1 Agencia Española de Protección de Datos AUDITING AND ENFORCEMENT AT THE SPANISH DPA. EXPERIENCE WITH OUTSOURCING TO COUNTRIES WITH A NON ADEQUATE LEVEL.

Slides:

Advertisements

Similar presentations

Terra Incognita Auditing for Privacy Workshop: Chairman’s Remarks

Advertisements

WTO, Trade and Environment Division

PRIVACY ASPECTS OF RE-USE OF PSI: BETWEEN PRIVATE AND PUBLIC SECTOR

Regional Policy EUROPEAN COMMISSION 1 EGTC regulation EGTC regulation ESF and EGTC regulations Regulation of the European Parliament and of the Council.

1 INTERNATIONAL STANDARDS on data protection & privacy Artemi Rallo Lombarte Director Agencia Española de Protección de Datos.

Principles of interaction between National Customs Agency and National Veterinary Service Anelia Angelova Head of Tariff Policy Directorate.

International Telecommuniction Regulations 1 WG-ITR Council Working Group on ITRs General Overview Alaa M. Fahmy Chairman.

International Telecommunication Union Geneva, July THE CERTIFICATION AND APPROVAL REGULATION FROM ANATEL - BRAZIL Julio Cesar Fonseca Technical.

Transborder Data Flows & Privacy Contractual clauses in the practice Tanguy Van Overstraeten Washington DC October 16, 2007.

1 Enforcement Powers of National Data Protection Authorities and Experience gained of the Data Protection Directive Safe Harbour Conference Washington.

European CommissionDirectorate-General Justice, Freedom and Security Data Protection 1 Conference on Cross Border Data Flows & Privacy October 15-16, 2007.

1 State Service of Ukraine on Personal Data Protection. Volodymyr Kozak, State Service of Ukraine on Personal Data Protection, Deputy Head, PhD Prague,

The Looming Privacy Rights Debacle How EU Data Protection Law Will Shape Future Incident Response Team Activities Around The World Thomas Daemen FIRST.

Spamming in EC Law A Constitucional Approach Manuel David Masseno Beja Polytechnic - Portugal.

2 1.Client protection principles 2.Principle #6 in practice 3.The client perspective 4.Participant feedback 5.Tools for improving practice 6.Conclusion.

1 The Data Protection Officer at work Experience, good practices and lessons learnt Pierre Vernhes – former DPO at the Council of the EU Workshop on Data.

Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.

1 Budapest, June 14, Cross border communication among registers - Practical aspects - Yves Gonner Managing director - Trade and Companies Register.

STRATEGIC PLANNING FOR Post-Clearance Audit (PCA)

Global Marketing Overview of Supply Chain Security Assurance Certification/membership in supply chain security programs –Different programs focus on particular.

The Data Protection (Jersey) Law 2005.

Economic Commission for Europe INLAND TRANSPORT COMMITTEE Working Party on Customs Questions affecting Transport (Seventh session, Athens 22 and 23 April.

Sarah Branam Mehmet MunurDino Tsibouris

1 PRIVACY ISSUES IN THE U.S. – CANADA CROSS BORDER BUSINESS CONTEXT Presented by: Anneli LeGault ACC Greater New York Chapter Compliance Seminar May 19,

Europol’s tailor-made data protection framework

EU: Bilateral Agreements of Member States

EU: Bilateral Agreements of Member States. Formerly concluded international agreements of Member States with third countries Article 351 TFEU The rights.

The U.S.-E.U. Safe Harbor Framework The U.S.-E.U. Safe Harbor Framework New Developments in Data Flows, Standards, & Compliance Damon Greer U.S. Department.

Anomalous Aspects of Transfer of Personal Data from the E.U. to the U.S. Stephen R. Bell Willkie Farr & Gallagher ABA Section of International Law New.

STRATEGIC PLANNING FOR Post-Clearance Audit (PCA)

Class 13 Internet Privacy Law European Privacy.

WORLD MEETING OF CUSTOMS LAW BRUSSELS , September “ Studies on Harmonization of Customs Law and Contributions of the Academy for updating and.

HIPAA PRIVACY AND SECURITY AWARENESS.

Privacy Codes of Conduct as a self- regulatory approach to cope with restrictions on transborder data flow Dr. Anja Miedbrodt Exemplified with the help.

Planning an Audit The Audit Process consists of the following phases:

The European influence on privacy law and practice Nigel Waters, Pacific Privacy Consulting International Dimension of E-commerce and Cyberspace Regulation.

