SlideShare ist ein Scribd-Unternehmen logo

scce-cep-2015-06-Dhont-1-04

Jan Dhont
Jan Dhont
1 von 4
Downloaden Sie, um offline zu lesen
See page 14 Meet Lynette Fons Chief Compliance Officer and member of the Mayor’s Executive Staff, City of Houston Meet Louis Perold Compliance Officer, Pretoria, South Africa See page 20 & Compliance & Ethics Professional a publication of the society of corporate compliance and ethics www.corporatecompliance.org June 2015 45 Ten outrageous bribes from around the world Nitish Singh, Brendan Keating, and Thomas Bussen 43 Don’t let ethics be left unsaid Lyndsay C. Tanner 27 Discovery in False Claims Act cases when the government declines to intervene Winston Y. Chan and Joseph Tartakovsky 37 The science art of third-party due diligence John Baird
+1 952 933 4977 or 888 277 4977  www.corporatecompliance.org  55 ComplianceEthicsProfessional  June2015 I n an economy where borders have virtually dissolved, companies increasingly need to exchange information at a global scale. Companies make personal information available across borders to manage their IT systems, centralize their human resources databases, exchange customer files, store information in shared data centers, or migrate their information systems to the cloud. However, such information transfers are subject to restrictions, which, if not observed, may expose companies to important liability risks. This article discusses these restrictions on data transfers under current European (EU) laws and explains why companies are increasingly regarding Binding Corporate Rules (BCRs) as a successful solution to managing their data privacy compliance while securing their international data flows. This article is the first of a series of four. Current options for companies in the EU to export personal information EU data privacy laws and regulations require that individuals benefit from an adequate level of data protection when their personal information is sent outside the EU. The EU Commission has, over time, issued a white list of countries that are considered to provide adequate data protection. Companies located in these countries may receive personal information from data exporters located in the EU. Examples of white listed countries are Israel, Argentina, Switzerland, and Canada. Other adequacy mechanisms allowing the export of personal information Binding Corporate Rules: From data transfer solution to privacy compliance strategy »» Exchange of information within a corporate group is subject to significant restrictions under EU laws. »» Most transfer options are onerous or come with legal uncertainty. »» Companies increasingly consider adopting Binding Corporate Rules (BCRs) to manage their data privacy compliance and secure their information exchange. »» BCRs offer flexibility and create a culture of trust within a company and vis-a-vis consumers. »» BCRs allow meaningful streamlining of privacy policies and processes throughout a global organization. by Jan Dhont, Alyssa Cervantes, and Delphine Charlot Cervantes Dhont Charlot
56   www.corporatecompliance.org  +1 952 933 4977 or 888 277 4977 ComplianceEthicsProfessional  June2015 include EU Commission model contracts, Safe Harbor certification, individuals’ consent, and specific exemptions. The EU model contracts are contracts that stipulate specific obligations for the data exporter and data importer to exchange personal information. These terms can be included in (or attached to) a service agreement, but cannot be amended if companies intend to export personal information outside the EU. Alternatively, US companies may rely on the Safe Harbor scheme, which is a self-certification solution provided by the Department of Commerce in consultation with the EU Commission. The Safe Harbor framework is an example of a framework that has been recognized by the EU Commission as providing an adequate level of protection for data transfers similar to the above mentioned white listed countries. Companies may also rely on the individuals’ consent or invoke legal exemptions to export personal information, such as the necessity to transfer personal information in light of contractual obligations in the interest of said individual. Compliance issues relating to intra-group transfers of personal information Each data transfer solution presents some advantages but also bears some limitations. Although model contracts appear at first sight to provide for an easy transfer solution, companies located in jurisdictions that have no or few developed data privacy laws may not be willing to accept their terms. Furthermore, the execution process is often onerous in practice, especially if many contract parties are involved at the data exporter and data importer side. In addition, companies located in the EU that use these model contracts are required to apply for a data transfer permit in some jurisdictions (e.g., Spain, Denmark, Portugal), which can be time-consuming and costly. Next, the Safe Harbor framework is only available to US organizations that import personal information from the EU. What is more, Safe Harbor has been under permanent criticism since the Snowden revelations and is subject to ongoing US-EU reform discussions. The Consortium of EU Data Privacy Authorities (WP29) has recently threatened that “[i]f the revision process currently undertaken by the EU Commission does not lead to a positive outcome, then the Safe Harbor agreement should be suspended and recalled that, in any case, data protection authorities may suspend data flows according to their national competence and EU law.”1 In turn, US service providers that rely on Safe Harbor are increasingly finding themselves stuck in deal negotiations with customers who refuse to contract with them unless they implement a different solution. Next, the Safe Harbor framework is only available to US organizations that import personal information from the EU. What is more, Safe Harbor has been under permanent criticism since the Snowden revelations and is subject to ongoing US-EU reform discussions.
+1 952 933 4977 or 888 277 4977  www.corporatecompliance.org  57 ComplianceEthicsProfessional  June2015 Consequently, obtaining direct consent from individuals may seem like the perfect option. However, obtaining an individual’s consent often comes with legal uncertainty. This is mainly due to the fact that an individual may revoke his/her consent at any time. Furthermore, in most EU countries, consent should be free and informed. But employees, for instance, will rarely be regarded as being in a position to provide free consent towards their employer. Why should companies consider BCRs? Binding Corporate Rules (BCRs) are a set of rules that set forth a data privacy regime to exchange personal information within a group of companies. They are a co-regulatory initiative developed by multinational companies (such as GE and Philips), which gained gradual support by national data privacy authorities (DPAs). They take the form of a code of conduct backed by policies, procedures, and control mechanisms, which are negotiated and approved by the national DPAs. DPAs originally were not collectively supportive of BCRs, but the political context has changed dramatically over the last years. Currently, 66 companies have obtained BCR status, and nearly as many applications are currently pending. This is primarily due to the facts that: (1) DPAs have increasingly gained experience dealing with the approval process and consider BCRs as a trustful token of privacy compliance; (2) BCRs create trust among employees and consumers; (3) BCRs allow meaningful streamlining of privacy policies and processes throughout a global organization; and (4) BCRs constitute an ideal preparation for compliance with the nearby European Data Privacy Regulation, which will constitute an overhaul of the current European data privacy framework. Are you ready for the new Data Privacy Regulation? Companies should consider rendering their information practices future-proof in view of the adoption of the Data Privacy Regulation expected by the end of this year. To become legally effective, the draft regulation still needs to be approved by the European Council. In a meeting of the Justice and Home Affairs Council in Brussels on March 13, 2015, EU Member States declared that they are ready to wrap up their first reading of the new regulation by June 2015. The use of BCRs by companies appears all the more likely as the new regulation expressly acknowledges BCRs as a valid transfer solution. In the following articles, we will address the content of the BCRs, discuss the advantages and disadvantages of the BCRs, and explain the application and approval process. ✵ 1. Letter of the WP29 to Ms. Vĕra Jourová, EU Commissioner for Justice, Consumers and Gender Equality in charge of data protection matters, February 2, 2015. Jan Dhont (J.Dhont@koanlorenz.com) is Partner and Head of the Privacy and Data Protection Practice at Koan Lorenz Law Firm, Brussels. Alyssa Cervantes (A.Cervantes@koanlorenz.com) and Delphine Charlot (D.Charlot@koanlorenz.com) are Associates in the Privacy and Data Protection Practice at Koan Lorenz Law Firm, Brussels. Companies should consider rendering their information practices future-proof in view of the adoption of the Data Privacy Regulation expected by the end of this year.

