vendors are not charging for their products they still need to plan product development cycles, focus on features and usage that is adding value to users and to track what is happening with their products in the real World. An additional benefit can be compliance to license terms and understanding of adoption levels to help drive sales and marketing efforts. • Outsourced Software teams developing Software for others – Software quality and early understanding of a project’s success benefits both the provider and the client. Having detailed data also show clients that the provider is fully in control of the lifecycle of the development environment and is proactively working to reduce waste and to make the best products possible for the client. Also accelerated problem diagnosis and troubleshooting resulting in shorter test schedules and higher customer satisfaction. • Teams at Independent Software Vendors (ISVs) – A detailed understanding of usage of ISV products helps many departments: engineering can focus resources on features that are in demand, marketing can drive improved conversions, better use of marketing budgets and enhanced product marketing insights and sales can get actionable leads and trends to help plan partner, region and product based sales strategy. BENEFITS OF NALPEIRON SOFTWARE ANALYTICS • Reduce business risk – o Intimately understand the customer, their usage and needs o Create the most marketable and competitive products o Eliminate wasted engineering and marketing spend o Go from gut feelings to hard data • Increase revenues and profits – o Automate the processes that drive adoption, reduce churn and focus sales effort o Understand where to put your investment spend for maximum returns o Drive adoption through improved engagement o Focus marketing efforts on those that increase engagement and conversions NALPEIRON IS NOT PROVIDING A LEGAL OPINION, YOU MUST ALWAYS SEEK GUIDANCE ON LEGAL MATTERS FROM YOUR OWN LAWYERS © 1991 - 2013 NALPEIRON, ALL RIGHTS RESERVED.
  • 6. GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED • Be more competitive – o Use detailed, real-time, business information to make management decisions o Bring together Sales, Marketing, finance and Product Management data o Make access to usable business critical data easy for everyone, anytime, and in minutes • Streamline engineering o Get the facts about what users want in terms of new features and capabilities o If you are migrating or building a SaaS app, learn the core feature set to build out o Avoid engineering effort where it will not drive new business o Improve software quality and make code more robust NALPEIRON IS NOT PROVIDING A LEGAL OPINION, YOU MUST ALWAYS SEEK GUIDANCE ON LEGAL MATTERS FROM YOUR OWN LAWYERS © 1991 - 2013 NALPEIRON, ALL RIGHTS RESERVED.
  • 7. GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED LEGAL ISSUES WITH DATA COLLECTION AND USAGE The law, especially international data protection law, is highly complex and it pays to understand how consumer privacy maps against business data and then across regions and countries worldwide. Where and how you store data is important, what type you collect and about what type of entity and also the use of that data all come into question. Users need to give permission in many cases and in some countries need to be given access to the data being held – all this complexity requires thought, control and access. This is an expensive and time consuming issue that has to be thought about in the context of the customer base you sell and their worldwide locations. Most software Companies are now global, even tiny startups, due the ease of access to app stores, distribution systems and the internet, therefore you need to have a system to control and manage the data and to protect it if you plan to use any form of collection from your users. Software Analytics Services can help once again by providing the infrastructure and options required to segment and control the data, both from a capture and content perspective. In many cases you may wish to block data to be collected from a region (like consumer data from Switzerland or Germany for example) or ensure the data is anonymous, but in other areas or where you have been granted permission you will want to connect users with their usage to get the best results. Here are some scenarios: • Automatic transmission of all data - useful for beta testing, NFR, resellers, affiliates or in-house corporate applications for which users have granted consent as part of agreements they accepted prior to installing the program. • Automatic transmission with opt-in or a later opt-out is better for commercially available software applications to enable informed consent and maintain a high-degree of transparency and trust with your users. • Prompt for transmission after errors or in an environment that is not internet connected is ideal and a universally accepted process. • Prompt for transmission in an environment that is not internet connected, with a site to upload the data too, is great for a collaborative effort with enterprise type customers. • Transmit upon user request is again a way to send data about an event without user privacy issues. NALPEIRON IS NOT PROVIDING A LEGAL OPINION, YOU MUST ALWAYS SEEK GUIDANCE ON LEGAL MATTERS FROM YOUR OWN LAWYERS © 1991 - 2013 NALPEIRON, ALL RIGHTS RESERVED.
  • 8. GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED QUICK START GUIDE The first question you should ask when collecting data is this: Will the data collected be anonymous? It is important to consider what anonymous data is. Anonymous data is information where the identity of the data subject is impossible to determine. When reviewing this data ask is there any likelihood I could determine the identity of the subject from the data collected? If the answer is no, then data may processed information free of regulation because it is not ‘personal data,’ but ‘anonymous data’. A second consideration is: How is the data best anonymized? In these situation EU regulations on the subject, provide the model for best practices worldwide. Anonymization best practices are dictated as follows: Methods to anonymize personal data, particularly before publishing statistical information or research results, include: • deleting or omitting ‘identifying details’, for example names; • substituting code numbers for names or other direct identifiers (this is pseudonymization, effectively); • aggregating information, for example by age group, year, town; and barnardization or other techniques introducing statistical noise, for example differential privacy techniques with statistical databases. • or some combination of these methods. IF DATA IS GENUINELY ANONYMIZED THERE IS NO REGULATION REGARDING COLLECTING IT AND TRANSMITTING IT. IF THE ABOVE STATEMENT IS TRUE THEN IN MOST CIRCUMSTANCES YOU WILL NOT NEED TO READ THE REST OF THE DOCUMENT BEFORE STARTING YOUR ANALYTICS PROJECT. NALPEIRON IS NOT PROVIDING A LEGAL OPINION, YOU MUST ALWAYS SEEK GUIDANCE ON LEGAL MATTERS FROM YOUR OWN LAWYERS © 1991 - 2013 NALPEIRON, ALL RIGHTS RESERVED.
  • 9. GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED BEST PRACTICES Even if the above is true you should always be open with your users about your intentions, what data you will be collecting and how you will be using and storing it. This is best done at the point of collection plus within your terms and conditions of sale and EULA. Below is quick example of the text you could use: Copyright and Trademark Adobe Inc. AN EXAMPLE CEIP PROGRAM COLLECTION STATEMENT In order to better serve our customers, and to enable our products to meet our customers ongoing and growing needs, we regularly engage in various kinds of methods to gather client feedback. We encourage our customers to participate in order to get the most out of our products and our customers’ experience with them. However, given the large scope of our customer base, it is impossible to reach out to all our customers directly. NALPEIRON IS NOT PROVIDING A LEGAL OPINION, YOU MUST ALWAYS SEEK GUIDANCE ON LEGAL MATTERS FROM YOUR OWN LAWYERS © 1991 - 2013 NALPEIRON, ALL RIGHTS RESERVED.
  • 10. GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED Our Customer Experience Improvement Program (CEIP) is a way to allow all our customers to contribute to the features, design and development of [Your Company Name] products. This program enables our customers to provide us with various information, including information about the hardware configuration of your host computer, the features you use most (and least), and the nature of the problems you face. Based on this information, we will be able to improve the [Your Company Name] products and the features you use most often. If you choose to participate, we will be automatically collecting information about your hardware configuration and the way you use [Your Company Name] products. We will not collect any personal data, like your name, address, phone number (unless you choose to provide it), or keyboard input. Participation in the CEIP is voluntary, however, but the end results intended to provide software improvements and enhanced functionality to better meet the needs of our customers. Below are frequently asked questions about the CEIP and how it works. How does the CEIP work? If you choose to participate, by enrolling in the CEIP, [Your Company Name] will automatically begin collecting information about how you use [Your Company Name] products. Data collected from you and other participants is combined and made utilized in an anonymous manner, and is thoroughly reviewed and analyzed to help us improve [Your Company Name] products. However, you cannot review any information before it is sent. We recognize that some customers might be uncomfortable allowing the information collected by the CEIP to be sent without having an opportunity to review it fully even though the information does not contain contact information and is governed by our Customer Experience Program Privacy Statement. If you are uncomfortable with sharing this information, please choose not to participate. What does the CEIP collect? The CEIP collects only the following information: • Hardware configuration of your host computer • Software configuration of your host computer and virtual machines (the names and versions of the operating systems and software installed in them) • Xxxxxxxxxxxxxxxxxxxxxx (whatever you decided to collect) How often does CEIP send data? The CEIP sends collected information to [Your Company Name] when your PC is connected to the Internet. How does [Your Company Name] protect my privacy if I choose to participate? The CEIP does not collect any private information or information that can be used to contact you. More details on how [Your Company Name] protects your privacy are provided below. NALPEIRON IS NOT PROVIDING A LEGAL OPINION, YOU MUST ALWAYS SEEK GUIDANCE ON LEGAL MATTERS FROM YOUR OWN LAWYERS © 1991 - 2013 NALPEIRON, ALL RIGHTS RESERVED.
