Protection of Personal Data
Historical context. In 1982, Iceland signed the Council of Europe Convention No. 108 of 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data. The convention was ratified by Iceland in 1991. The first data protection act in Iceland was passed in 1981, implementing the main rules of Convention 108. The Data Protection Commission was founded on 1 January 1981.
Act No. 77/2000. The current act on personal data protection was passed in 2000 and entered into force on 1 January. It implements the rules of the European data protection directive (95/46/EC). It applies to both the public and the private sector.
Data Protection Authority. The Data Protection Authority (the DPA) is an independent institution. Its task is to supervise and decide on issues regarding personal data, and its remit covers all sectors. It acts with independence in exercising its functions, and its decisions cannot be referred to a higher administrative authority. Examples of its work: -Evaluations of the security and lawfulness of the processing of personal data -The issuing of rules, e.g., on electronic surveillance and on data subjects' consent to the processing of personal data in scientific research projects
Organization and administration of the Data Protection Authority. The DPA has its own board of directors and is administratively subject to the Minister of the Interior, who appoints the five members of the board. The chairman and vice-chairman are appointed without nomination; they shall be lawyers and fulfil the job requirements of district court judges. The Supreme Court of Iceland nominates one board member, and the Icelandic Society for Information Processing nominates another, who shall be an expert in the field of computers and technology. The Minister decides the remuneration of the board members.
DPA: Number of cases (complaints, requests etc.)
DPA and the Courts. According to Article 60 of the Icelandic Constitution, judges settle all disputes regarding the competence of the authorities. This means that all decisions of the Data Protection Authority can be appealed to the courts, as is the rule for decisions of administrative authorities in general. According to Icelandic legal tradition, specific provisions to this effect are not included in parliamentary legislation on administrative authorities unless there are to be specific rules on judicial proceedings with regard to the authority in question.
Judgements / Case law. The judgement of the Supreme Court (201/2007) from 6 December. An insurance company obtained access to health files. The data subject had not given his unambiguous consent. The processing was nevertheless found legitimate by the Supreme Court, as necessary for the exercise of a legal claim.
Judgements / Case law. The judgement of the Supreme Court from 27 November 2003 regarding the proposed Icelandic health sector database. According to this judgement, the act on the database was unconstitutional because of its vagueness on how personal data would be protected. The judgement concerns, amongst other things, the rights of people related to the data subject (father / daughter).
Scope of the Act. The scope of data protection law is connected with the concepts "personal data", "processing", "automated processing", "manual processing" and "filing system", and with the relation between data subject and controller. The Act applies to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system. The Act has a limited scope when it comes to police matters, the arts, literature, and the media.
Processing of personal data and freedom of expression. To the extent necessary to achieve a balance between the right to privacy on the one hand and freedom of expression on the other, exemptions may be made from the provisions of the Act when it comes to the arts, literature, and the media.
Definitions, 1: Personal data. Personal data: all information that can be traced to an individual* (the "data subject"), taking into consideration all means likely reasonably to be used either by the controller or by any other person. Data can be traced directly or indirectly. Directly: by name and surname, identification number, etc. Indirectly: by factors that on their own do not indicate the identity of a person but do so together with other factors. *Living and deceased.
Definitions, 2: The data subject. An individual to whom the personal data being processed relate. He can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
Definitions, 3: Consent. Any freely given, specific and informed indication of the data subject's wishes by which he signifies his agreement to personal data relating to him being processed.
Definitions, 4: Processing. Processing of personal data has a broad definition: any operation or set of operations which is performed upon personal data, e.g., collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
Definitions, 5: Data controller and data processor. Data controller: the one who determines the purpose and means of the processing of personal data. Data processor: the one who processes personal data on behalf of the controller. The data processor may only act on instructions from the data controller, and the obligations incumbent on the controller are also incumbent on the processor. There must be a contract between the processor and the controller.
Legitimate data processing, Art. 8 and 9. Art. 8 of the Act: all processing must fulfil one of the conditions of Art. 8 of Act 77/2000. Art. 9 of the Act (sensitive data): if the data are sensitive, one of the conditions of Art. 9 of the Act must also be fulfilled.
Legitimacy and Art. 8 of the Act. Personal data may only be processed if one of the following criteria is met: 1. the data subject has unambiguously agreed to the processing or declared his consent; 2. the processing is necessary for the performance of a contract to which the data subject is a party, or to take measures at the request of the data subject before a contract is established;
Legitimacy and Art. 8 of the Act, cont. 3. the processing is necessary to fulfil a legal obligation of the controller; 4. the processing is necessary to protect vital interests of the data subject; 5. the processing is necessary for a task that is carried out in the public interest;
Legitimacy and Art. 8 of the Act, cont. 6. the processing is necessary in the exercise of official authority vested in the controller or in a third party to whom the data are transferred; 7. the processing is necessary for the controller, or a third party or parties to whom the data are transferred, to be able to safeguard legitimate interests, except where overridden by the fundamental rights and freedoms of the data subject, which shall be protected by law (balance of interests).