Empfohlen

PL&B _UK_80
PL&B _UK_80PL&B _UK_80
PL&B _UK_80
Lyndsey Shaw
 
Data Privacy Protection & Advisory - EY India
Data Privacy Protection & Advisory - EY India Data Privacy Protection & Advisory - EY India
Data Privacy Protection & Advisory - EY India
SadanandGahivare
 
Data_Privacy_Protection_brochure_UK
Data_Privacy_Protection_brochure_UKData_Privacy_Protection_brochure_UK
Data_Privacy_Protection_brochure_UK
Sally Hunt
 
Your Big Data Opportunity
Your Big Data OpportunityYour Big Data Opportunity
Your Big Data Opportunity
iCrossing
 
Social Media and the Law - by Tom Cowling
Social Media and the Law - by Tom CowlingSocial Media and the Law - by Tom Cowling
Social Media and the Law - by Tom Cowling
iCrossing
 
"The EU General Data Protection Regulation: GDPR" - TRA Annual Meeting 2018
"The EU General Data Protection Regulation: GDPR" - TRA Annual Meeting 2018"The EU General Data Protection Regulation: GDPR" - TRA Annual Meeting 2018
"The EU General Data Protection Regulation: GDPR" - TRA Annual Meeting 2018
TRA - Tax Representative Alliance
 