  • 11. GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED AN EXAMPLE CEIP PRIVACY STATEMENT Privacy Statement for the [Your Company Name] Customer Experience Program [Your Company Name] is committed to help protect your privacy. This privacy statement explains the data collection and use practices for the [Your Company Name] Customer Experience Improvement Program (CEIP) reports that will be sent to [Your Company Name] as a result of your participating in the CEIP. This statement does not apply to other online or offline [Your Company Name] sites, products, or services. Collection and Use of Information When you participate, basic information about your computer and how you use your programs is collected and sent to [Your Company Name] on a periodic basis. However, [Your Company Name] does not store any personal information. This information will help us improve the features our customers use most often and to create solutions to common problems. Initially, the CEIP will gather the following information: 1. Host RAM size 2. Hard disk information (vendor, size, partition table) 3. CPU info 4. OS version 5. XXXXXXXXXXXXXX However, [Your Company Name] may gather additional information through the CEIP. You can always check our privacy policy, as may be updated from time to time, in order to determine what information is currently gathered by the CEIP. You can elect to participate in the CEIP when you first install an [Your Company Name] product (if the CEIP is available in connection with that product). CEIP reports generally include information about: • Configuration, such as how many processors are in your computer, what kinds of virtual machines you use, and which operating systems you install in them. • Performance and reliability, such as how quickly a program responds when you click a button, how many problems you experience with a program or a device, and how quickly information is sent or received over a network connection. • Program use, such as the features that you use and those you use the most often. NALPEIRON IS NOT PROVIDING A LEGAL OPINION, YOU MUST ALWAYS SEEK GUIDANCE ON LEGAL MATTERS FROM YOUR OWN LAWYERS © 1991 - 2013 NALPEIRON, ALL RIGHTS RESERVED.
  • 12. GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED In addition, standard computer information typically includes certain information about your computer software and hardware, such as your IP address, operating system version, web browser version, your hardware ID (which indicates the device manufacturer, device name, and version), and your regional and language settings. This information is sent to [Your Company Name] when you are connected to the Internet. The CEIP reports do not contain any personal or contact information about you (such as your name, address, or phone number) unless you agree to provide it. [Your Company Name] uses the CEIP information to improve its software and identify trends and usage patterns. Information that is collected by or sent to [Your Company Name] may be stored and processed in the United States or any other country in which [Your Company Name] or its affiliates, subsidiaries, or agents maintain facilities, where privacy laws may not be as protective as in your home country. By participating in the CEIP, you consent to the transfer, storage, use, and disclosure of information gathered under the CEIP, as described in this Privacy Policy, in the United States or any other country selected by [Your Company Name]. [Your Company Name] may disclose this information if required to do so by law or in the good faith belief that such action is necessary to: (a) conform to the edicts of the law or comply with legal process served on [Your Company Name] or the site; (b) protect and defend the rights or property of [Your Company Name], or (c) act in urgent circumstances to protect the personal safety of [Your Company Name] employees, users of [Your Company Name] software or services, or members of the public. [Your Company Name] occasionally hires other companies to provide limited services on its behalf, such as providing customer support, processing transactions, or performing statistical analysis of reports. [Your Company Name] will provide those companies only the information they need to deliver the service. They are required to maintain the confidentiality of this information and are prohibited from using it for any other purpose. Security [Your Company Name] is committed to help protect the security of the information we collect. The CEIP uses a variety of security technologies and procedures to help protect reports from unauthorized access, use, or disclosure. Changes to this Statement [Your Company Name] may occasionally update this privacy statement. When we do, we will also revise the "last updated" date at the top of the privacy statement. We encourage you to periodically review this privacy statement to stay informed about how we are helping to protect the information we collect. NALPEIRON IS NOT PROVIDING A LEGAL OPINION, YOU MUST ALWAYS SEEK GUIDANCE ON LEGAL MATTERS FROM YOUR OWN LAWYERS © 1991 - 2013 NALPEIRON, ALL RIGHTS RESERVED.
  • 13. GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED SETTING UP AND USING PRIVACY CONTROLS IN THE NALPEIRON SOFTWARE ANALYTICS SERVICE Nalpeiron offers a multi-layer privacy option, some server-side and the others client-side. The server-side options relate to blocking data from certain Regions or Countries where you don't want to collect any data at all, for example it can be painful with the legal position with end users in Switzerland and it's just easier to block any data from that Country rather than have to deal with the issues and hassles of that jurisdiction. This option is a top level change and will affect all the products you host with Nalpeiron. This is a huge issue and this solution makes your life nice and easy! The client-side is a user-based Opt-in process, allowing you to collect their anonymous data. This is an API you can configure and call from your application to allow users to opt-in to your program. This option is a product level change and will affect each product you host with Nalpeiron individually. A final option is user registration where the users provide details about themselves, along with the data on their usage. This is especially useful for internal users, consenting beta testers and the like. Tying a user to personally identifiable data is very useful so it's important that you get permission and also understand the legal position when doing so. See the Nalpeiron privacy and data collection white papers on the corporate site: www.nalpeiron.com SERVER-SIDE OPTIONS When you are logged into your account on the Nalpeiron Publisher Center you will see the options for making your site- wide Privacy options from the top navigation. NALPEIRON IS NOT PROVIDING A LEGAL OPINION, YOU MUST ALWAYS SEEK GUIDANCE ON LEGAL MATTERS FROM YOUR OWN LAWYERS © 1991 - 2013 NALPEIRON, ALL RIGHTS RESERVED.
  • 14. GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED You can simply choose one of the recommended Countries to block data collection as below. Or you can set your own Country policy, it's as simple as that to stop data coming from users in certain locales you prefer to not collect data. NALPEIRON IS NOT PROVIDING A LEGAL OPINION, YOU MUST ALWAYS SEEK GUIDANCE ON LEGAL MATTERS FROM YOUR OWN LAWYERS © 1991 - 2013 NALPEIRON, ALL RIGHTS RESERVED.
  • 15. GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED CLIENT-SIDE USER OPT-IN In most cases you need to get end users to explicitly opt in to your Customer Experience Improvement Program (CEIP) or data collection process. This ensures that they know their information is being sent, what you are going to do with it, and are comfortable with the process. How it Works When you code in the Nalpeiron library to your application, depending on the IDE and platform you are delivering to, you will display a form (dialog page) prompting them to opt in our out of your CEIP/data collection process for the first time they run your application. If they opt out then Nalpeiron will automatically disable sending of that specific users data. NALPEIRON IS NOT PROVIDING A LEGAL OPINION, YOU MUST ALWAYS SEEK GUIDANCE ON LEGAL MATTERS FROM YOUR OWN LAWYERS © 1991 - 2013 NALPEIRON, ALL RIGHTS RESERVED.
  • 16. GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED If you place the opt-in process within your application so it’s easily accessible you will enable users to opt-in later or vice versa maintaining trust and transparency with your users. Setting up By default data is collected. You will need to call the Nalpeiron API from your program and this will set whether data is sent or not. In many cases you will be working with an OS with GUI and in this case you will want to prompt the user with a dialog to opt-in or out, a simple example is provided within the code sdk provided. NALPEIRON IS NOT PROVIDING A LEGAL OPINION, YOU MUST ALWAYS SEEK GUIDANCE ON LEGAL MATTERS FROM YOUR OWN LAWYERS © 1991 - 2013 NALPEIRON, ALL RIGHTS RESERVED.
  • 17. GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED THE BASICS OF DATA COLLECTION AND PRIVACY WHAT IS A DATA CONTROLLER? A data controller is the individual or company who controls and is responsible for the keeping and use of personal information on computer or in structured manual files. This would include the people collecting the data. Being a data controller carries with it serious legal responsibilities, so you should be quite clear if these responsibilities apply to you or your organization. In essence, you are a data controller if you can answer YES to the following question:- • Do you keep or process any information about living people? In practice, to find out who controls the contents and use of personal information kept, you should ask the following questions:- • Who decides what personal information is going to be kept? • Who decides the use to which the information will be put? If your organization controls and is responsible for the personal data that it holds, then your organization is a data controller. If, on the other hand, you hold the personal data, but some other organization decides and is responsible for what happens to the data, then that other organization is the data controller, and your organization is a "data processor" (see below). WHAT IS A DATA PROCESSOR? As mentioned above, if you hold or process personal data, but do not exercise responsibility for or control over the personal data, then you are a "data processor". Examples of data processors include payroll companies, accountants and market research companies, all of which could hold or process personal information on behalf of someone else. IS IT NECESSARY TO REGISTER AS A DATA COLLECTOR OR PROCESSOR? In most countries, this is a requirement. Collecting data without registering with the national data privacy authorities can result in severe penalties. Here is a list of countries, which require registration. • Argentina • Austria • Belgium • Bulgaria • Chile • Cyprus • Czech Republic • Finland • France • Greece • Hungary NALPEIRON IS NOT PROVIDING A LEGAL OPINION, YOU MUST ALWAYS SEEK GUIDANCE ON LEGAL MATTERS FROM YOUR OWN LAWYERS © 1991 - 2013 NALPEIRON, ALL RIGHTS RESERVED.
