Nalpeiron explains global rules for data collection and privacy

GLOBAL RULES FOR DATA COLLECTION
AND PRIVACY EXPLAINED
A GUIDE FOR USING THE NALPEIRON ANALYTICS SERVICE
NALPEIRON.COM 2/6/13 V1.1

GLOBAL RULES FOR DATA COLLECTION AND PRIVACY EXPLAINED
CONTENTS
CONTENTS...............................................................................................................................................................................1
INTRODUCTION.......................................................................................................................................................................3
Who are Nalpeiron?............................................................................................................................................................3
What is the Nalpeiron Software Analytics Service (NSA)?..................................................................................................3
Why use Nalpeiron Software Analytics in your Applications?............................................................................................3
Who should use the Nalpeiron Software Analytics Service?..............................................................................................4
Benefits of Nalpeiron Software Analytics ...........................................................................................................................4
LEGAL ISSUES WITH DATA COLLECTION AND USAGE.............................................................................................................6
QUICK START GUIDE............................................................................................................................................................7
Best Practices......................................................................................................................................................................8
AN EXAMPLE CEIP PROGRAM COLLECTION STATEMENT ...................................................................................................8
AN EXAMPLE CEIP PRIVACY STATEMENT..........................................................................................................................10
SETTING UP AND USING PRIVACY CONTROLS IN THE NALPEIRON SOFTWARE ANALYTICS SERVICE...................................12
THE BASICS OF DATA COLLECTION AND PRIVACY ................................................................................................................16
What is a data controller?.................................................................................................................................................16
What is a data processor?.................................................................................................................................................16
Is it necessary to register as a data collector or processor?.............................................................................................16
What needs to be done before data can be collected?....................................................................................................17
Are there any countries, which have especially strict data privacy rules?.......................................................................17
STARTING COLLECTION OPERATIONS...................................................................................................................................19
What type of data is regulated by law?............................................................................................................................19
How do I make a privacy policy?.......................................................................................................................................19
Do I need to obtain Consent from a subject before I collect data?..................................................................................20
What is meant by "anonymous" data?.............................................................................................................................20
What if the data is anonymous do data privacy rules still apply? ....................................................................................20
Are there any special rules concerning collecting data from internal staff as opposed to a purchaser? ........................20
If a user is beta testing software does it impact how I can collect data?.........................................................................20
Are user groups considered individuals for data privacy purposes?................................................................................21
What type of information must be provided in a Consent or privacy warning statement? ............................................21
NALPEIRON IS NOT PROVIDING A LEGAL OPINION, YOU MUST ALWAYS SEEK GUIDANCE ON LEGAL MATTERS FROM YOUR OWN LAWYERS
© 1991 - 2013 NALPEIRON, ALL RIGHTS RESERVED.

PROCESSING AND TRANSFERING DATA................................................................................................................................22
What is meant by data processing and are their rules regulating this practice? .............................................................22
Where will you be collecting data?...................................................................................................................................23
Will we need to register as a data collector?....................................................................................................................24
Will the data collected be anonymous? ...........................................................................................................................25
RULES GOVERNING THE COLLECTION AND PROCESSING OF DATA......................................................................................26
Asia....................................................................................................................................................................................26
EU Countries .....................................................................................................................................................................28
The Americas.....................................................................................................................................................................28
The Middle East ................................................................................................................................................................30
Regulation of Transfers in Countries beyond Europe to the United States..........................................................................32
Asia....................................................................................................................................................................................32
The Middle East ................................................................................................................................................................33
The Americas.....................................................................................................................................................................33
APPENDIX A...........................................................................................................................................................................35
GETTING ORGANIZED FOR DATA PROTECTION ................................................................................................................35
OBLIGATIONS ON RETENTION AND SECURITY NEED TO BE ADDRESSED .........................................................................35
SELF-HELP CHECKLIST ON DATA PROTECTION POLICY .....................................................................................................35
MAIN RESPONSIBILITIES....................................................................................................................................................36
APPENDIX B...........................................................................................................................................................................39
DATA PROTECTION CONTACT DETAILS FOR ALL MAJOR COUNTRIES ..............................................................................39
APPENDIX C...........................................................................................................................................................................49
Global Table of Data Privacy Laws ....................................................................................................................................49
Global Table of Data Privacy Bills......................................................................................................................................52