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
John Nas
 
No Man is an Island: The Battle for Data Privacy
No Man is an Island: The Battle for Data PrivacyNo Man is an Island: The Battle for Data Privacy
No Man is an Island: The Battle for Data Privacy
Kate Chan
 

Empfohlen

PL&B _UK_80
PL&B _UK_80PL&B _UK_80
PL&B _UK_80
Lyndsey Shaw
 
Data Privacy Protection & Advisory - EY India
Data Privacy Protection & Advisory - EY India Data Privacy Protection & Advisory - EY India
Data Privacy Protection & Advisory - EY India
SadanandGahivare
 
Data_Privacy_Protection_brochure_UK
Data_Privacy_Protection_brochure_UKData_Privacy_Protection_brochure_UK
Data_Privacy_Protection_brochure_UK
Sally Hunt
 
Your Big Data Opportunity
Your Big Data OpportunityYour Big Data Opportunity
Your Big Data Opportunity
iCrossing
 
Social Media and the Law - by Tom Cowling
Social Media and the Law - by Tom CowlingSocial Media and the Law - by Tom Cowling
Social Media and the Law - by Tom Cowling
iCrossing
 
"The EU General Data Protection Regulation: GDPR" - TRA Annual Meeting 2018
"The EU General Data Protection Regulation: GDPR" - TRA Annual Meeting 2018"The EU General Data Protection Regulation: GDPR" - TRA Annual Meeting 2018
"The EU General Data Protection Regulation: GDPR" - TRA Annual Meeting 2018
TRA - Tax Representative Alliance
 
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
John Nas
 
No Man is an Island: The Battle for Data Privacy
No Man is an Island: The Battle for Data PrivacyNo Man is an Island: The Battle for Data Privacy
No Man is an Island: The Battle for Data Privacy
Kate Chan
 
Are you compliant?
Are you compliant?Are you compliant?
Are you compliant?
Gabrielė Songin
 
Board Priorities for GDPR Implementation
Board Priorities for GDPR ImplementationBoard Priorities for GDPR Implementation
Board Priorities for GDPR Implementation
Joseph V. Moreno
 
Blake lapthorn In House Lawyer forum - 11 Sept 2012
Blake lapthorn In House Lawyer forum - 11 Sept 2012Blake lapthorn In House Lawyer forum - 11 Sept 2012
Blake lapthorn In House Lawyer forum - 11 Sept 2012
Blake Morgan
 
Cloud computing in Hungarian financial industry 2013
Cloud computing in Hungarian financial industry 2013Cloud computing in Hungarian financial industry 2013
Cloud computing in Hungarian financial industry 2013
IgorMate
 
Data Protection Rules are Changing: What Can You Do to Prepare?
Data Protection Rules are Changing: What Can You Do to Prepare?Data Protection Rules are Changing: What Can You Do to Prepare?
Data Protection Rules are Changing: What Can You Do to Prepare?
Lumension
 
What does the Proposed EU General Data Protection Regulation (GDPR) mean for ...
What does the Proposed EU General Data Protection Regulation (GDPR) mean for ...What does the Proposed EU General Data Protection Regulation (GDPR) mean for ...
What does the Proposed EU General Data Protection Regulation (GDPR) mean for ...
TrustArc
 
[Privacy Webinar Slides] Global Enforcement Priorities
[Privacy Webinar Slides] Global Enforcement Priorities[Privacy Webinar Slides] Global Enforcement Priorities
[Privacy Webinar Slides] Global Enforcement Priorities
TrustArc
 
Lawyer in Vietnam Dr. Oliver Massmann COMPLIANCE and CLEAR CONSENT - New EU G...
Lawyer in Vietnam Dr. Oliver Massmann COMPLIANCE and CLEAR CONSENT - New EU G...Lawyer in Vietnam Dr. Oliver Massmann COMPLIANCE and CLEAR CONSENT - New EU G...
Lawyer in Vietnam Dr. Oliver Massmann COMPLIANCE and CLEAR CONSENT - New EU G...
Dr. Oliver Massmann
 
French Digital Republic Act
French Digital Republic ActFrench Digital Republic Act
French Digital Republic Act
Jan Dhont
 
Personal Data Privacy and Information Security
Personal Data Privacy and Information SecurityPersonal Data Privacy and Information Security
Personal Data Privacy and Information Security
Charles Mok
 
