
Global Practice Guide

Data Privacy
A Global Practice Guide prepared by the Lex Mundi E-Commerce Technology Outsourcing and Privacy Practice Group

This guide is part of the Lex Mundi Global Practice Guide Series which features substantive overviews of laws, practice areas, and legal and business issues in jurisdictions around the globe. View the complete series at: www.lexmundi.com/GlobalPracticeGuides.

Lex Mundi is the world's leading network of independent law firms with in-depth experience in 100+ countries. Through close collaboration, our member firms are able to offer their clients preferred access to more than 21,000 lawyers worldwide, a global resource of unmatched breadth and depth. Lex Mundi: the law firms that know your markets.

www.lexmundi.com

About this Guide


This survey, entitled Data Privacy, was conducted in 2010 by members of the Lex Mundi E-commerce, Technology, Outsourcing and Privacy Practice Group. The guide presents overviews of general data privacy laws on personally identifiable information, personal health information, financial information and other sensitive data in different jurisdictions around the world. This multi-jurisdictional survey will be updated from time to time. For the most up-to-date information, please go to the Lex Mundi web site (www.lexmundi.com) and access the Data Privacy survey from the E-commerce, Technology, Outsourcing and Privacy Practice Group web page or from the Publications and Resources page. If you need assistance, please contact the Lex Mundi office at 1.713.626.9393. The results of the survey are not intended to represent a comprehensive guide nor legal advice on the matters covered by them, but rather provide a general overview of the subject. They may only be used as an indication, and advice should always be sought from the appropriate Lex Mundi member law firm. Please note that each response was provided on a different date, and therefore the answers to the survey refer to laws and regulations in force on that specific date.

Table of Contents
Austria ..... 1
Barbados ..... 4
Brazil ..... 8
Bulgaria ..... 13
Canada, Manitoba ..... 16
Canada, Nova Scotia ..... 18
Chile ..... 20
Colombia ..... 24
Cyprus ..... 27
Dominican Republic ..... 29
Estonia ..... 32
Finland ..... 36
Greece ..... 41
Hungary ..... 44
Ireland ..... 47
Italy ..... 50
Latvia ..... 53
Lithuania ..... 56
Malta ..... 59
New Zealand ..... 63
Panama ..... 67
Romania ..... 71
Russia ..... 76
Scotland ..... 84
Slovenia ..... 87
South Africa ..... 94
Spain ..... 101
Sweden ..... 105
Switzerland ..... 110
Thailand ..... 113
The Netherlands ..... 116
United Arab Emirates ..... 121

www.lexmundi.com
2009 Lex Mundi


Data Privacy Survey

Austria
Prepared by Lex Mundi member firm CHSH Cerha Hempel Spiegelfeld Hlawati
1. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personally Identifiable Information, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

Personally identifiable data is primarily protected under the Federal Act Concerning the Protection of Personal Data (Datenschutzgesetz 2000). A copy is available on the website of the Austrian Data Protection Commission (Datenschutzkommission): www.dsk.gv.at/site/6230/default.aspx. The Telecommunications Act (Telekommunikationsgesetz) sets out the duty of secrecy regarding communications and the protection afforded to content data, as specified in § 96 et seq. A copy can be downloaded from: www.rtr.at/en/tk/TKG2003/TKG_2003_eng.pdf. Criminal sanctions for violations of data protection provisions and secrecy obligations regarding communications are stipulated in the Austrian Criminal Code (Strafgesetzbuch). A copy is available online at www.ris.bka.gv.at (only in German).

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

Depending on the breach, the aforementioned laws contain administrative penalties (administrative penalties of up to EUR 25,000 can be imposed under the Federal Act Concerning the Protection of Personal Data) and criminal penalties (including custodial sentences of up to one year for breaching the Federal Act Concerning the Protection of Personal Data, the Telecommunications Act or the Austrian Criminal Code). Individuals may also seek damages.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

Depending on the kind of breach, administrative penalties can be imposed by the Austrian Data Protection Commission in accordance with the Federal Act Concerning the Protection of Personal Data or by the established national telecommunications authorities. Criminal penalties are imposed by a court of law.
d) Any additional information that is material?

2. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personal Health Information, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

Personal health information is deemed to be sensitive data pursuant to § 4 para. 2 of the Federal Act Concerning the Protection of Personal Data (see: www.dsk.gv.at/site/6230/default.aspx). Sensitive data is defined as data relating to natural persons concerning their racial or ethnic origin, political opinion, trade-union membership, religious or philosophical beliefs, and data concerning health or sex life. The DSG contains stricter rules for sensitive data, e.g. the necessary approval of the Data Protection Authorities before it can be used at all, and the restricted use of sensitive data. The Health Telematics Act (Gesundheitstelematikgesetz) stipulates additional data safety measures for the electronic transmission of health data.

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

Please see section 2a, as the penalties also apply to health data. Furthermore, the Health Telematics Act stipulates an administrative penalty of up to EUR 50,000.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

Please see section 2b. The implementation of and compliance with the Health Telematics Act is governed by the Ministry for Health and Women.

d) Any additional information that is material?

3. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Financial Information, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

The general provisions of the Federal Act Concerning the Protection of Personal Data, the Telecommunications Act and the Austrian Criminal Code apply to data concerning an individual's creditworthiness. However, according to § 18 (2) 3. of the Federal Act Concerning the Protection of Personal Data, data applications whose purpose is to provide information on the creditworthiness of data subjects are subject to prior registration with the Data Protection Register.

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

Please see section 1b.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

Please see section 1c.

d) Any additional information that is material?
4. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that is applicable to other sensitive data, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

§ 9 of the Federal Act Concerning the Protection of Personal Data provides regulations for the use of sensitive data and defines when the use of sensitive data does not infringe the interests in secrecy deserving protection. Furthermore, data applications involving sensitive data may only be taken into operation after prior registration with the Data Protection Authorities (§ 18 (2) of the Federal Act Concerning the Protection of Personal Data). (www.dsk.gv.at/site/6230/default.aspx)
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

Please see section 1b.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

Please see section 1c.

d) Any additional information that is material?

Contact Information
Mag. Claudia Bernhard, claudia.bernhard@chsh.at
Dr. Hans Kristoferitsch, hans.kristoferitsch@chsh.com
CHSH Cerha Hempel Spiegelfeld Hlawati
Parkring 2
A-1010 Vienna, Austria
Tel 43.1.514.35.0
Fax 43.1.514.35.35
www.chsh.com



Data Privacy Survey

Barbados
Prepared by Lex Mundi member firm Clarke Gittens Farmer
1. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personally Identifiable Information, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

Data privacy in Barbados is dealt with under various pieces of legislation. There is a draft Data Protection Bill that seeks to provide for the regulation of the collection, keeping, processing, use or dissemination of personal data and the protection of the privacy of individuals in relation to personal data, but this has not yet been passed into law. Section 22 of the Electronic Transactions Act, Cap. 308B of the laws of Barbados (ETA), prohibits the use of information obtained under the ETA that relates to the private affairs of a natural person without that person's consent. However, this prohibition does not apply where disclosure of information is made in certain circumstances, including in connection with the investigation of any criminal offence or for the purpose of facilitating the carrying out of prescribed public functions of any person. A copy of the ETA may be found at: http://www.commerce.gov.bb/Legislation/Documents/CAP%20308B.PDF

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

Section 22(5) of the ETA provides that any person who discloses any information in contravention of the section is liable on summary conviction to a fine of $10,000 or imprisonment for a term of two years or to both.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

Section 22(6) of the ETA provides that the Minister may make regulations prescribing the standards for the processing of personal data, whether that data originates within or outside of Barbados. No regulations have been prescribed to date.

d) Any additional information that is material?
The ETA provides that the regulations may provide for the registration of standards by data controllers and data processors. A data controller who registers a standard must comply with the standard, and any amendments made to that standard, in respect of any personal data that originates from a country to which the standard applies and is collected by the data controller during the period of registration. A data controller who fails to comply with this provision is guilty of an offence and is liable on summary conviction to imprisonment for a term of six months or to a fine of $5,000 or to both.


2. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personal Health Information, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

There is no legislation that provides for data privacy as regards personal health information. Generally, doctors owe a common law duty of confidentiality to their patients. The patient's confidential information should not be disclosed to a third party without his consent. In the absence of consent, members of the medical profession are in breach of their duty if they disclose such information unless required to do so by due process of law. A doctor may only disclose a patient's personal health information under the following circumstances:
i. when giving testimony in a court of law;
ii. where the patient has given express or implied consent; or
iii. where it is required in the public interest.
iv. A patient may give express or implied consent to the disclosure of confidential information by their doctor. However, whether consent is implied is a question of fact, and the burden of proof lies on the doctor to prove that consent was given.

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

N/A

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

N/A

d) Any additional information that is material?

N/A

3. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Financial Information, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

The main statutes applicable to data privacy with respect to financial information are:
The Financial Institutions Act, Cap. 324A of the laws of Barbados (FIA): http://www.centralbank.org.bb/WEBCBB.nsf/web_documents/C03B815750FE1F3E042572FC0012E992/$File/financial_institutions_act.pdf
The Securities Act, Cap. 318A of the laws of Barbados (SA): http://www.seccom.com.bb/(S(wyvc3545xitiucf5l421s055)/media/documents/SecuritiesActCAP318A_2002.pdf
The Securities Regulations, 2002 (SR): http://www.seccom.com.bb/(S(wyvc3545xitiucf5l421s055))/media/documents/SecuritiesRegulations_2002.pdf
The Central Bank of Barbados Act, Cap. 323C of the laws of Barbados (CBA): http://www.centralbank.org.bb/WEBCBB.nsf/web_documents/B6F606E8405FEE63042572FA00705583/$File/cbb_act.pdf
The FIA: Section 44 of the FIA provides that, subject to s. 43(7) and s. 44(2), no statement, return or information furnished or submitted by a licensee in respect of its business shall be disclosed by the Central Bank, any officer of the Central Bank or any person authorized by the Central Bank to receive such information on behalf of the Central Bank. Section 43(7) provides for the Central Bank to publish information submitted on the quarterly returns of each licensee in the Official Gazette and a daily newspaper, but prohibits the publication of information in respect of the affairs of a particular customer. Section 44(2) permits the Central Bank to disclose information without the consent of a licensee to the Director of Public Prosecutions, the Commissioner of Inland Revenue or the appropriate supervisory authority of financial institutions outside Barbados at the request of that authority, where there is a branch, holding company or affiliate of the licensee operating in that country. See response 3d for more on the CBA, SA and SR.

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

Any person who contravenes section 18(1) of the CBA is guilty of an offence and liable on summary conviction to a fine of $500 or to imprisonment for 6 months or to both. A person who contravenes section 18(1) or (2) of the SA is guilty of an offence and liable on summary conviction to a fine of $50 000 and to imprisonment for 12 months.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

The Minister of Finance and the Securities Commission are the applicable administrative authorities.

d) Any additional information that is material?

The CBA provides for the establishment of the Central Bank of Barbados (the Bank) and for related matters. Pursuant to section 18(1) of the CBA, no Director, officer or employee of the Bank shall disclose to any person any material information relating to the affairs of the Bank or of any other bank or financial institution or other person, firm, company or organization which he acquired in the performance of his duties or the exercise of his functions, except for the purpose of the performance of his duties or the exercise of his functions or when lawfully required to do so by any court or under the provisions of the law.

The SA provides for the establishment of a Securities Commission and makes provision for the regulation of the securities market and the capital market, the protection of investors and related matters. Pursuant to section 8(1) of the SA, no Commissioner or other person employed or retained by the Commission shall make use, either directly or indirectly, of any confidential information obtained as a result of his relationship with the Commission for his own benefit or advantage. Pursuant to section 8(2), confidential information may also not be disclosed unless it is in connection with the enforcement of the SA or any other law in Barbados.

The SR are regulations made by the Minister of Finance in exercise of the powers conferred on him by section 126(7) of the SA. Regulation 5(c) of the SR prohibits the members of the Securities Commission (the Commission), the General Manager and each officer, clerk or other person who is employed by the Commission or who holds office or an appointment under the SA or the SR, or any person to whom any authority has been delegated by the Commission, from divulging or releasing, in advance or otherwise, confidential, non-public or official information to a person unless they are authorized under the SA or the SR.


4. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that is applicable to other sensitive data, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

There is no legislation that otherwise applies to other sensitive data.

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

N/A

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

N/A

d) Any additional information that is material?

N/A

Contact Information
Gillian Clarke, ghc@clarkes.com.bb
Clarke Gittens Farmer
Parker House
Wildey Business Park
Wildey Road
St. Michael BB14006, Barbados
Tel 1.246.436.6287
Fax 1.246.436.9812
www.clarkes.com.bb



Data Privacy Survey

Brazil
Prepared by Lex Mundi member firm Demarest e Almeida
1. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personally Identifiable Information, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

Protection of personally identifiable information is set forth in the Brazilian Federal Constitution and, on a more specific scope regarding consumer relations, in the Consumer Protection Code. The Brazilian Federal Constitution establishes the sanctity of private life and intimacy in its article 5, item X, and explicitly forbids breaking and entering in its article 5, item XI, proclaiming one's home to be a sacred asylum, except where one is caught red-handed, urgent help is needed, or, during daytime, in compliance with a judicial determination. The interception of phone calls, mail and/or general data is also prohibited by the Brazilian Federal Constitution, as provided in article 5, item XII. The Consumer Protection Code, established by Law number 8078/90, stipulates in its article 43 a series of rights and warranties for the consumer concerning personal information recorded in databases and registration files. The provisions of the Consumer Protection Code are intended to set boundaries on and limit the use of consumer personal information by the service provider, in an attempt to balance consumer relations.

Online copies of the mentioned legal provisions:
http://www.planalto.gov.br/ccivil_03/constituicao/constituiao.htm
http://www.planalto.gov.br/ccivil_03/LEIS/L8078.htm

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

The violation of one's domicile, mail or phone communication, as well as the disclosure of one's private and/or confidential information, are considered crimes, set forth in articles 150, 151 and 153, respectively, of the Brazilian Penal Code.
The criminal sanction stipulated for the crime of domicile violation is detention, from one to three months, or a fine. If the crime is committed by a public officer, in a situation other than those authorized by law, or not in compliance with the formalities set forth by law, or with abuse of power, the criminal sanction is increased by one third. If the crime is committed during night time, at a deserted place, with the use of violence or a weapon, or by two or more people, the criminal sanction is detention, from six months to two years, in addition to the penalty concerning the use of violence. The criminal sanction stipulated for the crime of mail or phone communication violation is detention, from one to six months, or a fine. If the crime causes damage to others, the criminal sanction is increased by half. If the crime is committed by an agent of the postal service or phone service provider with abuse of duty-related privileges, the criminal sanction is detention, from one to three years. Disclosing, without good cause, the contents of a private document or confidential mail, where such disclosure causes damage to others, is also a crime, for which the criminal sanction is detention, from one to six months, or a fine. The Consumer Protection Code sets forth, in its articles 72 and 73, the crimes of denying a consumer access to his/her personal data and refusing to correct inaccurate information.


c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

Confidentiality of personally identifiable information is protected by the Brazilian Federal Constitution, and only a competent judge can enforce the applicable penalties after the conclusion of due criminal proceedings. Concerning the provisions of the Consumer Protection Code, the administrative authority is PROCON - Grupo Executivo de Proteção ao Consumidor (Executive Group for Consumer Protection). If a judicial proceeding is commenced to investigate the crime, only a competent judge can enforce the applicable penalties after the conclusion of due criminal proceedings.

d) Any additional information that is material?

None.

2. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personal Health Information, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

Personal health information can be considered part of one's intimacy and private life, for which reason it is protected by the Brazilian Federal Constitution, as provided in its article 5, item X. The secrecy of personal health information is also set forth in the Medical Ethics Code, in its articles 73 to 79. According to such provisions, a doctor is forbidden from disclosing information of which he/she has knowledge due to duty-related privileges, except in light of a legal determination, good cause or the patient's consent. Where underage children are concerned, the prohibition extends to the patient's parents or legal guardians, unless non-disclosure may cause damage to the patient.

Online copies of the mentioned legal provisions:
http://www.planalto.gov.br/ccivil_03/constituicao/constituiao.htm
http://www.cremesp.org.br/library/modulos/legislacao/versao_impressao.php?id=8822

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

The disclosure of privileged information obtained in the course of professional practice is considered a crime, set forth in article 154 of the Brazilian Penal Code. The criminal sanction stipulated for such crime is detention, from three months to one year, or a fine. Health professionals who do not comply with the provisions of the Medical Ethics Code, and whose actions may cause irreparable damage to a patient or to society, may be suspended from medical practice. If a judicial proceeding is commenced to investigate the crime, only a competent judge can enforce the applicable penalties after the conclusion of due criminal proceedings.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

The confidentiality of all personally identifiable information, which encompasses personal health information, is protected by the Brazilian Federal Constitution, and only a competent judge can enforce the applicable penalties after the conclusion of due criminal proceedings. Concerning the provisions of the Medical Ethics Code, the administrative authority is the Regional Council of Medicine, which, in case of non-compliance, may commence specific administrative proceedings, which in turn may lead to the suspension of the doctor's license to practice medicine. If a judicial proceeding is commenced as a consequence of the administrative proceeding, only a competent judge can enforce the applicable penalties after the conclusion of due criminal proceedings.

d) Any additional information that is material?

None.

3. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Financial Information, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

Supplementary Law number 105/10 provides for the confidentiality of financial data and operations. Such law determines that Brazilian financial institutions shall maintain the secrecy of active and passive operations and banking services. Although this is the general rule, the following conducts, among others, do not constitute a breach of the duty of confidentiality: (i) the exchange of enrollment information between financial institutions, (ii) provision of enrollment information of issuers of insufficient-funds checks or borrowers in default to credit protection entities, (iii) communication to the competent authorities about illegal practices, including the supply of information on transactions involving funds that are bound to any criminal wrongdoing, and (iv) disclosure of information with the express consent of the parties involved in the operation. In addition, this law provides for the possibility of an authorized breach of bank confidentiality when there is a need to verify the existence of any unlawful conduct, such as, but not limited to: terrorism, illicit trafficking of narcotic substances or similar drugs, smuggling or trafficking of firearms or materials for their production, extortion through kidnapping, crimes against the national financial system, against the Public Administration or against tax and social security, money laundering and any crimes performed by a criminal organization.
It is important to point out that this breach has to be authorized by a judge during any sort of police/administrative inquiry or judicial proceeding. It should be emphasized that the Brazilian Federal Constitution does not provide for a fundamental right to bank confidentiality. However, this right can be inferred from the general right to privacy and intimacy established by article 5, item X, of the Constitution.
Online copy of the mentioned legal provisions: http://www.planalto.gov.br/ccivil/leis/LCP/Lcp105.htm

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
According to article 10 of the Supplementary Law number 105/10, a breach of bank confidentiality performed outside the hypotheses authorized under this law constitutes a crime and subjects those responsible for it to imprisonment from one to four years and a fine. The same article provides that one who omits, delays or provides false information required under this Law is subject to the same penalties. This law also determines that an official who uses or permits the use of any information obtained as a result of a breach of confidentiality is personally and directly liable for any damages, which does not exclude the objective responsibility of the public entity when it is proven that the employee was acting in accordance with official guidance. In other words, both the employee and the company can be held responsible for any civil damages that resulted from the breach.


c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
It is important to point out that this Law applies to any financial institution in Brazil, which means banks of any kind, securities dealers, currency exchange and securities agencies, credit, finance and securities companies, real estate credit companies, credit card managers, leasing companies, credit unions, savings and loan associations, stock exchanges, clearing and settlement entities and other companies that, due to the nature of the financial operations performed by them, are so considered by the National Monetary Council. According to article 10 of the Supplementary Law number 105/10, the Central Bank of Brazil and the Securities Commission have jurisdiction for enforcement of such law and are responsible for supervising the operations and for informing the Public Prosecutor's office of any detected trace of unlawful conduct (article 9). It should be emphasized that, although these administrative authorities are entitled to enforce the Supplementary Law number 105/10, they cannot perform the breach of confidentiality by themselves, because a court order is always necessary for that to happen.

d) Any additional information that is material?
None.

4. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that is applicable to other sensitive data, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
It is important to point out that Brazilian legislation also protects the confidentiality of telephone and written communications. The Federal Constitution (article 5, item XII) provides that the confidentiality of correspondence and of telegraphic, data and telephone communications is irrefragable, except under a court order, in the cases and form provided by law, for purposes of criminal investigations and proceedings.
In order to regulate this issue, there is also Law 9296/96, which describes the proceeding that should be adopted in order to perform a breach of confidentiality in a lawful way. It should be emphasized that any breach of confidentiality shall be authorized by a court order in order to be legal and legitimate.

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
According to Law 9296/96, it is a crime to intercept telephone or online communications without a court order or to serve a goal which is not authorized by law. The person responsible for said conduct can also be obliged to pay for civil damages caused by the unlawful action. The Brazilian Penal Code also provides that it is a crime to disclose, transmit or abusively make use of telegraph, radio communication or telephone conversations between two people. The one who is found responsible for such crime can be sentenced to imprisonment from 1 to 6 months or a fine.


c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
This sort of confidentiality is protected by the Federal Constitution, and only the Police Authority or the Public Prosecutor can request the breach during a criminal proceeding or investigation. Therefore, there are no administrative authorities with jurisdiction for said measure.

d) Any additional information that is material?
None.

Contact Information
Luís Carlos Torres, ltorres@demarest.com.br
Juliana Latre
Andrea Vainer
Demarest e Almeida
Av. Pedroso de Moraes, 1201, Centro Cultural Ohtake
Sao Paulo 05419-001, Brazil
Tel 55.11.3356.1800
Fax 55.11.3356.1700
www.demarest.com.br


Data Privacy Survey

Bulgaria
Prepared by Lex Mundi member firm Penkov, Markov & Partners
1. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personally Identifiable Information, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
The general provisions on data privacy are in the Bulgarian Law for Protection of Personal Data, link: http://www.cpdp.bg/en/index.php?p=element&aid=128
Some aspects of data privacy are detailed in:
i. Rules on the activity of the commission for personal data protection and its administration - link: http://www.cpdp.bg/en/index.php?p=element&aid=36
ii. Ordinance No. 1 dated 7 February 2007 on the minimal level of technical and organizational measures and the admissible type of personal data protection - link: http://www.cpdp.bg/en/index.php?p=element&aid=37

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
The penalties vary from BGN 1000 to BGN 100 000 (approximately EUR 500 to EUR 51 000). Criminal sanctions are provided by the Bulgarian Criminal Code only for disclosing passwords or codes for access to a computer system or to computer data, which leads to disclosure of personal data. The sanction is deprivation of liberty of up to one year. If that criminal offence is committed with a venal goal in mind, or where it has caused considerable damage or other grave consequences have occurred, the punishment shall be deprivation of liberty of up to three years.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
Commission for Personal Data Protection

d) Any additional information that is material?

2. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personal Health Information, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
The information provided for Personally Identifiable Information is also applicable.

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
The information provided for Personally Identifiable Information is also applicable.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
Commission for Personal Data Protection
Ministry of Healthcare

d) Any additional information that is material?

3. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Financial Information, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
The general provisions regarding private financial information are regulated by:
i. Bulgarian Law for Protection of Personal Data and
ii. Credit Institutions Act.
Link to the Credit Institutions Act: http://www.bnb.bg/bnbweb/groups/public/documents/bnb_law/laws_creditinstitutions_en.pdf

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
According to the provisions of the Credit Institutions Act, any person who commits or suffers another to commit a violation of this Act or of any statutory instrument issued for the application thereof shall be liable to a fine of BGN 1,000 to BGN 4,000, and for a repeated violation BGN 3,000 to BGN 12,000, unless the act constitutes a criminal offence.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
Bulgarian National Bank

d) Any additional information that is material?

4. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that is applicable to other sensitive data, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
The information provided for Personally Identifiable Information is also applicable.

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
The information provided for Personally Identifiable Information is also applicable.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.


d) Any additional information that is material?

Contact Information
Svetoslav Dimitrov, svetoslav.dimitrov@penkov-markov.eu
Penkov, Markov & Partners
13B Tintyava Str., Floor 6
1113 Sofia, Bulgaria
Tel 359.2.971.3935
Fax 359.2.971.1191
www.penkov-markov.eu


Data Privacy Survey

Canada, Manitoba
Prepared by Lex Mundi member firm Thompson Dorfman Sweatman LLP
1. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personally Identifiable Information, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
The Freedom of Information and Protection of Privacy Act: http://web2.gov.mb.ca/laws/statutes/ccsm/f175e.php
The Personal Health Information Act: http://web2.gov.mb.ca/laws/statutes/ccsm/p033-5e.php

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
The Personal Data Act provides that the handling of personal or sensitive data in breach of the provisions of the Personal Data Act will cause the database administrator to be liable for all damages caused to the person, including monetary damages and pain and suffering (daño moral). There are no criminal sanctions established in the Personal Data Act.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
The Ombudsman of Manitoba administers the legislation. That is an independent office of the Manitoba legislature (i.e. not government).

d) Any additional information that is material?

2. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personal Health Information, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
See earlier references.

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
Same as earlier references.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
Same as earlier references.


d) Any additional information that is material?

3. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Financial Information, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
I do not believe that there is legislation specific to financial information.

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

d) Any additional information that is material?

4. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that is applicable to other sensitive data, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
I cannot think of other relevant legislation in this regard.

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

d) Any additional information that is material?

Contact Information
Lisa Stiver, ljs@tdslaw.com
Thompson Dorfman Sweatman LLP
201 Portage Avenue, Suite 2200
Winnipeg, Manitoba R3B 3L3, Canada
Tel 1.204.957.1930
Fax 1.204.934.0570
www.tdslaw.com


Data Privacy Survey

Canada, Nova Scotia


Prepared by Lex Mundi member firm McInnes Cooper
1. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personally Identifiable Information, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
The Personal Information Protection and Electronic Documents Act (http://laws.justice.gc.ca/en/P-8.6/) applies to information collected, used and disclosed in the course of commercial activities and to employee information collected, used and disclosed by federal works, undertakings or businesses.

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
The Personal Data Act provides that the handling of personal or sensitive data in breach of the provisions of the Personal Data Act will cause the database administrator to be liable for all damages caused to the person, including monetary damages and pain and suffering (daño moral). There are no criminal sanctions established in the Personal Data Act.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
Privacy Commissioner of Canada (http://www.priv.gc.ca)

d) Any additional information that is material?
Jurisdiction over privacy in Canada is split between the federal government and the provinces. Different laws apply to the public sector (government, government corporations, agencies).

2. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personal Health Information, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
In Nova Scotia, a range of laws such as the Hospitals Act and public health legislation apply to personal health information. The general private sector law applies to health information collected, used and disclosed by private practitioners. We anticipate a Personal Health Information Act to be introduced and passed in the coming year.

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
There are no penalties under the public sector laws. In the private sector, the remedies are the same as for the general private sector privacy law.


c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
Protection of Privacy Review Officer.

d) Any additional information that is material?

3. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Financial Information, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
Financial information is covered by the general privacy statutes in Canada.

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

d) Any additional information that is material?

4. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that is applicable to other sensitive data, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
N/A

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
N/A

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

d) Any additional information that is material?

Contact Information
David TS Fraser, david.fraser@mcinnescooper.com
McInnes Cooper
1300-1969 Upper Water Street, Purdy's Wharf Tower II
Halifax, Nova Scotia B3J 2V1, Canada
Tel 1.902.425.6500
Fax 1.902.425.6350
www.mcinnescooper.com


Data Privacy Survey

Chile
Prepared by Lex Mundi member firm Claro & Cia., Abogados
1. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personally Identifiable Information, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
The Chilean Personal Data Protection Act (the Personal Data Act) provides for rules on the treatment of personal data in general. The Personal Data Act establishes general rules regarding the treatment of personal data (any information concerning a person) and sensitive data. Any person can engage in the treatment and management of personal data, as long as it complies with the following:
i. the treatment of personal data must be authorized in writing, and the authorization may be revoked;
ii. the identity of those retrieving personal data must be recorded;
iii. all personal data a.) whose storage has lost its legal basis must be eliminated; b.) which is found to be mistaken, inaccurate, equivocal or incomplete must be amended; and c.) whose accuracy cannot be proven or whose effectiveness is doubtful must be blocked;
d.) personal data must be kept confidential;
e.) all personal data must only be used for the purpose for which it was collected; and
f.) sensitive data cannot be subject to treatment, unless expressly authorized by law or by its owner, or for purposes of obtaining health benefits.
No authorization is required for publicly available information of an economic, financial, banking or commercial nature; information contained in lists segregating individuals by profession, education, address or date of birth; for responses to commercial communications or sales; and treatment made by a company for its own use. The Chilean Labor Code requires employers to treat any private information and data of their employees confidentially. The Chilean Constitution recognizes the protection of private communication in general.
This is a link to the Personal Data Act: http://www.leychile.cl/Navegar?idNorma=141599
This is a link to the Chilean Labor Code: http://www.leychile.cl/Navegar?idNorma=207436
This is a link to the Chilean Constitution: http://www.leychile.cl/Navegar?idNorma=207436

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
The Personal Data Act provides that the handling of personal or sensitive data in breach of the provisions of the Personal Data Act will cause the database administrator to be liable for all damages caused to the person, including monetary damages and pain and suffering (daño moral). There are no criminal sanctions established in the Personal Data Act.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
There is no specific administrative authority with jurisdiction for the enforcement of the Personal Data Act. The Personal Data Act provides for special procedures for a person to enforce her or his rights, but such procedures provide for the filing of a claim at a court. The administrative authority with jurisdiction for the enforcement of labor laws is the Direction of Labor.

d) Any additional information that is material?
Sensitive data refers to information regarding physical or moral characteristics of a person, and facts or circumstances of such person's private life and intimacy, such as personal habits, racial background, political opinions, religious beliefs, physical and mental health and sex life.

2. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personal Health Information, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
The definition of sensitive information in the Personal Data Act covers personal health information. Consequently, the Personal Data Act is applicable to such information. In addition, article 127 of the Chilean Sanitary Code provides that doctors' prescriptions, clinical laboratory analyses and exams, and any services related to health are reserved.
This is a link to the Chilean Sanitary Code: http://www.leychile.cl/Navegar?idNorma=5595

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
Because the definition of personal health information fits within the definition of sensitive data, the sanctions set forth by the Personal Data Act are also applicable to the disclosure of personal health information in breach of the law. The Personal Data Act provides that the handling of personal or sensitive data in breach of the provisions of the Personal Data Act will cause the database administrator to be liable for all damages caused to the person, including monetary damages and pain and suffering (daño moral). The Sanitary Code provides for criminal sanctions for the breach of any provision thereof, which would be applicable to the infringement of the article addressing the handling of personal health information. The penalties set forth by the code are fines of up to one thousand monthly tax units (approximately US$70,000). Repeat offenders can be fined up to twice the maximum amount. In addition, sanitary authorities may revoke operating licenses and/or order the closing of facilities.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
The administrative authorities with jurisdiction for the enforcement of the Sanitary Code are the Directors of the Services of Public Health and the Director of the Institute of Public Health of Chile.

d) Any additional information that is material?

3. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Financial Information, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
The Personal Data Act applies to personal financial information. In such regard, the Personal Data Act provides that those engaged in the treatment of personal data may disclose economic, financial, banking or commercial information when such information is evidenced by protested bills of exchange, promissory notes or checks, or refers to breaches of commercial, mortgage, bank or government loans, and other obligations determined by the President of the Republic by Executive Decree. In no event can public utility debts be disclosed. Information on a specific obligation cannot be disclosed after five years from the date on which such obligation became enforceable, nor after such obligation has been fully paid or otherwise discharged. Article 154 of the Chilean Banking Act provides the rules of secrecy for banking transactions. In addition, article one of the Chilean Bank Checking Accounts and Checks Act provides that a bank shall maintain the activity in the checking accounts and balances of its clients in strict secrecy and may only provide this information to the drawer, authorized persons or the courts.
This is a link to the Chilean Banking Act: http://www.leychile.cl/Navegar?idNorma=83135
This is a link to the Chilean Bank Checking Accounts and Checks Act: http://www.leychile.cl/Navegar?idNorma=5594

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
Our answer to question 1b applies here. Notwithstanding those penalties that the Superintendence of Banks and Financial Institutions may impose pursuant to its authority, article 154 of the Chilean Banking Act provides for imprisonment of up to three years for those who breach bank secrecy laws.
In addition, the Superintendence of Banks and Financial Institutions may impose fines of up to five thousand unidades de fomento (approximately US$200,000) on those entities that infringe this provision, among other penalties. A fine of up to one thousand unidades de fomento (approximately US$40,000) may be imposed on the directors and officers found responsible. These fines can be increased fivefold in case of repeated offenses.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
The Superintendency of Banks and Financial Institutions is the administrative authority with jurisdiction for enforcement of the Chilean Bank Checking Accounts and Checks Act.

d) Any additional information that is material?


4. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that is applicable to other sensitive data, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
The Data Protection Act defines sensitive data as any information regarding physical or moral characteristics of a person, and facts or circumstances of such person's private life and intimacy, such as personal habits, racial background, political opinions, religious beliefs, physical and mental health and sex life. Sensitive data cannot be subject to treatment, unless expressly authorized by law or by its owner, or for purposes of obtaining health benefits.
This is a link to the Personal Data Act: http://www.leychile.cl/Navegar?idNorma=141599

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
Please see our response to question 1b.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
Please see our response to question 1c.

d) Any additional information that is material?

Contact Information
José María Eyzaguirre B., jmeyzaguirre@claro.cl
Claro & Cia., Abogados
Av. Apoquindo 3721, 14th Floor, Las Condes
Santiago 755 0177, Chile
Tel 56.2.367.3000
Fax 56.2.367.3003
www.claro.cl


Data Privacy Survey

Colombia
Prepared by Lex Mundi member firm Brigard & Urrutia Abogados
1. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personally Identifiable Information, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
In December 2010, the Colombian Congress enacted a new general data protection law (the "New Data Protection Act" or "NDPA") which established the regulations for processing personal information. As this law regulates fundamental rights, it required prior approval by the Constitutional Court to enter into force. Although the Court's decision is not yet public, in a recent press release the Court established that, with the exception of a few articles, the NDPA passed the constitutional test.
http://www.oas.org/dil/Newsletter/newsletter_api_ppd_NOV-2011_Colombia_new_law.pdf

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
The Superintendency of Industry and Commerce (the Colombian data privacy authority) may impose the following sanctions for non-compliance with the NDPA: (i) fines up to USD 596.500, (ii) suspension of activities related to the processing and/or (iii) permanent or temporary closure of the operation. In addition, pursuant to Law 1273 of 2009, it is a crime to obtain, gather, subtract, offer, sell, exchange, send, buy, intercept, divulge, modify or use personal data (...) for personal purposes or those of third parties, without being authorized to do so. Individuals or companies that commit this crime may be subject to fines of up to USD 220,000, and imprisonment of 4 to 8 years.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
Superintendency of Industry and Commerce.

d) Any additional information that is material?

2. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personal Health Information, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
Although there are some specific provisions in the Colombian health care regulations regarding the processing of personal health information, as the NDPA is not yet enforceable, the rules for the processing of such information when considered personal data have been established by the judicial precedents of the Constitutional Court. The Constitutional Court has defined personal information as any information that by itself or in connection with other information may identify a particular individual. The Court has issued about 200 decisions since 1991 in connection with three fundamental rights that have a direct impact on the protection of personal information: the habeas data right, the right to privacy, and the right to maintain a public good name. One of these decisions, decision T729 of 2002 (Decision T-729), is one of the landmark decisions in connection with the right to personal data protection. This decision sets forth the principles for the processing of personal data, of which it is important to mention the following:
Freedom: Personal Data can only be processed with the free, express, informed, and prior consent of the data subject.
Purpose: The Personal Data collected must have an explicit, determined and legitimate purpose. This purpose must be communicated to the data subject and its Processing must be carried out within the scope of the notified purpose.
Restricted circulation: The Personal Data collected may only be circulated within the parameters of the freedom and purpose principles. Therefore, the Personal Data may only circulate within the legal entity that has legitimately obtained such information and the people expressly authorized by the data subject. Any transfer to third parties, even if affiliated, must be previously authorized by the data subject.
Necessity: Only the specific Personal Data that is required for the authorized purpose may be collected. Conversely, no information that is not specifically required for the authorized purpose may be collected.
Veracity or quality of the data: Personal Data stored in databases must be true, complete, exact, up to date, verifiable and comprehensible. Recording of information that is partial, incomplete, fragmented or that induces error is forbidden.
Temporality: Personal Data must only be stored as long as it is useful for the authorized purpose for which it was collected.
Security: Personal Information shall be handled using the necessary technical measures that guarantee its safety and the integrity of the records as a whole.
Confidentiality: All individuals and legal entities that intervene in the administration of Personal Data shall guarantee at all times the confidentiality of such information, even after they cease their labors. b) What are the penalties imposed for a breach of such law? Any criminal sanctions? As the NDPA is not currently enforceable there are no specific penalties for violation of the principles set forth by the Constitutional Court. Therefore, risks must be evaluated on a case by case basis. c) Identity the applicable administrative authority with jurisdiction for enforcement of such laws. Superintendency of Industry and Commerce and the Ministry of Health and Social Protection without being authorized to do so. d) Any additional information that is material? 3. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Financial Information, and any material obligations. a) What is the cite to such laws? Provide a link, if available, to an online copy of such law. Law 1266 of 2008 (Financial data Privacy Act). This law was originally intended to be the general legal framework applicable to the management of personal information. However, after being reviewed by the Constitutional Court (Decision C 1011 of 2008), its scope was reduced to be applicable only to financial, credit, commercial, and services information (and to information of the same characteristics coming from abroad) destined to financial risk and credit risk assessment (Financial Personal Data). The paradigm case to which Law 1266 is applied would be the data collected by financial institutions to determine whether or not they would grant a loan

www.lexmundi.com
2009 Lex Mundi

Page 25

to their clients. However, the Court has sustained that this Law 1266 applies to all data used by people other than financial institutions with the purpose of analyzing credit risk. http://www.secretariasenado.gov.co/senado/basedoc/ley/2008/ley_1266_2008.html b) What are the penalties imposed for a breach of such law? Any criminal sanctions? According to the Financial Data Privacy Act, the Superintendency of Finance may impose the following sanctions for non-compliance of the Financial Data Privacy Act: (i) fines up to USD 447.395, (ii) suspension of activities related to the data base administrator and/or (iii) permanent or temporary closure of the activities related to the management of the data base. In addition, pursuant to Law 1273 of 2009, it is a crime to obtain, gather, subtract, offer, sell, exchange, send, buy, intercept, divulge, modify or use personal data () for personal purposes or of third parties, without being authorized to do so. Individuals or companies that commit this crime may be subject to fines of up to USD 220,000, and prison of 4 to 8 years. c) Identity the applicable administrative authority with jurisdiction for enforcement of such laws. The Superintendency of Finance. d) Any additional information that is material? 4. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that is applicable to other sensitive data, and any material obligations. a) What is the cite to such laws? Provide a link, if available, to an online copy of such law. Pursuant to the NDPA, processing of sensitive data, understood as any data that affects the privacy of the data subject or which its unlawful use may cause that the data subject could be discriminated, is generally prohibited unless expressly authorized by law or if the data subject has granted its explicit consent for such processing. Data subject has the right to refuse providing any information regarding sensitive data. 
b) What are the penalties imposed for a breach of such law? Any criminal sanctions? Please see section 1b. c) Identity the applicable administrative authority with jurisdiction for enforcement of such laws. d) Any additional information that is material?

Contact Information
Juliana Pulecio Velásquez
jpulecio@bu.com.co
Brigard & Urrutia Abogados
Calle 70 A # 4 - 41
Bogota, Colombia
Tel 57.1.346.20.11
Fax 57.1.310.06.09
www.bu.com.co

This guide is part of the Lex Mundi Global Practice Guide Series which features substantive overviews of laws, practice areas, and legal and business issues in jurisdictions around the globe. View the complete series of Lex Mundi Global Practice Guides at: www.lexmundi.com/GlobalPracticeGuides


Data Privacy Survey

Cyprus
Prepared by Lex Mundi member firm Dr. K. Chrysostomides & Co LLC
1. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personally Identifiable Information, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
The Processing of Personal Data (Protection of the Individual) Law of 2001 (as amended)
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
The Personal Data Act provides that the handling of personal or sensitive data in breach of the provisions of the Personal Data Act will cause the database administrator to be liable for all damages caused to the person, including monetary damages and pain and suffering (daño moral). There are no criminal sanctions established in the Personal Data Act.
c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
The Office of the Commissioner for Personal Data Protection.
d) Any additional information that is material?
The Regulation of Electronic Communications and Postal Services Law of 2004 (112(I)/2004), s.106 deals with the issue of unsolicited communications (SPAM).
2. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personal Health Information, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
The Processing of Personal Data (Protection of the Individual) Law of 2001 (as amended)
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
The Law provides for both criminal and administrative sanctions, including imprisonment (for a term not exceeding five years) and/or a fine not exceeding EUR 8.543,00.
c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
The Office of the Commissioner for Personal Data Protection.
d) Any additional information that is material?


3. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Financial Information, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
The Processing of Personal Data (Protection of the Individual) Law of 2001 (as amended)
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
The Law provides for both criminal and administrative sanctions, including imprisonment (for a term not exceeding five years) and/or a fine not exceeding EUR 8.543,00.
c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
The Office of the Commissioner for Personal Data Protection.
d) Any additional information that is material?
4. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that is applicable to other sensitive data, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
The Processing of Personal Data (Protection of the Individual) Law of 2001 (as amended)
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
The Law provides for both criminal and administrative sanctions, including imprisonment (for a term not exceeding five years) and/or a fine not exceeding EUR 8.543,00.
c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
The Office of the Commissioner for Personal Data Protection.
d) Any additional information that is material?

Contact Information
Alexandros Georgiades
a.georgiades@chrysostomides.com.cy
Dr. K. Chrysostomides & Co LLC
1, Lampousas Street
1095 Nicosia, Cyprus
Tel 357.22.777000
Fax 357.22.779939
www.chrysostomides.com.cy



Data Privacy Survey

Dominican Republic
Prepared by Lex Mundi member firm Pellerano & Herrera
1. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personally Identifiable Information, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
d) Any additional information that is material?
The Dominican Republic has no specific regulations protecting Personally Identifiable Information. Nonetheless, in general terms Dominican laws, and specifically the Dominican Constitution, do protect the individual's right to privacy. Article 44 provides the right to privacy of individuals, in general. It also states that any person has a right to access information and data on such individual and his/her assets that is found in official or private registries, as well as to know the destination of such information, with the limitations provided by law. Treatment given to personal and financial information must respect the principles of quality, legality, loyalty, security and purpose. An individual may request a competent court authority to update, rectify or destroy such information that illegitimately affects such individual's rights. Although individuals do have a right to control the accuracy of their own personal information, there is no legal provision effectively protecting them from third-party access to such information and its use and destination. The Constitution only provides a general principle that legal provisions must, when enacted, effectively protect and enforce.
2. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personal Health Information, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
d) Any additional information that is material?
Personal Health Information is essentially protected by the following laws:
(i) Law 55-93 on AIDS prohibits employers from obligating potential employees to take an AIDS test in order to become eligible for a job (Art. 3 of Law 55-93). Violations of Article 3 may entail the application of monetary fines on the employer and the obligation to pay the employee a year's worth of salary, plus workers' compensation in case of unjustified termination of such employee. Article 6 of Law 55-93 also provides that information regarding a positive AIDS test result is strictly confidential. Although no specific sanction is provided by law, it does create a course of action for damages against individuals or corporations in breach thereof.
(ii) The General Health Law No. 42-01 also provides that all individuals have the right to confidentiality of all the information related to their files and their stay in any health institution, either public or private. This confidentiality may be waived by the patient, or may be bypassed in cases where the collective need requires it, but always guaranteeing respect for human dignity and human rights. Although there is no specific sanction applied for violation of this provision, it creates a course of action against the institutions in breach.
3. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Financial Information, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
d) Any additional information that is material?
In the Dominican Republic, data privacy is regulated by the following legal regulations:
a. The Dominican Constitution: As explained above, Article 44 provides the right to privacy of individuals, in general.
b. The Penal Code of the Dominican Republic: Provides the general rule applicable to professional secrets. It provides that individuals that, due to the nature of their profession, are privy to certain information of their clients, are required to keep such information in strict confidentiality.
c. The Monetary and Financial Law No. 183-02: More specifically relates to financial institutions and their operations. It provides that all transactions made by financial institutions must be confidential and information related to such transactions may only be provided to their owners or the individuals expressly authorized by such owners to receive information (Article 56 of such Law). The exceptions to this general rule are (i) information requested by a court of law for judicial processes, (ii) information required by the Tax Authorities and (iii) information required by the authorities in charge of fighting money laundering.
d. Finally, the Law on Credit Information No. 288 of April 2005: Regulates Credit Bureaus and the compilation and disposal of individual credit information. The general principle is that only those individuals or companies that have been authorized may request financial information on an individual from a Credit Bureau. Those obtaining information without such authorization may be sanctioned by monetary fines or by penal sanctions as well. The information provided as part of a credit report cannot contain:
a. Information on account balances and movements;
b. Information on Certificates of Deposit of any nature or commercial paper;
c. Information relating to the moral character, emotional state, or family status of an individual;
d. Information on political affiliation or opinions, or religious beliefs or convictions;
e. Information on the health or psychological status of a person;
f. Information on conduct, or sexual orientation or preference.
The Banking Superintendency is the body in charge of applying administrative sanctions and regulating credit bureaus as well as the provision of credit information.
4. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that is applicable to other sensitive data, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
d) Any additional information that is material?
There are no further regulations on the matter in the Dominican Republic.

Contact Information
Norman De Castro
n.decastro@phlaw.com
Pellerano & Herrera
Av. John F. Kennedy #10
Santo Domingo, Dominican Republic
Tel 1.809.541.5200
Fax 1.809.567.0773
www.phlaw.com



Data Privacy Survey

Estonia
Prepared by Lex Mundi member firm LAWIN
1. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personally Identifiable Information, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
Isikuandmete kaitse seadus: https://www.riigiteataja.ee/ert/act.jsp?id=12909389
Translation is available at: http://www.legaltext.ee/et/andmebaas/tekst.asp?loc=text&dok=XXXX041&keel=en&pg=1&ptyyp=RT&tyyp=X&query=isikuandmete
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
The Personal Data Act provides that the handling of personal or sensitive data in breach of the provisions of the Personal Data Act will cause the database administrator to be liable for all damages caused to the person, including monetary damages and pain and suffering (daño moral). There are no criminal sanctions established in the Personal Data Act.
c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
Andmekaitse Inspektsioon (Data Protection Inspectorate) www.aki.ee
d) Any additional information that is material?
2. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personal Health Information, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
Isikuandmete kaitse seadus - https://www.riigiteataja.ee/ert/act.jsp?id=12909389
Translation is available at: http://www.legaltext.ee/et/andmebaas/tekst.asp?loc=text&dok=XXXX041&keel=en&pg=1&ptyyp=RT&tyyp=X&query=isikuandmete
Tervishoiuteenuste osutamise seadus https://www.riigiteataja.ee/ert/act.jsp?id=13264247
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
Violation of the obligation to register the processing of sensitive personal data, violation of the requirements regarding security measures to protect personal data or violation of other requirements for the processing of personal data is punishable by a fine of up to 300 fine units (at the moment ca 1100 EUR). The same act, if committed by a legal person, is punishable by a fine of up to 500 000 kroons (ca 32 000 EUR).
Violation of the requirements regarding security measures to protect personal data or violation of other requirements for the processing of personal data, if a precept issued to the person by the Data Protection Inspectorate for the elimination of the violation is not complied with, is punishable by a fine of up to 300 fine units (at the moment ca 1100 EUR). The same act, if committed by a legal person, is punishable by a fine of up to 500 000 kroons (ca 32 000 EUR).
There are also criminal sanctions: Illegal disclosure of sensitive personal data, enabling access to such data or transfer of such data for personal gain, or if significant damage is caused thereby to the rights or interests of another person that are protected by law, shall be punished by a pecuniary punishment or up to one year of imprisonment. Transferring or using another person's personal data with the purpose of creating an untrue image of that person by representing oneself as that person, if damage is caused thereby to the rights or interests of another person that are protected by law or to conceal a crime (i.e. identity theft), shall be punished by a pecuniary punishment or up to three years of imprisonment.
c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
Andmekaitse Inspektsioon (Data Protection Inspectorate) www.aki.ee
County governors
Terviseamet (Health Board) www.terviseamet.ee
d) Any additional information that is material?
Personal Health Information is regarded as sensitive personal data and all rules related to processing sensitive personal data apply. Additional rules arise from the Health Care Services Organisation Act (Tervishoiuteenuste osutamise seadus).
3. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Financial Information, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
Isikuandmete kaitse seadus - https://www.riigiteataja.ee/ert/act.jsp?id=12909389
Translation is available at: http://www.legaltext.ee/et/andmebaas/tekst.asp?loc=text&dok=XXXX041&keel=en&pg=1&ptyyp=RT&tyyp=X&query=isikuandmete
Krediidiasutuste seadus https://www.riigiteataja.ee/ert/act.jsp?id=13278818
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
Violation of the obligation to register the processing of sensitive personal data, violation of the requirements regarding security measures to protect personal data or violation of other requirements for the processing of personal data is punishable by a fine of up to 300 fine units (at the moment ca 1100 EUR). The same act, if committed by a legal person, is punishable by a fine of up to 500 000 kroons (ca 32 000 EUR).
Violation of the requirements regarding security measures to protect personal data or violation of other requirements for the processing of personal data, if a precept issued to the person by the Data Protection Inspectorate for the elimination of the violation is not complied with, is punishable by a fine of up to 300 fine units (at the moment ca 1100 EUR). The same act, if committed by a legal person, is punishable by a fine of up to 500 000 kroons (ca 32 000 EUR).
Illegal disclosure of information subject to banking secrecy is punishable by a fine of up to 300 fine units (at the moment ca 1100 EUR). The same act, if committed by a legal person, is punishable by a fine of up to 500 000 kroons (ca 32 000 EUR).
There are also criminal sanctions: Illegal disclosure of sensitive personal data, enabling access to such data or transfer of such data for personal gain, or if significant damage is caused thereby to the rights or interests of another person that are protected by law, shall be punished by a pecuniary punishment or up to one year of imprisonment. Transferring or using another person's personal data with the purpose of creating an untrue image of that person by representing oneself as that person, if damage is caused thereby to the rights or interests of another person that are protected by law or to conceal a crime (i.e. identity theft), shall be punished by a pecuniary punishment or up to three years of imprisonment.
c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
Andmekaitse Inspektsioon (Data Protection Inspectorate) www.aki.ee
Finantsinspektsioon (Financial Supervision Authority) www.fi.ee
d) Any additional information that is material?
In addition to general personal data protection rules, credit institutions must follow rules regarding information subject to banking secrecy.
4. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that is applicable to other sensitive data, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
Isikuandmete kaitse seadus - https://www.riigiteataja.ee/ert/act.jsp?id=12909389
Translation is available at: http://www.legaltext.ee/et/andmebaas/tekst.asp?loc=text&dok=XXXX041&keel=en&pg=1&ptyyp=RT&tyyp=X&query=isikuandmete
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
Violation of the obligation to register the processing of sensitive personal data, violation of the requirements regarding security measures to protect personal data or violation of other requirements for the processing of personal data is punishable by a fine of up to 300 fine units (at the moment ca 1100 EUR). The same act, if committed by a legal person, is punishable by a fine of up to 500 000 kroons (ca 32 000 EUR).
Violation of the requirements regarding security measures to protect personal data or violation of other requirements for the processing of personal data, if a precept issued to the person by the Data Protection Inspectorate for the elimination of the violation is not complied with, is punishable by a fine of up to 300 fine units (at the moment ca 1100 EUR). The same act, if committed by a legal person, is punishable by a fine of up to 500 000 kroons (ca 32 000 EUR).
There are also criminal sanctions: Illegal disclosure of sensitive personal data, enabling access to such data or transfer of such data for personal gain, or if significant damage is caused thereby to the rights or interests of another person that are protected by law, shall be punished by a pecuniary punishment or up to one year of imprisonment. Transferring or using another person's personal data with the purpose of creating an untrue image of that person by representing oneself as that person, if damage is caused thereby to the rights or interests of another person that are protected by law or to conceal a crime (i.e. identity theft), shall be punished by a pecuniary punishment or up to three years of imprisonment.
c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
Andmekaitse Inspektsioon (Data Protection Inspectorate) www.aki.ee
d) Any additional information that is material?