INTRODUCTION
WHO ARE NALPEIRON?
Nalpeiron Inc. is a mature profitable 21 year old, US headquartered, Company with offices in London, to support EMEA.
All our servers and infrastructure are based in the US and are maintained by US staff in private and not the public cloud.
We have been serving Software ISVs across 100 Countries with the World’s leading Hosted Licensing and Analytics
Service since 2005.
Our products exist on millions of end users (Windows, Mac and Linux) desktops and networks Worldwide. We serve and
protect some of the largest enterprise software companies as well as some of the smallest startups – all via an easy to
use cloud-based platform.
Our clients use our technology to provide improved end user experiences while protecting, licensing or analyzing their
Software in the field.
WHAT IS THE NALPEIRON SOFTWARE ANALYTICS SERVICE (NSA)?
A real-time Business Information Service for Software Analytics, Run-time Intelligence and Product Usage Insight.
Easily retrofit your Software and then capture all the critical elements of a user’s interaction and usage.
Improve Software quality, plan new features effectively, use engineering resources wisely and keep your users happy.
Real-time analytics data in useful charts, reports and dashboards. Detailed, up to the minute, Business Intelligence not
raw statistics.
WHY USE NALPEIRON SOFTWARE ANALYTICS IN YOUR APPLICATIONS?
• Fully understand your product lifecycle from download/signup all the way to end of life, passing through beta,
NFR, trials, freeware and then on to a sale and beyond
• Learn how customers discover and use product features to drive improved adoption and reduce wasted
engineering efforts across Windows, Mac and Linux platforms
• Understand how features operate in complex, real-world configurations to reduce support headaches and user
problems (analyze your data by platform, operating system, configuration, region, language, state, version, date
and build)
• Learn more about error conditions that might be caused by software defects or configuration issues to improve
customer satisfaction and software quality
• Use trigger events to drive increased trial conversions via automated marketing
• Understand how well marketing promotions are working and focus resources

WHO SHOULD USE THE NALPEIRON SOFTWARE ANALYTICS SERVICE?
• Internal teams developing Software for non-commercial use – Usage, error and adoption data can be used to
fully understand how Software is being consumed within the Organization to enable better use of resources,
reduce error rates and proactively increase Software quality along with costs savings in engineering and
increased satisfaction levels with internal Users.
• Teams at Open Source Developers – Even though Open Source vendors are not charging for their products they
still need to plan product development cycles, focus on features and usage that is adding value to users and to
track what is happening with their products in the real World. An additional benefit can be compliance to license
terms and understanding of adoption levels to help drive sales and marketing efforts.
• Outsourced Software teams developing Software for others – Software quality and early understanding of a
project’s success benefits both the provider and the client. Having detailed data also show clients that the
provider is fully in control of the lifecycle of the development environment and is proactively working to reduce
waste and to make the best products possible for the client. Also accelerated problem diagnosis and
troubleshooting resulting in shorter test schedules and higher customer satisfaction.
• Teams at Independent Software Vendors (ISVs) – A detailed understanding of usage of ISV products helps many
departments: engineering can focus resources on features that are in demand, marketing can drive improved
conversions, better use of marketing budgets and enhanced product marketing insights and sales can get
actionable leads and trends to help plan partner, region and product based sales strategy.
BENEFITS OF NALPEIRON SOFTWARE ANALYTICS
• Reduce business risk –
o Intimately understand the customer, their usage and needs
o Create the most marketable and competitive products
o Eliminate wasted engineering and marketing spend
o Go from gut feelings to hard data
• Increase revenues and profits –
o Automate the processes that drive adoption, reduce churn and focus sales effort
o Understand where to put your investment spend for maximum returns
o Drive adoption through improved engagement
o Focus marketing efforts on those that increase engagement and conversions

• Be more competitive –
o Use detailed, real-time, business information to make management decisions
o Bring together Sales, Marketing, finance and Product Management data
o Make access to usable business critical data easy for everyone, anytime, and in minutes
• Streamline engineering
o Get the facts about what users want in terms of new features and capabilities
o If you are migrating or building a SaaS app, learn the core feature set to build out
o Avoid engineering effort where it will not drive new business
o Improve software quality and make code more robust

LEGAL ISSUES WITH DATA COLLECTION AND USAGE
The law, especially international data protection law, is highly complex and it pays to understand how consumer privacy
maps against business data and then across regions and countries worldwide.
Where and how you store data is important, what type you collect and about what type of entity and also the use of
that data all come into question.
Users need to give permission in many cases and in some countries need to be given access to the data being held – all
this complexity requires thought, control and access. This is an expensive and time consuming issue that has to be
thought about in the context of the customer base you sell and their worldwide locations.
Most software Companies are now global, even tiny startups, due the ease of access to app stores, distribution systems
and the internet, therefore you need to have a system to control and manage the data and to protect it if you plan to
use any form of collection from your users.
Software Analytics Services can help once again by providing the infrastructure and options required to segment and
control the data, both from a capture and content perspective. In many cases you may wish to block data to be collected
from a region (like consumer data from Switzerland or Germany for example) or ensure the data is anonymous, but in
other areas or where you have been granted permission you will want to connect users with their usage to get the best
results.
Here are some scenarios:
• Automatic transmission of all data - useful for beta testing, NFR, resellers, affiliates or in-house corporate
applications for which users have granted consent as part of agreements they accepted prior to installing the
program.
• Automatic transmission with opt-in or a later opt-out is better for commercially available software applications to
enable informed consent and maintain a high-degree of transparency and trust with your users.
• Prompt for transmission after errors or in an environment that is not internet connected is ideal and a universally
accepted process.
• Prompt for transmission in an environment that is not internet connected, with a site to upload the data too, is great
for a collaborative effort with enterprise type customers.
• Transmit upon user request is again a way to send data about an event without user privacy issues.