ESET Quick Guide to the EU General Data Protection Regulation
ESET Quick Guide to the EU General Data Protection RegulationESET Quick Guide to the EU General Data Protection Regulation
ESET Quick Guide to the EU General Data Protection Regulation
ESET
 
DMA Legal update winter 2013 - 17 december
DMA Legal update winter 2013 - 17 decemberDMA Legal update winter 2013 - 17 december
DMA Legal update winter 2013 - 17 december
Rachel Aldighieri
 
Spain is responsible for 80% of European Data Protection fines. (on page 3)
Spain is responsible for 80% of European Data Protection fines. (on page 3)Spain is responsible for 80% of European Data Protection fines. (on page 3)
Spain is responsible for 80% of European Data Protection fines. (on page 3)
Aurélie Pols
 
The Transatlantic Trade and Investment Partnership: The Intersection of the I...
The Transatlantic Trade and Investment Partnership: The Intersection of the I...The Transatlantic Trade and Investment Partnership: The Intersection of the I...
The Transatlantic Trade and Investment Partnership: The Intersection of the I...
Patton Boggs LLP
 
How to get started with being GDPR compliant
How to get started with being GDPR compliantHow to get started with being GDPR compliant
How to get started with being GDPR compliant
Siddharth Ram Dinesh
 
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Financial Poise
 
FINAL REPORT
FINAL REPORTFINAL REPORT
FINAL REPORT
Martina Lindblad
 
Draft data protection regn 2012
Draft data protection regn 2012Draft data protection regn 2012
Draft data protection regn 2012
lilianedwards
 
European Data Protection and Social Networking
European Data Protection and Social NetworkingEuropean Data Protection and Social Networking
European Data Protection and Social Networking
David Erdos
 
How will your business be affected and what you can do to stay ahead of the n...
How will your business be affected and what you can do to stay ahead of the n...How will your business be affected and what you can do to stay ahead of the n...
How will your business be affected and what you can do to stay ahead of the n...
Carrenza
 
New nonprofit presentation.
New nonprofit presentation.New nonprofit presentation.
New nonprofit presentation.
Ming Louie
 
DISEÑO ESTRUCTURADO
DISEÑO ESTRUCTURADO DISEÑO ESTRUCTURADO
DISEÑO ESTRUCTURADO
Eliezer Alas
 

Weitere ähnliche Inhalte

Was ist angesagt?

Cloud computing in Hungarian financial industry 2013
Cloud computing in Hungarian financial industry 2013Cloud computing in Hungarian financial industry 2013
Cloud computing in Hungarian financial industry 2013
IgorMate
 
Data Protection Rules are Changing: What Can You Do to Prepare?
Data Protection Rules are Changing: What Can You Do to Prepare?Data Protection Rules are Changing: What Can You Do to Prepare?
Data Protection Rules are Changing: What Can You Do to Prepare?
Lumension
 
[Privacy Webinar Slides] Global Enforcement Priorities
[Privacy Webinar Slides] Global Enforcement Priorities[Privacy Webinar Slides] Global Enforcement Priorities
[Privacy Webinar Slides] Global Enforcement Priorities
TrustArc
 
French Digital Republic Act
French Digital Republic ActFrench Digital Republic Act
French Digital Republic Act
Jan Dhont
 
DMA Legal update winter 2013 - 17 december
DMA Legal update winter 2013 - 17 decemberDMA Legal update winter 2013 - 17 december
DMA Legal update winter 2013 - 17 december
Rachel Aldighieri
 
The Transatlantic Trade and Investment Partnership: The Intersection of the I...
The Transatlantic Trade and Investment Partnership: The Intersection of the I...The Transatlantic Trade and Investment Partnership: The Intersection of the I...
The Transatlantic Trade and Investment Partnership: The Intersection of the I...
Patton Boggs LLP
 
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Financial Poise
 
European Data Protection and Social Networking
European Data Protection and Social NetworkingEuropean Data Protection and Social Networking
European Data Protection and Social Networking
David Erdos
 
How will your business be affected and what you can do to stay ahead of the n...
How will your business be affected and what you can do to stay ahead of the n...How will your business be affected and what you can do to stay ahead of the n...
How will your business be affected and what you can do to stay ahead of the n...
Carrenza
 

Was ist angesagt? (20)

Are you compliant?
Are you compliant?Are you compliant?
Are you compliant?
 