Contact Information
Viive Näslund
viive.naslund@lawin.ee
LAWIN
Niguliste 4
10130 Tallinn, Estonia
Tel 372.630.6460
Fax 372.630.6463
www.lawin.com



Data Privacy Survey

Finland
Prepared by Lex Mundi member firm Roschier, Attorneys Ltd.
1. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personally Identifiable Information, and any material obligations. a) What is the cite to such laws? Provide a link, if available, to an online copy of such law. Protection of personally identifiable information is based on the Constitution of Finland (731/1999), under which more detailed provisions are laid down by the Personal Data Act (523/1999), the Act on the Protection of Privacy in Working Life (759/2004) and the Act on the Protection of Privacy in Electronic Communications (516/2004). Personal data is defined as any information on a private individual which allows identification of the person, his/her family member and/or household. Personal data may be processed only with due care and to the extent necessary for a justified purpose. Also accuracy of the data must be ensured. The data subject must be given access to the data file and upon request, such data must be corrected or erased and, in certain cases, processing of data discontinued. Transfer of personal data outside of EU/EEA is allowed only if the country guarantees an adequate level of data protection. Employers are allowed to process only personal data directly necessary for the employees employment. Such necessity requirement may not be circumvented even with the employees consent. Strict rules apply also to processing of employees health data, drug use testing, camera surveillance and other technical monitoring as well as opening employees e-mail messages. In the context of electronic communications, it is important to note that all messages, identification data and location data are confidential and may be processed only upon consent of a party to the communication or if permitted by law. 
Subject to prior notification to the Data Protection Ombudsman (DPO), identification data may be processed to prevent or investigate misuse of communications network or leakage of trade secrets. Manual processing requires also that both the user and the DPO are reported of the incident. http://www.finlex.fi/en/laki/kaannokset/1999/en19990523.pdf http://www.finlex.fi/en/laki/kaannokset/2004/en20040516.pdf http://www.finlex.fi/en/laki/kaannokset/2004/en2004075.pdf b) What are the penalties imposed for a breach of such law? Any criminal sanctions? The Personal Data Act provides that the handling of personal or sensitive data in breach of the provisions of the Personal Data Act will cause the database administrator to be liable for all damages caused to the person, including monetary damages and pain and suffering (dao moral). There are no criminal sanctions established in the Personal Data Act.

www.lexmundi.com
2009 Lex Mundi

Page 36

c) Identity the applicable administrative authority with jurisdiction for enforcement of such laws. The authority in charge of data protection matters is the Office of the Data Protection Ombudsman, which supervises and provides guidance on processing of personal data in order to achieve the objectives of the respective legislation. However, while the supervision of compliance with the Act on Protection of Privacy in Electronic Communications is partly shared by the Office of the Data Protection Ombudsman and the Finnish Communications Regulatory Authority, the latter has the overall authority over processing of identification and location data, subscriber directories and direct marketing. Further, the Office of the Data Protection Ombudsman acts also as the decision making body with regard to any tasks set forth in the legislation. Matters of significant importance for application and/or interpretation of the data protection legislation are decided by the Data Protection Board. d) Any additional information that is material? The Act on the Openness of Government Activities (621/1999) governs public access to official documents. As a starting point, any official document is public, unless expressly provided otherwise. Accordingly, there are confidentiality obligations, which are applicable to official documents both under the Act on the Openness of Government Activities and the Personal Data Act, which governs processing of personal data by public authorities, too. Further, if a public official intentionally uses and/or discloses confidential information and/or document without authorization, he/she may be sentenced for a breach of official secrecy to a fine or to imprisonment up to two years under the Criminal Code. Finally, there are numerous other special Acts, which govern processing of and/or access to personal data. 
These Acts, however, are subject to the obligations set forth in the Personal Data Act and the Act on the Openness of Government Activities, which apply to processing of personal data as lex generalis. http://www.finlex.fi/en/laki/kaannokset/1999/en19990621.pdf 2. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personal Health Information, and any material obligations. a) What is the cite to such laws? Provide a link, if available, to an online copy of such law. Health data, including the state of health, illness or disability of a person, along with the medical treatment, is considered as sensitive data under the Personal Data Act. Also, under the Act on the Status and Rights of Patients (785/1992), any data contained in patient documents is confidential. Further, processing and/or disclosure of health data to any third party is strictly prohibited without a written consent of the patient, unless specifically permitted by law. Further, the Act on Health Care Professionals (559/1994) supplements the above obligations by providing that disclosure of any confidential patient data learned by virtue of the position may not be disclosed. Similarly, the Code of Judicial Procedure (4/1734) sets more stringent standards on health care professionals regarding disclosure of patient data as evidence. Every health care service provider must appoint a local patient ombudsman, which patients may consult for advice, if their rights with regard to protection of personal health data have been violated. In addition, according to the Act on the Electronic Processing of Customer Data in Social and Health Care Services (159/2007), every health care service provider must appoint a person responsible for data security with the focus on matters pertaining to electronic processing of patient data. 
Other relevant Acts concerning personal health data include the Act on the Status and Rights of Customers in Social Care (812/2000), the Act on the Nationwide Personal Data File Registers in Health Care (556/1989) and the Act on the Statistical Activity of the National Institute for Health and Welfare (409/2001), for which no translations are available. The Personal Data Act and the Act on Openness of Government Activities shall also be applied to patient documents.

www.lexmundi.com
2009 Lex Mundi

Page 37

http://www.finlex.fi/en/laki/kaannokset/1992/en19920785.pdf
http://www.finlex.fi/en/laki/kaannokset/1994/en19940559.pdf
http://www.finlex.fi/en/laki/kaannokset/1734/en17340004.pdf

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

Sanctions for breach of obligations relating to sensitive health information are set forth in the Personal Data Act, the Act on Openness of Government Activities and/or the Criminal Code, as described above.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

The Office of the Data Protection Ombudsman is also responsible for matters relating to personal health information and other personal data of patients.

d) Any additional information that is material?

When patient records are transferred from the original health care service providers to other public authorities, the status of the patient records changes to that of other sensitive data files. Despite the general prohibition under the Personal Data Act on processing sensitive data, including personal health data, most public authorities fall under the exemptions set forth in the Act on the Openness of Government Activities. Thus, Finnish authorities generally enjoy relatively wide access to patient records. On the other hand, disclosure of health information is regulated very strictly in connection with insurance companies, which, under the Insurance Companies Act (521/2008, no English translation available), may not, for instance, generally disclose sensitive health information even to other group companies for the purpose of customer relationship and/or risk management and marketing.

3. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Financial Information, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
The Personal Data Act applies to any personal data, including financial information, if it enables identification of a person, his/her family member and/or household. The Credit Data Act (2007/527, no English translation available), in turn, governs processing of data on the solvency of individuals and companies as well as their willingness to pay. Under said Act, personal credit data means credit data of a natural person and data processed together with credit data that identifies the person and the financial competency of the person. Processing of personal credit data must be notified to the DPO in advance. Further, personal credit data may be derived from reliable sources only, unless otherwise permitted by the data subject. Personal credit data may also be disclosed only for defined purposes, such as granting credit or credit monitoring. Further, credit data must be necessary to describe the financial standing of the data subject. The data subject shall also have a right to access the data file in order to check the accuracy of his/her data and request correction of false information.

The Act on Credit Institutions (121/2007, no English translation available) sets forth the secrecy obligation applicable to credit institution activity, under which anybody who has obtained information on the financial position or private personal circumstances of a customer is not allowed to disclose such information without the consent of the data subject, unless permitted by law. Importantly, sensitive data as defined in the Personal Data Act may generally not be transferred even within the group companies of the credit institution for the purpose of customer relationship and/or risk management and marketing.


b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

As described above, violation of obligations regarding financial information may be sanctioned as a personal data violation under the Personal Data Act or as a personal data offence under the Criminal Act. The same sanctions also apply to a breach of the Credit Data Act if the credit data relates to a natural person. If the credit data pertains to a company, anyone who intentionally or with gross negligence violates obligations of the Credit Data Act in connection with processing of credit data, including transfer of false or misleading information to the Office of the Data Protection Ombudsman, can be sanctioned with a fine for a credit data violation.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

The Office of the Data Protection Ombudsman has authority over any matter pertaining to personal data, including financial information, to the extent it is personal data.

d) Any additional information that is material?

Confidentiality obligations relating to personal financial data are included in various Acts. By way of example, under the Act on the Book-Entry System (826/1991), anyone who has obtained information on the financial status of the owner of a book entry or any other person may not disclose it without the consent of said person. Further, the Insurance Companies Act (521/2008) also includes several provisions regarding disclosure of customers' financial data. Finally, the Act on the Public Disclosure and Confidentiality of Tax Information (1346/1999) applies to documents concerning individual taxpayers submitted to or prepared by the tax administration. Under the Act, taxation documents concerning a taxpayer's financial position or information on an identifiable taxpayer are confidential, except for expressly defined public information regarding income and/or property taxation.
Further, the Personal Data Act also applies as lex generalis to processing of financial information under the above Acts.

http://www.finlex.fi/en/laki/kaannokset/1991/en19910826.pdf
http://www.finlex.fi/en/laki/kaannokset/1999/en19991346.pdf

4. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that is applicable to other sensitive data, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

Sensitive personal data includes information on the data subject's race, ethnic origin, social, political or religious affiliation or trade-union membership, information on criminal history, health information, sexual preferences or use of social welfare benefits. While personal data is protected under the respective Acts, personal data which constitutes sensitive data is subject to an even stricter standard of protection. Namely, under the Personal Data Act, processing of sensitive data is prohibited unless the data subject has expressly consented to such processing, the processing is specifically authorized by statute, or the Data Protection Board has granted permission. Further, sensitive personal data must be removed from a data file immediately after the data is no longer required pursuant to grounds authorized by statute. The grounds and necessity for processing of sensitive personal data must be evaluated at least every five years.

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

Penalties with regard to breach of obligations in relation to other sensitive data are set forth in the Personal Data Act, as described in connection with question 8 above.


c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

The Office of the Data Protection Ombudsman has authority over any matter pertaining to personal data, including sensitive personal data.

d) Any additional information that is material?

The Data Protection Act includes several derogations from the prohibition on processing sensitive data. Even sensitive data may be processed upon consent of the data subject, or if:
the data concerns social, political or religious affiliation or trade-union membership of a person and the person has himself/herself brought such data into the public domain;
processing of the data is necessary for the safeguarding of a vital interest of the data subject or someone else and the data subject is incapable of giving his/her consent;
processing of the data is necessary for drafting or filing a lawsuit or for responding to or deciding such a lawsuit;
processing of the data is based on the provisions of an act or is necessary for compliance with an obligation to which the controller is subject directly by virtue of an act;
the data is processed for purposes of historical, scientific or statistical research;
a health care unit or a health care professional processes data collected in the course of their operations and relating to the state of health, illness or handicap of the data subject or the treatment or other measures directed at the data subject, or other data which are indispensable in the treatment of the data subject;
a social welfare authority or another authority, institution or private producer of social services granting social welfare benefits processes data collected in the course of their operations and relating to the social welfare needs of the data subject or the benefits, support or other social welfare assistance received by the person, or otherwise indispensable for the welfare of the data subject; or
the Data Protection Board has issued a permission.

Contact Information
Anna Haapanen anna.haapanen@roschier.com Roschier, Attorneys Ltd. Keskuskatu 7 A 00100 Helsinki, Finland Tel 358.20.506.6000 Fax 358.20.506.6100 www.roschier.com

This guide is part of the Lex Mundi Global Practice Guide Series which features substantive overviews of laws, practice areas, and legal and business issues in jurisdictions around the globe. View the complete series of Lex Mundi Global Practice Guides at: www.lexmundi.com/GlobalPracticeGuides


Data Privacy Survey

Greece
Prepared by Lex Mundi member firm Zepos & Yannopoulos
1. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personally Identifiable Information, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

The main data protection laws are Law 2472/1997 (re: data protection) and Law 3471/2006 (re: data protection in electronic communications). Both laws can be found on the following website (in Greek and English versions): www.dpa.gr.

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

The Personal Data Act provides that the handling of personal or sensitive data in breach of the provisions of the Personal Data Act will cause the database administrator to be liable for all damages caused to the person, including monetary damages and pain and suffering (daño moral). There are no criminal sanctions established in the Personal Data Act.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

The Greek regulator is the Hellenic Data Protection Authority.

d) Any additional information that is material?

The main Greek legislation governing data protection constitutes an implementation into Greek law of EC Directives 95/46/EC and 2002/58/EC. The Greek regulator, namely the Hellenic Data Protection Authority, is considered to be one of the most stringent regulators in Europe, especially as regards employees' data, sensitive data and data transfers outside the EU.

2. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personal Health Information, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

The main data privacy law applicable to health information is Law 2472/1997 (re: data protection law). Such law can be found on the following website (in Greek and English versions): www.dpa.gr.
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

Please refer to our response under 1b above.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

Please refer to our response under 1c above.


d) Any additional information that is material?

Under Law 2472/1997 health data are classified as sensitive data, which means that strict rules apply as regards their processing (in principle the relevant data processing requires the consent of the data subjects and the issuance of a relevant permit by the Greek regulator).

3. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Financial Information, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

The main data privacy law applicable to financial information is Law 2472/1997 (re: data protection law). Additionally, as regards financial information retained by credit institutions, Art. 40 of Law 3259/2004, as well as Decisions No. 24/2004 and 25/2004 of the Hellenic Data Protection Authority, are also applicable. Law 2472/1997 and the above-mentioned decisions of the Greek regulator can be found on the following website (in Greek and English versions): www.dpa.gr.

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

Please refer to our response under 1b above.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

Please refer to our response under 1c above.

d) Any additional information that is material?

The Hellenic Data Protection Authority has issued several decisions relating to the processing of financial data, especially when such processing is conducted by credit institutions. In summary, strict rules apply as to the categories of personal data retained by banks, as well as to the data retention periods and the transfer of such data by banks to third parties.

4. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that is applicable to other sensitive data, and any material obligations.

a) What is the cite to such laws?
Provide a link, if available, to an online copy of such law.

The main data privacy law applicable to health information is Law 2472/1997 (re: data protection law). Such law can be found on the following website (in Greek and English versions): www.dpa.gr.

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

Please refer to our response under 1b above.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

Please refer to our response under 1c above.


d) Any additional information that is material? Under Law 2472/1997 the processing of sensitive data requires compliance with several obligations on the part of the data controller. In principle, the lawful processing of sensitive data requires the granting of consent on the part of the data subjects and the issuance of a relevant permit by the Greek regulator.

Contact Information
Mary Deligianni m.deligianni@zeya.com Zepos & Yannopoulos 75 Katehaki & Kifissias Ave. Athens 115 25, Greece Tel 30.210.6967000 Fax 30.210.6994640 www.zeya.com



Data Privacy Survey

Hungary
Prepared by Lex Mundi member firm Nagy és Trócsányi
1. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personally Identifiable Information, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

Under Hungarian law, personal data shall mean any information relating to an identified or identifiable natural person (hereinafter referred to as the data subject) and any reference drawn, whether directly or indirectly, from such information. In the matter of data protection, Act 1992:LXXXIII on the Protection of Personal Data and the Disclosure of Information of Public Interest (hereinafter referred to as the Data Protection Act) is of fundamental importance.

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

The Personal Data Act provides that the handling of personal or sensitive data in breach of the provisions of the Personal Data Act will cause the database administrator to be liable for all damages caused to the person, including monetary damages and pain and suffering (daño moral). There are no criminal sanctions established in the Personal Data Act.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

The applicable administrative authority is the Hungarian Parliamentary Commissioner for Data Protection and Freedom of Information (hereinafter referred to as the Commissioner).

d) Any additional information that is material?

Upon noticing any unlawful data processing operation, the Commissioner shall advise the data processor to cease such operation. The data processor must comply within 30 days and shall report to the Commissioner concerning the measures taken.
If the controller fails to comply and cease the unlawful processing of personal data, the Commissioner may order, by resolution, that unlawfully processed data be blocked, deleted or destroyed, or the Commissioner may prohibit the unauthorized data management and/or processing operations. The controller or the data subject may request judicial review of the resolution adopted by the Commissioner within 30 days following the date of receipt.


2. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personal Health Information, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

According to Sec. 2 of the Data Protection Act, any personal data concerning health shall be qualified as special or sensitive data. Such sensitive information is afforded a higher level of protection under the law.

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

Pursuant to Sec. 117/A. (3) of the Cc., the punishment for the misdemeanor of misuse of personal data shall be imprisonment of up to two years for any misuse of sensitive personal data.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

Please see under point 1c.

d) Any additional information that is material?

Where it serves the interest of the public, free access to particular personal data may be ordered by law as defined therein. In all other cases, free access to personal data may be provided only upon the consent of the data subject, which must be given in writing with regard to sensitive data. If there is any doubt, it is to be presumed that the data subject did not consent to allow free access.

3. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Financial Information, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

There are no special regulations on financial information in the Data Protection Act. However, pursuant to Sec. 81 of Act 1959:IV on the Civil Code (hereinafter referred to as the Civil Code), a person who has come into the possession of a private or business secret and publishes such secret without authorization, or abuses it in any other way, shall be construed as having violated an inherent right.
Business secrets comprise all of the facts, information or data pertaining to economic activities that, if published or released to or used by unauthorized persons, are likely to imperil the rightful financial interest of the owner of such secrets.

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

In the scope of civil law, a person who causes damage to another person (e.g. by infringement of the business secrets thereof) shall be liable for such damage, i.e. shall indemnify the aggrieved party for material and non-material damages. Pursuant to Sec. 300 (1) of the Cc., any person who has been committed to confidentiality with respect to bank, securities, fund or insurance secrets, and who makes available any bank, securities, fund or insurance secret to an unauthorized person for financial advantage, causing pecuniary injury to others, is guilty of a felony punishable by imprisonment for up to three years.


c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

The legal institution of the above-mentioned Commissioner is closely related to data protected by the Data Protection Act; thus his role regarding the protection of business secrets is less significant in the subject matter of data privacy laws.

d) Any additional information that is material?

Pursuant to Sec. 19 (6) of the Data Protection Act, access to business secrets in connection with access to and publication of information of public interest shall be governed by the relevant provisions of the Civil Code.

4. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that is applicable to other sensitive data, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

Pursuant to Sec. 2 (2) of the Data Protection Act, sensitive data, besides the above-mentioned personal data concerning health, shall mean personal data concerning racial, national or ethnic origin, political opinions and any affiliation with political parties, religious or philosophical beliefs on the one hand, and data concerning addictions, sexual life or criminal record on the other hand. The reason for this distinction is that data of the first group are slightly more processable even without the consent of the data subject (e.g. for national security or law enforcement purposes).

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

Please see under points 1b and 2b.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

Please see under point 1c.

d) Any additional information that is material?

Please see under point 2d.

Contact Information
Viktória Szilágyi szilagyi.viktoria@nt.hu Balázs Karsai karsai.balazs@nt.hu Nagy és Trócsányi Ugocsa utca 4/B Budapest 1126, Hungary Tel 36.1.487.8700 Fax 36.1.487.8701 www.nt.hu



Data Privacy Survey

Ireland
Prepared by Lex Mundi member firm Arthur Cox
1. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personally Identifiable Information, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

The two key/principal laws are:
i. The Data Protection Acts 1988 and 2003 (DPA); and
ii. The European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations, 2003, as amended by the European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) (Amendment) Regulations 2008 (together the Regulations).

Please see: http://www.dataprotection.ie/ViewDoc.asp?fn=%2Fdocuments%2Flegal%2FLawOnDP.htm&CatID=7&m=l

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

The Personal Data Act provides that the handling of personal or sensitive data in breach of the provisions of the Personal Data Act will cause the database administrator to be liable for all damages caused to the person, including monetary damages and pain and suffering (daño moral). There are no criminal sanctions established in the Personal Data Act.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

Office of the Data Protection Commissioner

d) Any additional information that is material?

Please see www.dataprotection.ie

2. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personal Health Information, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

Please see the response to question 1a.

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

Please see the response to question 1b.


c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

Please see the response to question 1c.

d) Any additional information that is material?

Please see the response to question 1d. The DPA provides additional safeguards in respect of the processing of sensitive personal data. Sensitive personal data is personal data relating to: racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; physical/mental health; sexual life; commission of offences; or criminal convictions/proceedings.

3. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Financial Information, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

Please see the response to question 1a.

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

Please see the response to question 1b.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

Please see the response to question 1c.

d) Any additional information that is material?

Please see the response to question 1d.

4. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that is applicable to other sensitive data, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

Please see the response to question 1a.

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

Please see the response to question 1b.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

Please see the response to question 1c.


d) Any additional information that is material? Please see the response to question 1d.

Contact Information
Colin Rooney colin.rooney@arthurcox.com Arthur Cox Earlsfort Centre, Earlsfort Terrace Dublin 2, Ireland Tel 353.1.618.0000 Fax 353.1.618.0618 www.arthurcox.com



Data Privacy Survey

Italy
Prepared by Lex Mundi member firm Chiomenti Studio Legale
1. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personally Identifiable Information, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

The main piece of legislation concerning data protection under Italian law is Legislative Decree no. 196 of June 30, 2003 (the "Data Protection Code"). The relevant link to the Italian Authority's website is: http://www.garanteprivacy.it/garante/navig/jsp/index.jsp

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

The Personal Data Act provides that the handling of personal or sensitive data in breach of the provisions of the Personal Data Act will cause the database administrator to be liable for all damages caused to the person, including monetary damages and pain and suffering (daño moral). There are no criminal sanctions established in the Personal Data Act.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

The Data Protection Authority (Garante per la Protezione dei Dati Personali)

d) Any additional information that is material?

Please note that any data subject who may have a claim for the violation of his rights under the Data Protection Code may always start an action before the judicial authority.

2. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personal Health Information, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

Please note that in the Italian legal system personal health information is governed by the same Data Protection Code.