Moving Forward With the African Dialogue Cross-Border Principles By Mary Gurure Manager, Legal Services and Compliance COMESA Competition Commission Lilongwe,

IBT - Electronic Commerce Privacy Concerns Victor H. Bouganim WCL, American University.

TRANSFORMATION OF CUSTOMS LEGAL FRAMEWORK Transition period from planned to market economy Kiev, March 17th, 2011.

HIPAA BASIC TRAINING Presented by Anderson Health Information Systems, Inc.

Rhonda Anderson, RHIA, President  …is a PROCESS, not a PROJECT 2.

Directorate General for Enterprise and Industry European Commission The New Legislative Framework - Market Surveillance UNECE “MARS” Group meeting Bratislava,

© World Customs Organization Customs Cooperation - Overview of Article 12 of the WTO TFA.

Workshop on Privacy of Public Figures and Freedom of Information - Skopje, 9-10 October 2012.

1 Agencia Española de Protección de Datos The Use of Contracts and BCRs to Transfer Personal Data The European Union – United States Safe Harbor framework:

1 TAIEX JHA Workshop on data protection and cloud computing Data transfers to third countries and standard contractual clauses Skopje, 29 May 2014.

Data protection—training materials [Name and details of speaker]

Documents and Procedure Steps to Access EU Markets Grant Wilkinson Defra.

-1- WORKSHOP ON DATA PROTECTION AND DATA TRANSFERS TO THIRD COUNTRIES Technical and organizational security measures Skopje, 16 May - 17 May 2011 María.

Agencija za zaštitu ličnih/osobnih podataka u Bosni i Hercegovini Агенција за заштиту личних података у Босни и Херцеговини Personal Data Protection Agency.

TRANSBORDER TRANSFER OF PERSONAL DATA OUT OF THE REPUBLIC OF SERBIA Milica Basta Senior Adviser DPA Serbia Sarajevo May 2016.

© CENTER FOR INFORMATION TECHNOLOGY SERVICES UNIVERSITY OF OSLO USIT Page 1 Re: Study on the privacy issues arising with the public pan-European White.

Surveillance around the world

Preparing for a data protection audit 28 September 2017

PRESENTATION OF MONTENEGRO

Contingent Workforce: Global Privacy Laws Overview

Data Protection: EU & International

The Union’s Customs Code: the new European legal basis and its effects on international trade Roma, 7th September Cinzia Bricca Director of the Legislation.

INTERCONNECTION GUIDELINES

PRESENTATION OF MONTENEGRO

General Data Protection Regulation

Information Governance and Data Privacy: A World of Risk

EU Directive 95/46/EC (Paragraph 2) “Whereas data-processing systems are designed to serve man; whereas they must Respect their fundamental rights.

Bob Siegel President Privacy Ref, Inc.

GDPR - New Data Protection Regulation

„Trade union strategies on the use of ILS in labour law reforms”

Data transfers to non-EU countries under the new GDPR

Is Data Protection a Fundamental Right Protecting the Individual?

PRESENTATION OF MONTENEGRO

SIMPLIFIED MEASURES FOR CUSTOMER’S IDENTIFICATION

Presentation transcript:

1 Agencia Española de Protección de Datos AUDITING AND ENFORCEMENT AT THE SPANISH DPA. EXPERIENCE WITH OUTSOURCING TO COUNTRIES WITH A NON ADEQUATE LEVEL OF PROTECTION CONFERENCE ON CROSS-BORDER DATA FLOW & PRIVACY October 15 – 16, 2007 Washington, D.C., USA Workshop on The European Union's Data Protection Framework – 12 Years Later Tuesday, October 16, :45 – 12:45 am Dr. Artemi Rallo Lombarte Director, Spanish Data Protection Agency

2 Agencia Española de Protección de Datos EXPERIENCE WITH OUTSOURCING TO COUNTRIES WITH A NON ADEQUATE LEVEL OF PROTECTION Unprecedented enforcement action outside the EU: onsite inspections of data transferred to Colombia. – Performance of an ex officio sector inspection of data importers who receive previously authorized international data transfers at call centers established in third countries which do not ensure an adequate level of protection. –Purpose: verify effective compliance with the Spanish Data Protection Law at customer telephone attention centers established by companies in the telecommunications sector in and out of the national territory.