QUICK START GUIDE
The first question you should ask when collecting data is this:
Will the data collected be anonymous?
It is important to consider what anonymous data is. Anonymous data is information where the identity of the data
subject is impossible to determine.
When reviewing this data ask is there any likelihood I could determine the identity of the subject from the data
collected? If the answer is no, then data may processed information free of regulation because it is not ‘personal data,’
but ‘anonymous data’.
A second consideration is: How is the data best anonymized?
In these situation EU regulations on the subject, provide the model for best practices worldwide.
Anonymization best practices are dictated as follows:
Methods to anonymize personal data, particularly before publishing statistical information or research results, include:
• deleting or omitting ‘identifying details’, for example names;
• substituting code numbers for names or other direct identifiers (this is pseudonymization, effectively);
• aggregating information, for example by age group, year, town; and barnardization or other techniques
introducing statistical noise, for example differential privacy techniques with statistical databases.
• or some combination of these methods.
IF DATA IS GENUINELY ANONYMIZED THERE IS NO REGULATION
REGARDING COLLECTING IT AND TRANSMITTING IT.
IF THE ABOVE STATEMENT IS TRUE THEN IN MOST CIRCUMSTANCES YOU WILL NOT NEED TO READ THE
REST OF THE DOCUMENT BEFORE STARTING YOUR ANALYTICS PROJECT.

BEST PRACTICES
Even if the above is true you should always be open with your users about your intentions, what data you will be
collecting and how you will be using and storing it. This is best done at the point of collection plus within your terms and
conditions of sale and EULA.
Below is quick example of the text you could use:
Copyright and Trademark Adobe Inc.
AN EXAMPLE CEIP PROGRAM COLLECTION STATEMENT
In order to better serve our customers, and to enable our products to meet our customers ongoing and growing needs,
we regularly engage in various kinds of methods to gather client feedback. We encourage our customers to participate
in order to get the most out of our products and our customers’ experience with them. However, given the large scope
of our customer base, it is impossible to reach out to all our customers directly.

Our Customer Experience Improvement Program (CEIP) is a way to allow all our customers to contribute to the features,
design and development of [Your Company Name] products. This program enables our customers to provide us with
various information, including information about the hardware configuration of your host computer, the features you
use most (and least), and the nature of the problems you face. Based on this information, we will be able to improve the
[Your Company Name] products and the features you use most often.
If you choose to participate, we will be automatically collecting information about your hardware configuration and the
way you use [Your Company Name] products. We will not collect any personal data, like your name, address, phone
number (unless you choose to provide it), or keyboard input. Participation in the CEIP is voluntary, however, but the
end results intended to provide software improvements and enhanced functionality to better meet the needs of our
customers.
Below are frequently asked questions about the CEIP and how it works.
How does the CEIP work?
If you choose to participate, by enrolling in the CEIP, [Your Company Name] will automatically begin collecting
information about how you use [Your Company Name] products. Data collected from you and other participants is
combined and made utilized in an anonymous manner, and is thoroughly reviewed and analyzed to help us improve
[Your Company Name] products. However, you cannot review any information before it is sent. We recognize that
some customers might be uncomfortable allowing the information collected by the CEIP to be sent without having an
opportunity to review it fully even though the information does not contain contact information and is governed by our
Customer Experience Program Privacy Statement. If you are uncomfortable with sharing this information, please choose
not to participate.
What does the CEIP collect?
The CEIP collects only the following information:
• Hardware configuration of your host computer
• Software configuration of your host computer and virtual machines (the names and versions of the operating
systems and software installed in them)
• Xxxxxxxxxxxxxxxxxxxxxx (whatever you decided to collect)
How often does CEIP send data?
The CEIP sends collected information to [Your Company Name] when your PC is connected to the Internet.
How does [Your Company Name] protect my privacy if I choose to participate?
The CEIP does not collect any private information or information that can be used to contact you. More details on how
[Your Company Name] protects your privacy are provided below.

AN EXAMPLE CEIP PRIVACY STATEMENT
Privacy Statement for the [Your Company Name] Customer Experience Program
[Your Company Name] is committed to help protect your privacy. This privacy statement explains the data collection and
use practices for the [Your Company Name] Customer Experience Improvement Program (CEIP) reports that will be sent
to [Your Company Name] as a result of your participating in the CEIP. This statement does not apply to other online or
offline [Your Company Name] sites, products, or services.
Collection and Use of Information
When you participate, basic information about your computer and how you use your programs is collected and sent to
[Your Company Name] on a periodic basis. However, [Your Company Name] does not store any personal information.
This information will help us improve the features our customers use most often and to create solutions to common
problems. Initially, the CEIP will gather the following information:
1. Host RAM size
2. Hard disk information (vendor, size, partition table)
3. CPU info
4. OS version
5. XXXXXXXXXXXXXX
However, [Your Company Name] may gather additional information through the CEIP. You can always check our privacy
policy, as may be updated from time to time, in order to determine what information is currently gathered by the CEIP.
You can elect to participate in the CEIP when you first install an [Your Company Name] product (if the CEIP is available in
connection with that product).
CEIP reports generally include information about:
• Configuration, such as how many processors are in your computer, what kinds of virtual machines you use, and
which operating systems you install in them.
• Performance and reliability, such as how quickly a program responds when you click a button, how many
problems you experience with a program or a device, and how quickly information is sent or received over a
network connection.
• Program use, such as the features that you use and those you use the most often.