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
The same penalties provided for breach of the Data Protection Code apply to this particular kind of information.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

The Data Protection Authority (Garante per la Protezione dei Dati Personali)


d) Any additional information that is material?

Please consider that this kind of personal data must be processed by applying the highest degree of diligence required for sensitive data.

3. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Financial Information, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

Please note that the Data Protection Code also governs the processing of financial data.

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

The penalties applied to breaches of the laws governing the processing of financial data are the same as those mentioned for the other data. Please note, however, that certain rules issued by the Italian Central Bank (Banca d'Italia) may also apply.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

The Data Protection Authority (Garante per la Protezione dei Dati Personali) and, in some cases, the Italian Central Bank (Banca d'Italia)

d) Any additional information that is material?

According to section 24 of the Data Protection Code (as linked by the Data Protection Authority's special decree no. 53 of October 25, 2007), no infringement of the bank secrecy duty is envisaged when relevant information is communicated by the bank in order to pursue a legitimate interest of the account holder or of a third party requesting the data. It is worth noting that this exemption (i) only applies in the specific cases set out by the Regulatory Data Protection Authority pursuant to law principles, and (ii) does not apply in case any fundamental rights or freedoms of the account holder are limited or constricted.

4. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that is applicable to other sensitive data, and any material obligations.

a) What is the cite to such laws?
Provide a link, if available, to an online copy of such law. Please refer to article 26 of the Data Protection Code b) What are the penalties imposed for a breach of such law? Any criminal sanctions? Please make reference to our previous responses c) Identity the applicable administrative authority with jurisdiction for enforcement of such laws. Garante per la Protezione dei Dati Personali d) Any additional information that is material? According to article 4 (d) of the Data Protection Code, sensitive data are defined as personal data allowing the disclosure of racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or organizations of a religious, www.lexmundi.com
2009 Lex Mundi

Page 51

philosophical, political or trade-unionist character, as well as personal data disclosing health and sex life.

Contact Information
Ida Palombella
ida.palombella@chiomenti.net
Filippo M. Andreani
filippo.andreani@chiomenti.net
Chiomenti Studio Legale
Via XXIV Maggio, 43
I-00187 Rome, Italy
Tel 39.06.4662.2311
Fax 39.06.4662.2600
www.chiomenti.net

This guide is part of the Lex Mundi Global Practice Guide Series which features substantive overviews of laws, practice areas, and legal and business issues in jurisdictions around the globe. View the complete series of Lex Mundi Global Practice Guides at: www.lexmundi.com/GlobalPracticeGuides


Data Privacy Survey

Latvia
Prepared by Lex Mundi member firm LAWIN
1. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personally Identifiable Information, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
"Fizisko personu datu aizsardzības likums" (2000), available at: http://www.dvi.gov.lv/likumdosana/fpda/ (Latvian); or Personal Data Protection Law (2000), available at: http://www.dvi.gov.lv/eng/legislation/pdp/ (English).
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
The Personal Data Act provides that the handling of personal or sensitive data in breach of the provisions of the Personal Data Act will cause the database administrator to be liable for all damages caused to the person, including monetary damages and pain and suffering (daño moral). There are no criminal sanctions established in the Personal Data Act.
c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
The competent authority is the Data State Inspectorate (www.dvi.gov.lv), which controls compliance with the Personal Data Protection Law and imposes administrative penalties. In case of criminal violations, the charges are pressed by the public prosecutor's office.
d) Any additional information that is material?

2. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personal Health Information, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
Personal health information is regarded as sensitive personal data under the Personal Data Protection Law. Please see Section 1 for the citation and electronic link to the Personal Data Protection Law. Specific requirements with respect to the handling of patient health information by medical institutions can be found in Cabinet of Ministers Regulations No 265 "Ārstniecības iestāžu medicīniskās un uzskaites dokumentācijas lietvedības kārtība", adopted April 4th, 2006. Some further requirements may be specified in sector-specific regulations (e.g. employment laws, clinical trials).
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
Since personal health information is regarded as a type of personal data, the penalties for breach of personal data handling laws are the same as set out in Section 1.
c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
Data State Inspectorate (www.dvi.gov.lv) for administrative violations, or the public prosecution office in criminal cases.
d) Any additional information that is material?

3. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Financial Information, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
Financial information could be protected under various laws. For example, the Credit Institution Law (1995), available at: http://www.likumi.lv/doc.php?id=37426 (Latvian) or http://www.ttc.lv/export/sites/default/docs/LRTA/Likumi/Credit_institutions.doc (English), sets forth the requirements for protection of client information in the possession of banks. The Commercial Law (2000), available at: http://www.likumi.lv/doc.php?id=5490 (Latvian) or http://www.ttc.lv/export/sites/default/docs/LRTA/Likumi/The_Commercial_Law.doc (English), allows each company to define the scope of its commercially sensitive information. Various institutions that receive such information, based on legal provisions, or private parties, based on contractual arrangements, are obliged to keep such information confidential. Hence, there is a mix of various legal acts that afford certain protection to certain financial information of private parties. Thus, the State Revenue Service, the Competition Council or any other institution that possesses certain financial information about a private party would be entitled to disclose only information that is regarded as public under legal enactments.
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
The person whose financial information has not been handled with the necessary confidentiality level is always entitled to seek damages from the other party (private or public) based on legal or contractual provisions. In some cases punitive penalties may also be imposed; for example, in the case of credit institutions, violation of the Credit Institution Law may lead to a penalty of up to LVL 100,000 (~ EUR 140,000).
c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
The affected party will seek damages through a court of law. In case punitive penalties are provided, the penalty would be imposed by the competent authority overseeing compliance with the specific piece of legislation. In the case of financial information, the competent authority to impose penalties for breach of the Credit Institution Law would be the Bank of Latvia (www.bank.lv) or the Finance and Capital Market Commission (www.fktk.lv).
d) Any additional information that is material?

4. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to other sensitive data, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
Besides personal, health and financial information, there are a few other categories of data that enjoy certain protection or are subject to specific handling requirements. One such category is state secrets. State secrets are defined, and the scope of their protection is laid down, in the Law on Official Secrets (1996), available at: http://www.likumi.lv/doc.php?id=41058 (Latvian) or http://www.ttc.lv/export/sites/default/docs/LRTA/Likumi/On_Official_Secrets.doc (English).
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
If state secrets are entrusted to private parties, for example under public supply or works contracts, the secrecy obligations and sanctions would be laid down in the contractual arrangement. If a state official has disclosed a state secret, a criminal sanction may be imposed: up to 8 years of imprisonment or 120 minimum salaries in Latvia (the current minimum salary in Latvia is LVL 180).
c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
The competent court, upon request of the prosecutor or a civil claim initiated by a private party.
d) Any additional information that is material?

Contact Information
Sarmis Spilbergs
sarmis.spilbergs@lawin.lv
LAWIN
Elizabetes 15
LV-1010 Riga, Latvia
Tel 371.6781.4848
Fax 371.6781.4849
www.lawin.com


Data Privacy Survey

Lithuania
Prepared by Lex Mundi member firm LAWIN
1. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personally Identifiable Information, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
i. The Law on Legal Protection of Personal Data: http://www3.lrs.lt/pls/inter3/dokpaieska.showdoc_l?p_id=315633
ii. The Administrative Law Infringement Code (only in Lithuanian): http://www3.lrs.lt/pls/inter3/dokpaieska.showdoc_l?p_id=373990&p_query=&p_tr2=
iii. The Criminal Code (only in Lithuanian): http://www3.lrs.lt/pls/inter3/dokpaieska.showdoc_l?p_id=370769&p_query=&p_tr2=
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
Fine up to 2000 LT (approx. 570 EURO). There are criminal sanctions, such as a fine, detention or imprisonment (up to 3 years), for breach of an individual's right to private life as specified in the Criminal Code.
c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
The State Data Protection Inspectorate
d) Any additional information that is material?
Ongoing considerations in the Lithuanian Parliament on the increase of administrative fines.

2. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personal Health Information, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
i. The Law on the Health System (only in Lithuanian): http://www3.lrs.lt/pls/inter3/dokpaieska.showdoc_l?p_id=319140&p_query=&p_tr2=
ii. The Law on the Healthcare Offices (only in Lithuanian): http://www3.lrs.lt/pls/inter3/dokpaieska.showdoc_l?p_id=312153&p_query=&p_tr2=
iii. The Law on the Rights of the Patients and Redress (only in Lithuanian): http://www3.lrs.lt/pls/inter3/dokpaieska.showdoc_l?p_id=360565&p_query=&p_tr2=
iv. The Law on Legal Protection of Personal Data: http://www3.lrs.lt/pls/inter3/dokpaieska.showdoc_l?p_id=315633
v. The Administrative Law Infringement Code (only in Lithuanian): http://www3.lrs.lt/pls/inter3/dokpaieska.showdoc_l?p_id=373990&p_query=&p_tr2=
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
Fine up to 1000 LT (approx. 290 EURO).
c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
The State Medical Audit Inspectorate and The State Data Protection Inspectorate
d) Any additional information that is material?
In the legal acts specified in response No. 11 it is only noted that personal health information is private; however, the main personal data (including personal health information) processing standards are specified in the Law on the Legal Protection of Personal Data. Article No. 10 of the Law on the Legal Protection of Personal Data states that personal data on a person's health (its state, diagnosis, prognosis, treatment, etc.) may be processed by an authorized health care professional. A person's health shall be subject to professional secrecy under the Civil Code, laws regulating patients' rights and other legal acts. Moreover, personal data processing for scientific medical research purposes shall be carried out in accordance with this and other laws. Personal data on a person's health may be processed by automatic means, and also for scientific medical research purposes, only after having notified the State Data Protection Inspectorate. In this case the State Data Protection Inspectorate must carry out prior checking. The Law on the Rights of the Patients and Redress notes that information about a person's health is confidential information, which is collected and processed only for medical purposes, and this shall be carried out in accordance with the legal acts implementing the protection of personal data. Healthcare institutions shall protect the person's right to personal life and share personal data only with the consent of the patient.

3. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Financial Information, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
i. The Law on the Lithuanian Bank (only in Lithuanian): http://www3.lrs.lt/pls/inter3/dokpaieska.showdoc_l?p_id=362766&p_query=&p_tr2=
ii. The Law on Legal Protection of Personal Data: http://www3.lrs.lt/pls/inter3/dokpaieska.showdoc_l?p_id=315633
iii. The Administrative Law Infringement Code (only in Lithuanian): http://www3.lrs.lt/pls/inter3/dokpaieska.showdoc_l?p_id=373990&p_query=&p_tr2=
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
The average fines are up to 4000 LT (approx. 1142 EURO), but the fine for the display of the bank secret is 20 000 LT (approx. 5710 EURO).
c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
The Bank of the Republic of Lithuania and The State Data Protection Inspectorate
d) Any additional information that is material?
In the legal acts mentioned in response No. 15 it is noted that the bank secret should be protected; however, the main personal data (including financial information) processing standards are specified in the Law on the Legal Protection of Personal Data. Article No. 2 of the Law on Legal Protection of Personal Data notes that personal data shall mean any information relating to a natural person, the data subject, who is identified or who can be identified directly or indirectly by reference to such data as a personal identification number or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. Therefore financial information may be personal data as well. In some cases financial information may be treated as a commercial secret and protected under the Civil and Criminal Codes.

4. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to other sensitive data, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
No special law applicable.
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
Please refer to response 4a.
c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
Please refer to response 4a.
d) Any additional information that is material?
Please refer to response 4a.

Contact Information
Gediminas Ramanauskas
gediminas.ramanauskas@lawin.lt
LAWIN
Jogailos 9/1
LT-01116 Vilnius, Lithuania
Tel 370.5.268.18.88
Fax 370.5.212.55.91
www.lawin.com


Data Privacy Survey

Malta
Prepared by Lex Mundi member firm Ganado & Associates, Advocates
1. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personally Identifiable Information, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
Data Protection Act, Chapter 440 of the Laws of Malta: http://docs.justice.gov.mt/lom/legislation/english/leg/vol_13/chapt440.pdf
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
The Personal Data Act provides that the handling of personal or sensitive data in breach of the provisions of the Personal Data Act will cause the database administrator to be liable for all damages caused to the person, including monetary damages and pain and suffering (daño moral). There are no criminal sanctions established in the Personal Data Act.
c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
The Data Protection Commissioner
d) Any additional information that is material?
Data Controllers have a number of obligations arising from the Data Protection Act (the DPA). Personal data may only be processed with the consent of the person to whom the data relates (a Data Subject). Although there is no such requirement at law, it is good practice to obtain consent in writing after informing the Data Subject of the purpose of the processing. In this regard, the Controller or any person authorised by him is required to provide the Data Subject with certain key information relating to his identity, the purposes for which data is being collected and the subject's rights in relation thereto. This is normally achieved by means of an information note when the information is collected and/or by means of a broader privacy statement. Data Controllers are required to ensure that:
i. personal data is processed fairly and lawfully;
ii. personal data is always processed in accordance with good practice;
iii. personal data is only collected for specific, explicitly stated and legitimate purposes;
iv. personal data is not processed for any purpose that is incompatible with that for which the information is collected;
v. personal data that is processed is adequate and relevant in relation to the purposes of the processing;
vi. no more personal data is processed than is necessary having regard to the purposes of the processing;
vii. personal data that is processed is correct and, if necessary, up to date;
viii. all reasonable measures are taken to complete, correct, block or erase data to the extent that such data is incomplete or incorrect, having regard to the purposes for which they are processed;
ix. personal data is not kept for a period longer than is necessary, having regard to the purposes for which they are processed;
x. appropriate security measures are in place;
xi. data is not unlawfully transferred to third countries; and
xii. the Data Protection Commissioner is notified of all processing operations.

2. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personal Health Information, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
Data Protection Act, Chapter 440 of the Laws of Malta: http://docs.justice.gov.mt/lom/legislation/english/leg/vol_13/chapt440.pdf
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
Criminal Sanctions - Yes. The maximum penalty prescribed is imprisonment for six (6) months and a fine (multa) of up to €23,294 (Art. 47(1) DPA). This would catch, for example, transfers to third countries which are not the subject of a derogation or adequate contractual arrangements. Administrative Sanctions/Penalties - Yes. The DPC may also impose administrative fines of up to €23,294 and €2,329 per day of default in certain instances (e.g. exempted transfers to third countries without notification) (e.g. Reg. 6 of SL 440.03). The DPA does not, however, stipulate a maximum administrative fee in all cases (Art. 42(3) DPA provides that such fines shall be prescribed, which they have not been in all cases). Private Rights of Action - Yes. Data subjects may claim compensation for damages suffered (Art. 46(1) DPA).
c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
The Data Protection Commissioner
d) Any additional information that is material?
Health information is classified as Sensitive Personal Data under the DPA and accordingly enjoys a protected status. The general rule is that, subject to the provisions of the DPA, no person shall process sensitive personal data. Sensitive personal data may be processed only if:
i. the data subject has given his explicit consent to the processing; or
ii. the data subject has made the data public.
Certain exceptions apply, for example where processing is necessary to protect the vital interests of the Data Subject or for employment purposes. Sensitive personal data may be processed for health and hospital care purposes, provided that it is necessary for: (a) preventive medicine and the protection of public health; (b) medical diagnosis; (c) health care or treatment; or (d) management of health and hospital care services; provided that the data is processed by a health professional or other person subject to the obligation of professional secrecy.

3. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Financial Information, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
Data Protection Act, Chapter 440 of the Laws of Malta: http://docs.justice.gov.mt/lom/legislation/english/leg/vol_13/chapt440.pdf
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
Criminal Sanctions - Yes. The maximum penalty prescribed is imprisonment for six (6) months and a fine (multa) of up to €23,294 (Art. 47(1) DPA). This would catch, for example, transfers to third countries which are not the subject of a derogation or adequate contractual arrangements. Administrative Sanctions/Penalties - Yes. The DPC may also impose administrative fines of up to €23,294 and €2,329 per day of default in certain instances (e.g. exempted transfers to third countries without notification) (e.g. Reg. 6 of SL 440.03). The DPA does not, however, stipulate a maximum administrative fee in all cases (Art. 42(3) DPA provides that such fines shall be prescribed, which they have not been in all cases). Private Rights of Action - Yes. Data subjects may claim compensation for damages suffered (Art. 46(1) DPA).
c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
The Data Protection Commissioner
d) Any additional information that is material?
Financial Information would, if it relates to an identified or identifiable natural person, be caught under the term "Personal Data"; consequently the duties under Section 1 would apply.

4. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to other sensitive data, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
Data Protection Act, Chapter 440 of the Laws of Malta: http://docs.justice.gov.mt/lom/legislation/english/leg/vol_13/chapt440.pdf
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
Criminal Sanctions - Yes. The maximum penalty prescribed is imprisonment for six (6) months and a fine (multa) of up to €23,294 (Art. 47(1) DPA). This would catch, for example, transfers to third countries which are not the subject of a derogation or adequate contractual arrangements. Administrative Sanctions/Penalties - Yes. The DPC may also impose administrative fines of up to €23,294 and €2,329 per day of default in certain instances (e.g. exempted transfers to third countries without notification) (e.g. Reg. 6 of SL 440.03). The DPA does not, however, stipulate a maximum administrative fee in all cases (Art. 42(3) DPA provides that such fines shall be prescribed, which they have not been in all cases). Private Rights of Action - Yes. Data subjects may claim compensation for damages suffered (Art. 46(1) DPA).
c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
The Data Protection Commissioner
d) Any additional information that is material?
Sensitive personal data is defined in the DPA as "personal data that reveals race or ethnic origin, political opinions, religious or philosophical beliefs, membership of a trade union, health, or sex life". In relation to such data and the processing thereof, please refer to the information under Section 2. The processing of all other data which relates to identified or identifiable natural persons (see definition in Section 1) would be subject to the duties/restrictions in Section 1.

Contact Information
Paul Micallef Grimaud
pmgrimaud@jmganado.com
David Borg Carbott
dbcarbott@jmganado.com
Ganado & Associates, Advocates
171, Old Bakery Street
Valletta VLT 09, Malta
Tel 356.21235.406
Fax 356.21225.908
www.jmganado.com


Data Privacy Survey

New Zealand
Prepared by Lex Mundi member firm Simpson Grierson
1. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personally Identifiable Information, and any material obligations. a) What is the cite to such laws? Provide a link, if available, to an online copy of such law. The Privacy Act 1993 (NZ) (Act) regulates the storage of all "personal information" in New Zealand (accessible at http://www.legislation.govt.nz). Personal information is broadly defined as information about an identifiable individual. The Act's primary content is 12 information privacy principles (IPPs). The IPPs govern how information can be collected, used, stored and disclosed in New Zealand. In summary, the IPPs require that: i. the data collection must be necessary for a lawful purpose; ii. the data should be collected directly from the individual; iii. the individual should be informed of the collection, its purpose, and who is holding the information; iv. the data must be collected in a legal and unobtrusive manner; v. the data must be carefully stored, checked for accuracy and must only keep it as long as necessary; vi. the individual has a right to access and correct the information; vii. the data may only be used or disclosed in accordance with the purpose for which it was collected; and viii. unique identifiers (eg a passport number) may not be used unless necessary. b) What are the penalties imposed for a breach of such law? Any criminal sanctions? The Personal Data Act provides that the handling of personal or sensitive data in breach of the provisions of the Personal Data Act will cause the database administrator to be liable for all damages caused to the person, including monetary damages and pain and suffering (dao moral). There are no criminal sanctions established in the Personal Data Act. c) Identity the applicable administrative authority with jurisdiction for enforcement of such laws. The Act is administered by the Commissioner. 
The Commissioner's role is, among other things, to promote privacy law development in New Zealand, to enquire into possible breaches of the Act and to provide advice on its interpretation. Further information on the Commissioner can be gained at http://www.privacy.org.nz/. d) Any additional information that is material? www.lexmundi.com
2009 Lex Mundi

Page 63

The Act also provides for codes of practice to be issued under the Act, which override the principles in relation to specific industries, agencies, activities or types of personal information. The Commissioner oversees all codes issued under the Act. A breach of a code is dealt with in the same manner as a breach of an IPP. Privacy law in New Zealand is currently being reviewed by the New Zealand Law Commission. In addition, a Bill has been introduced into Parliament to address issues with cross border flow of information. However, major changes to privacy law are unlikely.

2. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personal Health Information, and any material obligations. a) What is the cite to such laws? Provide a link, if available, to an online copy of such law. The Health Information Privacy Code (Health Code) is a code issued under the Act (accessbile at http://www.privacy.org.nz/health-information-privacy-code/). The code controls the use of health information collected, used, held and disclosed by health agencies, which includes all agencies that provide personal or public health or disability services, and can include related bodies such as insurers. b) What are the penalties imposed for a breach of such law? Any criminal sanctions? A breach of a code is dealt with in the same manner as a breach of an IPP. c) Identity the applicable administrative authority with jurisdiction for enforcement of such laws. The code is administered by the Commissioner. d) Any additional information that is material? The Health Code is very broad and covers not only the health sector, but persons or agencies on the periphery of the sector. 3. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Financial Information, and any material obligations. a) What is the cite to such laws? Provide a link, if available, to an online copy of such law. The Credit Reporting Privacy Code (Credit Code) is a code issued under the Act (accessible at http://www.privacy.org.nz/credit-reporting-privacy-code/). The Credit Code controls the use of credit information collected, held, used, and disclosed by credit reporters. A credit reporter is defined as "an agency that carries on a business of reporting to other agencies, for payment, information relevant to the assessment of the creditworthiness of individuals". www.lexmundi.com
2009 Lex Mundi

Page 64

b) What are the penalties imposed for a breach of such law? Any criminal sanctions? A breach of a code is dealt with in the same manner as a breach of an IPP. c) Identity the applicable administrative authority with jurisdiction for enforcement of such laws. The code is administered by the Commissioner. d) Any additional information that is material? The Credit Code is under review, and significant changes are proposed to broaden the scope of permissible credit reporting. 4. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that is applicable to other sensitive data, and any material obligations. a) What is the cite to such laws? Provide a link, if available, to an online copy of such law. Assumption: by "sensitive data" we assume that you refer to information about a person's age, sex, height, weight etc as defined in the Data Protection Act 1998 (UK). If you are using a different definition, please let us know and we will revise our survey answers. New Zealand does not have specific rules relating to sensitive data. When dealing with certain types of information (for example health information as described above), sensitive data will be covered by the appropriate code (The codes in force at any one time can be accessed at http://www.privacy.org.nz/codes-of-practice/). In addition to the above, the following privacy codes are in force: i. Justice Sector Unique Identifier Code; ii. Superannuation Schemes Unique Identifier Code; and iii. Telecommunications Information Privacy Code. If none of these codes apply, then the storage of the information will be covered directly by the Act. In addition, the Criminal Records (Clean Slate) Act 2004 (Clean Slate Act) allows information on an individual's historical convictions to be kept private. It also imposes obligations on government departments and law enforcement agencies to keep criminal conviction histories confidential. 
However, the information can be disclosed in certain situations, for example for the purposes of immigration/emigration, to law enforcement agencies, or when a person applies to work with children. Section 20 of the Clean Slate Act limits the use by any person or agency of information about an individual's criminal record if that information was disclosed under one of those exceptions, rather than voluntarily by the person concerned (accessible at http://www.legislation.govt.nz).
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
A breach of a code is dealt with in the same manner as a breach of an IPP. The Clean Slate Act contains two criminal offences:
i. under section 17 it is an offence to disclose a criminal record without authority; and
ii. under section 18 it is an offence to ask an individual to disregard the effects of the Clean Slate Act.
c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
The codes are administered by the Commissioner. The Clean Slate Act is not actively administered, but breaches are prosecuted by the New Zealand Police.
d) Any additional information that is material?
N/A

Contact Information
Karen Ngan karen.ngan@simpsongrierson.com Simpson Grierson Level 27 Lumley Centre, 88 Shortland Street Private Bag 92518 Auckland, New Zealand 1141 Tel 64.9.358.2222 Fax 64.9.307.0331 www.simpsongrierson.com

This guide is part of the Lex Mundi Global Practice Guide Series which features substantive overviews of laws, practice areas, and legal and business issues in jurisdictions around the globe. View the complete series of Lex Mundi Global Practice Guides at: www.lexmundi.com/GlobalPracticeGuides


Data Privacy Survey

Panama
Prepared by Lex Mundi member firm Arias, Fábrega & Fábrega
1. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personally Identifiable Information, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
General laws addressing the protection of personally identifiable information can be found in the Constitution, the Criminal Code and the electronic commerce legislation:
i. The personal privacy of communications and documents is provided for in the Panamanian Constitution as a fundamental right (Political Constitution, article 29). The Constitution also provides for a right of habeas data, through which a person may require that personal information or data be kept confidential (article 44).
ii. The Criminal Code imposes an obligation on businesses to maintain the confidentiality of information stored in databases or elsewhere, and establishes several crimes for the misuse of such information (Criminal Code, articles 164, 283, 284, 285 and 286).
iii. The electronic commerce legislation also states that providers of electronic document storage must guarantee the protection, reliability and proper use of information and data stored on behalf of their customers (Law 51, July 22, 2008, article 55).
In addition, a number of specific laws provide for the protection of data and personal information:
i. The anti-trust and consumer protection law provides that information and data that businesses divulge to the Consumer Protection and Anti-Trust Authority as part of that agency's investigations and regulatory functions cannot be disclosed without the prior consent of the business that provided the information (Law 45, October 31, 2007, article 103).
ii. The tax code provides that information submitted by the taxpayer must be kept confidential.
In the event that tax or judicial authorities need to review the information, they are obligated to maintain its confidentiality and to refrain from using it for any purpose other than their investigation (Tax Code, article 722).
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
The Criminal Code establishes that misuse of personal information is punishable with fines equivalent to 200-500 days' imprisonment (Criminal Code, article 164) or with two to four years' imprisonment (Criminal Code, articles 283 and 284). Persons who misuse information stored in public offices, in public or private institutions offering services to the public, or in banks, insurance companies and other financial institutions are subject to increased penalties (Criminal Code, article 285). Violations of the electronic commerce law can result in fines ranging from US$100 to US$250,000 (Law 51, July 22, 2008, article 63). Violations of the anti-trust and consumer protection law are punishable with fines of up to US$25,000 (Law 45, October 31, 2007, article 104). Violations of the tax code are subject to criminal penalties of two to four years' imprisonment (Criminal Code, articles 283, 284 and 285; see Tax Code, article 1323).