Sensitive data. Data revealing race or ethnic origin, political opinions, religious or philosophical belief, trade-union membership, health or sexual life.
Sensitive data, Art. 9. Processing of sensitive personal data is prohibited unless at least one of the conditions in Article 8, Paragraph 1, has been fulfilled, and one or more of the following requirements of Art. 9: 1. the data subject declares his consent (unless forbidden by law); 2. the processing is specifically authorized by law; 3. the processing is required by obligations in the field of employment; 4. the processing is necessary to protect vital interests of the data subject or of another party who is incapable of giving his consent;
Sensitive data, Art. 9, cont. 5. the processing is carried out by a trade union or other non-profit organization in the course of the organization's legitimate activities and relates solely to its members or to individuals who have been in regular contact with it; it is however prohibited to disclose such personal data to a third party without the data subject's consent; 6. the processing extends only to data the data subject himself has made public; 7. the processing is necessary for the establishment, exercise or defence of legal claims;
Sensitive data, Art. 9, cont. 8. the processing is necessary for medical treatment or for the routine management of health care services, provided that it is carried out by an employee of the health care services who is subject to an obligation of secrecy; 9. the processing is necessary for the purposes of statistical or scientific research, provided that the privacy of individuals is protected by means of specific and adequate safeguards.
Data quality, Art. 7. All processing must comply with the quality principles in Art. 7: -Fair, objective and legitimate -Adequate, relevant and not excessive (in relation to the purpose) -Accurate and kept up to date -Kept in a form which permits identification for no longer than necessary. Finality principle: personal data must only be collected for a specified, explicit and legitimate purpose, and not further processed in a way incompatible with those purposes. These conditions, or principles, concern transparency about the purpose of processing, proportionality, accuracy of data, the data retention period, etc.
Rights of the individual. Data protection rights. Information for the data subject must be given in clear and understandable language and must be sufficient. The data subject has the right: -To access his own data -To obtain rectification -To object. He can also lodge complaints with the Data Protection Authority.
Controller obligations. The data controller must: -Respect and give effect to data subjects' rights -Observe confidentiality -Ensure the security of the processing -Notify the Data Protection Authority -Bear liability for the processing
Transfer of data. Art. 29: personal data can be transferred to EU and EEA countries. Art. 30: personal data cannot be transferred to third countries (outside the EU or EEA) unless special conditions are fulfilled.
Transfer within the EU/EEA, adequate protection, Art. 29. Personal data can be transferred to countries that provide an adequate level of personal data protection: 1. if the country complies with the European Union Directive 95/46/EC; 2. if there is an adequacy decision by the European Commission. The DPA lists such countries in a notice in the Law and Ministerial Gazette, based on decisions of the European Commission (e.g., Safe Harbour), once the decision has been implemented into the EEA agreement.
Adequacy decisions. When considering whether a country provides an adequate level of personal data protection, the following factors are taken into account: -Rules on the processing of personal data and on good business practices, and the security measures taken by the recipient -Ratification of the Council of Europe Convention No. 108 of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data
Transfer outside the EU/EEA, compulsory derogations of Art. 30, Para. 1. The transfer of personal data to a country that does not provide an adequate level of personal data protection is prohibited unless: 1. the data subject has consented to the transfer; 2. it is necessary to fulfil obligations under international law or as a result of Iceland's membership of an international organization;
Transfer outside the EU/EEA, compulsory derogations of Art. 30, Para. 1, cont. 3. such a transfer is authorized in another legislative act. This has to be interpreted together with point 7, on transfers that are necessary or legally required on important public interest grounds or for the establishment, exercise or defence of legal claims. The explanatory note to point 3 also explains that it must be interpreted in view of Art. 26(1)(d) of the Directive, on important public interest grounds. A legislative act allowing for the transfer of data must therefore be based on such grounds.*
*In the remarks to the parliamentary bill that became the Data Protection Act, it is stated that the provisions this question relates to are based on Article 26(1)(d) of the Directive. That provision of the Directive allows for the transfer of personal data when it is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims. In other words, the Icelandic Data Protection Act assumes that the legislator can assess whether such interests are at stake that the transfer of personal data to third countries is necessary. Such an assessment might also be made when undertaking international obligations. The aforementioned remarks in the parliamentary bill mean that legislation or international obligations under the provisions in question must be necessary to serve interests covered by the said provision of the Directive.
Transfer outside the EU/EEA, compulsory derogations of Art. 30, Para. 1, cont. 5. the transfer is necessary to establish or fulfil a contract in the interest of the data subject; or 6. the transfer is necessary in order to protect vital interests of the data subject; or 7. the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims; or 8. the data in question are accessible to the general public.
Transfer outside the EU/EEA, Art. 30, Para. 2: individual authorization by the DPA. International instruments: -The Council of Europe Convention on Data Protection (Convention No. 108, 1981) -The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data -The OECD Guidelines for the Security of Information Systems and Networks -The UN General Assembly Guidelines for the Regulation of Computerized Personal Data Files from 1990 -Use of Commission model contracts (standard contractual clauses) -Binding corporate rules
Thank you