In addition, standard computer information typically includes certain information about your computer software and
hardware, such as your IP address, operating system version, web browser version, your hardware ID (which indicates
the device manufacturer, device name, and version), and your regional and language settings.
This information is sent to [Your Company Name] when you are connected to the Internet. The CEIP reports do not
contain any personal or contact information about you (such as your name, address, or phone number) unless you agree
to provide it. [Your Company Name] uses the CEIP information to improve its software and identify trends and usage
patterns.
Information that is collected by or sent to [Your Company Name] may be stored and processed in the United States or
any other country in which [Your Company Name] or its affiliates, subsidiaries, or agents maintain facilities, where
privacy laws may not be as protective as in your home country. By participating in the CEIP, you consent to the transfer,
storage, use, and disclosure of information gathered under the CEIP, as described in this Privacy Policy, in the United
States or any other country selected by [Your Company Name]. [Your Company Name] may disclose this information if
required to do so by law or in the good faith belief that such action is necessary to: (a) conform to the edicts of the law
or comply with legal process served on [Your Company Name] or the site; (b) protect and defend the rights or property
of [Your Company Name], or (c) act in urgent circumstances to protect the personal safety of [Your Company Name]
employees, users of [Your Company Name] software or services, or members of the public. [Your Company Name]
occasionally hires other companies to provide limited services on its behalf, such as providing customer support,
processing transactions, or performing statistical analysis of reports. [Your Company Name] will provide those
companies only the information they need to deliver the service. They are required to maintain the confidentiality of
this information and are prohibited from using it for any other purpose.
Security
[Your Company Name] is committed to help protect the security of the information we collect. The CEIP uses a variety of
security technologies and procedures to help protect reports from unauthorized access, use, or disclosure.
Changes to this Statement
[Your Company Name] may occasionally update this privacy statement. When we do, we will also revise the "last
updated" date at the top of the privacy statement. We encourage you to periodically review this privacy statement to
stay informed about how we are helping to protect the information we collect.

SETTING UP AND USING PRIVACY CONTROLS IN THE NALPEIRON SOFTWARE ANALYTICS SERVICE
Nalpeiron offers a multi-layer privacy option, some server-side and the others client-side.
The server-side options relate to blocking data from certain Regions or Countries where you don't want to collect any
data at all, for example it can be painful with the legal position with end users in Switzerland and it's just easier to block
any data from that Country rather than have to deal with the issues and hassles of that jurisdiction. This option is a top
level change and will affect all the products you host with Nalpeiron.
This is a huge issue and this solution makes your life nice and easy!
The client-side is a user-based Opt-in process, allowing you to collect their anonymous data. This is an API you can
configure and call from your application to allow users to opt-in to your program. This option is a product level change
and will affect each product you host with Nalpeiron individually.
A final option is user registration where the users provide details about themselves, along with the data on their usage.
This is especially useful for internal users, consenting beta testers and the like. Tying a user to personally identifiable
data is very useful so it's important that you get permission and also understand the legal position when doing so.
See the Nalpeiron privacy and data collection white papers on the corporate site: www.nalpeiron.com
SERVER-SIDE OPTIONS
When you are logged into your account on the Nalpeiron Publisher Center you will see the options for making your site-
wide Privacy options from the top navigation.

You can simply choose one of the recommended Countries to block data collection as below.
Or you can set your own Country policy, it's as simple as that to stop data coming from users in certain locales you
prefer to not collect data.

CLIENT-SIDE USER OPT-IN
In most cases you need to get end users to explicitly opt in to your Customer Experience Improvement Program (CEIP) or
data collection process. This ensures that they know their information is being sent, what you are going to do with it,
and are comfortable with the process.
How it Works
When you code in the Nalpeiron library to your application, depending on the IDE and platform you are delivering to,
you will display a form (dialog page) prompting them to opt in our out of your CEIP/data collection process for the first
time they run your application. If they opt out then Nalpeiron will automatically disable sending of that specific users
data.

If you place the opt-in process within your application so it’s easily accessible you will enable users to opt-in later or vice
versa maintaining trust and transparency with your users.
Setting up
By default data is collected. You will need to call the Nalpeiron API from your program and this will set whether data is
sent or not. In many cases you will be working with an OS with GUI and in this case you will want to prompt the user
with a dialog to opt-in or out, a simple example is provided within the code sdk provided.