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
Breaches of the Criminal Code are overseen by the Office of the Attorney General. Electronic databases are overseen by the General Electronic Commerce Administration. Consumer protection and anti-trust issues are overseen by the Consumer Protection and Anti-Trust Authority; however, more serious violations that constitute criminal offenses are handled by the Office of the Attorney General. Violations of the tax code are overseen by the Ministry of Economy and Finance.
d) Any additional information that is material?
2. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personal Health Information, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
Law 68, November 20, 2003, article 13 states that patients have a right to confidentiality with respect to their health information. Article 14 stipulates that health centers are obligated to implement procedures and policies to guarantee this right. Article 39 establishes the obligation to maintain the confidentiality of all patient records.
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
The Criminal Code establishes that misuse of personal information is punishable with fines equivalent to 200-500 days' imprisonment (Criminal Code, article 164) or with two to four years' imprisonment (Criminal Code, articles 283 and 284). Persons who misuse information stored in public or private institutions offering services to the public, such as hospitals, are subject to increased penalties (Criminal Code, article 285).
c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
Breaches of the Criminal Code are overseen by the Office of the Attorney General, with the support of the Ministry of Health.
d) Any additional information that is material?
3. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Financial Information, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
The credit agency law requires various economic agents, including banks, credit reporting agencies and financial institutions, to maintain the confidentiality of clients' credit histories (Law 24, May 22, 2002, article 6). Banking laws and regulations impose an obligation on banks to keep individual client information strictly confidential and not to disclose information regarding clients and transactions without prior client consent, except in certain circumstances, such as a request from the authorities in the course of a criminal proceeding (Executive Decree 52, April 30, 2008, article 93).


The trust law provides that the trustee, its representatives and employees, government authorities and anyone else involved in the trust by reason of their profession or position are obliged to maintain the secrecy of any information related to that trust (Law 1, January 5, 1984, article 37). The insurance law provides that, in the course of an investigation by the Office of the Superintendent of Insurance, no personal information related to the insured persons may be disclosed (Law 59, July 29, 1996, article 42). The credit card law provides that credit card issuers are obligated to keep the information they collect on users confidential, unless disclosure is required by law in the course of a criminal investigation (Law 81, December 31, 2009, article 56). Issuers must ensure the security of the confidential information they collect, and are required to inform users within 30 days if they have any reason to suspect that this information has been accessed (article 47). The securities law provides that persons working in the securities industry, including officers and employees of the Securities Commission and investment advisers, are forbidden to disclose confidential or privileged information obtained in the course of their employment (Law Decree 1, July 8, 1999, articles 209 and 268).
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
Depending on the gravity of the infraction, some violations of these laws may be subject to criminal sanctions. The Criminal Code establishes that misuse of personal information is punishable with fines equivalent to 200-500 days' imprisonment (Criminal Code, article 164) or with two to four years' imprisonment (Criminal Code, articles 283 and 284). Persons who misuse information stored in public offices, in public or private institutions offering services to the public, or in banks, insurance companies and other financial institutions are subject to increased penalties (Criminal Code, article 285).
Breaches of the credit agency law may result in a warning for first-time offenders, or fines of between US$1,000 and US$10,000, depending on the gravity of the offense (Law 24, May 22, 2002, article 42). Breaches of the trust law's privacy provisions are punishable with up to 6 months in prison and fines of up to US$50,000 (Law 1, January 5, 1984, article 37). Any employee or official of the Office of the Superintendent of Insurance who releases information will be fined between US$100 and US$500 and relieved of his post immediately (Law 59, July 29, 1996, article 116). Violations of the credit card law are punishable by fines based on the amount of harm caused, or by revocation of the credit card issuer's license (Law 81, December 31, 2009, article 47). The securities law provides that sharing confidential or privileged information obtained as a result of a person's employment or position is punishable by fines of between US$1,000 and US$100,000 (Law Decree 1, July 8, 1999, article 209).
c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
Breaches of the Criminal Code are overseen by the Office of the Attorney General. Breaches of the credit agency law are overseen by the Consumer Protection and Anti-Trust Authority.


Breaches of the banking law and the trust law are overseen by the Office of the Superintendent of Banks. Breaches of the insurance law are overseen by the Office of the Superintendent of Insurance. Breaches of the credit card law are overseen by the Office of the Superintendent of Banks when banking institutions are concerned, and by the Consumer Protection and Anti-Trust Authority when other financial institutions are concerned. Breaches of the securities law are overseen by the National Securities Commission.
d) Any additional information that is material?
4. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that is applicable to other sensitive data, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
Law 51, September 18, 2009, article 10 establishes that the telecommunications industry, including internet, telephone and mobile phone providers, is required to keep confidential the data collected on consumers. Providers are also required to implement any measures necessary to ensure the integrity and security of the information (article 9). However, they are also required to provide the data collected when requested by the relevant authorities (article 11).
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
Breach of these laws is punishable under the Criminal Code (Criminal Code, article 162), which provides that if an employee of a telecommunications company improperly obtains information and shares it or benefits from it, he or she is subject to two to four years' imprisonment, an equivalent fine, house arrest or community service.
c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
Breaches of the Criminal Code are overseen by the Office of the Attorney General, with the support of the National Public Services Authority.
d) Any additional information that is material?

Contact Information
Carin Stelp cstelp@arifa.com Arias, Fábrega & Fábrega Plaza 2000, 16th Floor 50th Street Panama, Republic of Panama Tel 507.205.7000 Fax 507.205.7001/02 www.arifa.com/arifa/



Data Privacy Survey

Romania
Prepared by Lex Mundi member firm Nestor Nestor Diculescu Kingston Petersen
1. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personally Identifiable Information, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
The main piece of legislation in the field of data privacy in Romania is Law No. 677/2001 on the protection of individuals with regard to the processing of personal data and the free movement of such data, as amended (Law No. 677/2001), which transposes and is generally in line with Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. An English translation of Law No. 677/2001 may be accessed on the Romanian data protection authority's website at the following link: http://www.dataprotection.ro/servlet/ViewDocument?id=174. The enactment has undergone minor amendments since its initial publication in the Official Gazette of Romania (i.e., regarding the identity and powers of the authority competent for data protection matters, and the elimination of the notification tax), which are not reflected in the above translation.
In addition, Law No. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector, as amended (Law No. 506/2004), which transposes Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, sets specific data protection rules on the processing of personal data in the electronic communications sector. An English translation of Law No. 506/2004 may be accessed on the Romanian data protection authority's website at the following link: http://www.dataprotection.ro/servlet/ViewDocument?id=173. The enactment has undergone a minor amendment (i.e., regarding interconnection) since its initial publication in the Official Gazette of Romania, which is not reflected in the above translation.
Secondary legislation adopted on the basis of Law No. 677/2001 contains additional rules governing the processing of personal data.
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
Generally, failure to comply with the obligations under Law No. 677/2001 and Law No. 506/2004 qualifies as a minor offence. Breaches of the obligations under the above-mentioned legal framework are sanctioned with administrative fines ranging from RON 500 (approx. EUR 115) to RON 50,000 (approx. EUR 11,500) under Law No. 677/2001 and to RON 100,000 (approx. EUR 23,000) under Law No. 506/2004. Under Law No. 506/2004, where breaches are committed by companies with a turnover exceeding RON 5,000,000 (approx. EUR 1,150,000), the fine may amount to up to 2% of turnover in the case of breaches of the rules regarding electronic commercial communications, of the rules on subscriber directories, and of those regarding the processing of location data.


Furthermore, the data protection authority may order the temporary or permanent cessation of processing conducted without observance of all legal requirements. Data subjects may claim material or moral damages before the competent courts of law for harm caused by the unlawful processing of their personal data. The data protection legislation does not expressly set out criminal offences, but to the extent that breaches are committed under conditions that constitute a criminal offence, the offender is criminally liable. For instance, under the Criminal Code the violation of the secrecy of correspondence is a criminal offence sanctioned with imprisonment of between six months and three years.
c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
The National Authority for the Supervision of Personal Data Processing (the DPA) is the administrative authority competent to supervise data processing operations and enforce the legislation in the area of personal data processing. Additionally, under Law No. 506/2004, the National Authority for Administration and Regulation in Communications has certain special competencies with regard to the activity of suppliers of electronic communication services and communication networks.
d) Any additional information that is material?
The data protection legislation sets out a series of requirements to be complied with when processing personal data, including: (i) obtaining, as a rule, the data subject's consent for the processing of his or her data; (ii) providing the data subject with minimum standard information regarding the processing of his or her personal data; (iii) notifying the processing to the DPA, including any transfer operations, and, where applicable, obtaining the DPA's authorization for the transfer; (iv) the conditions under which (electronic) commercial communications may be sent; (v) the conditions for the transfer of personal data abroad, including to countries not ensuring an adequate level of protection of personal data; (vi) minimum security requirements applicable to the processing of personal data; (vii) the rights recognized to data subjects in connection with the processing of their personal data; etc.
In 2008 Romania transposed Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC, through Law No. 298/2008 regarding the retention of data generated and processed by suppliers of publicly available electronic communication services and networks and for the amendment of Law No. 506/2004 (Law No. 298/2008). However, in late 2009 the Constitutional Court of Romania declared Law No. 298/2008 unconstitutional and the law lapsed. Consequently, Romania currently does not transpose Directive 2006/24/EC.
2. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personal Health Information, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
The processing of Personal Health Information is subject to the general and specific requirements set out in Law No. 677/2001, referred to in the answer to question 1a above. Specific rules on the processing of Personal Health Information are also provided in healthcare legislation, including Law No. 46/2003 on patients' rights (Law No. 46/2003), Law No. 95/2006 regarding reform in the healthcare sector (Law No. 95/2006) and Order of the Minister of Public Health No. 904/2006 regarding the approval of the Norms referring to the implementation of good practice rules in the conduct of clinical trials performed with pharmaceuticals for human use
(Order No. 904/2006), although such rules do not depart from the principles set out in Law No. 677/2001. No English versions of Law No. 46/2003 and Law No. 95/2006 are publicly available. An English translation of Order No. 904/2006 may be accessed on the National Medicines Agency website at the following link: http://www.anm.ro/en/html/legislation_minister_orders.html
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
For penalties in case of breach of the requirements of Law No. 677/2001, please refer to the answer to question 1b above. Generally, neither Law No. 46/2003 nor Law No. 95/2006 provides specific sanctions for failure to comply with the privacy requirements applicable to Personal Health Information. As an exception, Law No. 95/2006 expressly qualifies as a criminal offence the disclosure by employees of voluntary health insurance companies of an insured person's health condition in the absence of the insured person's consent.
c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
The DPA is the administrative authority competent to supervise data processing operations and enforce the legislation in the area of personal data processing, including with regard to Personal Health Information.
d) Any additional information that is material?
As a rule, Personal Health Information may only be processed with the data subject's express and unambiguous consent. A limited number of exceptions to this rule are provided under Law No. 677/2001, Law No. 46/2003 and Law No. 95/2006 (e.g., when the data is necessary to accredited suppliers of medical treatment involved in the patient's treatment, or when it is necessary for observing the employer's rights and obligations under employment law). Under certain conditions, an authorization issued by the DPA for the processing of Personal Health Information may be necessary.
Generally, the transfer of Personal Health Information abroad is only allowed with the data subject's express and unambiguous consent. If the transfer is made to a country not ensuring an adequate level of protection of personal data and is not grounded on a data transfer agreement based on the standard contractual clauses approved by the European Commission, the data subject's express written consent is necessary.
3. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Financial Information, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
The processing of Financial Information is subject to the general and specific requirements set out in Law No. 677/2001, referred to in the answer to question 1a above. In addition, specific requirements on the confidentiality of Financial Information are provided in the financial legislation, particularly Government Emergency Ordinance No. 99/2006 regarding credit institutions and capital adequacy (GEO No. 99/2006) and Regulation of the National Bank of Romania No. 6/2006 regarding the issuance of electronic payment instruments and the relations between the participants in transactions with such instruments (NBR Regulation No. 6/2006). No English versions of GEO No. 99/2006 and NBR Regulation No. 6/2006 are publicly available.


b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
For penalties in case of breach of the requirements of Law No. 677/2001, please refer to the answer to question 1b above. Although GEO No. 99/2006 does not provide a specific sanction for failure to comply with the confidentiality requirement, it may be deemed that the general sanctions for failure to comply with its requirements apply, i.e., a written warning, a fine of between 0.05% and 1% of the credit institution's share capital, or withdrawal of the operating authorization. Similarly, although NBR Regulation No. 6/2006 does not provide a specific sanction for failure to comply with the confidentiality requirement, it may be deemed that the general sanctions for failure to comply with its requirements apply, i.e., a written warning, a fine of between RON 500 (approx. EUR 120) and RON 5,000 (approx. EUR 1,200) or, in the case of non-banking financial institutions, a fine of between 0.01% and 0.5% of share capital, partial or total suspension of the authorization for a period of up to 90 days, or withdrawal of the authorization (in the case of non-banking financial institutions, fines imposed on their administrators, temporary suspension or prohibition of carrying out activities, or winding-up of the company's activity). Furthermore, although no information regarding relevant practice in this respect is publicly available, breach of the confidentiality obligation applicable to credit institutions may be qualified as disclosure of a professional secret, which is a criminal offence under the Romanian Criminal Code sanctioned with imprisonment of between three months and two years or a fine.
c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
The DPA is the administrative authority competent to supervise data processing operations and enforce the legislation in the area of personal data processing, including with regard to Financial Information. The National Bank of Romania is the authority competent to apply the specific sanctions provided by the financial legislation.
d) Any additional information that is material?
As a rule, under Romanian data privacy legislation Financial Information is not deemed sensitive data. Under the specific financial legislation, credit institutions and non-banking financial institutions are under an obligation to ensure the confidentiality of their clients' personal data in observance of the general data privacy and banking secrecy requirements.
4. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that is applicable to other sensitive data, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
The processing of sensitive data is subject to the general and specific requirements set out in Law No. 677/2001, referred to in the answer to question 1a above.
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
Please refer to the answer to question 1b above.
c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
The DPA is the administrative authority competent to supervise data processing operations and enforce the legislation in the area of personal data processing, including with regard to sensitive data.

d) Any additional information that is material?
Law No. 677/2001 sets rules on the conditions under which sensitive data may be processed. Generally, sensitive data may only be processed (i) with the data subject's consent; (ii) where the processing is necessary for the data controller to observe its rights and obligations under labor legislation; (iii) where the processing is necessary for the protection of the life and/or health of the data subject or another person and the data subject is physically or legally incapable of giving consent; (iv) where the data are manifestly made public by the data subject; (v) where the processing is necessary for the acknowledgement, exercise or defense of a right before the courts of law; (vi) where expressly provided by law for the purpose of protecting an important public interest, on the condition that the processing is carried out in observance of the data subject's rights and the other safeguards provided by law; (vii) where the processing concerns data intimately linked to the data subject's status as a public figure or to the public character of the acts in which the data subject is involved. Depending on the category of sensitive data processed, additional exceptions or restrictions may apply.
Generally, the transfer of sensitive data abroad is only allowed with the data subject's express and unambiguous consent. If the transfer is made to a country not ensuring an adequate level of protection of personal data and is not grounded on a data transfer agreement based on the standard contractual clauses approved by the European Commission, the data subject's express written consent is necessary.

Contact Information
Roxana Ionescu roxana.ionescu@nndkp.ro Ovidiu Balaceanu ovidiu.balaceanu@nndkp.ro Nestor Nestor Diculescu Kingston Petersen Bucharest Business Park, Entrance A, 4th floor 1A Bucuresti-Ploiesti National Road 1st District Bucharest 013681, Romania Tel 40.21.201.1200 Fax 40.21.201.1210 www.nndkp.ro



Data Privacy Survey

Russia
Prepared by Lex Mundi member firm Egorov Puginsky Afanasiev & Partners
1. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personally Identifiable Information, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
i. The Federal Law of the Russian Federation "On Personal Data" of 27.07.2006 No. 152-FZ regulates personal data processing: the main principles and requirements of personal data processing, the rights of the personal data subject, the duties of the personal data operator, and control over personal data processing. Link: http://www.medialaw.ru/e_pages/laws/russian/personal-data-en.htm (without the amendments later made to this Federal Law).
ii. The Labour Code of the Russian Federation of 30.12.2001 No. 197-FZ; Chapter 14 of this Code is dedicated specifically to the protection of employees' personal data. Link: http://www.ilo.org/dyn/natlex/docs/WEBTEXT/60535/65252/E01RUS01.htm (without the amendments made by the Federal Law of 30.06.2006 No. 90-FZ).
iii. The Federal Law of the Russian Federation "On Information, Information Technologies and the Protection of Information" of 27.07.2006 No. 149-FZ regulates relationships concerning the exercise of the right to search for, receive, transfer, produce and distribute information, the application of information technologies and the protection of information. Art. 9 Item 8 establishes that it is prohibited to demand that a person provide information about his or her private life, or to obtain such information against the will of that person.
iv. The Regulations on ensuring the security of personal data during its processing in personal data information systems (Decision of the Government of the Russian Federation of 17.11.2007 No. 781).
v. The Requirements for tangible media of biometric personal data and for technologies for storing such personal data outside personal data information systems (Decision of the Government of the Russian Federation of 06.07.2008 No. 512).
vi. The Regulations on the particularities of processing personal data without the use of automated means (Decision of the Government of the Russian Federation of 15.09.2008 No. 687).

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

i. Civil liability in the form of damages and compensation for moral harm can be imposed (Art. 15 and 151 of the Civil Code as of 30.11.1994).

ii. Criminal liability is established in the Criminal Code as of 13.06.1996 for: a) illegal collection and dissemination of private data without the consent of the person, or public dissemination of such data (Art. 137); b) violation of the secrecy of communication (Art. 138); c) disclosure of the secret of adoption (Art. 155); d) illegal receipt and disclosure of information classified as a commercial, tax or bank secret (Art. 183); e) unlawful access to computer information (Art. 272). The penalties are: a) a fine of up to 300 000 Rubles or in the amount of the salary or other income of the convict for a period of up to 2 years; b) compulsory community work for a term of 120-240 hours; c) correctional work for a term of up to 2 years; d) deprivation of the right to hold certain positions or perform certain activities for a term of 2 to 5 years; e) arrest for a term of up to 6 months; f) imprisonment for a term of up to 10 years; g) imprisonment for a term of up to 4 years with deprivation of the right to hold certain positions or perform certain activities for a term of up to 5 years.

iii. Administrative sanctions are established in the Code on Administrative Offences as of 30.12.2001 for: a) refusal to provide information (Art. 5.39); b) violation of the procedure established by law for the collection, keeping, use or dissemination of personal data (Art. 13.11); c) violation of the rules on protection of information (Art. 13.12); d) disclosure of limited-access information (Art. 13.14). The penalties are: a) a warning; b) a fine (up to 20 000 Rubles), with or without seizure of uncertified means of information protection; c) administrative suspension of activity for a term of up to 90 days.

iv. Disciplinary sanctions are established in Art. 192 of the Labour Code as of 30.12.2001. The penalties are: a) a warning; b) a reprimand; c) dismissal on the relevant grounds.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

i. The Federal Service for Supervision in the Sphere of Communications, Information Technologies and Mass Communication (Roscomnadzor) and its regional offices throughout the Russian Federation;

ii. The Federal Service for Technical and Export Control (FSTEK) and its regional offices throughout the Russian Federation;

iii. The Federal Security Service (FSB) and its regional offices throughout the Russian Federation;

iv. The Prosecutor General's Office of the Russian Federation.

d) Any additional information that is material?

The following three requirements are established for data processing: 1) the consent of the data subject; 2) a guarantee of data confidentiality; 3) notification of Roscomnadzor before data processing starts. Consent in written form is required for the processing of special categories of personal data and biometric data, and for cross-border transfer of personal data.

2. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personal Health Information, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

i. The Federal law of the Russian Federation "On Personal Data" as of 27.07.2006 No. 152-FZ regulates the issues of personal data processing: the main principles and requirements of personal data processing, the rights of the personal data subject, the duties of the personal data operator, etc. Link: http://www.medialaw.ru/e_pages/laws/russian/personal-data-en.htm (without any amendments made to this Federal law later).

ii. The Labour Code of the Russian Federation (Federal law as of 30.12.2001 No. 197-FZ): Chapter 14 of this Code is dedicated specifically to the protection of employees' personal data. Link: http://www.ilo.org/dyn/natlex/docs/WEBTEXT/60535/65252/E01RUS01.htm (without the amendments made to this Federal law by the Federal law as of 30.06.2006 No. 90-FZ).

iii. The Law of the Russian Federation "On medical insurance of citizens in the Russian Federation" as of 28.06.1991 No. 1499-1: Art. 12 provides that compulsory medical insurance funds keep databases and other resources in the sphere of compulsory medical insurance of citizens. Link to an online copy in Russian: http://base.consultant.ru/cons/cgi/online.cgi?req=doc;base=LAW;n=89957;div=LAW;mb=LAW;opt=1;ts=8ECE7730FA8F237DEF4857F8BE9B6A1C

iv. The Fundamentals of legislation of the Russian Federation on the protection of citizens' health as of 22.07.1993 No. 5487-1 regulate the rights of a patient to receive information about his or her health and medical procedures, and include a regime of confidentiality for such personal medical information (Art. 30, 31, 35, 49, 61). Link to an online copy in Russian: http://base.consultant.ru/cons/cgi/online.cgi?req=doc;base=LAW;n=90012;div=LAW;mb=LAW;opt=1;ts=5B6EA0C99E7CB37D1DF3A604CCC7FEFF

v. The Requirements for tangible media of biometric personal data and for technologies of storage of such personal data outside personal data information systems (Decision of the Government of the Russian Federation as of 06.07.2008 No. 512).

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

i. Civil liability in the form of reimbursement of damages and compensation for moral harm can be imposed (Art. 15 and 151 of the Civil Code of the Russian Federation).

ii. Criminal liability is established in the Criminal Code of the Russian Federation as of 13.06.1996 for: a) illegal collection and dissemination of private data without the consent of the person, or public dissemination of such data (Art. 137); b) unlawful access to computer information (Art. 272).

iii. The possible criminal penalties are: a) a fine of up to 300 000 Rubles or in the amount of the salary or other income of the convict for a period of up to 2 years; b) compulsory community work (for a term of 120-240 hours); c) correctional work (for a term of up to 2 years); d) arrest (for a term of up to 6 months); e) imprisonment for a term of up to 5 years; f) imprisonment for a term of up to 4 years with deprivation of the right to hold certain positions or perform certain activities for a term of up to 5 years.

iv. Administrative sanctions are established in the Code of the Russian Federation on Administrative Offences as of 30.12.2001 for: a) refusal to provide information to a citizen or legal entity (Art. 5.39); b) violation of the procedure established by law for the collection, keeping, use or dissemination of information about citizens (personal data) (Art. 13.11); c) violation of the rules on protection of information (Art. 13.12); d) disclosure of limited-access information (Art. 13.14). The possible penalties are: a) a warning; b) a fine (up to 20 000 Rubles), with or without seizure of uncertified means of information protection; c) administrative suspension of activity for a term of up to 90 days.

v. Disciplinary sanctions are established in Art. 192 of the Labour Code of the Russian Federation as of 30.12.2001. The possible penalties are: a) a warning; b) a reprimand; c) dismissal on the relevant grounds.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

i. The Federal Service for Supervision in the Sphere of Communications, Information Technologies and Mass Communication (Roscomnadzor) and its regional offices throughout the Russian Federation;

ii. The Prosecutor General's Office of the Russian Federation.

d) Any additional information that is material?