  • 18. GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED • Ireland • Italy • Lithuania • Luxembourg • Malta • Monaco • Netherlands • Norway • Poland • Portugal • Romania • Russia • Slovak Republic • Sweden • Switzerland • UK • Ukraine • Uruguay See attached Appendix B for a contact list of national data protection authorities, which will specify steps for registration WHAT NEEDS TO BE DONE BEFORE DATA CAN BE COLLECTED? First, familiarize yourself with all the rules covering data collection and processing in the area where you are conducting business. The best policy to make sure that there are no loose ends regarding data privacy practice is to review the survey contained in Appendix A. If your operation passes this review then you can assume you are starting on solid ground. ARE THERE ANY COUNTRIES, WHICH HAVE ESPECIALLY STRICT DATA PRIVACY RULES? Looking at the map contained below the countries indicated in blue and green offer the most restrictive environments. Keep in mind you should always thoroughly research the legal environment you are doing business in. In addition, laws change, some countries that may be unregulated can become highly regulated overnight. A good rule of thumb is to keep up on changes in the law and plan accordingly. NALPEIRON IS NOT PROVIDING A LEGAL OPINION, YOU MUST ALWAYS SEEK GUIDANCE ON LEGAL MATTERS FROM YOUR OWN LAWYERS © 1991 - 2013 NALPEIRON, ALL RIGHTS RESERVED.
  • 19. GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED WORLDWIDE MAP OF DATA PRIVACY PROTECTIONS Most restricted Restricted Some restrictions Minimal restrictions Effectively no restrictions No legislation or no information Premium content Government surveillance may affect privacy Source: Forrester NALPEIRON IS NOT PROVIDING A LEGAL OPINION, YOU MUST ALWAYS SEEK GUIDANCE ON LEGAL MATTERS FROM YOUR OWN LAWYERS © 1991 - 2013 NALPEIRON, ALL RIGHTS RESERVED.
  • 20. GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED STARTING COLLECTION OPERATIONS WHAT TYPE OF DATA IS REGULATED BY LAW? Countries with data privacy laws regulate the collection and processing of “personal data” which generally means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller; The definition is – deliberately - a very broad one. In principle, it covers any information that relates to an identifiable, living individual. However, it needs to be borne in mind that data may become personal from information that could likely come into the possession of a data controller. There are different ways in which an individual can be considered ‘identifiable’. A person’s full name is an obvious likely identifier. However, a person can also be identifiable from other information, including a combination of identification elements such as physical characteristics, pseudonyms occupation, address, identification number, IP address, and credit card number, anything that can be used to identify an individual. HOW DO I MAKE A PRIVACY POLICY? It is always good practice to have a privacy policy, which data subjects can review. The general approach to privacy policies is that they should reflect a detailed explanation of an organization’s processing of personal data and the application of data protection law to these practices. The privacy policy should be a dynamic document, regularly reviewed and updated to reflect changes in the way the organization processes personal data. A privacy policy should be built around the eight data protection principles, to ensure that all aspects of data protection are covered. You have certain key responsibilities in relation to the information which you keep on computer or in a structured manual file about individuals. These may be summarized in terms of eight "Rules" which you must follow, and which are listed below. Click on the links to see more information. YOU MUST: 1. Obtain and process the information fairly 2. Keep it only for one or more specified and lawful purposes 3. Process it only in ways compatible with the purposes for which it was given to you initially 4. Keep it safe and secure 5. Keep it accurate and up-to-date 6. Ensure that it is adequate, relevant and not excessive 7. Retain it no longer than is necessary for the specified purpose or purposes 8. Give a copy of his/her personal data to any individual, on request. NALPEIRON IS NOT PROVIDING A LEGAL OPINION, YOU MUST ALWAYS SEEK GUIDANCE ON LEGAL MATTERS FROM YOUR OWN LAWYERS © 1991 - 2013 NALPEIRON, ALL RIGHTS RESERVED.
  • 21. GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED DO I NEED TO OBTAIN CONSENT FROM A SUBJECT BEFORE I COLLECT DATA? Most countries in the world require some form of Consent which usually involve a click through agreement notifying the subject of what is being done and their right. How thorough this Consent process must be may vary from country to country. Regardless of your location, the key test will be to demonstrate that Consent exists. However, usually when processing sensitive personal data, the level of Consent must be explicit. This means that a data subject must be aware of and understand the purposes for which his/her data are being processed. Explicit Consent need not require a data subject to sign a form in all cases. Consent can be understood to be explicit where a person volunteer’s personal data after the purposes in processing the data have been clearly explained. Thus, a clear explanation on a form, a web page, or the delivery of a script by properly trained telephone staff might be sufficient to demonstrate Consent has been explicitly given. HAS CONSENT BEEN GRANTED? Test yourself, you should be able to answer YES to the following questions:- When people are giving you information, • Do they know what information you will keep about them? • Do they know the purpose for which you keep and use it? • Do they know the people or bodies to whom you disclose or pass it? WHAT IS MEANT BY "ANONYMOUS" DATA? Anonymous data is information where the identity of the data subject is impossible to determine. When reviewing this data ask is there any likelihood I could determine the identity of the subject from the data collected? If the answer is no, then data is anonymous. If data is genuinely anonymized there is no regulation regarding collecting it and transmitting it. If the data is not anonymous then proceed to the next step. WHAT IF THE DATA IS ANONYMOUS DO DATA PRIVACY RULES STILL APPLY? Data privacy laws only apply to the collection of personal information. Anonymous data is not regulated since it is not considered personal information. ARE THERE ANY SPECIAL RULES CONCERNING COLLECTING DATA FROM INTERNAL STAFF AS OPPOSED TO A PURCHASER? There are special data collection rules in most countries regarding the collection of data from employees. This would be the only difference between a purchaser and internal staff. A purchaser would be subject to the same data collection regulations as all other subjects. IF A USER IS BETA TESTING SOFTWARE DOES IT IMPACT HOW I CAN COLLECT DATA? Whether or not information is collected through a beta testing program has no bearing on the data collectors obligations to the subject. All rules regarding the collection of data apply. NALPEIRON IS NOT PROVIDING A LEGAL OPINION, YOU MUST ALWAYS SEEK GUIDANCE ON LEGAL MATTERS FROM YOUR OWN LAWYERS © 1991 - 2013 NALPEIRON, ALL RIGHTS RESERVED.
  • 22. GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED ARE USER GROUPS CONSIDERED INDIVIDUALS FOR DATA PRIVACY PURPOSES? For a user group best practice dictates that normal procedures for data collection would apply. The data collector would treat the user group as a group individuals who each have rights regarding data collection. If the information collected is aggregated and would not be useful to identify anyone in the group it could be viewed as anonymous data not subject to regulation, however this would depend on the manner the group is structured and the information being collected. WHAT TYPE OF INFORMATION MUST BE PROVIDED IN A CONSENT OR PRIVACY WARNING STATEMENT? Information in a Consent document or privacy warnings should include the following: Identity Identification should ideally include complete and useful contact details. Useful details would include an e- mail address and postal address that a visitor may use if he/she wishes to discuss any matters relating to the processing of personal data on your website. Purpose There can be many overt purposes for which visitors should reasonably expect their data to be used. These may include data necessary in the context of a transaction. However, it is possible that data may be processed for non-obvious purposes such as profiling or future marketing. All these purposes must be clearly referred to in the Privacy Statement. Data volunteered on that understanding are fairly obtained. If a purpose is not obvious and not referred to, then it will be difficult for you to lawfully process data for that purpose. Disclosure If you plan to release personal data to a third party (other than a person acting as your agent) this is a disclosure and must be referred to in your Privacy Statement. Right of Access Generally, subjects have a right to be given a copy of his/her personal data. If you are retaining personal data, you should refer to this Right of Access in your Privacy Statement. You should include reference to procedures to be followed. Right of rectification or erasure. A person has a right to have his/her personal data corrected, if inaccurate, or erased, if you do not have a legitimate reason for retaining the data. You cannot charge for complying with such a request and shall comply within 40 calendar days of the receipt of such a request. Your Privacy Statement should make reference to this, if you retain personal data, as well as detailing the procedures a person should follow when making such a request. Extent of data being processed. If different data are used for different purposes, this should be clearly outlined. NALPEIRON IS NOT PROVIDING A LEGAL OPINION, YOU MUST ALWAYS SEEK GUIDANCE ON LEGAL MATTERS FROM YOUR OWN LAWYERS © 1991 - 2013 NALPEIRON, ALL RIGHTS RESERVED.
  • 23. GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED PROCESSING AND TRANSFERING DATA WHAT IS MEANT BY DATA PROCESSING AND ARE THEIR RULES REGULATING THIS PRACTICE? I AM USING A THIRD PARTY CLOUD SERVER TO STORE AND TRANSFER ARE THERE SPECIAL RULES THAT NEED TO BE FOLLOWED? The "cloud" provider will usually be acting as a data processor for you. This means that you remain responsible for how the data is processed. This must be spelled out in a contract which states that the "cloud" provider only processes your data in accordance with your instructions and takes measures to keep the data secure. You are responsible for taking "reasonable steps" to ensure compliance by the "cloud" provider. It is therefore important that you establish precisely where and how the data you provide to a cloud provider will be handled. WHAT NEEDS TO BE DONE BEFORE DATA IS TRANSFERRED TO A THIRD PARTY OR TO A DIFFERENT LOCATION? Most countries only allow transfers of data to countries which have equal or better protection to the one you collected the data in. When doing business in an EU country if personal data is to be transferred to a country outside of the EU one of the following additional conditions must apply: • Transfer is to one of the following countries/territories: Argentina, Canada, Switzerland, Israel, Guernsey, Jersey, Isle of Man, Faroe Islands then no steps need to be taken. • Transfer is to a company in the USA it must be covered by the EU-US "Safe Harbor" agreement • If none of these above apply a Consent agreement specifying transfer to a third country that does not meet the above conditions will work as well. A subject can essentially grant you an exCEIPtion around the tough EU regulations on transfer. Best practice would dictate that a well-written Consent agreement would cover all possible transfer scenarios so as to avoid any transfer related issues. ARE THERE CERTAIN COUNTRIES WHICH DATA CANNOT BE TRANSFERRED TO? The general rule is that personal data cannot be transferred to third countries unless the country ensures an adequate level of data protection. WHAT SECURITY MEASURES SHOULD I HAVE IN PLACE TO PROTECT PERSONAL DATA FROM UNAUTHORIZED ACCESS? Appropriate security measures should be in place which take account of the harm that would result from unauthorized access to the information. This should take account of available technology and the cost of installation. In addition to technical security measures, due regard should be had for physical security measures such as access control for central IT servers and local PCs. DO I NEED TO ALERT SUBJECTS IF THEIR DATA HAS BEEN COMPROMISED? NALPEIRON IS NOT PROVIDING A LEGAL OPINION, YOU MUST ALWAYS SEEK GUIDANCE ON LEGAL MATTERS FROM YOUR OWN LAWYERS © 1991 - 2013 NALPEIRON, ALL RIGHTS RESERVED.