THE BASICS OF DATA COLLECTION AND PRIVACY
WHAT IS A DATA CONTROLLER?
A data controller is the individual or company who controls and is responsible for the keeping and use of personal
information on computer or in structured manual files. This would include the people collecting the data. Being a data
controller carries with it serious legal responsibilities, so you should be quite clear if these responsibilities apply to you or
your organization.
In essence, you are a data controller if you can answer YES to the following question:-
• Do you keep or process any information about living people?
In practice, to find out who controls the contents and use of personal information kept, you should ask the following
questions:-
• Who decides what personal information is going to be kept?
• Who decides the use to which the information will be put?
If your organization controls and is responsible for the personal data that it holds, then your organization is a data
controller. If, on the other hand, you hold the personal data, but some other organization decides and is responsible for
what happens to the data, then that other organization is the data controller, and your organization is a "data processor"
(see below).
WHAT IS A DATA PROCESSOR?
As mentioned above, if you hold or process personal data, but do not exercise responsibility for or control over the
personal data, then you are a "data processor". Examples of data processors include payroll companies, accountants and
market research companies, all of which could hold or process personal information on behalf of someone else.
IS IT NECESSARY TO REGISTER AS A DATA COLLECTOR OR PROCESSOR?
In most countries, this is a requirement. Collecting data without registering with the national data privacy authorities
can result in severe penalties. Here is a list of countries, which require registration.
• Argentina
• Austria
• Belgium
• Bulgaria
• Chile
• Cyprus
• Czech Republic
• Finland
• France
• Greece
• Hungary

• Ireland
• Italy
• Lithuania
• Luxembourg
• Malta
• Monaco
• Netherlands
• Norway
• Poland
• Portugal
• Romania
• Russia
• Slovak Republic
• Sweden
• Switzerland
• UK
• Ukraine
• Uruguay
See attached Appendix B for a contact list of national data protection authorities, which will specify steps for registration
WHAT NEEDS TO BE DONE BEFORE DATA CAN BE COLLECTED?
First, familiarize yourself with all the rules covering data collection and processing in the area where you are conducting
business. The best policy to make sure that there are no loose ends regarding data privacy practice is to review the survey
contained in Appendix A. If your operation passes this review then you can assume you are starting on solid ground.
ARE THERE ANY COUNTRIES, WHICH HAVE ESPECIALLY STRICT DATA PRIVACY RULES?
Looking at the map contained below the countries indicated in blue and green offer the most restrictive environments.
Keep in mind you should always thoroughly research the legal environment you are doing business in. In addition, laws
change, some countries that may be unregulated can become highly regulated overnight. A good rule of thumb is to keep
up on changes in the law and plan accordingly.

WORLDWIDE MAP OF DATA PRIVACY PROTECTIONS
Most restricted
Restricted
Some restrictions
Minimal restrictions
Effectively no restrictions
No legislation or no information
Premium content
Government surveillance may affect privacy
Source: Forrester

STARTING COLLECTION OPERATIONS
WHAT TYPE OF DATA IS REGULATED BY LAW?
Countries with data privacy laws regulate the collection and processing of “personal data” which generally means data
relating to a living individual who is or can be identified either from the data or from the data in conjunction with other
information that is in, or is likely to come into, the possession of the data controller; The definition is – deliberately - a
very broad one. In principle, it covers any information that relates to an identifiable, living individual. However, it needs
to be borne in mind that data may become personal from information that could likely come into the possession of a data
controller. There are different ways in which an individual can be considered ‘identifiable’. A person’s full name is an
obvious likely identifier. However, a person can also be identifiable from other information, including a combination of
identification elements such as physical characteristics, pseudonyms occupation, address, identification number, IP
address, and credit card number, anything that can be used to identify an individual.
HOW DO I MAKE A PRIVACY POLICY?
It is always good practice to have a privacy policy, which data subjects can review. The general approach to privacy policies
is that they should reflect a detailed explanation of an organization’s processing of personal data and the application of
data protection law to these practices. The privacy policy should be a dynamic document, regularly reviewed and updated
to reflect changes in the way the organization processes personal data. A privacy policy should be built around the eight
data protection principles, to ensure that all aspects of data protection are covered. You have certain key
responsibilities in relation to the information which you keep on computer or in a structured manual file about individuals.
These may be summarized in terms of eight "Rules" which you must follow, and which are listed below. Click on the links
to see more information.
YOU MUST:
1. Obtain and process the information fairly
2. Keep it only for one or more specified and lawful purposes
3. Process it only in ways compatible with the purposes for which it was given to you initially
4. Keep it safe and secure
5. Keep it accurate and up-to-date
6. Ensure that it is adequate, relevant and not excessive
7. Retain it no longer than is necessary for the specified purpose or purposes
8. Give a copy of his/her personal data to any individual, on request.