Since personal health information belongs to the special categories of personal data under the Federal law of the Russian Federation "On Personal Data" as of 27.07.2006 No. 152-FZ, the written consent of the data subject must be obtained for the processing of such information. Processing of personal health data is permitted without the consent of the data subject provided that the processing is necessary for the protection of the life, health or other vital interests of the data subject or of other persons, and obtaining consent is impossible.

3. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Financial Information, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

i. The Federal law of the Russian Federation "On commercial confidentiality" as of 29.07.2004 No. 98-FZ regulates the establishment, amendment and termination of the regime of commercial confidentiality with respect to information constituting a trade (commercial) secret (know-how).

ii. The Civil Code of the Russian Federation (Part four) as of 18.12.2006 No. 230-FZ: Chapter 75 "Right to know-how" contains a definition of know-how and establishes the ways of transferring the right, liability for violation of the right to know-how, etc.

iii. The Tax Code of the Russian Federation as of 31.07.1998 No. 146-FZ: Art. 102 "Tax secret" provides that any information regarding a taxpayer received by a tax authority, the bodies of internal affairs, the body of a state non-budgetary fund or a customs authority shall be considered confidential, with several exceptions. Link: http://www.russian-tax-code.com/ (without the amendments made by the Federal law as of 05.04.2004 No. 16-FZ).

iv. The Federal law of the Russian Federation "On banks and banking activity" as of 02.12.1990 No. 395-1: Art. 26 "Bank secret" provides that credit organisations and their employees, the Bank of Russia and deposit insurance agencies shall guarantee the secrecy of the transactions, accounts and deposits of their clients and correspondents.

v. The Civil Code of the Russian Federation (Part two) as of 26.01.1996 No. 14-FZ: Art. 857 provides that the bank shall guarantee the secrecy of a bank account and a bank deposit, of operations with the account and of information about clients. Link: http://russian-civilcode.com/PartII/ (without the amendments made by the Federal law as of 29.12.2004 No. 189-FZ).

vi. The Federal law of the Russian Federation "On auditing activity" as of 30.12.2008 No. 307-FZ: Art. 9 stipulates that the auditor's secret is any information and documents received and (or) prepared by an audit organisation or its employees, or by an individual auditor and his employees, while they provide their services.


b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

i. Civil liability in the form of damages is established by: a) Art. 15 of the Civil Code of the Russian Federation (regarding the auditor's secret); b) Art. 857 Part 3 (for breach of bank secret); c) Art. 1472 Part 1 (for breach of commercial confidentiality / confidentiality of know-how).

ii. Administrative sanctions are provided in Art. 13.14 of the Code of the Russian Federation on Administrative Offences for disclosure of limited-access information (bank, tax and auditor's secret). The penalty is a fine of 500 to 1000 Rubles (for citizens) or 4000 to 5000 Rubles (for officials).

iii. Criminal liability is provided in Art. 183 of the Criminal Code of the Russian Federation for illegal collection, disclosure or use of data constituting a commercial, tax or bank secret. The penalties are: a) a fine of up to 200 000 Rubles or in the amount of the salary or other income of the convict for a period of up to 18 months, with deprivation of the right to hold certain positions or perform certain activities for a term of up to 3 years; b) imprisonment for a term of up to 10 years.

iv. Audit organisations can be subject to the following disciplinary penalties: a) an order obliging the audit organisation to eliminate the discovered violations; b) a written warning for violation of obligatory provisions; c) a binding order to the self-regulating organisation of auditors (SRO) of which the audit organisation is a member to suspend the audit organisation's membership in the SRO; d) a binding order to the SRO of which the audit organisation is a member to expel the audit organisation from the SRO (Art. 20 Part 6 of the Federal law of the Russian Federation "On auditing activity" as of 30.12.2008 No. 307-FZ). Disciplinary penalties can also be applied directly by the SRO: Art. 20 Part 1 of the same Federal law supplements the specified list with fines and other penalties established by the SRO in its internal documents.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

i. The Prosecutor General's Office of the Russian Federation;

ii. The Ministry of Finance of the Russian Federation (for the Federal law of the Russian Federation "On auditing activity");

iii. The Bank of Russia (for the Federal law of the Russian Federation "On banks and banking activity");

iv. The Federal Tax Service of the Russian Federation and its local authorities (for the Tax Code of the Russian Federation).

d) Any additional information that is material?

According to Art. 5 Item 11 of the Federal law of the Russian Federation "On commercial confidentiality" as of 29.07.2004 No. 98-FZ, the regime of commercial confidentiality cannot be established in relation to information which must be disclosed, or access to which cannot be limited, under Russian legislation. Thus, where such requirements apply to financial data, that data cannot be confidential. In particular, the obligation to disclose information (including financial data) is imposed on: 1) credit organisations (Art. 8, 23.5 of the Federal law of the Russian Federation "On banks and banking activity" as of 02.12.1990 No. 395-1); 2) limited liability companies (Art. 6, 20, 49 of the Federal law of the Russian Federation "On limited liability companies" as of 08.02.1998 No. 14-FZ); 3) joint stock companies (Art. 92 of the Federal law of the Russian Federation "On joint stock companies" as of 26.12.1995 No. 208-FZ).

4. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that is applicable to other sensitive data, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

i. The Fundamentals of legislation of the Russian Federation on the notaries as of 11.02.1993 No. 4462-1: Art. 5, 16, 28 regulate confidentiality issues in connection with notarial actions.

ii. The Federal law of the Russian Federation "On attorneys' activity and the Bar in the Russian Federation" as of 31.05.2002 No. 63-FZ: Art. 8 "Attorney-client confidentiality privilege" provides that any information relating to the provision of legal assistance by an attorney to a client shall be deemed an attorney's secret. An attorney may not be summoned and interrogated as a witness about circumstances that became known to him from the client.

iii. The Law of the Russian Federation "On mass media" as of 27.12.1991 No. 2124-1: Art. 41, 49 regulate the issue of confidential information in the sphere of mass media: an editorial office or journalist shall not disclose information, or its source, that was provided in confidence.

iv. The Family Code of the Russian Federation as of 29.12.1995 No. 223-FZ: all persons, state bodies and officials who are aware of a child's adoption must keep the secret of adoption (Art. 135, 139).

v. The Federal laws of the Russian Federation "On communications" as of 07.07.2003 No. 126-FZ and "On postal communications" as of 17.07.1999 No. 176-FZ (Art. 63 and Art. 15 respectively) regulate the secrecy of communications: the confidentiality of any communication in Russia is guaranteed.

vi. The Federal law of the Russian Federation "On the freedom of conscience and religious associations" as of 26.09.1997 No. 125-FZ: Art. 3 is dedicated to the confession privilege.

vii. The Civil Code of the Russian Federation (Part two) as of 26.01.1996 No. 14-FZ: Art. 946 "The secrecy of insurance" provides that the insurer shall have no right to disclose information about the insured which it obtained as a result of its professional activity. Link: http://russian-civil-code.com/PartII/ (without the amendments made by the Federal law as of 29.12.2004 No. 189-FZ).

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

i. Civil liability in the form of damages and compensation for moral harm can be imposed (Art. 15 and 151 of the Civil Code as of 30.11.1994).

ii. Disciplinary penalties can also be applied: a) a warning; b) a reprimand; c) dismissal on the relevant grounds (Art. 192 of the Labour Code).

iii. Administrative sanctions are established in the Code of the Russian Federation on Administrative Offences for: a) violation of the procedure established by law for the collection, keeping, use or dissemination of personal data (Art. 13.11); b) violation of the rules on protection of information (Art. 13.12); c) disclosure of limited-access information (Art. 13.14). The penalties are: a) a warning; b) a fine (up to 20 000 Rubles), with or without seizure of uncertified means of information protection; c) administrative suspension of activity for a term of up to 90 days.

iv. Criminal liability is established in the Criminal Code of the Russian Federation for: a) illegal collection and dissemination of private data without the consent of the person, or public dissemination of such data (Art. 137); b) violation of the secrecy of communication (Art. 138); c) disclosure of the secret of adoption (Art. 155); d) illegal receipt and disclosure of information classified as a commercial, tax or bank secret (Art. 183); e) unlawful access to computer information (Art. 272). The penalties are: a) a fine of 100 000 to 300 000 Rubles or in the amount of the salary or other income of the convict for a period of up to 2 years; b) compulsory community work (for a term of 120-240 hours); c) correctional work (for a term of up to 2 years); d) deprivation of the right to hold certain positions or perform certain activities (for a term of 2 to 5 years); e) arrest (for a term of up to 6 months); f) imprisonment for a term of up to 10 years; g) imprisonment for a term of up to 4 years with deprivation of the right to hold certain positions or perform certain activities for a term of up to 5 years.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

i. The Prosecutor General's Office of the Russian Federation;

ii. The Ministry of Justice of the Russian Federation, its regional offices throughout the Russian Federation and the notarial chambers (for the Fundamentals of legislation of the Russian Federation on the notaries);

iii. The Federal Service for Supervision in the Sphere of Communications, Information Technologies and Mass Communication (Roscomnadzor) and its regional offices throughout the Russian Federation (for the Law of the Russian Federation "On mass media" and the Federal laws of the Russian Federation "On communications" and "On postal communications").

d) Any additional information that is material?

There are several cases in which the obligation to keep a secret can be removed by a court decision:

i. the court can discharge a notary from the obligation to maintain confidentiality if criminal proceedings have been initiated against the notary in connection with the performance of a notarial action;

ii. the court can also demand that an editorial office disclose the sources of confidential information and the name of a person who provided information on the condition that his name not be disclosed;

iii. postal correspondence and its enclosures can be inspected, and other limitations on confidential communications can be permitted, under a court decision.

But there are also several cases in which confidentiality cannot be compromised on any demand: 1) a clergyman has the right to refuse to testify about circumstances that became known to him from confession (the confession privilege); 2) an attorney cannot be summoned and interrogated as a witness about circumstances that became known to him in connection with a request for legal assistance or in connection with the provision thereof (attorney-client confidentiality privilege).

Contact Information

Aigul Zhumanova Aigul_Zhumanova@epam.ru

Egorov Puginsky Afanasiev & Partners 40/5 Bol. Ordynka Moscow 119017, Russia Tel 7.495.935.8010 Fax 7.495.935.8011 www.epam.ru


Data Privacy Survey

Scotland
Prepared by Lex Mundi member firm Maclay Murray & Spens
1. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personally Identifiable Information, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

Data Protection Act 1998: http://www.statutelaw.gov.uk/content.aspx?LegType=All+Primary&PageNumber=1&BrowseLetter=D&NavFrom=1&activeTextDocId=3190610&parentActiveTextDocId=3190610&showAllAttributes=0&hideCommentary=0&showProsp=0&suppressWarning=1

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

A new section 55A of the Data Protection Act 1998 (the "Act") was introduced via the Criminal Justice and Immigration Act 2008 and took effect in April 2010. This section increased the potential civil financial penalties which can be imposed under the Act from £5,000 to £500,000. Fines are imposed by the Information Commissioner's Office (the "ICO"), which is the independent body tasked with enforcing and overseeing the Data Protection Act. The ICO can impose fines if it is satisfied that there has been a serious breach of one or more of the data protection principles and that the breach was likely to cause substantial damage or distress.

There are various criminal offences created under the Act, the main ones being: i. committing persistent breaches of the Act; ii. failing to notify the ICO that the processing of personal information is being carried out, or failing to properly notify changes to an existing notification; and iii. knowingly or recklessly obtaining, disclosing or procuring the disclosure of personal information without the consent of the data controller, or attempting to sell such personal information.

Criminal offences under the Act are prosecuted in Scotland by the Procurator Fiscal or the Crown Office, unlike in England and Wales where prosecutions are brought by the ICO. The specific sanctions available depend on where the offence is prosecuted. If prosecuted at Sheriff Court level, the maximum fine for an offence under the Act is £5,000; if prosecuted at the High Court of Justiciary there is no limit on the level of fine which can be imposed, although to date this power has not been exercised.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

The Information Commissioner's Office


d) Any additional information that is material?

The Information Commissioner's Office has issued guidance on the use of its increased fining powers and has indicated that it intends to use monetary penalties both as a sanction and as a deterrent against those who deliberately or negligently disregard the law.

2. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personal Health Information, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

Data Protection Act 1998

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

Penalties are the same as stated above at 1b. While the Act imposes stricter obligations on the use of sensitive personal information, which is defined (at section 2) to include information on a person's physical or mental health or condition, there are no offences under the Act which are specific to the misuse of such information or of any other type of sensitive personal information.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

The Information Commissioner's Office

d) Any additional information that is material?

3. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Financial Information, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

Data Protection Act 1998

While there are complex laws relating to the regulation of financial services in the UK, under which the Financial Services Authority has extensive enforcement powers that can be used, inter alia, in relation to breaches of security which may involve personal data, the principal legislation in relation to the use or misuse of financial personal information will still be the Data Protection Act. This assumes, of course, that the financial information concerned falls within the definition of personal information under that Act, i.e. it is data which relates to a living individual who can be identified from it, or can be identified from it and from other information in the possession, or likely to come into the possession, of the data controller.

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

As per answer 1b above.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

The Information Commissioner's Office

d) Any additional information that is material?

4. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that is applicable to other sensitive data, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

Data Protection Act 1998

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

As per answer 1b above. While the Data Protection Act imposes stricter obligations on the use of sensitive personal information than it does for non-sensitive personal information, there are no offences under the Act which are specific to the misuse of sensitive personal information. As with any breach of the Act, how seriously the breach will be viewed will depend on the particular circumstances involved. The specific type of personal information concerned (whether sensitive or otherwise) will only be one factor to be considered.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

The Information Commissioner's Office

d) Any additional information that is material?

Contact Information
Andy Harris Andy.Harris@mms.co.uk Maclay Murray & Spens 1 George Square Glasgow G2 1AL, Scotland Tel 44.141.248.5011 Fax 44.141.248.5819 www.mms.co.uk


Data Privacy Survey

Slovenia
Prepared by Lex Mundi member firm Odvetniki Šelih & Partnerji
1. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personally Identifiable Information, and any material obligations. a) What is the cite to such laws? Provide a link, if available, to an online copy of such law. In Slovenia, personally identifiable information are considered personal data. Protection of personal data is in general governed by the Personal Data Protection Act (Official Gazette of the Republic of Slovenia no. 86/2004 as amended, hereinafter the PDPA). The Slovene wording of the PDPA (official consolidated text) is available at: http://www.uradni-list.si/1/objava.jsp?urlid=200794&stevilka=4690 The English wording of the PDPA (unofficial translation) is available at: http://www.ip-rs.si/index.php?id=339 The PDPA defines personal data (irrespective of the form in which it is expressed) as any data relating to an individual who can be identified or identifiable. The individual is identifiable if it can be identified, directly or indirectly, in particular by reference to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity, where the method of identification does not incur large costs or require disproportionate effort or use of time (Indent 1, Par. 1 of Article 6 of the PDPA in connection with Indent 2 of the respective Article). b) What are the penalties imposed for a breach of such law? Any criminal sanctions? A violation of the PDPA may lead to a monetary fine in the range of EUR 4,170 to 12,510 for a legal entity, individual entrepreneur or individual (independently performing an activity) and EUR 830 to 2,080 for a responsible person of a legal entity or individual entrepreneur (Article 91 of the PDPA). In addition, the Information Commissionaire may adopt certain inspections measures such as order the: i. 
remedy of the irregularities determined by the Information Commissionaire in accordance with its terms and conditions; ii. prohibition of processing of personal data by persons failing to implement the personal data protection measures; iii. prohibition of processing of personal data; iv. prohibition of transfer of personal data to third countries; v. other measures determined by the law governing inspection supervision and the law governing the administrative procedure (Article 54 of the PDPA). The Slovenian Criminal Code (Official Gazette of Republic of Slovenia, No. 55/2008 as amended) determines that whoever uses personal data, processed in accordance with the law, for the purpose other than for which they were obtained, or without obtaining a personal consent of the individual to whom the personal data relate, shall be punished by a fine or sentenced to imprisonment for not more than one year. The same sanctions are envisaged with respect to a criminal offence of breaking into a computer filing system with a purpose to obtain personal data. Moreover, the Criminal Code determines that publishing personal data of a victim of a criminal offence, a victim of breach of rights and liberties or a protected witnesses is also a criminal www.lexmundi.com
2009 Lex Mundi

Page 87

offence for which a perpetrator shall be sentenced to imprisonment for not more than three years (Article 143 of the Criminal Code). The unofficial consolidated text of the Criminal Code (only in Slovene) is available at: http://www.dz-rs.si/index.php?id=101&sm=k&q=Kazenski+zakonik&mandate=1&unid=UPB|1B04368E4254FD4BC1257 c) Identity the applicable administrative authority with jurisdiction for enforcement of such laws. Pursuant to Article 2 of the Information Commissioner Act (Official Gazette of the Republic of Slovenia no. 113/05 as amended) the Information Commissioner is the supervisory authority, competent for (among others) inspection supervision over the implementation of the Information Commissioner Act and other regulations, governing protection or processing of personal data or the transfer of personal data from Slovenia (including the PDPA), as well as carrying out other duties, defined by these regulations. The Information Commissioner is also a violations body, competent for supervision over the Information Commissioner Act and the PDPA (Article 2 of the Information Commissioner Act). d) Any additional information that is material? The PDPA envisages stricter requirements for processing and protection of sensitive personal data, i.e. data on racial, national or ethnic origin, political, religious or philosophical beliefs, tradeunion membership, health status, sexual life as well as the information on entry in or removal from a criminal record or a minor offence records. Please see our response to question no. 22 for details. 2. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personal Health Information, and any material obligations. a) What is the cite to such laws? Provide a link, if available, to an online copy of such law. The privacy of personal health information is in Slovenia governed by the following laws: i. 
i. the PDPA. The Slovene wording of the PDPA (official consolidated text) is available at: http://www.uradni-list.si/1/objava.jsp?urlid=200794&stevilka=4690 The English wording of the PDPA (unofficial translation) is available at: http://www.ip-rs.si/index.php?id=339
ii. the Patients' Rights Act (Official Gazette of the Republic of Slovenia no. 15/08; hereinafter the PRA). The Slovene wording of the PRA is available at: http://www.uradnilist.si/1/objava.jsp?urlid=200815&stevilka=455
iii. the Health Services Act (Official Gazette of the Republic of Slovenia no. 23/05, official consolidated text no. 2, as amended; hereinafter the HSA). The Slovene wording of the HSA and its amendments are available at: http://zakonodaja.gov.si/rpsi/r04/predpis_ZAKO214.html

To access the wording of the PRA, the HSA and their amendments, please click: i. for the wording of the acts as they were adopted, the link in section Naslov; and ii. for amendments of the respective acts, the links in section Spremembe.

The English wording of the respective acts is not available yet.


Please see our response to question 2d as well as our responses to questions in Section 4 for more detailed information on the provisions of the aforementioned acts relating to the protection of personal health information.

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
Considering that the provisions of the PDPA apply with respect to the processing of health-related personal data, the penal provisions of that act apply as well. Please see our response to question no. 8 above for detailed information in this respect.

The PRA also contains penal provisions. Namely, a violation of the obligation to investigate an unauthorized transfer and processing of patients' personal data, or to inform a patient, a representative of patients' rights and the Information Commissioner thereof, may lead to a monetary fine in the range of EUR 400 to 4,100 for a legal entity providing health care services. The responsible person of such legal entity may be fined in the range of EUR 100 to 1,000. Lower monetary fines for the aforementioned offence are determined for concessionary health care service providers; they may be fined in the range of EUR 400 to 2,100 (Article 87 of the PRA).

Pursuant to Article 89 of the HSA a violation of the obligation to treat information on the medical condition of a patient as a professional secret may lead to a monetary fine in the range of EUR 400 to 40,000 for a health care services provider and EUR 40 to 1,000 for a responsible person of a health care services provider.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
The Ministry of Health has supervisory authority over the implementation of the provisions of the PRA (Article 85 of the PRA) as well as over the implementation of the provisions of the HSA (Article 80 of the HSA).

With respect to the supervision of the implementation of the provisions of the PDPA, the Information Commissioner has jurisdiction to supervise the implementation of the PDPA. Please see our response to question no. 9 for more detailed information on the jurisdiction of the Information Commissioner.

d) Any additional information that is material?
According to Article 44 of the PRA a patient has the right to the confidentiality of his/her personal data, including information on visits to the doctor and medical treatment. Health care and allied professionals have to treat the personal data of patients in accordance with the principle of confidentiality and the provisions of the PDPA. In general, the consent of the patient is required to process his/her (health-related) personal data. However, the PRA determines the following exemptions, where the consent of the patient is not required:
i. if for the purpose of epidemiological and other surveys, education, medical publications or other purposes the identity of the person is not identifiable;
ii. if for the purpose of monitoring the quality and safety of medical care the identity of the person is not identifiable;
iii. if the law requires that a medical condition be reported;
iv. if for the needs of medical treatment personal data are transferred to another health care service provider;
v. if so determined by the law.

According to Article 46 of the PRA health care service providers are, with respect to an unauthorized transfer and processing of patients' personal data, obliged to (i) investigate the potential liability of health care and allied professionals; and (ii) inform a patient, a representative of patients' rights and the Information Commissioner thereof.

Pursuant to Article 51 of the HSA health care and allied professionals have to treat information on the medical condition of a patient (including information on the cause and other circumstances of such condition) as a professional secret. The respective information must not be disclosed to any third party or the public, or published in a way that would enable the identification of the individual to whom the data relate. A provision with similar content is also contained in the PRA.

Pursuant to Article 6 of the PDPA personal health information is (also) considered sensitive personal data. Please see our

3. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Financial Information, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
The privacy of financial information is in Slovenia governed by the following laws:
i. the PDPA. The Slovene wording of the PDPA (official consolidated text) is available at: http://www.uradni-list.si/1/objava.jsp?urlid=200794&stevilka=4690 The English wording of the PDPA (unofficial translation) is available at: http://www.ip-rs.si/index.php?id=339
ii. the Banking Act (Official Gazette of the Republic of Slovenia No. 131/06 as amended; hereinafter the Banking Act). The Slovene wording of the Banking Act and its amendments are available at: http://zakonodaja.gov.si/rpsi/r00/predpis_ZAKO4300.html To access the wording of the respective act or its amendments, please click: a. for the wording of the act as it was adopted, the link in section Naslov; and b. for amendments of the respective act, the links in section Spremembe. The English wording of the Banking Act and its amendments (unofficial translation) is available at: http://www.bsi.si/en/laws-and-regulations.asp?MapaId=84
iii. the Insurance Act (Official Gazette of the Republic of Slovenia no. 109/06, official consolidated text no. 2, as amended; hereinafter the Insurance Act). The Slovene wording of the Insurance Act and its amendments are available at: http://zakonodaja.gov.si/rpsi/r06/predpis_ZAKO1636.html To access the wording of the respective act or its amendments, please click: a. for the wording of the act as it was adopted, the link in section Naslov; and b. for amendments of the respective act, the links in section Spremembe. The English wording of the Insurance Act and its amendments (unofficial translation) is available at: http://www.mf.gov.si/slov/fin_sist/predpisi_zavarovalnistvo.htm

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
Considering that the provisions of the PDPA apply with respect to the processing of financial information relating to an identified or identifiable individual, the penal provisions of the PDPA apply as well. Please see our response to question no. 8 for detailed information in this respect.


The Banking Act and the Insurance Act also contain penal provisions with respect to the violation of the obligation to treat client information as confidential.

The Banking Act determines the following monetary fines for violation of the obligation to treat client information as confidential:
i. a monetary fine in the range of EUR 80,000 to 370,000 for a bank;
ii. a monetary fine in the range of EUR 2,500 to 12,000 for a responsible person of a bank; and
iii. a monetary fine in the range of EUR 400 to 3,000 for a member of the management of a bank, a bank's shareholder or an employee of a bank.

The Insurance Act determines the following monetary fines for violation of the obligation to treat client information as confidential:
i. a monetary fine in the range of EUR 13,900 to 125,000 for an insurance company;
ii. a monetary fine in the range of EUR 400 to 4,100 for a responsible person of an insurance company; and
iii. a monetary fine in the range of EUR 125 to 1,250 for a member of the management of an insurance company, an insurance company's shareholder or an employee of an insurance company.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
With respect to the supervision of the implementation of the provisions of the PDPA, the Information Commissioner has jurisdiction to supervise the implementation of the PDPA. Please see our response to question no. 9 for more details. Pursuant to the Insurance Act the Insurance Supervision Agency (in Slovenian: Agencija za zavarovalni nadzor) has supervisory authority over the implementation of the Insurance Act (Article 172 of the Insurance Act). According to the Banking Act, the Bank of Slovenia (in Slovenian: Banka Slovenije) has supervisory authority over the implementation of the Banking Act (Article 217 of the Banking Act).

d) Any additional information that is material?
Pursuant to the Banking Act a bank must treat as confidential and protect all information, facts and circumstances about its clients, notwithstanding the manner in which the respective information has been obtained (Article 214 of the Banking Act). Members of the management of the bank, the bank's shareholders and the bank's employees that have access to the aforementioned information on the bank's clients must not communicate this information to a third party, use it or enable a third party to use it. A provision with similar content is also contained in Article 153 of the Insurance Act.

4. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that is applicable to other sensitive data, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
Pursuant to the PDPA, data on racial, national or ethnic origin, political, religious or philosophical beliefs, trade-union membership, health status, sexual life, as well as information on entry in or removal from a criminal record or minor offence records, are considered sensitive personal data. Provided that the use of biometric characteristics in connection with any of the aforementioned data makes it possible to identify an individual, such biometric characteristics would also be considered sensitive personal data. The protection of personal data (including sensitive personal data) is in general governed by the PDPA. The Slovene wording of the PDPA (official consolidated text) is available at: http://www.uradni-list.si/1/objava.jsp?urlid=200794&stevilka=4690

The English wording of the PDPA (unofficial translation) is available at: http://www.ip-rs.si/index.php?id=339 With respect to the protection of health-related data, which is also considered sensitive personal data, please also see our responses to the questions in Section 3 of this survey.

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
The PDPA does not determine any different (stricter) sanctions for processing sensitive personal data in contravention of the PDPA. Thus, the sanctions described in our response to question no. 8 apply to processing sensitive personal data in contravention of the PDPA. With respect to the criminal sanctions relating to sensitive personal data, the provisions of the Slovenian Criminal Code described in our response to question no. 8 apply. Please see our response to question no. 8 for details.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
With respect to the supervision of the implementation of the provisions of the PDPA, the Information Commissioner has jurisdiction to supervise the implementation of the PDPA. Please see our response to question no. 9 for more detailed information on the jurisdiction of the Information Commissioner. The Information Commissioner is also a violations body, competent for supervision over the Information Commissioner Act and the PDPA.

d) Any additional information that is material?
Pursuant to Article 13 of the PDPA sensitive personal data may only be processed in the following cases:
i. if the individual has given explicit personal consent for this, such consent as a rule being in writing, and in the public sector provided by the law;
ii. if processing is necessary to fulfil the obligations of a data controller in the area of employment;
iii. if the processing is necessarily required to protect the life or body of the individual to whom the personal data relate, or of another person, if the individual to whom the personal data relate is incapable (physically or contractually incapable) of giving his consent pursuant to indent i. above;
iv. if they are processed for the purposes of lawful activities by institutions, societies, associations, religious communities, trade unions or other non-profit organisations with a political, philosophical, religious or trade-union aim (such processing is subject to several conditions);
v. if the individual to whom the sensitive personal data relate publicly announces them without any evident or explicit purpose of restricting their use;
vi. if processed by health care and allied professionals in accordance with the law for the purposes of protecting the health of the public and individuals and the management or operation of health services;
vii. if this is necessary in order to assert or oppose a legal claim;
viii. if so provided by another law to implement the public interest.

Sensitive personal data must during processing be specially marked and protected so that access to them by unauthorised persons is prevented. This does not apply to the cases described in indent v. of the previous paragraph.

If sensitive personal data are transmitted through telecommunications networks, they are deemed suitably protected if sent with the use of cryptographic methods and electronic signatures so that their illegibility or non-recognition is ensured during such transmission.

Contact Information
Barbara Balantic
barbara.balantic@selih.si
Odvetniki Šelih & Partnerji
Komenskega ulica 36
1000 Ljubljana, Slovenia
Tel 386.1.300.76.50
Fax 386.1.433.70.98
www.selih.si/eng/


Data Privacy Survey

South Africa
Prepared by Lex Mundi member firm Bowman Gilfillan
1. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personally Identifiable Information, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
Personally Identifiable Information is currently protected by the common law and the Constitutional right to privacy. Legislation similar to the Data Protection Act 1998 and European Union Data Protection Directive 95/46/EC of 1995 is being considered and the Protection of Personal Information Bill has been published to this effect. It is widely regarded that the Bill, once enacted, will amount to a codification of our common law and the Constitutional right to privacy as interpreted by the courts. For ease of reference, we refer to the Bill as POPIA in this survey.
i. Section 14 of the Constitution of the Republic of South Africa, 1996 http://www.info.gov.za/documents/constitution/1996/a108-96.pdf
ii. Protection of Personal Information Bill B9-2009 http://www.pmg.org.za/files/bills/090825b9-09.pdf

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
i. Currently, the penalty for breaching the right to privacy is civil damages and compensation.
ii. When POPIA comes into effect, the following actions will constitute offences: obstruction or unlawful influence of the Regulator; a breach by the persons acting on behalf of the Regulator of the duty of confidentiality; failure to comply with an enforcement notice; and making false statements.
iii. Persons convicted of an offence will be liable, in the case of obstruction of the Regulator's duties, for up to 10 years' imprisonment or a fine, or both, and in any other case, imprisonment for up to 12 months or a fine, or both.
iv. When POPIA is in effect, where there has been a breach of POPIA, the data subject (or the Regulator acting on behalf of the data subject) will also be entitled to claim damages. What amounts will ultimately be allowed remains to be seen. However, the court would be entitled to make the following awards: payment of damages as compensation for patrimonial and non-patrimonial loss; aggravated damages as determined by the court; interest; and legal fees.


c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
i. There is currently no authority overseeing the protection of personal information. There is also currently no obligation to notify any authority about the processing of personal information.
ii. When POPIA comes into effect, the Information Protection Regulator will be established and a responsible party will be required to notify the Regulator of its processing and related activities.

d) Any additional information that is material?
i. In terms of POPIA, personal information will be widely defined to include any information attaching to a data subject. It will therefore include information such as the individual's race, sex, gender, age and language; identifying symbols such as the individual's telephone number or identity number; the individual's blood type and address; and information related to the individual's employment, commercial and financial history. Processing will also be widely defined to cover all conceivable processing activities. Currently, personal information may be processed with the data subject's consent or if it is necessary for a particular legitimate purpose. These principles have been carried over to POPIA and, in accordance with the position in other jurisdictions, the processing of personal information will be based on 8 information principles. These principles are as follows: Accountability; Purpose specification; Processing limitation; Further processing limitation; Information quality; Openness; Security safeguards; and Data subject participation.
ii. A separate chapter will regulate the processing of special personal information. Special personal information includes the following: information about a data subject's religious or personal beliefs, race or ethnic origin, trade union membership, political opinions, health, sexual life and criminal behaviour.

2. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personal Health Information, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
Personal health information is currently protected by the common law right to privacy, section 14 of the Constitution and the Rules of Medical Ethics. When POPIA comes into effect, personal health information will be protected by the provisions regulating special personal information.
i. Section 14 of the Constitution of the Republic of South Africa, 1996 http://www.info.gov.za/documents/constitution/1996/a108-96.pdf
ii. Protection of Personal Information Bill B9-2009 http://www.pmg.org.za/files/bills/090825b9-09.pdf

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
i. Currently, the penalty for breaching the right to privacy is civil damages and compensation.
ii. When POPIA comes into effect and a responsible party fails to comply with an enforcement notice relating to personal health information, such failure will constitute a criminal offence. Similarly, if a person acting on behalf of the Regulator acts in breach of the duty of confidentiality regarding personal health information, such breach will constitute a criminal offence.
iii. Persons convicted of an offence will be liable, in the case of obstruction of the Regulator's duties, for up to 10 years' imprisonment or a fine, or both, and in any other case, imprisonment for up to 12 months or a fine, or both.
iv. When POPIA comes into effect, where there has been a breach of POPIA, the data subject (or the Regulator acting on behalf of the data subject) will also be entitled to claim damages. What amounts will ultimately be allowed remains to be seen. However, the court would be entitled to make the following awards: payment of damages as compensation for patrimonial and non-patrimonial loss; aggravated damages as determined by the court; interest; and legal fees.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
i. There is currently no authority overseeing the protection of personal information. There is also currently no obligation to notify any authority about the processing of personal information.
ii. When POPIA comes into effect, the Information Protection Regulator will be established and a responsible party will be required to notify the Regulator of its processing and related activities.

d) Any additional information that is material?
i. When POPIA comes into effect, explicit consent from the data subject will be required when processing information regarding an individual's health. POPIA, however, provides an exemption to this general rule in respect of a data subject's health or sexual life, namely where the processing is done by:
- Medical professionals, healthcare institutions or facilities or social services, if processing is necessary for the proper treatment and care of the data subject or the administration of the institution or professional practice concerned.
- Insurance companies, medical aid scheme administrators and managed healthcare organisations, if the processing is necessary for assessing the risk to be insured by the insurance company or covered by the medical aid scheme and the data subject has not objected to the processing; or the performance of an insurance or medical aid agreement, or the enforcement of any contractual rights and obligations.
- Schools, if the processing is necessary to provide special support for pupils or making special arrangements in connection with their health or sexual life.
- Institutions of probation, child protection or guardianship, if the processing is necessary for the performance of their legal duties.
- The Minister of Correctional Services, if the processing is necessary in connection with the implementation of prison sentences or detention measures.
- Administrative bodies, pension funds, employers or institutions working for them, if processing is necessary for the implementation of the provisions of laws, pension regulations or collective agreements.
ii. Health information must be treated confidentially unless the responsible party is required by law or in connection with duties to communicate the information.
iii. Personal information concerning inherited characteristics may not be processed unless a serious medical interest prevails or it is necessary for scientific research or statistics.

3. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Financial Information, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
Currently, this information is protected by the common law right to privacy, section 14 of the Constitution and the National Credit Act 34 of 2005. When POPIA comes into effect, financial information will also be protected by POPIA as the financial history of a data subject will form part of the definition of personal information.
i. Section 14 of the Constitution of the Republic of South Africa, 1996 http://www.info.gov.za/documents/constitution/1996/a108-96.pdf
ii. Protection of Personal Information Bill B9-2009 http://www.pmg.org.za/files/bills/090825b9-09.pdf

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
i. Currently, the penalty for breaching the right to privacy is civil damages and compensation.
ii. When POPIA comes into effect, the following actions will constitute offences: obstruction or unlawful influence of the Regulator; a breach by the persons acting on behalf of the Regulator of the duty of confidentiality; failure to comply with an enforcement notice; and making false statements.
iii. Persons convicted of an offence are liable, in the case of obstruction of the Regulator's duties, for up to 10 years' imprisonment or a fine, or both, and in any other case, imprisonment for up to 12 months or a fine, or both.
iv. Where there has been a breach of POPIA, the data subject (or the Regulator acting on behalf of the data subject) may claim damages. What amounts will ultimately be allowed remains to be seen. However, the court would be entitled to make the following awards: payment of damages as compensation for patrimonial and non-patrimonial loss; aggravated damages as determined by the court; interest; and legal fees.


c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
i. In terms of the National Credit Act 34 of 2005, all credit providers and credit bureaux must register with the National Credit Regulator, who will receive information about credit agreements with credit providers. Credit bureaux are obliged to verify the accuracy of any consumer credit information that is reported to them by their clients. All confidential consumer information held by credit providers is protected as personal information: it may only be used for legal purposes and may only be released in certain circumstances, i.e. in terms of a court order.
ii. When POPIA comes into effect, the Information Protection Regulator will be established and a responsible party will be required to notify the Regulator of its processing and related activities.

d) Any additional information that is material?
When POPIA comes into effect, information about a data subject's credit history will form part of the definition of "special personal information" and will be subject to the provisions applicable to this category of information.

4. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that is applicable to other sensitive data, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
Currently, other sensitive data are regulated by the common law right to privacy, section 14 of the Constitution and various applicable laws. For example, information as regards a data subject's race may be subject to the Employment Equity Act 55 of 1998 (the EEA) and the Promotion of Equality and Prevention of Unfair Discrimination Act 4 of 2000 (PEPUDA); and information related to a person's trade union membership is subject to the Labour Relations Act 66 of 1995 and the EEA. When POPIA comes into effect, the following categories of information will be regarded as special personal information: information about a data subject's religious or personal beliefs, race or ethnic origin, trade union membership, political opinions, health, sexual life and criminal behaviour.
i. Section 14 of the Constitution of the Republic of South Africa, 1996 http://www.info.gov.za/documents/constitution/1996/a108-96.pdf
ii. Protection of Personal Information Bill B9-2009 http://www.pmg.org.za/files/bills/090825b9-09.pdf

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
i. Currently, the penalty for breaching the right to privacy is civil damages and compensation.
ii. When POPIA comes into effect and a responsible party fails to comply with an enforcement notice relating to personal health information, such failure will constitute a criminal offence.
iii. Persons convicted of an offence will be liable, in the case of obstruction of the Regulator's duties, for up to 10 years' imprisonment or a fine, or both, and in any other case, imprisonment for up to 12 months or a fine, or both.
iv. When POPIA comes into effect, where there has been a breach of POPIA, the data subject (or the Regulator acting on behalf of the data subject) will be entitled to claim damages. What amounts will ultimately be allowed remains to be seen. However, the court would be entitled to make the following awards: payment of damages as compensation for patrimonial and non-patrimonial loss; aggravated damages as determined by the court; interest; and legal fees.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
i. There is currently no authority overseeing the protection of personal information. There is also currently no obligation to notify any authority about the processing of personal information.
ii. When POPIA comes into effect, the Information Protection Regulator will be established and a responsible party will be required to notify the Regulator of its processing and related activities.
iii. Where information about a person's race or trade union membership is used in a manner which results in unfair discrimination, the individual may sue the employer in the Labour Court on this basis in terms of the Employment Equity Act and/or the Labour Relations Act.
iv. "Designated employers" as defined in the Employment Equity Act are obliged to put in place employment equity plans and take affirmative action measures in order to ensure that people from designated groups (i.e. black people, women and people with disabilities) are equitably represented in all occupational categories and levels. It is therefore permissible to process information about race for these purposes. In addition, designated employers are obliged to submit regular reports as regards the progress made towards employment equity to the Department of Labour. The Department of Labour is furthermore empowered to assess an employer's progress towards employment equity, and to this end information in relation to race, gender and disability status may be processed.

d) Any additional information that is material?
i. Explicit consent from the data subject is required when processing special personal information, i.e. information regarding an individual's religious or philosophical beliefs, race, political persuasion, sex life, health, trade union membership or criminal record. The consent must be specific, voluntary and informed.
ii. Processing of special personal information is prohibited unless the internal requirements in POPIA in respect of the relevant category are met, or the processing is carried out in one of the following circumstances:
- the processing is carried out with parental consent where the data subject is a child subject to parental control;
- the processing is necessary for the establishment, exercise or defence of a right or obligation in law;
- the processing is necessary to comply with an obligation of international public law;
- the processing is carried out with the consent of the data subject;
- the Regulator has granted authority for processing in the public interest and appropriate measures have been put in place; or
- the information has deliberately been made public by the data subject.

Contact Information
Talita Laubscher, talita@bowman.co.za
Monique Jefferson, m.jefferson@bowman.co.za
Bowman Gilfillan
165 West Street
Sandton, Johannesburg, South Africa
Tel 27.11.669.9000
Fax 27.11.669.9001
www.bowman.co.za


Data Privacy Survey

Spain
Prepared by Lex Mundi member firm Uría Menéndez

1. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personally Identifiable Information, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
The Charter of Fundamental Rights of the European Union, which has full legal effect with the entry into force of the Treaty of Lisbon on 1 December 2009.
Basic Law 15/1999 on the Protection of Personal Data (https://www.agpd.es/portalweb/english_resources/regulations/common/pdfs/Ley_Orgaica_1599_ingles.pdf) and Royal Decree 1720/2007 (https://www.agpd.es/portalweb/english_resources/regulations/common/pdfs/reglamentolopd_en.pdf) provide the core legislative framework.
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
Non-compliance with Basic Law 15/1999 may result in the imposition of fines ranging from EUR 600 to EUR 600,000 per infringement, depending on its seriousness. Civil compensation can be claimed for damages caused by the infringement of data protection rules. The Spanish Criminal Code sets out fines as well as the possibility of imprisonment for criminal offences relating to personal data.
c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
The Spanish Data Protection Supervisory Authority (www.agpd.es) is the governmental authority responsible for monitoring the application of Basic Law 15/1999.
d) Any additional information that is material?

2. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personal Health Information, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
The Charter of Fundamental Rights of the European Union, which has full legal effect with the entry into force of the Treaty of Lisbon on 1 December 2009.
Basic Law 15/1999 on the Protection of Personal Data (https://www.agpd.es/portalweb/english_resources/regulations/common/pdfs/Ley_Orgaica_1599_ingles.pdf) and Royal Decree 1720/2007 (https://www.agpd.es/portalweb/english_resources/regulations/common/pdfs/reglamentolopd_en.pdf) provide the core legislative framework. Health-related laws may also have data protection implications (such as specific data retention periods, specific codification processes, specific rules on the rights of access of a patient's relatives, etc.).
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
Non-compliance with Basic Law 15/1999 may result in the imposition of fines ranging from EUR 600 to EUR 600,000 per infringement, depending on its seriousness. Civil compensation can be claimed for damages caused by the infringement of data protection rules. The Spanish Criminal Code sets out fines as well as the possibility of imprisonment for criminal offences relating to personal data.
c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
The Spanish Data Protection Supervisory Authority (www.agpd.es) is the governmental authority responsible for monitoring the application of Basic Law 15/1999.
d) Any additional information that is material?
The protection of health-related personal data is specifically reinforced, in particular regarding the legitimate grounds for processing (restricted to the data subject's explicit consent or a specific authorization under Spanish law) as well as the security measures to be implemented.

3. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Financial Information, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
The Charter of Fundamental Rights of the European Union, which has full legal effect with the entry into force of the Treaty of Lisbon on 1 December 2009.
Basic Law 15/1999 on the Protection of Personal Data (https://www.agpd.es/portalweb/english_resources/regulations/common/pdfs/Ley_Orgaica_1599_ingles.pdf) and Royal Decree 1720/2007 (https://www.agpd.es/portalweb/english_resources/regulations/common/pdfs/reglamentolopd_en.pdf) provide the core legislative framework. Financial laws may also have data protection implications (in particular regarding the legitimate grounds for processing).
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
Non-compliance with Basic Law 15/1999 may result in the imposition of fines ranging from EUR 600 to EUR 600,000 per infringement, depending on its seriousness. Civil compensation can be claimed for damages caused by the infringement of data protection rules. The Spanish Criminal Code sets out fines as well as the possibility of imprisonment for criminal offences relating to personal data.
c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
The Spanish Data Protection Supervisory Authority (www.agpd.es) is the governmental authority responsible for monitoring the application of Basic Law 15/1999.
d) Any additional information that is material?
Specific security measures apply to financial personal data.

4. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that is applicable to other sensitive data, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
The Charter of Fundamental Rights of the European Union, which has full legal effect with the entry into force of the Treaty of Lisbon on 1 December 2009.
Basic Law 15/1999 on the Protection of Personal Data (https://www.agpd.es/portalweb/english_resources/regulations/common/pdfs/Ley_Orgaica_1599_ingles.pdf) and Royal Decree 1720/2007 (https://www.agpd.es/portalweb/english_resources/regulations/common/pdfs/reglamentolopd_en.pdf) provide the core legislative framework.
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
Non-compliance with Basic Law 15/1999 may result in the imposition of fines ranging from EUR 600 to EUR 600,000 per infringement, depending on its seriousness. Civil compensation can be claimed for damages caused by the infringement of data protection rules. The Spanish Criminal Code sets out fines as well as the possibility of imprisonment for criminal offences relating to personal data.
c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
The Spanish Data Protection Supervisory Authority (www.agpd.es) is the governmental authority responsible for monitoring the application of Basic Law 15/1999.

d) Any additional information that is material?
The protection of sensitive personal data is specifically reinforced, in particular regarding the legitimate grounds for processing (restricted to the data subject's explicit consent or a specific authorization under Spanish law) as well as the security measures to be implemented.

Contact Information
Cecilia Alvarez Rigaudias, cecilia.alvarez@uria.com
Uría Menéndez
Calle Príncipe de Vergara, 187
Plaza de Rodrigo Uría
28002 Madrid, Spain
Tel 34.91.586.04.00
Fax 34.91.586.04.03
www.uria.com

Data Privacy Survey

Sweden
Prepared by Lex Mundi member firm Advokatfirman Vinge KB

1. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personally Identifiable Information, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
Sweden has a Personal Data Act (Sw: Personuppgiftslagen), the purpose of which is to protect people against violation of their personal privacy by the processing of personal data. Personal data shall only be collected for specific, explicitly stated and justified purposes and shall not be processed for any purpose that is incompatible with the purpose for which the information was collected. Any processing of personal data must be adequate and relevant in relation to the purposes of the processing, and no more personal data shall be processed than is necessary having regard to those purposes. Personal data may only be processed if the registered person has given his/her consent to the processing or if the processing is necessary in order to fulfill specific purposes as provided by the legislation. If another statute or enactment contains provisions that deviate from the Personal Data Act, those provisions shall apply. The Swedish Personal Data Act is based on Directive 95/46/EC, which aims to prevent the violation of personal privacy in the processing of personal data. The Swedish Personal Data Ordinance (Sw: Datainspektionen) provides supplementary regulations concerning such processing of personal data as is subject to the Personal Data Act.
http://www.sweden.gov.se/content/1/c6/01/55/42/b451922d.pdf
http://www.sweden.gov.se/content/1/c6/02/56/33/ed5aaf53.pdf
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
Damages: The controller of personal data shall compensate the registered person for damage caused as a consequence of the violation of personal privacy by the processing of personal data in contravention of the Personal Data Act. The liability to pay compensation may, to the extent that it is reasonable, be adjusted if the person providing personal data proves that the error was not caused by him or her.
Fine and imprisonment: Any person who intentionally or negligently (a) provides erroneous information in information to registered persons as prescribed by the Personal Data Act, or in the notification to the supervisory authority, or to the supervisory authority when the authority requests information, (b) processes personal data in contravention of the Personal Data Act, (c) transfers personal data to a third country in contravention of the Personal Data Act, or (d) fails to give notice to the supervisory authority before processing of personal data or in accordance with specific regulations, shall be sentenced to a fine or imprisonment of a maximum of six months or, if the offence is grave, to imprisonment for a maximum term of two years. A custodial sentence shall not be imposed in petty cases.
c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
A court of general jurisdiction adjudicates claims for damages and penalties due to processing of personal data in contravention of the Personal Data Act. The Data Inspection Board is the supervisory authority under the Personal Data Act. The supervisory authority is entitled to request and obtain access to the personal data that is processed and information concerning documentation of the processing of personal data as well as the security of this processing, and is also entitled to gain access to those premises linked to the processing of personal data. If the supervisory authority concludes that personal data is processed or may be processed in an unlawful manner, the authority shall endeavour to attain rectification by issuing a reminder or by initiating a similar procedure. In the event rectification is not otherwise possible or if the matter is urgent, the authority may prohibit, subject to a default fine, the controller of personal data from continuing processing of the personal data in any manner other than the storage thereof. The supervisory authority may apply to the county administrative court in the county where the authority is situated for the deletion of personal data processed in an unlawful manner.
d) Any additional information that is material?
It is prohibited to, without explicit consent, process personal data that reveals a person's race or ethnic origin, political opinions, religious or philosophical beliefs, or membership of a trade union. It is also prohibited to, without explicit consent, process personal data which relates to a person's health or sex life. The aforementioned information is designated as sensitive personal data. Sensitive personal data may be processed without explicit consent in special cases, e.g. for health and hospital care purposes. It is prohibited for any party other than public authorities to process personal data concerning criminal offences, judgments in criminal cases, coercive penal procedural measures or deprivation of liberty. According to the Personal Data Act it is generally prohibited, without consent, to transfer personal data that is undergoing processing to a state that is not a member state of the European Union or part of the European Economic Area unless the third country has an adequate level of protection for personal data. The provision also applies to the transfer of personal data for processing in a third country. In addition to the foregoing, it is permitted to transfer personal data to a third country even if consent is not at hand if the transfer is necessary in order to fulfill specific purposes as provided by the legislation.

2. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personal Health Information, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
The Swedish Personal Data (Patients) Act (2008:355) applies to the processing of personal data within the medical and healthcare service. The Act contains provisions concerning, inter alia, the processing of personal data within the medical and healthcare service; the obligation to maintain case records and the contents and the handling thereof; internal confidentiality; disclosure of personal data; and coherent case records. According to the general rule, the processing of personal data which is permitted under the Personal Data (Patients) Act may be carried out even if the concerned patient objects thereto. This provision is contrary to the general rule contained in the Personal Data Act, which provides that personal data may only be processed if the registered person has given his/her consent to the processing.
http://62.95.69.3/SFSdoc/08/080355.PDF (in Swedish)
The Personal Data Act (see Section 1) is secondarily applicable to personal health information. This is so-called sensitive personal data that may be processed in special cases, e.g. for health and hospital care purposes.
Provisions governing confidentiality are contained in the Professional Healthcare and Hospital Care Act (1998:531).
http://www.notisum.se/rnp/sls/lag/19980531.htm (in Swedish)
There are also confidentiality provisions concerning the public healthcare sector in the Secrecy (Disclosure of Public Records) Act (2009:400).
http://www.notisum.se/rnp/sls/sfs/20090400.PDF (in Swedish)
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
The provisions of the Personal Data Act in respect of damages, fine, and imprisonment apply to processing of personal data under the Personal Data (Patients) Act. See answer 1b.
c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
See answer 1c.
d) Any additional information that is material?
An authority within the public healthcare sector must, in certain circumstances, disclose personal data from case records and other documents. The circumstances in which such data must be disclosed are contained in the Secrecy (Disclosure of Public Records) Act (see the answer in 2a above). The Personal Data (Patients) Act (2008:355) entered into force on 1 July 2008 and thereupon repealed the Patient Journals Act and the Healthcare (Patient Register) Act.

3. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Financial Information, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
The Personal Data Act (see Section 1) is applicable to financial information that relates to an individual. In addition to the provisions in the Personal Data Act, there are specific provisions regarding the secrecy of customer information in the Banking and Financing Business Act (2004:297) and the Securities Markets Act (2007:528).
http://www.notisum.se/rnp/sls/lag/20040297.htm (in Swedish)
http://www.notisum.se/rnp/sls/lag/20070528.htm (in Swedish)
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
Violations of the secrecy rules regarding financial information may be subject to criminal law for investment firms but not for credit institutions. Violation of the secrecy rules may be subject to civil law remedies. Claims for damages under civil law rules are handled by the district court (the court of first instance).
c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
The Swedish Financial Supervisory Authority is the government authority which supervises the activities of credit institutions.
d) Any additional information that is material?
The secrecy provisions state that information concerning the relationship between credit institutions and their customers may not be disclosed unless such disclosure is considered to be authorized. Disclosure of information may be permitted where a customer consents to the disclosure. In some cases, credit institutions may have legal obligations to disclose certain information about their customers, e.g. to the tax authorities, the police and the enforcement service authority.

4. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that is applicable to other sensitive data, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
The Electronic Communications Act (2003:389) applies to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks.
http://www.notisum.se/rnp/sls/lag/20030389.htm (in Swedish)
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
The provisions of the Personal Data Act in respect of damages apply to processing of personal data under the Electronic Communications Act. See answer 1b. Violations of certain provisions in the Electronic Communications Act may be subject to criminal law.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
The Swedish Post and Telecom Agency is the supervisory authority under the Electronic Communications Act.
d) Any additional information that is material?
Traffic data relating to subscribers and users processed and stored by a provider must be erased or made anonymous when it is no longer needed for the purpose of transmission of a communication. While traffic data necessary for the purpose of subscriber billing and interconnection payments may be processed, such processing is permissible only up to the end of the period during which the bill may be lawfully challenged or payment may be pursued. Where the subscriber or user to whom the data relate has given consent, traffic data may be processed for marketing electronic communications services or for the provision of other services by providers, to the extent and for the time necessary for the provision of the service. Location data other than traffic data relating to users or subscribers may only be processed when it is made anonymous, or with the consent of the users or subscribers to the extent and for the duration necessary for the provision of a service. There are also specific provisions regarding security and confidentiality in the Electronic Communications Act.

Contact Information
Lisa Askbrink, lisa.askbrink@vinge.se
Nicklas Thorgerzon, nicklas.thorgerzon@vinge.se
Advokatfirman Vinge KB
Smålandsgatan 20
PO Box 1703
S-111 87 Stockholm, Sweden
Tel 46.10.614.30.00
Fax 46.10.614.31.90
www.vinge.com


Data Privacy Survey

Switzerland
Prepared by Lex Mundi member firm Pestalozzi

1. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personally Identifiable Information, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
http://www.edoeb.admin.ch/org/00828/index.html?lang=en
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
Yes, there are criminal sanctions. For example, anyone deliberately failing to comply with the information obligation with regard to collections of data especially worthy of protection can be punished by a fine. The fine amounts to CHF 10,000.
c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
The Federal Data Protection and Information Commissioner (FDPIC)
d) Any additional information that is material?
The Swiss Data Protection Act applies to individuals and legal entities. Moreover, although Switzerland does not belong to the EU, its Data Protection Act is considered to be equivalent to the EU laws/directives. All stages of data acquisition and processing must primarily take place lawfully, comply with the principles of good faith and proportionality, and the purpose of the data processing must be recognisable to the persons concerned, in that this is stated during acquisition, is evident from the circumstances or is prescribed by law. In addition, the data collected must be correct and be secure against unauthorized processing. Personal data must not be disclosed abroad if the personal integrity of the persons concerned would thereby be seriously harmed. A serious violation of personal integrity is assumed if there is no legislation ensuring appropriate protection in the country where the data are disclosed. This assumption can only be refuted if at least one of the minimum conditions stipulated in Art. 6 para. 2 lit. a to lit. g DSG is present. The possibility of justifying the admissibility of the international data transfer with the general grounds for justification (according to Art. 13 DSG) is not, however, available. It can be stated as a rule of thumb that all those countries which have either ratified the ETS 108 agreement or have implemented the EU data protection directive comply with Swiss legislation. In addition, the EDB has prepared a non-binding list of those countries whose data protection legislation should ensure appropriate protection.


2. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personal Health Information, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
http://www.edoeb.admin.ch/org/00828/index.html?lang=en
Personal health information is considered to be sensitive personal data, which is subject to stricter rules than "common" personal data.
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
The same as under section 1b above.
c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
The same as under section 1c above.
d) Any additional information that is material?
The processing of sensitive personal data requires the explicit consent of the data subject. Moreover, the data subjects must be actively informed about the procurement of sensitive personal data: they must be informed of the holder of the data collection, the purpose of the data acquisition and the categories of any data recipients. Collections of sensitive personal data must be registered with the authorized federal officer for data and publicity (EDB), even if the persons concerned are aware of the processing. Excluded from this are data collections by companies which have appointed an internal, but still independent, officer responsible for data protection.

3. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Financial Information, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
http://www.edoeb.admin.ch/org/00828/index.html?lang=en
Financial information is considered to be "common" personal data and is not subject to the stricter rules that apply to sensitive personal data.
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
The same as under section 1b above.
c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
The same as under section 1c above.
d) Any additional information that is material?
The same as under section 1d above.
4. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that is applicable to other sensitive data, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
http://www.edoeb.admin.ch/org/00828/index.html?lang=en
Other sensitive personal data includes, for example, personality profiles, which are subject to the same rules as sensitive personal data.
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
The same as under section 1b above.
c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
The same as under section 1c above.
d) Any additional information that is material?
The same as under section 2d above.

Contact Information
Clara-Ann Gordon, clara-ann.gordon@pestalozzilaw.com
Pestalozzi
Loewenstrasse 1
CH-8001 Zurich, Switzerland
Tel 41.44.217.91.11
Fax 41.44.217.92.17
www.pestalozzilaw.com


Data Privacy Survey

Thailand
Prepared by Lex Mundi member firm Tilleke & Gibbins

1. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personally Identifiable Information, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
Constitution (2007) Sections 28 & 35
Official Information Act (1997)
Personal Data Protection Act (not yet enacted)
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
The Constitution does not contain specific penalties for breach of these sections; the matter would need to be argued in court. Penalties for breach of the Official Information Act include fines and/or prison time. Penalties for breach of the Personal Data Protection Act, if enacted, would include fines and/or prison time. One could also bring an action to seek compensation for actual damages if he/she experienced loss or damage from such breach.
c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
Office of the Official Information Commission. With respect to the Personal Data Protection Act, this will depend on the actual form of the Act, when and if it is enacted.
d) Any additional information that is material?
There are a variety of industry-specific regulations applied to personal data in the context of those industries. For example, telecommunications licensees are subject to specific regulations relating to personal data of their service users. Also, there are specific requirements that relate to personal data under laws relevant to financial institutions and credit bureaus.

2. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personal Health Information, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
Constitution (2007) Sections 28 & 35
National Health Act (2007)
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
The Constitution does not contain specific penalties for breach of these sections; the matter would need to be argued in court. Penalties for breach of the privacy provisions of the National Health Act include fines and/or prison time. One could also bring an action to seek compensation for actual damages if he/she experienced loss or damage from such breach.
c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
Ministry of Public Health
d) Any additional information that is material?
This is an area where there is likely to be some development in the near future. As Thailand's electronic medical records system is being deployed, some focus is being given to privacy and access, as well as patients' rights in respect of the content of such records. In this regard, significant changes can be expected.

3. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Financial Information, and any material obligations.
a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.
Constitution (2007) Sections 28 & 35
Financial Institutions Act (2008)
Credit Information Business Act (2002)
b) What are the penalties imposed for a breach of such law? Any criminal sanctions?
The Constitution does not contain specific penalties for breach of these sections; the matter would need to be argued in court. Penalties for breach of the privacy provisions of the Financial Institutions Act or the Credit Information Business Act include fines and/or prison time. One could also bring an action to seek compensation for actual damages if he/she experienced loss or damage from such breach.
c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.
Ministry of Finance

d) Any additional information that is material?

The relevant provisions do not necessarily apply to every situation in which financial information is involved. In this regard, care should be taken to note whom the privacy provisions actually bind.

4. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that is applicable to other sensitive data, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

Constitution (2007) Sections 28 & 35
Personal Data Protection Act (not yet enacted)

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

The Constitution does not contain specific penalties for breach of these provisions; the matter would need to be argued in court. Penalties for breach of the Personal Data Protection Act, if enacted, would include fines and/or prison time. One could also bring an action to seek compensation for actual damages if he/she experienced loss or damage from such breach.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

There is no specific administrative authority that has jurisdiction for enforcement of any of these laws.

d) Any additional information that is material?

There are also several industry-specific laws or regulations applied to sensitive information in the context of those industries. For example, telecommunications licensees are subject to specific regulations relating to the personal data of their service users. Also, there are specific requirements that relate to sensitive information under laws relevant to financial institutions and credit bureaus.

Contact Information

David Duncan
david.d@tillekeandgibbins.com
Tilleke & Gibbins
Supalai Grand Tower, 26th Floor
1011 Rama 3 Road, Chongnonsi, Yannawa
Bangkok 10120, Thailand
Tel 66.2653.5555
Fax 66.2653.5678
www.tilleke.com

Data Privacy Survey

The Netherlands
Prepared by Lex Mundi member firm Houthoff Buruma
1. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personally Identifiable Information, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

In the Netherlands the processing of personally identifiable information (hereinafter "personal data") is governed primarily by the Dutch Data Protection Act (hereinafter "DPA") (Wet bescherming persoonsgegevens). The DPA is an implementation of the European Privacy Directive 95/46/EC. The DPA provides that personal data may be collected and processed for specific, explicitly defined and legitimate purposes. Any further processing of those data may - in principle - only take place for purposes which are compatible with the purposes for which the personal data was initially collected. The DPA requires the processing of personal data to be transparent, which implies that data subjects should be informed of the processing of their personal data. An unofficial English translation of the DPA can be found at: http://www.dutchdpa.nl/downloads_wetten/wbp.pdf

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

Administrative enforcement: The Dutch Data Protection Authority (hereinafter "Authority") has the power to conduct investigations regarding compliance with the DPA on its own initiative and at the request of interested parties such as data subjects. If the Authority is of the opinion that the DPA is violated, it can force compliance under forfeiture of an administrative penalty. In addition, the Authority can impose a fine of EUR 4,000 if the data controller has violated his duty to notify the Authority that he is processing personal data.

Civil enforcement: If the personal data of a data subject are processed in violation of the DPA, the data subject can instigate civil proceedings against the party that processes its data. The data subject can for instance request an injunction or claim compensation for its damages.

Criminal enforcement: Criminal enforcement measures can be imposed for (i) the failure to notify the fully or partly automated processing of personal data pursuant to article 27 DPA, (ii) the transfer of personal data outside the EU to a country without an adequate level of protection (article 78 section 2 DPA) and (iii) the failure of a non-EU company which processes data within the scope of the DPA to appoint a representative in the Netherlands (article 4 section 3 DPA).

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

The Authority has been appointed as the supervisory authority with respect to the DPA.

d) Any additional information that is material?

In addition to the procedures referred to under 2, the Authority is entitled to start an investigation to establish compliance with the DPA at its discretion. The Authority tends to publish the results of its investigations relating to violations of the DPA on its website (www.cpbweb.nl). The negative publicity which follows from such publication may result in reputational damage.

2. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personal Health Information, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

The DPA contains special rules relating to the processing of personal health information. Personal data concerning a person's health are considered to be so-called sensitive personal data. According to article 16 DPA it is prohibited to process special personal data except as otherwise provided in articles 21 and 23 DPA. According to article 21 DPA a controller is only allowed to process personal data concerning a person's health in limited cases. For example, this is allowed if and to the extent that this is necessary for the execution of a health insurance agreement. If the legal exceptions given by article 21 DPA do not apply, there are also general exceptions (article 23 DPA), such as explicit consent of the data subject, or the data concerned having been made public by the data subject in an evident manner. Furthermore, the prohibition of article 16 DPA also does not apply if the processing of personal data is necessary for the establishment, exercise or defense of a right in law, is necessary to comply with an obligation of international public law or is necessary with a view to an important public interest.

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

Reference is made to the answer to question 1b.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

Reference is made to the answer to question 1c.

d) Any additional information that is material?

The processing of sensitive (health) data is subject to close scrutiny by the Authority. For instance, the Authority recently investigated the information security of a number of Dutch hospitals on its own initiative.

3. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Financial Information, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

In the Netherlands the processing of personal data included in financial information is governed by the DPA. The processing of financial information is also governed by certain provisions of the Act on Financial Supervision (hereinafter "AFS") (Wet op het financieel toezicht), which is further specified in a number of decrees. Links to relevant legislation in English (unofficial) can be found at: http://www.minfin.nl/english/Subjects/Financial_markets/Financial_supervision/Publications

The AFS regulates the financial sector in the Netherlands in general, and is not particularly meant to address privacy obligations. It does however regulate the conduct of financial firms in general and covers their conduct with respect to the handling of information, including personal data. The AFS contains a general obligation for financial firms to have a sound and controlled business organization and to operate their business in a sound and controlled way (articles 4:11, 4:14 AFS). These general obligations may be used by supervisory authorities to ensure proper behavior with respect to data protection. Section 1:89 AFS provides that the supervisory authorities must keep all information (including personal data) confidential, unless there is a statutory basis for disclosure of such information. Section 20 of the Decree on Prudential Rules pursuant to the AFS and Section 31b of the Decree on the Supervision of the Conduct of Financial Enterprises (Supervision Decree) pursuant to the AFS impose a specific duty on certain financial firms to have procedures and internal measures to safeguard the processing of automatically saved information, which may include personal data. Sections 33 and 35 of the Supervision Decree provide for a duty for certain financial services firms to store data about their clients (which includes personal data) for at least 5 years.

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

For personal data included in financial information, reference is made to the answer to question 1b. Furthermore, the AFS can be enforced through both administrative and criminal law. Most offences, however, are enforced with administrative sanctions. The most important administrative sanctions include an administrative fine and an order with or without a penalty for noncompliance. Fines may vary from EUR 10.000 to EUR 4.000.000 (or even more if the offender gains a larger amount with his offence), but the specific circumstances of the offence will have to be taken into account. A combination of criminal and administrative prosecution is generally not allowed.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

For personal data included in financial information, reference is made to the answer to question 1c. Furthermore, the AFS is supervised and enforced by two administrative authorities, being the Dutch Central Bank (de Nederlandsche Bank) and the Authority for the Financial Markets (Autoriteit Financiële Markten). Criminal sanctions may be imposed for the violation of certain sections of the AFS. Criminal prosecution is a task of the public prosecutor (Openbaar Ministerie) and criminal sanctions are eventually imposed by judges. Criminal prosecution for violations of the AFS, however, does not occur very often.

d) Any additional information that is material?

Pursuant to article 25 DPA it is possible to specify the standards of the DPA in codes of conduct. If the rules contained in a certain code of conduct properly implement the DPA (or other legal provisions on the processing of personal data), the Authority gives its approval to that code of conduct. Acting in accordance with the approved code of conduct implies that the party concerned is acting in accordance with the DPA. In the Netherlands financial institutions are bound by the Code of Conduct for Processing Personal Data Financial Institutions (hereinafter "Code of Conduct") (Gedragscode Verwerking Persoonsgegevens Financiële Instellingen). The Code of Conduct is approved by the Authority. If a party concerned is of the opinion that a financial institution acts in breach of the Code of Conduct, it can turn to the Financial Services Complaints Board (Stichting Klachteninstituut Financiële Dienstverlening). In certain cases, depending on the content of the complaint, the party concerned can also file a complaint directly with the Authority or with the competent court.

4. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that is applicable to other sensitive data, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

According to article 16 DPA it is prohibited to process personal data concerning a person's religion or philosophy of life, race, political persuasion, health and sexual life, or personal data concerning trade union membership, except as otherwise provided in the DPA. This prohibition also applies to personal data concerning a person's criminal behavior, or unlawful or objectionable conduct connected with a ban imposed with regard to such conduct. The exceptions to the abovementioned prohibition given by the DPA either apply to a specific category (for example, exceptions given only for the category of personal data concerning a person's criminal behavior) or are general exceptions. The general exceptions (article 23 DPA) include explicit consent of the data subject, or when the data concerned have been made public by the data subject itself in an evident manner. Furthermore, the prohibition of article 16 DPA also does not apply if the processing of personal data is necessary for the establishment, exercise or defense of a right in law, is necessary to comply with an obligation of international public law or is necessary in view of an important public interest. If the legal exceptions given by the DPA do not apply, the processing of special personal data is a violation of the DPA.

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

Reference is made to the answer to question 1b.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

Reference is made to the answer to question 1c.

d) Any additional information that is material?

Reference is made to the answer to question 2d.

Contact Information

Thomas de Weerd
t.de.weerd@houthoff.com
Houthoff Buruma
Gustav Mahlerplein 50
1082 MA Amsterdam
P.O. Box 75505
1070 AM Amsterdam
Tel 31.20.605.60.00
Fax 31.20.605.67.00
www.houthoff.com

Data Privacy Survey

United Arab Emirates


Prepared by Lex Mundi member firm Afridi & Angell
1. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personally Identifiable Information, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

Data privacy laws exist in the Dubai International Financial Center (DIFC), but not elsewhere in the U.A.E. The citations to the DIFC materials are as follows:

Data Protection Law of 2007 (DIFC Law No. 1 of 2007): http://dp.difc.ae/legislation/dp_protection/
Data Protection Regulations 2007: http://dp.difc.ae/legislation/dp_regulations/

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

According to Article 26 of the Data Protection Law, the Commissioner of Data Protection may require a Data Controller to give specified information, or produce specified documents, in relation to the Processing of Personal Data. If the Data Controller fails to comply with a requirement pursuant to this Article, the Commissioner may impose a fine. Under Article 32, if the Commissioner is satisfied that a Data Controller has contravened or is contravening the Law or the Regulations, he can issue a direction requiring the Data Controller to do or refrain from doing any act or thing within a specified time, and/or to refrain from Processing Personal Data for a purpose or in a manner specified in the direction. A Data Controller that fails to comply with the direction may be subject to fines and be liable for compensation. Article 35 states that a Data Subject who suffers damages due to a Data Controller's contravention of the Data Protection Law or the Regulations is entitled to compensation from the Data Controller.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

The Office of the Data Protection Commissioner has the authority to administer the DIFC Data Protection Law and any legislation made for the purpose of this Law, in accordance with the legal and procedural framework created by the Law, which ensures that all personal data in the DIFC is treated fairly, lawfully and securely when it is stored, processed, used, disseminated or disclosed.

d) Any additional information that is material?

The law applies only within the jurisdiction of the DIFC, and is based largely on EU law and international standards (in particular the EU data protection directives and the guidelines of the Organization for Economic Cooperation and Development).

2. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personal Health Information, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

Data Protection Law of 2007 (DIFC Law No. 1 of 2007): http://dp.difc.ae/legislation/dp_protection/
Data Protection Regulations 2007: http://dp.difc.ae/legislation/dp_regulations/

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

According to Article 26 of the Data Protection Law, the Commissioner of Data Protection may require a Data Controller to give specified information, or produce specified documents, in relation to the Processing of Personal Data. If the Data Controller fails to comply with a requirement pursuant to this Article, the Commissioner may impose a fine. Under Article 32, if the Commissioner is satisfied that a Data Controller has contravened or is contravening the Law or the Regulations, he can issue a direction requiring the Data Controller to do or refrain from doing any act or thing within a specified time, and/or to refrain from Processing Personal Data for a purpose or in a manner specified in the direction. A Data Controller that fails to comply with the direction may be subject to fines and be liable for compensation. Article 35 states that a Data Subject who suffers damages due to a Data Controller's contravention of the Data Protection Law or the Regulations is entitled to compensation from the Data Controller.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

The Office of the Data Protection Commissioner has the authority to administer the DIFC Data Protection Law and any legislation made for the purpose of this Law.

d) Any additional information that is material?

Under Article 9(1), Personal Data may be processed only if: the data subject has given his or her written consent; it is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract; it is necessary for compliance with any legal obligation to which the data controller is subject; it is necessary in order to protect the vital interests of the data subject; it is necessary for the performance of a task carried out in the interests of the DIFC, the Dubai Financial Services Authority or the DIFC Court, or in the exercise of the Commissioner's functions or of powers vested in the data controller or in a third party to which the personal data is disclosed; or it is necessary for the purposes of the legitimate interests pursued by the data controller or by the third party to which the personal data is disclosed, except where such interests are overridden by compelling legitimate interests of the data subject relating to his or her particular situation.
3. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Financial Information, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

Data Protection Law of 2007 (DIFC Law No. 1 of 2007): http://dp.difc.ae/legislation/dp_protection/
Data Protection Regulations 2007: http://dp.difc.ae/legislation/dp_regulations/

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

According to Article 26 of the Data Protection Law, the Commissioner of Data Protection may require a Data Controller to give specified information, or produce specified documents, in relation to the Processing of Personal Data. If the Data Controller fails to comply with a requirement pursuant to this Article, the Commissioner may impose a fine. Under Article 32, if the Commissioner is satisfied that a Data Controller has contravened or is contravening the Law or the Regulations, he can issue a direction requiring the Data Controller to do or refrain from doing any act or thing within a specified time, and/or to refrain from Processing Personal Data for a purpose or in a manner specified in the direction. A Data Controller that fails to comply with the direction may be subject to fines and be liable for compensation. Article 35 states that a Data Subject who suffers damages due to a Data Controller's contravention of the Data Protection Law or the Regulations is entitled to compensation from the Data Controller.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

The Office of the Data Protection Commissioner has the authority to administer the DIFC Data Protection Law and any legislation made for the purpose of this Law.

d) Any additional information that is material?

The DIFC Authority issued the Data Protection Schedule of Fines that would be imposed pursuant to Article 27(2) of the Law. The value of the fine depends on the nature of the administrative offence. The maximum fine imposed for any failure to register with the Office of the DP Commissioner is $25,000, while it is $5,000 for failure to notify the Commissioner of any amendments in personal data operations. The fine imposed is $20,000 if a company transferring personal data outside the DIFC did not obtain a permit from the Commissioner of Data Protection, and also when the Commissioner is provided with false or misleading information. The fine may be up to $15,000 if a Data Controller fails to comply with a direction from the Commissioner.

4. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that is applicable to other sensitive data, and any material obligations.

a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

Data Protection Law of 2007 (DIFC Law No. 1 of 2007): http://dp.difc.ae/legislation/dp_protection/
Data Protection Regulations 2007: http://dp.difc.ae/legislation/dp_regulations/

b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

Article 35 states that a Data Subject who suffers damages due to a Data Controller's contravention of the Data Protection Law or the Regulations is entitled to compensation from the Data Controller. According to the Data Protection Schedule of Fines, companies processing sensitive personal data without obtaining permits from the Commissioner of Data Protection may be subject to a fine of up to $10,000.

c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

The Office of the Data Protection Commissioner has the authority to administer the DIFC Data Protection Law and any legislation made for the purpose of this Law.

d) Any additional information that is material?

Sensitive Personal Data, defined in Article 3 of the Schedule to the Data Protection Law, are personal data revealing or concerning (directly or indirectly) racial or ethnic origin, communal origin, political affiliations or opinions, religious or philosophical beliefs, criminal record, trade union membership and health or sex life.

Contact Information

Charles Laubach
claubach@afridi-angell.com
Afridi & Angell
Emirates Towers Offices - Level 35
Sheikh Zayed Road
Dubai, United Arab Emirates
Tel 971.4.330.3900
Fax 971.4.330.3800
www.afridi-angell.com