Board Priorities for GDPR Implementation
Board Priorities for GDPR ImplementationBoard Priorities for GDPR Implementation
Board Priorities for GDPR Implementation
 
Blake lapthorn In House Lawyer forum - 11 Sept 2012
Blake lapthorn In House Lawyer forum - 11 Sept 2012Blake lapthorn In House Lawyer forum - 11 Sept 2012
Blake lapthorn In House Lawyer forum - 11 Sept 2012
 
Cloud computing in Hungarian financial industry 2013
Cloud computing in Hungarian financial industry 2013Cloud computing in Hungarian financial industry 2013
Cloud computing in Hungarian financial industry 2013
 
Data Protection Rules are Changing: What Can You Do to Prepare?
Data Protection Rules are Changing: What Can You Do to Prepare?Data Protection Rules are Changing: What Can You Do to Prepare?
Data Protection Rules are Changing: What Can You Do to Prepare?
 
What does the Proposed EU General Data Protection Regulation (GDPR) mean for ...
What does the Proposed EU General Data Protection Regulation (GDPR) mean for ...What does the Proposed EU General Data Protection Regulation (GDPR) mean for ...
What does the Proposed EU General Data Protection Regulation (GDPR) mean for ...
 
[Privacy Webinar Slides] Global Enforcement Priorities
[Privacy Webinar Slides] Global Enforcement Priorities[Privacy Webinar Slides] Global Enforcement Priorities
[Privacy Webinar Slides] Global Enforcement Priorities
 
Lawyer in Vietnam Dr. Oliver Massmann COMPLIANCE and CLEAR CONSENT - New EU G...
Lawyer in Vietnam Dr. Oliver Massmann COMPLIANCE and CLEAR CONSENT - New EU G...Lawyer in Vietnam Dr. Oliver Massmann COMPLIANCE and CLEAR CONSENT - New EU G...
Lawyer in Vietnam Dr. Oliver Massmann COMPLIANCE and CLEAR CONSENT - New EU G...
 
French Digital Republic Act
French Digital Republic ActFrench Digital Republic Act
French Digital Republic Act
 
Personal Data Privacy and Information Security
Personal Data Privacy and Information SecurityPersonal Data Privacy and Information Security
Personal Data Privacy and Information Security
 
ESET Quick Guide to the EU General Data Protection Regulation
ESET Quick Guide to the EU General Data Protection RegulationESET Quick Guide to the EU General Data Protection Regulation
ESET Quick Guide to the EU General Data Protection Regulation
 
DMA Legal update winter 2013 - 17 december
DMA Legal update winter 2013 - 17 decemberDMA Legal update winter 2013 - 17 december
DMA Legal update winter 2013 - 17 december
 
Spain is responsible for 80% of European Data Protection fines. (on page 3)
Spain is responsible for 80% of European Data Protection fines. (on page 3)Spain is responsible for 80% of European Data Protection fines. (on page 3)
Spain is responsible for 80% of European Data Protection fines. (on page 3)
 
The Transatlantic Trade and Investment Partnership: The Intersection of the I...
The Transatlantic Trade and Investment Partnership: The Intersection of the I...The Transatlantic Trade and Investment Partnership: The Intersection of the I...
The Transatlantic Trade and Investment Partnership: The Intersection of the I...
 
How to get started with being GDPR compliant
How to get started with being GDPR compliantHow to get started with being GDPR compliant
How to get started with being GDPR compliant
 
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
 
FINAL REPORT
FINAL REPORTFINAL REPORT
FINAL REPORT
 
Draft data protection regn 2012
Draft data protection regn 2012Draft data protection regn 2012
Draft data protection regn 2012
 
European Data Protection and Social Networking
European Data Protection and Social NetworkingEuropean Data Protection and Social Networking
European Data Protection and Social Networking
 
How will your business be affected and what you can do to stay ahead of the n...
How will your business be affected and what you can do to stay ahead of the n...How will your business be affected and what you can do to stay ahead of the n...
How will your business be affected and what you can do to stay ahead of the n...
 

Andere mochten auch

iCare 2014 Detailed_pj
iCare 2014 Detailed_pjiCare 2014 Detailed_pj
iCare 2014 Detailed_pj
Patrick Jarvis
 
Reasons to consider Binding Corporate Rules
Reasons to consider Binding Corporate RulesReasons to consider Binding Corporate Rules
Reasons to consider Binding Corporate Rules
Jan Dhont
 
2015-0318 GAC Presentation - BCR - 05052015
2015-0318 GAC Presentation - BCR - 050520152015-0318 GAC Presentation - BCR - 05052015
2015-0318 GAC Presentation - BCR - 05052015
Jan Dhont
 
Ray Glass NaviSite_DskGde_Bklet_Final
Ray Glass NaviSite_DskGde_Bklet_FinalRay Glass NaviSite_DskGde_Bklet_Final
Ray Glass NaviSite_DskGde_Bklet_Final
Ray Glass
 

Andere mochten auch (8)

New nonprofit presentation.
New nonprofit presentation.New nonprofit presentation.
New nonprofit presentation.
 