DO I NEED TO OBTAIN CONSENT FROM A SUBJECT BEFORE I COLLECT DATA?
Most countries in the world require some form of Consent which usually involve a click through agreement notifying the
subject of what is being done and their right. How thorough this Consent process must be may vary from country to
country. Regardless of your location, the key test will be to demonstrate that Consent exists. However, usually when
processing sensitive personal data, the level of Consent must be explicit. This means that a data subject must be aware of
and understand the purposes for which his/her data are being processed. Explicit Consent need not require a data subject
to sign a form in all cases. Consent can be understood to be explicit where a person volunteer’s personal data after the
purposes in processing the data have been clearly explained. Thus, a clear explanation on a form, a web page, or the
delivery of a script by properly trained telephone staff might be sufficient to demonstrate Consent has been explicitly
given.
HAS CONSENT BEEN GRANTED?
Test yourself, you should be able to answer YES to the following questions:-
When people are giving you information,
• Do they know what information you will keep about them?
• Do they know the purpose for which you keep and use it?
• Do they know the people or bodies to whom you disclose or pass it?
WHAT IS MEANT BY "ANONYMOUS" DATA?
Anonymous data is information where the identity of the data subject is impossible to determine. When reviewing this
data ask is there any likelihood I could determine the identity of the subject from the data collected? If the answer is no,
then data is anonymous. If data is genuinely anonymized there is no regulation regarding collecting it and transmitting it.
If the data is not anonymous then proceed to the next step.
WHAT IF THE DATA IS ANONYMOUS DO DATA PRIVACY RULES STILL APPLY?
Data privacy laws only apply to the collection of personal information. Anonymous data is not regulated since it is not
considered personal information.
ARE THERE ANY SPECIAL RULES CONCERNING COLLECTING DATA FROM INTERNAL STAFF AS OPPOSED TO
A PURCHASER?
There are special data collection rules in most countries regarding the collection of data from employees. This would be
the only difference between a purchaser and internal staff. A purchaser would be subject to the same data collection
regulations as all other subjects.
IF A USER IS BETA TESTING SOFTWARE DOES IT IMPACT HOW I CAN COLLECT DATA?
Whether or not information is collected through a beta testing program has no bearing on the data collectors
obligations to the subject. All rules regarding the collection of data apply.

ARE USER GROUPS CONSIDERED INDIVIDUALS FOR DATA PRIVACY PURPOSES?
For a user group best practice dictates that normal procedures for data collection would apply. The data collector would
treat the user group as a group individuals who each have rights regarding data collection. If the information collected is
aggregated and would not be useful to identify anyone in the group it could be viewed as anonymous data not subject to
regulation, however this would depend on the manner the group is structured and the information being collected.
WHAT TYPE OF INFORMATION MUST BE PROVIDED IN A CONSENT OR PRIVACY WARNING STATEMENT?
Information in a Consent document or privacy warnings should include the following:
Identity
Identification should ideally include complete and useful contact details. Useful details would include an e- mail address
and postal address that a visitor may use if he/she wishes to discuss any matters relating to the processing of personal
data on your website.
Purpose
There can be many overt purposes for which visitors should reasonably expect their data to be used. These may include
data necessary in the context of a transaction. However, it is possible that data may be processed for non-obvious
purposes such as profiling or future marketing. All these purposes must be clearly referred to in the Privacy Statement.
Data volunteered on that understanding are fairly obtained. If a purpose is not obvious and not referred to, then it will be
difficult for you to lawfully process data for that purpose.
Disclosure
If you plan to release personal data to a third party (other than a person acting as your agent) this is a disclosure and
must be referred to in your Privacy Statement.
Right of Access
Generally, subjects have a right to be given a copy of his/her personal data. If you are retaining personal data, you
should refer to this Right of Access in your Privacy Statement. You should include reference to procedures to be
followed.
Right of rectification or erasure.
A person has a right to have his/her personal data corrected, if inaccurate, or erased, if you do not have a legitimate
reason for retaining the data. You cannot charge for complying with such a request and shall comply within 40 calendar
days of the receipt of such a request. Your Privacy Statement should make reference to this, if you retain personal data,
as well as detailing the procedures a person should follow when making such a request.
Extent of data being processed.
If different data are used for different purposes, this should be clearly outlined.

PROCESSING AND TRANSFERING DATA
WHAT IS MEANT BY DATA PROCESSING AND ARE THEIR RULES REGULATING THIS PRACTICE?
I AM USING A THIRD PARTY CLOUD SERVER TO STORE AND TRANSFER ARE THERE SPECIAL RULES THAT NEED
TO BE FOLLOWED?
The "cloud" provider will usually be acting as a data processor for you. This means that you remain responsible for how
the data is processed. This must be spelled out in a contract which states that the "cloud" provider only processes your
data in accordance with your instructions and takes measures to keep the data secure. You are responsible for taking
"reasonable steps" to ensure compliance by the "cloud" provider. It is therefore important that you establish precisely
where and how the data you provide to a cloud provider will be handled.
WHAT NEEDS TO BE DONE BEFORE DATA IS TRANSFERRED TO A THIRD PARTY OR TO A DIFFERENT LOCATION?
Most countries only allow transfers of data to countries which have equal or better protection to the one you collected
the data in. When doing business in an EU country if personal data is to be transferred to a country outside of the EU
one of the following additional conditions must apply:
• Transfer is to one of the following countries/territories: Argentina, Canada, Switzerland, Israel, Guernsey, Jersey,
Isle of Man, Faroe Islands then no steps need to be taken.
• Transfer is to a company in the USA it must be covered by the EU-US "Safe Harbor" agreement
• If none of these above apply a Consent agreement specifying transfer to a third country that does not meet the
above conditions will work as well. A subject can essentially grant you an exCEIPtion around the tough EU
regulations on transfer.
Best practice would dictate that a well-written Consent agreement would cover all possible transfer scenarios so as to
avoid any transfer related issues.
ARE THERE CERTAIN COUNTRIES WHICH DATA CANNOT BE TRANSFERRED TO?
The general rule is that personal data cannot be transferred to third countries unless the country ensures an adequate
level of data protection.
WHAT SECURITY MEASURES SHOULD I HAVE IN PLACE TO PROTECT PERSONAL DATA FROM UNAUTHORIZED
ACCESS?
Appropriate security measures should be in place which take account of the harm that would result from unauthorized
access to the information. This should take account of available technology and the cost of installation. In addition to
technical security measures, due regard should be had for physical security measures such as access control for central
IT servers and local PCs.
DO I NEED TO ALERT SUBJECTS IF THEIR DATA HAS BEEN COMPROMISED?