  • 24. GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED A Data Controller is required to have in place appropriate security measures to prevent both internal and external unauthorized access to personal data that it is responsible for. Data controllers are advised to notify affected data subjects in most such cases and also to notify the local data protection office. WHAT ARE THE CONSEQUENCES, IN GENERAL, IF WE COLLECT DATA THAT IS TARGETED WITHOUT THEIR CONSENT? The penalties range from remediation, fines or criminal penalties against those involved. WHERE WILL YOU BE COLLECTING DATA? The first step when evaluating how to proceed with data collection is to determine if the country in which you are collecting data from has data privacy laws on the books. The map below provides an approximate visual guide to countries, which have some form of data privacy. WORLDWIDE MAP OF DATA PRIVACY PROTECTIONS Most restricted Restricted Some restrictions Minimal restrictions Effectively no restrictions No legislation or no information Premium content Government surveillance may affect privacy Source: Forrester NALPEIRON IS NOT PROVIDING A LEGAL OPINION, YOU MUST ALWAYS SEEK GUIDANCE ON LEGAL MATTERS FROM YOUR OWN LAWYERS © 1991 - 2013 NALPEIRON, ALL RIGHTS RESERVED.
  • 25. GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED After examining the map above, please consult Appendix B to verify if your country is covered or could potentially have new laws coming into effect. If your country is not listed, we can safely assume that data collection is unregulated. One important note to remember, some countries that do not have specific laws covering data privacy may have a type of right to privacy in their constitution. Generally, the constitutional right to privacy will cover extreme forms of intrusion into private details of a subject’s life, health or finances, which would result in embarrassment if publicized. However, this type of information will not be involved here. If your country does not have a law on the books, you can safely collect data based on the warnings above. If your country is listed, proceed to the next section. WILL WE NEED TO REGISTER AS A DATA COLLECTOR? The following countries require data collectors to register with a government regulator: • Argentina • Austria • Belgium • Bulgaria • Chile • Cyprus • Czech Republic • Finland • France • Greece • Hungary • Ireland • Italy • Lithuania • Luxembourg • Malta • Monaco • Netherlands • Norway • Poland • Portugal • Romania • Russia • Slovak Republic • Sweden • Switzerland • UK • Ukraine • Uruguay NALPEIRON IS NOT PROVIDING A LEGAL OPINION, YOU MUST ALWAYS SEEK GUIDANCE ON LEGAL MATTERS FROM YOUR OWN LAWYERS © 1991 - 2013 NALPEIRON, ALL RIGHTS RESERVED.
  • 26. GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED See attached Appendix C for a contact list of national data protection authorities. WILL THE DATA COLLECTED BE ANONYMOUS? First, it is important to consider what anonymous data is. Anonymous data is information where the identity of the data subject is impossible to determine. When reviewing this data ask is there any likelihood I could determine the identity of the subject from the data collected? If the answer is no, then data may processed information free of regulation because it is not ‘personal data,’ but ‘anonymous data’. A second consideration is how is the data best anonymized. In these situation EU regulations on the subject, provide the model for best practices worldwide. Anonymization best practices are dictated as follows: Methods to anonymize personal data, particularly before publishing statistical information or research results, include: • deleting or omitting ‘identifying details’, for example names; • substituting code numbers for names or other direct identifiers (this is pseudonymization, effectively); • aggregating information, for example by age group, year, town; and • barnardization or other techniques introducing statistical noise, for example differential privacy techniques with statistical databases. • or some combination of these methods. If data is genuinely anonymized there is no regulation regarding collecting it and transmitting it. If the data is not anonymous then proceed to the next step. NALPEIRON IS NOT PROVIDING A LEGAL OPINION, YOU MUST ALWAYS SEEK GUIDANCE ON LEGAL MATTERS FROM YOUR OWN LAWYERS © 1991 - 2013 NALPEIRON, ALL RIGHTS RESERVED.
  • 27. GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED RULES GOVERNING THE COLLECTION AND PROCESSING OF DATA Generally these rules concern procedures, which govern whether Consent is required from the subjects of data collection or if notice must be given if privacy is breached. The following list represents countries with notable regulations regarding the collection and processing of data. ASIA AUSTRALIA Consent An organization must not collect personal information unless the information is necessary for one or more of its functions or activities. At or before the time personal information is collected, or as soon as practicable afterwards, an organization must take reasonable steps to make an individual aware of: Its identity and how to contact it; Why it is collecting (or how it will use the) information about them; To whom it might give the personal information; The fact that the individual can obtain access to their personal information; Any law requiring the collection of personal information; and The main consequences (if any) for the individual if all or part of the information is not provided. This is usually done by acCEIPtance by the individual of a privacy policy prior to giving his/her information. Breach Notification An organization that breaches the Privacy Act is currently under no legal obligation (and not is it generally current practice) to report that breach to the affected individual(s) or the Australian Information Commissioner INDIA Consent A person who has obtained access to any electronic record, book, register, correspondence, information, document or other material and discloses such information without the Consent of the person concerned is in violation of law. Thus, Consent of the person concerned, while collecting the data and for processing/disclosing the same is essential. Breach Notification NALPEIRON IS NOT PROVIDING A LEGAL OPINION, YOU MUST ALWAYS SEEK GUIDANCE ON LEGAL MATTERS FROM YOUR OWN LAWYERS © 1991 - 2013 NALPEIRON, ALL RIGHTS RESERVED.
  • 28. GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED None JAPAN Consent When handling personal information, a business operator must specify to the fullest extent possible the purpose of use of the personal information (“Purpose of Use”). Once a business operator has specified the Purpose of Use, it must not then make any changes to the said purpose, which could reasonably be considered to be beyond the scope of what is duly related to the original purpose of use. In addition, when handling personal information, a business operator shall not handle the information beyond the scope that is necessary for the achievement of the Purpose of Use without a prior Consent of the individual. In other words, the use of the information must be consistent with the stated Purpose of Use. The Purpose of Use must be made known to the individual when personal information is collected or promptly thereafter and this can be made by a public announcement (such as posting the purpose on the business operator’s website). When personal information is obtained by way of a written contract or other document (including a record made in an electronic or magnetic format, or any other method not recognizable to human senses), the business operator must expressly state the Purpose of Use prior to the collection. Breach Notification Japanese law provides that a business operator regulated by the JFSA must immediately produce a report when a leakage of personal information occurs. In addition, the business operator must promptly publicize the facts related to the leakage and the steps taken to prevent the reoccurrence of similar event. Finally, the JFSA Guidelines require that the business operator notify the individual whose information has been leaked of the leakage. SOUTH KOREA Consent If a Data Handler under PIPA or an IT Service Provider under IT Network Act intends to collect Personal Data from the data subject or IT service user, it must: (i) first notify the data subject or IT service user of the vital information stipulated under the law; and (ii) obtain data subject’s or IT service user’s prior Consent to such collection other than some exceptional cases stipulated under the law. Breach Notification In case a leak of Personal Data occurs, the Data Handler must notify data subjects without delay of the details and circumstances, and the remedial steps planned. If the number of affected data subjects exceeds 10,000, the Data Handler shall immediately report the notification to data subjects and the result of measures taken to MOPAS, KISA or the National Information Security Agency (the “NIA”). NALPEIRON IS NOT PROVIDING A LEGAL OPINION, YOU MUST ALWAYS SEEK GUIDANCE ON LEGAL MATTERS FROM YOUR OWN LAWYERS © 1991 - 2013 NALPEIRON, ALL RIGHTS RESERVED.