3 Agencia Española de Protección de Datos EXPERIENCE WITH OUTSOURCING TO NON ADEQUATE COUNTRIES Why we carried out an ex officio sector inspection in Colombia (I): –The amount of cross-border flow of personal data between different public and private agents established in different countries has increased in recent years. –Up to the 1st July 2007, 8,483 international data transfers were reported to the General Data Protection Registry. –The main countries of destination are the USA (87 authorizations since 2000) and, from last year, Latin American countries (Chile, Peru and Colombia) and Morocco. –The 58% of the authorizations granted by the Agency are related to multinational groups which have their parent company outside of Spain, mainly in the USA, and their activity spread through many countries (for example, one may mention global personnel management by international companies). –Up to 2004 there were no authorizations to Latin America. From 2005 uptill now, 35 transfers of data have been authorized to these countries. EXPERIENCE WITH OUTSOURCING TO COUNTRIES WITH A NON ADEQUATE LEVEL OF PROTECTION

4 Agencia Española de Protección de Datos EXPERIENCE WITH OUTSOURCING TO NON ADEQUATE COUNTRIES Why we carried out an ex officio sector inspection in Colombia (II): –Many Spanish companies adopt global sourcing to third countries, specially to Latin American countries. –Different Spanish Trade Unions, aware that data might be at risk of misuse or vulnerable to security breaches, communicate their worries to the Spanish DPA. –The Spanish DPA took the decision to audit onsite certain data importers. –It was considered necessary not only to evaluate the legal sufficiency of the guarantees provided by the applicants and their effective fulfillment, but also to analyze the transfer procedure. EXPERIENCE WITH OUTSOURCING TO COUNTRIES WITH A NON ADEQUATE LEVEL OF PROTECTION

5 Agencia Española de Protección de Datos EXPERIENCE WITH OUTSOURCING TO NON ADEQUATE COUNTRIES Selection of the sample: –Why the telecommunication sector: The Spanish DPA had received certain concern over this processing from different Spanish Trade Unions. Spanish telecom companies have global sourcing for their services in Latin America. In May 2007, the whole telecom sector had a total of 22 international transfer authorizations, representing a 15% of the whole amount of authorizations. Two operators in the telecom sector, which offer operation of the commercial telephone care services, break down care services and telemarketing, in relation to the fixed telephony and internet services, were investigated. These two operators hold a market share of 80% of the Spanish market. –Why this purpose: The 22% of these authorizations refers to customer care or telemarketing services by data importers established in Latin America (mostly in Chile, Peru and Colombia). EXPERIENCE WITH OUTSOURCING TO COUNTRIES WITH A NON ADEQUATE LEVEL OF PROTECTION

6 Agencia Española de Protección de Datos EXPERIENCE WITH OUTSOURCING TO NON ADEQUATE COUNTRIES Legal framework for transfers of personal data to third countries: –Countries considered by the European Commission to have an adequate standard of protection pursuant to Directive 95/46/CE: countries parties to the Agreement on the European Economic Area, Switzerland, Argentina, Guernsey, Isle of Mann, Canada (with regards entities subject to application of the Canadian Personal Information Protection and Electronic Document Act) and the SA (with regard to firms that have adhered to the Safe Harbor principles). –Countries which do not ensure an adequate level of protection, but which are covered by the derogations of the Article 26 Directive 95/46/CE (among others, application of treaties or conventions to which Spain is a party, to provide or request international judicial assistance, when necessary for performance of a contract between the data subject or the controller…) –Authorization by the Spanish DPA Director Third countries. Section 33.2 LOPD: Adequate guarantees: standard contractual clauses for international data transfers between data importer and exporter in order to warrant that they have complied with data protection standards which meet the requirements of the Data Protection Directive in respect of the data. EXPERIENCE WITH OUTSOURCING TO COUNTRIES WITH A NON ADEQUATE LEVEL OF PROTECTION

7 Agencia Española de Protección de Datos EXPERIENCE WITH OUTSOURCING TO NON ADEQUATE COUNTRIES Legal basis for transfers of personal data to third countries (I): –In this particular case, as the transfer of personal data took place to a country with a non adequate level of protection, as Colombia, it had to be based on the Commission Decision 2002/16/EC. Because of that, a written contract entered into between the data exporter and the data importer. –Telecom companies included these contractual clauses in contracts signed with the companies acting as the processors for Colombian technical support outsourcing. –Where data is transferred internationally, the DPA may conduct audits of the importer, using the same techniques and tools that are available for audits of the exporter in the DPAs jurisdiction. EXPERIENCE WITH OUTSOURCING TO COUNTRIES WITH A NON ADEQUATE LEVEL OF PROTECTION