DISEÑO ESTRUCTURADO
DISEÑO ESTRUCTURADO DISEÑO ESTRUCTURADO
DISEÑO ESTRUCTURADO
 
iCare 2014 Detailed_pj
iCare 2014 Detailed_pjiCare 2014 Detailed_pj
iCare 2014 Detailed_pj
 
Presentación digital Eliezer Alas
Presentación digital Eliezer AlasPresentación digital Eliezer Alas
Presentación digital Eliezer Alas
 
Reasons to consider Binding Corporate Rules
Reasons to consider Binding Corporate RulesReasons to consider Binding Corporate Rules
Reasons to consider Binding Corporate Rules
 
2015-0318 GAC Presentation - BCR - 05052015
2015-0318 GAC Presentation - BCR - 050520152015-0318 GAC Presentation - BCR - 05052015
2015-0318 GAC Presentation - BCR - 05052015
 
Aprendizaje y razonamiento eliezer alas
Aprendizaje y razonamiento eliezer alasAprendizaje y razonamiento eliezer alas
Aprendizaje y razonamiento eliezer alas
 
Ray Glass NaviSite_DskGde_Bklet_Final
Ray Glass NaviSite_DskGde_Bklet_FinalRay Glass NaviSite_DskGde_Bklet_Final
Ray Glass NaviSite_DskGde_Bklet_Final
 

Ähnlich wie scce-cep-2015-06-Dhont-1-04

delphix-wp-gdpr-for-data-masking
delphix-wp-gdpr-for-data-maskingdelphix-wp-gdpr-for-data-masking
delphix-wp-gdpr-for-data-masking
Jes Breslaw
 
Understanding Binding Corporate Rules
Understanding Binding Corporate RulesUnderstanding Binding Corporate Rules
Understanding Binding Corporate Rules
Jan Dhont
 
Running Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docx
Running Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docxRunning Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docx
Running Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docx
todd581
 
Running Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docx
Running Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docxRunning Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docx
Running Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docx
glendar3
 

Ähnlich wie scce-cep-2015-06-Dhont-1-04 (20)

Companies, digital transformation and information privacy: the next steps
Companies, digital transformation and information privacy: the next stepsCompanies, digital transformation and information privacy: the next steps
Companies, digital transformation and information privacy: the next steps
 
The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...
 
PECB Webinar: The End of Safe Harbour! What happens Next?
PECB Webinar: The End of Safe Harbour! What happens Next?PECB Webinar: The End of Safe Harbour! What happens Next?
PECB Webinar: The End of Safe Harbour! What happens Next?
 
delphix-wp-gdpr-for-data-masking
delphix-wp-gdpr-for-data-maskingdelphix-wp-gdpr-for-data-masking
delphix-wp-gdpr-for-data-masking
 
Understanding Binding Corporate Rules
Understanding Binding Corporate RulesUnderstanding Binding Corporate Rules
Understanding Binding Corporate Rules
 
[REPORT PREVIEW] GDPR Beyond May 25, 2018
[REPORT PREVIEW] GDPR Beyond May 25, 2018[REPORT PREVIEW] GDPR Beyond May 25, 2018
[REPORT PREVIEW] GDPR Beyond May 25, 2018
 
2017 10 26 webinar - gdpr final
2017 10 26 webinar - gdpr final2017 10 26 webinar - gdpr final
2017 10 26 webinar - gdpr final
 
Cognizant business consulting the impacts of gdpr
Cognizant business consulting the impacts of gdprCognizant business consulting the impacts of gdpr
Cognizant business consulting the impacts of gdpr
 
GDPR: how IT works
GDPR: how IT worksGDPR: how IT works
GDPR: how IT works
 
General Data Protection Regulation (GDPR) - Moving from confusion to readiness
General Data Protection Regulation (GDPR) - Moving from confusion to readinessGeneral Data Protection Regulation (GDPR) - Moving from confusion to readiness
General Data Protection Regulation (GDPR) - Moving from confusion to readiness
 
Privacy Year In Preview
Privacy Year In PreviewPrivacy Year In Preview
Privacy Year In Preview
 