  • 29. GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED EU COUNTRIES Consent Obtaining Consent is required under European Union law Data subjects must also be made aware of the purposes for which the data is collected and be allowed to access and to correct personal data. A company collecting personal data must also implement specified technical and organizational measures to protect personal data from loss, misuse and unauthorized access or disclosure. If a designee, such as an outside service bureau — called a “processor” carries out the processing of personal data, there must be a written agreement in place with the processor to process data only in accordance with instructions from the controlling company and only in accordance with the terms of European Union Law. Special reporting requirements to the proper supervisory authority within the applicable Member State must also be complied with. Breach Notification Unlike the general data privacy protections under European Union law, laws governing what to do if a breach of information occurs vary from country to country. In the EU, the Breach Notification regime has two dimensions. One concerns notifying the relevant regulator with jurisdiction over the breach, and the other concerns notifying the affected individuals. The term “data breach” is broadly construed and can include any breach of security that may lead to the accidental or unauthorized access, disclosure, or alteration of personal data. Currently, there is a general (rather than sector-specific) legal requirement to provide notification of data breaches only in a few European countries. For example, a legal obligation to notify regulators and affected individuals (under certain circumstances) of data breaches exists in Germany and Norway. In contrast, some countries, such as Austria, have a legal requirement to notify individuals but not the regulator, whereas other countries have a voluntary regime based on codes and guidelines issued by regulators, such as Denmark, Ireland, and the United Kingdom. THE AMERICAS ARGENTINA Consent The processing of personal data generally requires express Consent from the subject, which must be accompanied by appropriate information, in a prominent and express manner, explaining the nature of Consent sought. Consent must be express and informed. It should be in writing or similar form depending on the circumstances. For example, it is possible to get Consent online by clicking an appropriate icon. Breach Notification None. CANADA Consent NALPEIRON IS NOT PROVIDING A LEGAL OPINION, YOU MUST ALWAYS SEEK GUIDANCE ON LEGAL MATTERS FROM YOUR OWN LAWYERS © 1991 - 2013 NALPEIRON, ALL RIGHTS RESERVED.
  • 30. GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED Canadian law contains a series of fair information processing obligations. The principal obligations related to processing personal information are: (i)Identifying Purposes: The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected (see Fair Processing Information below); (ii) Consent: The knowledge and Consent of the individual are required for the collection, use, or disclosure of personal information, except as otherwise authorized by law; (iii) Limited Collection: The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means; (iv) Accuracy: Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used; and (v) Safeguards: Personal information shall be protected by security safeguards appropriate to the sensitivity of the information. The way in which an organization seeks Consent may vary, depending on the circumstances and the type of information collected. An organization should generally seek express Consent when the information is likely to be considered sensitive. Implied Consent would generally be appropriate when the information is less sensitive. Consent can also be given by an authorized representative (such as a legal guardian or a person having power of attorney). Breach Notification None COLOMBIA Consent As a rule, the collection and cross-border transfer of Private and Semi-private Data can be performed only with the prior Consent of the data owner unless an exCEIPtion applies. Breach Notification Currently there are no Breach Notification regulations in Colombia. UNITED STATES Consent U.S. privacy laws and self-regulatory principals generally require pre collection notice and an opt-out for use and disclosure of regulated personal information. Opt in rules apply in special cases involving information that is considered sensitive under US law, such as for health information, personal information knowingly collected online from children, and telephone usage information. The FTC interprets as a “deceptive trade practice” failing to obtain opt in Consent if a company engages in materially different uses or discloses personal information not disclosed in the privacy policy under which personal information was collected. Breach Notification NALPEIRON IS NOT PROVIDING A LEGAL OPINION, YOU MUST ALWAYS SEEK GUIDANCE ON LEGAL MATTERS FROM YOUR OWN LAWYERS © 1991 - 2013 NALPEIRON, ALL RIGHTS RESERVED.
  • 31. GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED Almost every US state requires notifying state residents of a security breach involving residents’ name plus a sensitive data element (typically, social security number, other government ID number, or credit card or account number in combination with any security code or password that would permit access to a financial account). A minority of states also require notification to State Attorneys General and to credit bureaus. For a summary of these laws see: http://www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx URUGUAY Consent In order to collect the information, which is contained in the database, the data processor should obtain prior documented Consent from the individual whose information is being processed. Documented Consent is not required in the following cases: personal data obtained from public sources; personal data obtained by public bodies to comply with legal obligations; personal data limited to domicile, telephone number, ID number, nationality, tax number, corporation name; personal data obtained in base of a contractual or professional relationship, which is necessary to perform the contract or the development of the professional services to be rendered; and personal data obtained by individuals or corporations for their personal and exclusive use. The personal data processed cannot be used for purposes different from those that have justified the acquisition of the information. It is understood that legitimate reasons (i.e. reasons that are not against the law) must preexist and underlay the processing of the personal information. The Data Protection Act further establishes that once the reasons to process the personal information have disappeared, the personal information must be deleted. Breach Notification In case the data processor detects a breach of security measures, and if the consequences of the breach could substantially affect the rights of the data subject, and/or the rights of any other agent or person involved, the data processor should report the facts to the persons involved. THE MIDDLE EAST ISRAEL Consent Collection of personal data from a data subject must be accompanied by notice indicating: (i) whether delivery of the information by the data subject is voluntary or subject to a legal obligation; (ii) the purposes for which the information is collected; and (iii) any prospective transferees and the purposes of such transfer. In addition, the data subject’s Consent must be “informed” and this has been interpreted by the courts to mean DATA SUBJECTS must have all relevant information concerning the processing of their data. Hence, while not expressly NALPEIRON IS NOT PROVIDING A LEGAL OPINION, YOU MUST ALWAYS SEEK GUIDANCE ON LEGAL MATTERS FROM YOUR OWN LAWYERS © 1991 - 2013 NALPEIRON, ALL RIGHTS RESERVED.
  • 32. GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED specified in the PPA, it is necessary to provide DATA SUBJECTS with a good understanding of which categories of personal data are being collected, used and transferred. Breach Notification Breach Notification obligations currently apply only in the financial sector under the Supervisor of Banks’ Regulation No. 357 on Information Technology Management and equivalent instructions issued by the Commissioner of Capital Markets, Insurance and Savings. WHAT STEPS MUST BE TAKEN TO TRANSFER DATA FROM ABROAD TO THE UNITED STATES? The answer to this question depends on where you are located. Transferring Data from EU Countries to the US European Union Law sets out requirements for sending personal data outside Europe. No data can leave Europe unless the transmission goes to some “third country” that “ensures an adequate level of protection.” In other words, data about European individuals can only go into countries with data protection laws that the European Commission considers adequately safeguard Europeans’ personal data. To date, the EU Commission has formally designated only Argentina, Canada, Guernsey, Isle of Man, and Switzerland as “third countries” offering this “adequate level of protection. Because Europe sees the United States as a “third country” that fails to offer an “adequate level of [data] protection,” Data transfers from Europe to the US will only be valid if the provisions of Safe Harbor have been complied with. In summary, if safe harbor measures have been handled then data can be transferred without restrictions. NALPEIRON IS NOT PROVIDING A LEGAL OPINION, YOU MUST ALWAYS SEEK GUIDANCE ON LEGAL MATTERS FROM YOUR OWN LAWYERS © 1991 - 2013 NALPEIRON, ALL RIGHTS RESERVED.
  • 33. GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED REGULATION OF TRANSFERS IN COUNTRIES BEYOND EUROPE TO THE UNITED STATES ASIA AUSTRALIA An organization may transfer personal data to someone who is outside Australia only if: (i) the organization reasonably believes that the recipient is subject to a law, binding scheme or contract which is substantially similar in effect to Australian law; (ii) the data subject Consents to the transfer of the personal data; or (iii) the organization has taken reasonable steps to ensure that the personal data which it has transferred will be held, used or disclosed by the recipient in a manner consistent with Australian Law. The obligation placed on organizations to take reasonable steps to protect personal data from misuse, loss and unauthorized access, modification and disclosure will apply to the transfer of personal data to an overseas recipient. Organizations transferring personal data to overseas recipients will need to ensure that the personal data will continue to be secure once transferred. Once an organization transfers personal data to an organization in a foreign country, the Privacy Act will apply to the overseas organization only to the extent set out in the section entitled “What is the territorial scope of application?". INDIA The Rules provide that TRANSBORDER DATAFLOWS of sensitive personal data or information can be made to any other body corporate or a person in India or located in any other country if the same levels of data protection in India are adhered to, provided that such transfer is necessary for the performance of a lawful contract between the body corporate or any person acting on its behalf and the provider of information or such transfer has been Consented to by the provider of information. There is no restriction under the Rules regarding TRANSBORDER DATAFLOWS of information that is not sensitive personal data or information. JAPAN Personal data may not be disclosed to a third party without the prior Consent of the individual. NEW ZEALAND An agency should not disclose personal information to another entity unless the disclosure of the information is one of the purposes in connection with which the information was obtained or is directly related to the purposes in connection with which the information was obtained. Care must be taken that all safety and security precautions are met to ensure the safeguarding of that personal information to make certain that it is not misused or disclosed to any other party. NALPEIRON IS NOT PROVIDING A LEGAL OPINION, YOU MUST ALWAYS SEEK GUIDANCE ON LEGAL MATTERS FROM YOUR OWN LAWYERS © 1991 - 2013 NALPEIRON, ALL RIGHTS RESERVED.