8 Agencia Española de Protección de Datos EXPERIENCE WITH OUTSOURCING TO NON ADEQUATE COUNTRIES Legal basis for transfers of personal data to third countries (II): –Spanish Telecom companies (controllers) outsource their customer services (or telemarketing) to other companies specialized in this area (processors) in third countries. –These processors can be: Spanish firms with branches in a third country Or, third countries companies specialized located only in these third countries. EXPERIENCE WITH OUTSOURCING TO COUNTRIES WITH A NON ADEQUATE LEVEL OF PROTECTION

9 Agencia Española de Protección de Datos EXPERIENCE WITH OUTSOURCING TO NON ADEQUATE COUNTRIES Methodology : three phases (I) The methodology used is based on identification of the purposes of the transfers and development of a plan of action in three phases. First phaseFirst phase: Physical visits in Spain to the telecom operators (controllers) in order to: Analyze and specify the services provided from companies located in Colombia. Audit the processing of personal data. Check the information accessed is adequate. Study the security measures implemented for access to the personal data. EXPERIENCE WITH OUTSOURCING TO COUNTRIES WITH A NON ADEQUATE LEVEL OF PROTECTION

10 Agencia Española de Protección de Datos EXPERIENCE WITH OUTSOURCING TO NON ADEQUATE COUNTRIES Methodology : three phases (II) econd PhaseSecond Phase: Inspections in Spain have been performed by the processor who has a head office in Spain and a branch in Colombia. Analysis of the services provided from the offices located in Spain and from those located in Colombia, as well as the data flows between both; Checking compliance of the processing performed by these entities with the purposes recorded in the service provision agreements; Studying the security measures implemented for access to the personal data. Third phaseThird phase: Visits in Colombia to processors located there, with collaboration by the telecom operator (controller). EXPERIENCE WITH OUTSOURCING TO COUNTRIES WITH A NON ADEQUATE LEVEL OF PROTECTION

11 Agencia Española de Protección de Datos EXPERIENCE WITH OUTSOURCING TO NON ADEQUATE COUNTRIES Cooperation by exporter (data controller) –Coordinating inspections –Contact point for audits –Auditing all data importers involved in Colombia 5 days of auditing in Colombia –3 inspectors + The Inspection Head Deputy Document access and examination Onsite checks of technical systems Access to and evaluation of stored information. Onsite verification of security measures EXPERIENCE WITH OUTSOURCING TO COUNTRIES WITH A NON ADEQUATE LEVEL OF PROTECTION

12 Agencia Española de Protección de Datos EXPERIENCE WITH OUTSOURCING TO NON ADEQUATE COUNTRIES Conclusions of the inspection (I) : –Findings: general compliance with technical and organizational security requirements. Processing the audited data : –The data processing matches the services specified in the contract provided in the application for the international transfer authorized by the Spanish DPA. –The personal data to which the processor companies have access is considered necessary to provide the contractual services. –Under no circumstances should there be transfer of the telecommunications files to the companies that act as a processor. EXPERIENCE WITH OUTSOURCING TO COUNTRIES WITH A NON ADEQUATE LEVEL OF PROTECTION

13 Agencia Española de Protección de Datos EXPERIENCE WITH OUTSOURCING TO NON ADEQUATE COUNTRIES Conclusions of the inspection (II) : Security measures: –Measures adopted by the controllers: The telecom operators adopted measures to protect the information contained in their files. The confidentiality of access to the information is guaranteed by setting up an encrypted channel between ends. –Measures adopted by the processors: Suppression of the peripheral devices that allow information to be extracted at all the work stations. No computer applications have been installed that provide print screen functions or document printing facilities. Identification and authentication of telephone operators located in Colombia. EXPERIENCE WITH OUTSOURCING TO COUNTRIES WITH A NON ADEQUATE LEVEL OF PROTECTION

14 Agencia Española de Protección de Datos EXPERIENCE WITH OUTSOURCING TO NON ADEQUATE COUNTRIES Recommendations: Level of security Access through networks Identification and authentication Staff duties and obligations Auditing Data access terminals Duty of confidentiality. Conclusion of a contract between data exporter and importer. Information to the Workers´ Committee of the controller telecom company. Publication in the Spanish Official Journal. EXPERIENCE WITH OUTSOURCING TO COUNTRIES WITH A NON ADEQUATE LEVEL OF PROTECTION

15 Agencia Española de Protección de Datos