Rollits Education Focus Summer 2017
Rollits Education Focus Summer 2017Rollits Education Focus Summer 2017
Rollits Education Focus Summer 2017
 
28014_EY Safe Harbor_UK
28014_EY Safe Harbor_UK28014_EY Safe Harbor_UK
28014_EY Safe Harbor_UK
 
Fasten Your Belts for #GDPR
Fasten Your Belts for #GDPRFasten Your Belts for #GDPR
Fasten Your Belts for #GDPR
 
Fasten Your Belts for GDPR
Fasten Your Belts for GDPRFasten Your Belts for GDPR
Fasten Your Belts for GDPR
 
ISACA Houston - How to de-classify data and rethink transfer of data between ...
ISACA Houston - How to de-classify data and rethink transfer of data between ...ISACA Houston - How to de-classify data and rethink transfer of data between ...
ISACA Houston - How to de-classify data and rethink transfer of data between ...
 
GDPR for Dummies
GDPR for DummiesGDPR for Dummies
GDPR for Dummies
 
Running Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docx
Running Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docxRunning Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docx
Running Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docx
 
Running Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docx
Running Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docxRunning Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docx
Running Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docx
 
Infographic : What's going to change with the GDPR (2018)
Infographic : What's going to change with the GDPR (2018)Infographic : What's going to change with the GDPR (2018)
Infographic : What's going to change with the GDPR (2018)
 