  • 34. GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED SOUTH KOREA As a general rule, a Data Handler or an IT Service Provider may not provide Personal Data to a third party without obtaining the prior opt-in Consent of the data subject or IT service user THE MIDDLE EAST ISRAEL Israeli law permits transfers to: (i) EU Member States; (ii) other signatories of Council of Europe Convention 108; and (iii) a country “which receives data from Member States of the European Community, under the same terms of acceptance”. This has been interpreted by the Database Registrar to apply to transfers to Safe Harbor participant companies in the US. THE AMERICAS ARGENTINA The transfer of any type of personal information to countries or international or supranational entities which do not provide adequate levels of protection is prohibited. CANADA Canadian law does not contain any specific restrictions related to cross-border data flows. However, all transfers of personal information to a third party processor, whether within Canada or cross-border, is subject to the “accountability” principle. Specifically, an organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party. COLOMBIA In addition, the cross-border transfer of data (i) requires prior Consent from the data owner and such Consent must include information as to the destination, usage and storage of data and; (ii) can only be performed after the Data Exporter, regardless of whether it is a data controller or a data processor, has confirmed that the foreign country where the data will be transferred, meets the same data privacy and protection standards as the ones provided in Colombian law. Also, Personal data can only be transferred to a third party with the previous Consent of the data subject (i.e. the individual whose data is being transferred). The previous Consent of the data subject would not be necessary when the individual’s data to be transferred is limited to: name, surname, identity card NALPEIRON IS NOT PROVIDING A LEGAL OPINION, YOU MUST ALWAYS SEEK GUIDANCE ON LEGAL MATTERS FROM YOUR OWN LAWYERS © 1991 - 2013 NALPEIRON, ALL RIGHTS RESERVED.
  • 35. GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED number, nationality, address, and date of birth. The purpose and proper identification of the transferee must be included in the Consent communication that would be addressed to the data subject. Evidence of the data subject’s Consent must be kept in the files of the data processor. UNITED STATES No geographic transfer restrictions apply in the U.S NALPEIRON IS NOT PROVIDING A LEGAL OPINION, YOU MUST ALWAYS SEEK GUIDANCE ON LEGAL MATTERS FROM YOUR OWN LAWYERS © 1991 - 2013 NALPEIRON, ALL RIGHTS RESERVED.
  • 36. GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED APPENDIX A GETTING ORGANIZED FOR DATA PROTECTION A quick look at some of the steps to take to comply with your Data Protection obligations: The right of access is the most important right that an individual has and you need to prepare for handling access requests. Dealing with access requests is not your only obligation. Staff should be made aware of the obligations imposed by the Data Protection Acts. To comply you should: • Ensure that the basic principles of data protection are explained to staff; • Ensure that there are regular updates to guidance material and staff training and awareness, so that data protection is a “living” process aligned to the way the organization conducts its business; • Document procedures, for example with regard to accuracy and have regular security reviews; • Allocate responsibility for compliance and set-out what in-house sanctions may be imposed if correct procedures are not followed; • Set out the circumstances in which personal data may be disclosed to third parties. Staff should be aware that from October 2007 the principles of data protection apply to manual records, including those created before July 2003. OBLIGATIONS ON RETENTION AND SECURITY NEED TO BE ADDRESSED • Adhere to the ‘need to know principle’ – only personal data necessary for the purpose should be collected and staff should only be able to access the personal data that they need to carry out their functions; • Have adequate access controls, firewalls and virus protection and do not forget manual files; • There should be retention policies for the various categories of data. The organization should provide for: • Periodic audit checks and reviews; • A procedure for complaints handling; • Plans for remedial steps if things go wrong; • Privacy /Data Protection Statements on Forms and Websites and an internal e-mail and internet use policy. SELF-HELP CHECKLIST ON DATA PROTECTION POLICY NALPEIRON IS NOT PROVIDING A LEGAL OPINION, YOU MUST ALWAYS SEEK GUIDANCE ON LEGAL MATTERS FROM YOUR OWN LAWYERS © 1991 - 2013 NALPEIRON, ALL RIGHTS RESERVED.
  • 37. GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED Remember -you should be able to answer YES to all of the questions below. If you can, your business is in good shape from a data protection viewpoint. If you do not have a clean sheet, the checklist can help you identify the areas where you need to improve. MAIN RESPONSIBILITIES Rule 1: Fair obtaining: • At the time when we collect information about individuals, are they made aware of the uses for that information? • Are people made aware of any disclosures of their data to third parties? • Have we obtained people’s consent for any secondary uses of their personal data, which might not be obvious to them • Can we describe our data-collection practices as open, transparent and up-front? Rule 2: Purpose specification • Are we clear about the purpose (or purposes) for which we keep personal information? • Are the individuals on our database also clear about this purpose? • If we are required to register with the Data Protection Commissioner, does our register entry include a proper, comprehensive statement of our purpose? [Remember, if you are using personal data for a purpose not listed on your register entry, you may be committing an offence.] • Has responsibility been assigned for maintaining a list of all data sets and the purpose associated with each? Rule 3: Use and disclosure of information • Are there defined rules about the use and disclosure of information? • Are all staff aware of these rules? • Are the individuals aware of the uses and disclosures of their personal data? Would they be surprised if they learned about them? Consider whether the consent of the individuals should be obtained for these uses and disclosures. • If we are required to register with the Data Protection Commissioner, does our register entry include a full list of persons to whom we may need to disclose personal data?[Remember, if you disclose personal data to someone not listed on your register entry, you may be committing an offence.] NALPEIRON IS NOT PROVIDING A LEGAL OPINION, YOU MUST ALWAYS SEEK GUIDANCE ON LEGAL MATTERS FROM YOUR OWN LAWYERS © 1991 - 2013 NALPEIRON, ALL RIGHTS RESERVED.
  • 38. GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED Rule 4: Security • Is there a list of security provisions in place for each data set? • Is someone responsible for the development and review of these provisions? • Are these provisions appropriate to the sensitivity of the personal data we keep? • Are our computers and our databases password-protected, and encrypted if appropriate? • Are our computers, servers, and files securely locked away from unauthorized people? Rule 5: Adequate, relevant and not excessive • Do we collect all the information we need to serve our purpose effectively, and to deal with individuals in a fair and comprehensive manner? • Have we checked to make sure that all the information we collect is relevant, and not excessive, for our specified purpose? • If an individual asked us to justify every piece of information we hold about him or her, could we do so? • Does a policy exist in this regard? Rule 6: Accurate and up-to-date • Do we check our data for accuracy? • Do we know how much of our personal data is time-sensitive, i.e. likely to become inaccurate over time unless it is updated? • Do we take steps to ensure our databases are kept up-to-date? Rule 7: Retention time • Is there a clear statement on how long items of information are to be retained? • Are we clear about any legal requirements on us to retain data for a certain period? • Do we regularly purge our databases of data, which we no longer need, such as data relating to former customers or staff members? NALPEIRON IS NOT PROVIDING A LEGAL OPINION, YOU MUST ALWAYS SEEK GUIDANCE ON LEGAL MATTERS FROM YOUR OWN LAWYERS © 1991 - 2013 NALPEIRON, ALL RIGHTS RESERVED.
  • 39. GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED • Do we have a policy on deleting personal data as soon as the purpose for which we obtained the data has been completed? Rule 8: The Right of Access • Is a named individual responsible for handling access requests? • Are there clear procedures in place for dealing with such requests? • Do these procedures guarantee compliance with the Act's requirements? REGISTRATION • Are we clear about whether or not we need to be registered with the Data Protection Commissioner? • If registration is required, is the registration kept up to date? Does the registration accurately reflect our practices for handling personal data? [Remember, if your data-handling practices are out of line with the details set out in your register entry, you may be committing an offence.] • Is a named individual responsible for meeting our registration requirements? TRAINING & EDUCATION • Do we know about the levels of awareness of data protection in our organization? • Are our staff aware of their data protection responsibilities - including the need for confidentiality? • Is data protection included as part of the training program for our staff? CO-ORDINATION AND COMPLIANCE • Has a data protection coordinator and compliance person been appointed? • Are all staff aware of his or her role? • Are there mechanisms in place for formal review by the coordinator of data protection activities within our organization? NALPEIRON IS NOT PROVIDING A LEGAL OPINION, YOU MUST ALWAYS SEEK GUIDANCE ON LEGAL MATTERS FROM YOUR OWN LAWYERS © 1991 - 2013 NALPEIRON, ALL RIGHTS RESERVED.
  • 40. GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED APPENDIX B DATA PROTECTION CONTACT DETAILS FOR ALL MAJOR COUNTRIES Austria Data Protection Council (Datenschutzrat) www.bundeskanzleramt.at/site/6417/default.aspx (Datenschutzrat : Datenschutz : Fachinhalte : Bundeskanzleramt Österreich) Web page of the data protection council (Datenschutzrat), an advisory body of the federal government (German) City of Vienna http://wien.at/english/privacy.htm - Data protection page of the city of Vienna (German, English) The city of Vienna also has a page on genealogy. Federal Ministry of the Interior www.bmi.gv.at/cms/bmi_datenschutz (BM.I Internet - Datenschutz) - Information page of the Austrian federal ministry of the interior on access rights to police databases (German) Unternehmensserviceportal https://www.usp.gv.at/Portal.Node/usp/secure/content/it_und_geistiges_eigentum/datenschutz/40992.html(USP: Datenschutz) - Information on privacy at the Austrian company information portal (Unternehmensserviceportal - USP) (German) National Data Protection Authorities Andorra www.apda.ad (Agència Andorrana de Protecció de Dades) - Website of the data protection authority of the Principality of Andorra (Catalan) Argentina www.jus.gov.ar/datos-personales.aspx (Dirección Nacional de Protección de Datos Personales - Ministerio de Justicia, Seguridad y Derechos Humanos | Presidencia de la Nación) - Website of the Argentine data protection agency, the Dirección Nacional de Protección de Datos Personales (Spanish) Australia NALPEIRON IS NOT PROVIDING A LEGAL OPINION, YOU MUST ALWAYS SEEK GUIDANCE ON LEGAL MATTERS FROM YOUR OWN LAWYERS © 1991 - 2013 NALPEIRON, ALL RIGHTS RESERVED.