A Data Controller is required to have in place appropriate security measures to prevent both internal and external
unauthorized access to personal data that it is responsible for. Data controllers are advised to notify affected data subjects
in most such cases and also to notify the local data protection office.
WHAT ARE THE CONSEQUENCES, IN GENERAL, IF WE COLLECT DATA THAT IS TARGETED WITHOUT THEIR
CONSENT?
The penalties range from remediation, fines or criminal penalties against those involved.
WHERE WILL YOU BE COLLECTING DATA?
The first step when evaluating how to proceed with data collection is to determine if the country in which you are
collecting data from has data privacy laws on the books. The map below provides an approximate visual guide to
countries, which have some form of data privacy.
WORLDWIDE MAP OF DATA PRIVACY PROTECTIONS
Most restricted
Restricted
Some restrictions
Minimal restrictions
Effectively no restrictions
No legislation or no information
Premium content
Government surveillance may affect privacy
Source: Forrester

After examining the map above, please consult Appendix B to verify if your country is covered or could potentially
have new laws coming into effect. If your country is not listed, we can safely assume that data collection is
unregulated. One important note to remember, some countries that do not have specific laws covering data
privacy may have a type of right to privacy in their constitution. Generally, the constitutional right to privacy will
cover extreme forms of intrusion into private details of a subject’s life, health or finances, which would result in
embarrassment if publicized. However, this type of information will not be involved here.
If your country does not have a law on the books, you can safely collect data based on the warnings above. If
your country is listed, proceed to the next section.
WILL WE NEED TO REGISTER AS A DATA COLLECTOR?
The following countries require data collectors to register with a government regulator:
• Argentina
• Austria
• Belgium
• Bulgaria
• Chile
• Cyprus
• Czech Republic
• Finland
• France
• Greece
• Hungary
• Ireland
• Italy
• Lithuania
• Luxembourg
• Malta
• Monaco
• Netherlands
• Norway
• Poland
• Portugal
• Romania
• Russia
• Slovak Republic
• Sweden
• Switzerland
• UK
• Ukraine
• Uruguay

See attached Appendix C for a contact list of national data protection authorities.
WILL THE DATA COLLECTED BE ANONYMOUS?
First, it is important to consider what anonymous data is. Anonymous data is information where the identity of the
data subject is impossible to determine. When reviewing this data ask is there any likelihood I could determine the
identity of the subject from the data collected? If the answer is no, then data may processed information free of
regulation because it is not ‘personal data,’ but ‘anonymous data’.
A second consideration is how is the data best anonymized.
In these situation EU regulations on the subject, provide the model for best practices worldwide. Anonymization
best practices are dictated as follows:
Methods to anonymize personal data, particularly before publishing statistical information or research results,
include:
• deleting or omitting ‘identifying details’, for example names;
• substituting code numbers for names or other direct identifiers (this is pseudonymization, effectively);
• aggregating information, for example by age group, year, town; and
• barnardization or other techniques introducing statistical noise, for example differential privacy techniques with
statistical databases.
• or some combination of these methods.
If data is genuinely anonymized there is no regulation regarding collecting it and transmitting it.
If the data is not anonymous then proceed to the next step.

RULES GOVERNING THE COLLECTION AND PROCESSING OF DATA
Generally these rules concern procedures, which govern whether Consent is required from the subjects of data collection
or if notice must be given if privacy is breached. The following list represents countries with notable regulations regarding
the collection and processing of data.
ASIA
AUSTRALIA
Consent
An organization must not collect personal information unless the information is necessary for one or more of its
functions or activities. At or before the time personal information is collected, or as soon as practicable afterwards,
an organization must take reasonable steps to make an individual aware of:
Its identity and how to contact it;
Why it is collecting (or how it will use the) information about them;
To whom it might give the personal information;
The fact that the individual can obtain access to their personal information;
Any law requiring the collection of personal information; and
The main consequences (if any) for the individual if all or part of the information is not provided.
This is usually done by acCEIPtance by the individual of a privacy policy prior to giving his/her information.
Breach Notification
An organization that breaches the Privacy Act is currently under no legal obligation (and not is it generally current
practice) to report that breach to the affected individual(s) or the Australian Information Commissioner
INDIA
Consent
A person who has obtained access to any electronic record, book, register, correspondence, information,
document or other material and discloses such information without the Consent of the person concerned is in
violation of law. Thus, Consent of the person concerned, while collecting the data and for processing/disclosing
the same is essential.
Breach Notification