scce-cep-2015-06-Dhont-1-04

  • 1. See page 14 Meet Lynette Fons Chief Compliance Officer and member of the Mayor’s Executive Staff, City of Houston Meet Louis Perold Compliance Officer, Pretoria, South Africa See page 20 & Compliance & Ethics Professional a publication of the society of corporate compliance and ethics www.corporatecompliance.org June 2015 45 Ten outrageous bribes from around the world Nitish Singh, Brendan Keating, and Thomas Bussen 43 Don’t let ethics be left unsaid Lyndsay C. Tanner 27 Discovery in False Claims Act cases when the government declines to intervene Winston Y. Chan and Joseph Tartakovsky 37 The science art of third-party due diligence John Baird
  • 2. +1 952 933 4977 or 888 277 4977  www.corporatecompliance.org  55 ComplianceEthicsProfessional  June2015 I n an economy where borders have virtually dissolved, companies increasingly need to exchange information at a global scale. Companies make personal information available across borders to manage their IT systems, centralize their human resources databases, exchange customer files, store information in shared data centers, or migrate their information systems to the cloud. However, such information transfers are subject to restrictions, which, if not observed, may expose companies to important liability risks. This article discusses these restrictions on data transfers under current European (EU) laws and explains why companies are increasingly regarding Binding Corporate Rules (BCRs) as a successful solution to managing their data privacy compliance while securing their international data flows. This article is the first of a series of four. Current options for companies in the EU to export personal information EU data privacy laws and regulations require that individuals benefit from an adequate level of data protection when their personal information is sent outside the EU. The EU Commission has, over time, issued a white list of countries that are considered to provide adequate data protection. Companies located in these countries may receive personal information from data exporters located in the EU. Examples of white listed countries are Israel, Argentina, Switzerland, and Canada. Other adequacy mechanisms allowing the export of personal information Binding Corporate Rules: From data transfer solution to privacy compliance strategy »» Exchange of information within a corporate group is subject to significant restrictions under EU laws. »» Most transfer options are onerous or come with legal uncertainty. »» Companies increasingly consider adopting Binding Corporate Rules (BCRs) to manage their data privacy compliance and secure their information exchange. »» BCRs offer flexibility and create a culture of trust within a company and vis-a-vis consumers. »» BCRs allow meaningful streamlining of privacy policies and processes throughout a global organization. by Jan Dhont, Alyssa Cervantes, and Delphine Charlot Cervantes Dhont Charlot
  • 3. 56   www.corporatecompliance.org  +1 952 933 4977 or 888 277 4977 ComplianceEthicsProfessional  June2015 include EU Commission model contracts, Safe Harbor certification, individuals’ consent, and specific exemptions. The EU model contracts are contracts that stipulate specific obligations for the data exporter and data importer to exchange personal information. These terms can be included in (or attached to) a service agreement, but cannot be amended if companies intend to export personal information outside the EU. Alternatively, US companies may rely on the Safe Harbor scheme, which is a self-certification solution provided by the Department of Commerce in consultation with the EU Commission. The Safe Harbor framework is an example of a framework that has been recognized by the EU Commission as providing an adequate level of protection for data transfers similar to the above mentioned white listed countries. Companies may also rely on the individuals’ consent or invoke legal exemptions to export personal information, such as the necessity to transfer personal information in light of contractual obligations in the interest of said individual. Compliance issues relating to intra-group transfers of personal information Each data transfer solution presents some advantages but also bears some limitations. Although model contracts appear at first sight to provide for an easy transfer solution, companies located in jurisdictions that have no or few developed data privacy laws may not be willing to accept their terms. Furthermore, the execution process is often onerous in practice, especially if many contract parties are involved at the data exporter and data importer side. In addition, companies located in the EU that use these model contracts are required to apply for a data transfer permit in some jurisdictions (e.g., Spain, Denmark, Portugal), which can be time-consuming and costly. Next, the Safe Harbor framework is only available to US organizations that import personal information from the EU. What is more, Safe Harbor has been under permanent criticism since the Snowden revelations and is subject to ongoing US-EU reform discussions. The Consortium of EU Data Privacy Authorities (WP29) has recently threatened that “[i]f the revision process currently undertaken by the EU Commission does not lead to a positive outcome, then the Safe Harbor agreement should be suspended and recalled that, in any case, data protection authorities may suspend data flows according to their national competence and EU law.”1 In turn, US service providers that rely on Safe Harbor are increasingly finding themselves stuck in deal negotiations with customers who refuse to contract with them unless they implement a different solution. Next, the Safe Harbor framework is only available to US organizations that import personal information from the EU. What is more, Safe Harbor has been under permanent criticism since the Snowden revelations and is subject to ongoing US-EU reform discussions.
  • 4. +1 952 933 4977 or 888 277 4977  www.corporatecompliance.org  57 ComplianceEthicsProfessional  June2015 Consequently, obtaining direct consent from individuals may seem like the perfect option. However, obtaining an individual’s consent often comes with legal uncertainty. This is mainly due to the fact that an individual may revoke his/her consent at any time. Furthermore, in most EU countries, consent should be free and informed. But employees, for instance, will rarely be regarded as being in a position to provide free consent towards their employer. Why should companies consider BCRs? Binding Corporate Rules (BCRs) are a set of rules that set forth a data privacy regime to exchange personal information within a group of companies. They are a co-regulatory initiative developed by multinational companies (such as GE and Philips), which gained gradual support by national data privacy authorities (DPAs). They take the form of a code of conduct backed by policies, procedures, and control mechanisms, which are negotiated and approved by the national DPAs. DPAs originally were not collectively supportive of BCRs, but the political context has changed dramatically over the last years. Currently, 66 companies have obtained BCR status, and nearly as many applications are currently pending. This is primarily due to the facts that: (1) DPAs have increasingly gained experience dealing with the approval process and consider BCRs as a trustful token of privacy compliance; (2) BCRs create trust among employees and consumers; (3) BCRs allow meaningful streamlining of privacy policies and processes throughout a global organization; and (4) BCRs constitute an ideal preparation for compliance with the nearby European Data Privacy Regulation, which will constitute an overhaul of the current European data privacy framework. Are you ready for the new Data Privacy Regulation? Companies should consider rendering their information practices future-proof in view of the adoption of the Data Privacy Regulation expected by the end of this year. To become legally effective, the draft regulation still needs to be approved by the European Council. In a meeting of the Justice and Home Affairs Council in Brussels on March 13, 2015, EU Member States declared that they are ready to wrap up their first reading of the new regulation by June 2015. The use of BCRs by companies appears all the more likely as the new regulation expressly acknowledges BCRs as a valid transfer solution. In the following articles, we will address the content of the BCRs, discuss the advantages and disadvantages of the BCRs, and explain the application and approval process. ✵ 1. Letter of the WP29 to Ms. Vĕra Jourová, EU Commissioner for Justice, Consumers and Gender Equality in charge of data protection matters, February 2, 2015. Jan Dhont (J.Dhont@koanlorenz.com) is Partner and Head of the Privacy and Data Protection Practice at Koan Lorenz Law Firm, Brussels. Alyssa Cervantes (A.Cervantes@koanlorenz.com) and Delphine Charlot (D.Charlot@koanlorenz.com) are Associates in the Privacy and Data Protection Practice at Koan Lorenz Law Firm, Brussels. Companies should consider rendering their information practices future-proof in view of the adoption of the Data Privacy Regulation expected by the end of this year.