  • 41. GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED www.privacy.gov.au (Office of the Privacy Commissioner) - Website of the Australian federal privacy commissioner (English). http://www.lawlink.nsw.gov.au/privacynsw (privacy nsw - Privacy NSW : Lawlink NSW) - Website of the privacy commissioner of the Australian state of New South Wales (English). www.privacy.nt.gov.au (Office Of The Information Commissioner. Northern Territory of Australia) - Website of the information commissioner of the northern territory of Australia. www.privacy.vic.gov.au (Privacy Victoria - Home) - Website of the privacy commissioner of the Australian state of Victoria (English). www.oic.qld.gov.au (Information Commissioner - Welcome) - Website of the privacy commissioner of the Australian state of Queensland (English) Belgium www.privacycommission.be (CBPL-CPVP) - Website of the Belgian data protection agency, the Commission de la protection de la vie privée / Commissie voor de bescherming van de persoonlijke levenssfeer (French, Dutch) Bulgaria www.cpdp.bg (Комисия за защита на личните данни) - Website of the Bulgarian data protection authority (Bulgarian). Canada • www.priv.gc.ca (Privacy Commissioner of Canada / Commissaire à la protection de la vie privée du Canada) - Website of the Privacy Commissioner of Canada (English, French). • www.priv.gc.ca/resource/prov/index_e.asp (Provincial / Territorial Privacy Laws - Office of the Privacy Commissioner of Canada) - Hyperlink page with information on Canadian territorial privacy Laws, oversight offices and government organizations (English) • http://dpi.priv.gc.ca (Office of the Privacy Commissioner - Deep Packet Inspection) - Site of the privacy commissioner of Canada on Deep Packet Inspection (English) Croatia www.azop.hr (Agencija za zaštitu osobnih podataka – Home) - Website of the Croatian personal data protection agency (Croatian, English). Cyprus www.dataprotection.gov.cy (Γραφείο Επιτρόπου Προστασίας Δεδομένων Προσωπικού Χαρακτήρα - Αρχική Σελίδα) - Website of the office of the Cypriot commissioner for personal data protection (Greek, English). NALPEIRON IS NOT PROVIDING A LEGAL OPINION, YOU MUST ALWAYS SEEK GUIDANCE ON LEGAL MATTERS FROM YOUR OWN LAWYERS © 1991 - 2013 NALPEIRON, ALL RIGHTS RESERVED.
  • 42. GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED Czech Republic www.uoou.cz (ÚOOÚ - Hlavní stránka) - The website of the Czech office for personal data protection (Czech, English). Denmark www.datatilsynet.dk (Datatilsynet: Forside) - Website of the Danish data protection agency (Danish, English). Dubai http://dp.difc.ae (DIFC | Data Protection Law) - Website of the data protection agency of Dubai (English) Estonia www.aki.ee (Andmekaitse Inspektsioon: Andmekaitse Inspektsioon) - Website of the Estonian data protection agency (Estonian, Russian, English) Finland www.tietosuoja.fi (Tietosuojavaltuutetun toimisto - Tietosuojavaltuutetun toimisto) - Website of the Finnish data protection board (Finnish, Swedish, English). ##France www.cnil.fr (CNIL - Commission nationale de l'informatique et des libertés) - Website of the French data protection agency (French, English, Spanish). Germany • www.datenschutz.de (Datenschutz - Ihr gutes Recht! - Virtuelles Datenschutzbüro, www.datenschutz.de) - The virtual data protection office, a portal site of the German data protection agencies (German). • www.bfd.bund.de (Internetauftritt des Bundesbeauftragten für den Datenschutz und die Informationsfreiheit) - Website of the German federal data protection commissioner (Bundesbeauftragter für den Datenschutz und die Informationsfreiheit) (German, English, French). • www.baden-wuerttemberg.datenschutz.de (Der Landesbeauftragte für den Datenschutz Baden-Württemberg) - Website of the data protection authority of Baden-Württemberg (German). • www.datenschutz-bayern.de (Bayerischer Landesbeauftragter fuer den Datenschutz) - Website of the Bavarian data protection authority for the public sector (German). • www.regierung.mittelfranken.bayern.de/aufg_abt/abt1/abt1dsa60.htm (Regierung von Mittelfranken) - Website of the Bavarian data protection authority for the private sector (German). NALPEIRON IS NOT PROVIDING A LEGAL OPINION, YOU MUST ALWAYS SEEK GUIDANCE ON LEGAL MATTERS FROM YOUR OWN LAWYERS © 1991 - 2013 NALPEIRON, ALL RIGHTS RESERVED.
  • 43. GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED • www.datenschutz-berlin.de (Berliner Beauftragter für Datenschutz und Informationsfreiheit) - Website of the Berlin data protection authority with links to all other German data protection authorities and the Privacy Magazine (German). • www.lda.brandenburg.de (Die Landesbeauftragte für den Datenschutz und für das Recht auf Akteneinsicht Brandenburg | Startseite) - Website of the data protection authority of Brandenburg (German, English, Polish). • www.datenschutz-bremen.de (Der Landesbeauftragte für Datenschutz und Informationsfreiheit Bremen) - Website of the data protection authority of the city of Bremen (German). • http://www.datenschutz-hamburg.de/ (Der Hamburgische Datenschutzbeauftragte) - Website of the data protection authority of Hamburg (German). • www.datenschutz.hessen.de (Startseite des Hessischen Datenschutzbeauftragten) - Website of the data protection authority of the state of Hessen (German). • www.datenschutz.mvnet.de (Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Mecklenburg-Vorpommern) - Website of the data protection authority of the state of Mecklenburg-Western Pomerania (German). • www.lfd.niedersachsen.de (Der Landesbeauftragte für den Datenschutz Niedersachsen) - Website of the data protection authority of the state of Lower Saxony (German). • www.lfd.nrw.de (LfD - NRW) - Website of the data protection authority of the state of North Rhine- Westphalia (German). • "http://www.datenschutz.rlp.de/" www.datenschutz.rlp.de (Der Landesbeauftragte für den Datenschutz Rheinland-Pfalz) - Website of the data protection authority of the state of Rhineland-Palatinate (German). • http://www.lfdi.saarland.de/ (Landesbeauftragter für Datenschutz Saarland) - Public sector data protection and freedom of information in the state of Saarland (German). • www.datenschutz.sachsen.de (Der Sächsische Landtag) - Website of the data protection authority of the state of Saxony (German). • www.datenschutz.sachsen-anhalt.de (Datenschutz Sachsen-Anhalt) - Website of the data protection authority of the state of Saxony-Anhalt (German). • https://www.datenschutzzentrum.de/ (Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein) - Data protection website of Schleswig-Holstein (German). • www.thueringen.de/datenschutz (Der Thüringer Landesbeauftragte für den Datenschutz) - Website of the data protection authority of the state of Thuringia (German). NALPEIRON IS NOT PROVIDING A LEGAL OPINION, YOU MUST ALWAYS SEEK GUIDANCE ON LEGAL MATTERS FROM YOUR OWN LAWYERS © 1991 - 2013 NALPEIRON, ALL RIGHTS RESERVED.
  • 44. GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED Greece www.dpa.gr (Αρχή) - Website of the hellenic data protection authority (Greek, English). Hong Kong www.pcpd.org.hk (Office of the Privacy Commissioner for Personal Data, Hong Kong) - Website of the Privacy Commissioner for Personal Data of Hong Kong (English, Chinese). Hungary http://abiweb.obh.hu/abi/ (ABIWEB - Az Adavédelmi Biztos honlapja) - Homepage of the Parliamentary Commissioner for Data Protection and Freedom of Information in Hungary (Hungarian, English) Iceland www.personuvernd.is (Persónuvernd. Þínar upplýsingar, þitt einkalíf.) - Website of the Icelandic data protection authority (Icelandic, English). Ireland www.dataprotection.ie (Home - Data Protection Commissioner – Ireland) - Website of the data protection commissioner of the Republic of Ireland (English, Irish). Israel http://ilita.justice.gov.il (‫תושרה‬ ‫טפשמל‬ ‫היגולונכט‬ ‫עדימו‬ - ‫)ישאר‬ - Website of the Israeli Law, Information and Technology Authority (ILITA), home to the Israeli data protection authority (Hebrew, English) Italy www.garanteprivacy.it (Garante per la protezione dei dati personali) - Website of the Italian data protection agency (Italian, English). Japan www.soumu.go.jp/english/index.html (Ministry of Public Management, Home Affairs, Posts and Telecommunications) - Website of the Japanese Ministry of Public Management, Home Affairs, Posts and Telecommunications (Japanese, English). Korea www.kisa.or.kr (한국정보보호진흥원에 오신것을 환영합니다. 음성서비스를 사용하시려면 컨트롤키와 엔터키를 누르세요) - Website of the Korea Information Security Agency (Korean, English). NALPEIRON IS NOT PROVIDING A LEGAL OPINION, YOU MUST ALWAYS SEEK GUIDANCE ON LEGAL MATTERS FROM YOUR OWN LAWYERS © 1991 - 2013 NALPEIRON, ALL RIGHTS RESERVED.
  • 45. GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED Latvia www.dvi.gov.lv/eng (Data State Inspection .|. Homepage) - Website of the Latvian data protection agency (Latvian, Russian, English, hyperlink leads to English page). Liechtenstein www.dss.llv.li (Home - Datenschutzstelle) - Web page of the data protection authority of the principality of Liechtenstein (German-language page only, but there is an English translation of the data protection law). Lithuania www.ada.lt (Valstybinė duomenų apsaugos inspekcija) - Website of the Lithuanian data protection agency (Lithuanian, English). Luxembourg www.cnpd.lu/de (Commission nationale pour la protection des données - Startseite) - Data protection authority of Luxembourg (German, French) Malta www.dataprotection.gov.mt (Welcome to Data Protection) - Website of data protection commission of the republic of Malta (English). Former Yugoslav Republic of Macedonia http://www.dzlp.mk/index.cfm?lng=2 (Дирекција за заштита на лични податоци) - Website of data protection commission of the former Yugoslav Republic of Macedonia (Macedonian, English). Mexico www.ifai.org.mx/DatosPersonales (Protección de Datos Personales) - Website of Mexican data protection authority (Spanish, parts in English). Monaco www.ccin.mc (CCIN - Commission de contrôle des informations nominatives - Principauté de MONACO - Site officiel) - Website of data protection commission of the Principality of Monaco (French). New Zealand www.privacy.org.nz (The Office of the Privacy Commissioner, New Zealand / Homepage) - Website of the New Zealand data protection agency (English). Netherlands NALPEIRON IS NOT PROVIDING A LEGAL OPINION, YOU MUST ALWAYS SEEK GUIDANCE ON LEGAL MATTERS FROM YOUR OWN LAWYERS © 1991 - 2013 NALPEIRON, ALL RIGHTS RESERVED.
  • 46. GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED www.cbpweb.nl (College bescherming persoonsgegevens) - Website of the Dutch data protection agency (Dutch, English). Norway www.datatilsynet.no (Forsiden - Datatilsynet - personvern og informasjonssikkerhet) - Website of the Norwegian Data Inspectorate (Norwegian, English). Poland www.giodo.gov.pl (GIODO Generalny Inspektor Ochrony Danych Osobowych) - Website of the Polish Inspector General for the Protection of Personal Data (Polish, English, French). Portugal www.cnpd.pt (Página Principal – CNPD) - Website of the Portugese data protection agency, the Comissão Nacional de Protecção de Dados (Portugese, French, English). Romania www.dataprotection.ro (ANSPDCP Dataprotection Romania) - Website of the Romanian national authority for the supervision of personal data processing (Romanian, English). Sweden www.datainspektionen.se (Datainspektionen - Vi värnar om din personliga integritet i IT-samhället) - Website of the Swedish Data Inspection Board (Swedish, English). Switzerland • www.privatim.ch (privatim - die schweizerischen Datenschutzbeauftragten) - Organisation of the Swiss cantonal data protection authorities (German, French). • www.derbeauftragte.ch (EDÖB - Der Eidgenössische Datenschutz- und Öffentlichkeitsbeauftragte (EDÖB)) - Homepage of the Swiss Federal data protection and information commissioner (German, French, Italian and English). • www.vpb.admin.ch/deutsch/cont/aut/aut_1.2.3.5.html (Dokumente der EDSK) - Documents and decisions of the Swiss data protection commission (German, French and Italian). • www.baselland.ch/Datenschutz.273496.0.html (Kanton Basel-Landschaft - Datenschutz) - Homepage of the cantonal data protection authority of Basel-Country (German). • www.jgk.be.ch/site/ds_portrait.htm (Portrait) - Homepage of the data protection agency of the canton of Berne (German). NALPEIRON IS NOT PROVIDING A LEGAL OPINION, YOU MUST ALWAYS SEEK GUIDANCE ON LEGAL MATTERS FROM YOUR OWN LAWYERS © 1991 - 2013 NALPEIRON, ALL RIGHTS RESERVED.
  • 47. GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED • www.bern.ch/stadtverwaltung/datenschutz (Die Stadt Bern - Datenschutzbeauftragter) - Data protection page of the city of Berne (German). • www.fr.ch/sprd/de/default.asp?web=sprd&loc=de;loc=de (Fribourg: SPRD: Homepage) - Homepage of the cantonal data protection authority of Fribourg (German, French and English). • www.datenschutz.lu.ch (Datenschutzbeauftragter des Kantons Luzern) - Homepage of the cantonal data protection authority of canton of Lucerne (German). • www.ne.ch/neat/site/jsp/rubrique/rubrique.jsp?StyleType=marron&CatId=4317 (République et canton du Neuchâtel - Rubrique Protection des données) - Homepage of the data protection commissioner of the canton of Neuchâtel (French). • www.so.ch/staatskanzlei/datenschutz-oeffentlichkeitsprinzip/datenschutz.html (Beauftragter Information und Datenschutz) - Homepage of the data protection commissioner of the canton of Solothurn (German). • www.sg.ch/home/sicherheit/datenschutz.html (Datenschutz) - Homepage of the data protection commissioner of the canton of St. Gallen (German). • www.ti.ch/CAN/RPD (CAN - Responsabile protezione dei dati - Cantone Ticino) - Homepage of the data protection commissioner of the canton of Ticino (Italian). • www.vs.ch/Navig/navig.asp?MenuID=2712 (Etat du Valais) - Homepage of the data protection commissioner of the canton of Valais (French). • www.datenschutz-zug.ch (Datenschutzbeauftragter des Kantons Zug) - Homepage of the data protection commissioner of the canton of Zug (German). • www.datenschutz.ch (Datenschutzbeauftragter | Startseite) - Data protection commissioner of the canton of Zurich (German). • www.stadt-zuerich.ch/content/portal/de/index/politik_u_recht/datenschutzstelle.html (Datenschutzstelle) - Data protection commissioner of the city of Zurich (German) Slovakia www.dataprotection.gov.sk (Úrad na ochranu osobných údajov Slovenskej republiky) - Website of the Slovakian data protection authority (Slovakian, English). Slovenia www.ip-rs.si (IP-RS: Domov) - Website of the Slovenian information commissioner (Slovenian, English). Spain NALPEIRON IS NOT PROVIDING A LEGAL OPINION, YOU MUST ALWAYS SEEK GUIDANCE ON LEGAL MATTERS FROM YOUR OWN LAWYERS © 1991 - 2013 NALPEIRON, ALL RIGHTS RESERVED.
  • 48. GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED • http://swww.agpd.es (Agencia de Protección de Datos) - Website of the Spanish data protection agency(Spanish, some texts in English). • www.madrid.org/apdcm (La Agencia - Agencia de Protección de Datos de la Comunidad de Madrid - Comunidad de Madrid) - Website of the data protection agency of the city of Madrid (Spanish). • www.apdcat.net (Agència Catalana de Protecció de Dades) - Website of the Catalan data protection agency (Catalan, Spanish, English). • www.avpd.es (Agencia Vasca de Protección de Datos) - Website of the Basque data protection agency(Basque, Spanish). Thailand www.oic.go.th/content_eng/default_eng.asp (Office of the Official Information Commission (O.I.C.)) - English part of the website of the Information Commission of Thailand (Thai, English). United Kingdom of Great Britain and Northern Ireland • www.ico.gov.uk (Information Commissioner's Office - ICO) - Website of the British Information Commissioner (English). • www.gov.gg/ccm/navigation/home-department/data-protection-commissioner (States of Guernsey: Data Protection) - Data protection website of the Bailiwick of Guernsey Data Protection Commissioner (English). • “www.gov.im/odps":http://www.gov.im/odps/ (Welcome - Isle of Man Government Office of the Data Protection Supervisor) - Website of the data protection supervisor of the Isle of Man (English). • www.dataprotection.gov.je (Data Protection - Data Protection In Jersey) - Office of the data protection registrar of the Bailiwick of Jersey (English). • www.gra.gi/index.php?site=dataprotection (GRA - Data Protection Page) - Office of the data protection commissioner of Gibraltar (English). United States of America (USA) • https://safeharbor.export.gov/list.aspx (Safe Harbor - List) - Safe Harbor website of the US department of commerce (English). • http://www.dhs.gov/xabout/structure/editorial_0338.shtm (DHS: The Privacy Office of the U.S. Department of Homeland Security) - Website of the privacy office of the United States Department of Homeland Security (English). • www.whitehouse.gov/omb/privacy_default (Privacy Guidance) - Privacy page of the Office of Management and Budget (English). NALPEIRON IS NOT PROVIDING A LEGAL OPINION, YOU MUST ALWAYS SEEK GUIDANCE ON LEGAL MATTERS FROM YOUR OWN LAWYERS © 1991 - 2013 NALPEIRON, ALL RIGHTS RESERVED.

Related Documents