None
JAPAN
Consent
When handling personal information, a business operator must specify to the fullest extent possible the purpose
of use of the personal information (“Purpose of Use”). Once a business operator has specified the Purpose of Use,
it must not then make any changes to the said purpose, which could reasonably be considered to be beyond the
scope of what is duly related to the original purpose of use. In addition, when handling personal information, a
business operator shall not handle the information beyond the scope that is necessary for the achievement of the
Purpose of Use without a prior Consent of the individual. In other words, the use of the information must be
consistent with the stated Purpose of Use. The Purpose of Use must be made known to the individual when
personal information is collected or promptly thereafter and this can be made by a public announcement (such as
posting the purpose on the business operator’s website). When personal information is obtained by way of a
written contract or other document (including a record made in an electronic or magnetic format, or any other
method not recognizable to human senses), the business operator must expressly state the Purpose of Use prior
to the collection.
Breach Notification
Japanese law provides that a business operator regulated by the JFSA must immediately produce a report when a
leakage of personal information occurs. In addition, the business operator must promptly publicize the facts
related to the leakage and the steps taken to prevent the reoccurrence of similar event. Finally, the JFSA Guidelines
require that the business operator notify the individual whose information has been leaked of the leakage.
SOUTH KOREA
Consent
If a Data Handler under PIPA or an IT Service Provider under IT Network Act intends to collect Personal Data from
the data subject or IT service user, it must: (i) first notify the data subject or IT service user of the vital information
stipulated under the law; and (ii) obtain data subject’s or IT service user’s prior Consent to such collection other
than some exceptional cases stipulated under the law.
Breach Notification
In case a leak of Personal Data occurs, the Data Handler must notify data subjects without delay of the details and
circumstances, and the remedial steps planned. If the number of affected data subjects exceeds 10,000, the Data
Handler shall immediately report the notification to data subjects and the result of measures taken to MOPAS,
KISA or the National Information Security Agency (the “NIA”).

EU COUNTRIES
Consent
Obtaining Consent is required under European Union law Data subjects must also be made aware of the purposes
for which the data is collected and be allowed to access and to correct personal data. A company collecting
personal data must also implement specified technical and organizational measures to protect personal data from
loss, misuse and unauthorized access or disclosure. If a designee, such as an outside service bureau — called a
“processor” carries out the processing of personal data, there must be a written agreement in place with the
processor to process data only in accordance with instructions from the controlling company and only in
accordance with the terms of European Union Law. Special reporting requirements to the proper supervisory
authority within the applicable Member State must also be complied with.
Breach Notification
Unlike the general data privacy protections under European Union law, laws governing what to do if a breach of
information occurs vary from country to country. In the EU, the Breach Notification regime has two dimensions.
One concerns notifying the relevant regulator with jurisdiction over the breach, and the other concerns notifying
the affected individuals. The term “data breach” is broadly construed and can include any breach of security that
may lead to the accidental or unauthorized access, disclosure, or alteration of personal data. Currently, there is a
general (rather than sector-specific) legal requirement to provide notification of data breaches only in a few
European countries. For example, a legal obligation to notify regulators and affected individuals (under certain
circumstances) of data breaches exists in Germany and Norway. In contrast, some countries, such as Austria, have
a legal requirement to notify individuals but not the regulator, whereas other countries have a voluntary regime
based on codes and guidelines issued by regulators, such as Denmark, Ireland, and the United Kingdom.
THE AMERICAS
ARGENTINA
Consent
The processing of personal data generally requires express Consent from the subject, which must be
accompanied by appropriate information, in a prominent and express manner, explaining the nature of Consent
sought. Consent must be express and informed. It should be in writing or similar form depending on the
circumstances. For example, it is possible to get Consent online by clicking an appropriate icon.
Breach Notification
None.
CANADA
Consent

Canadian law contains a series of fair information processing obligations. The principal obligations related to
processing personal information are: (i)Identifying Purposes: The purposes for which personal information is
collected shall be identified by the organization at or before the time the information is collected (see Fair
Processing Information below); (ii) Consent: The knowledge and Consent of the individual are required for the
collection, use, or disclosure of personal information, except as otherwise authorized by law; (iii) Limited
Collection: The collection of personal information shall be limited to that which is necessary for the purposes
identified by the organization. Information shall be collected by fair and lawful means; (iv) Accuracy: Personal
information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be
used; and (v) Safeguards: Personal information shall be protected by security safeguards appropriate to the
sensitivity of the information. The way in which an organization seeks Consent may vary, depending on the
circumstances and the type of information collected. An organization should generally seek express Consent
when the information is likely to be considered sensitive. Implied Consent would generally be appropriate when
the information is less sensitive. Consent can also be given by an authorized representative (such as a legal
guardian or a person having power of attorney).
Breach Notification
None
COLOMBIA
Consent
As a rule, the collection and cross-border transfer of Private and Semi-private Data can be performed only with
the prior Consent of the data owner unless an exCEIPtion applies.
Breach Notification
Currently there are no Breach Notification regulations in Colombia.
UNITED STATES
Consent
U.S. privacy laws and self-regulatory principals generally require pre collection notice and an opt-out for use and
disclosure of regulated personal information. Opt in rules apply in special cases involving information that is
considered sensitive under US law, such as for health information, personal information knowingly collected
online from children, and telephone usage information. The FTC interprets as a “deceptive trade practice” failing
to obtain opt in Consent if a company engages in materially different uses or discloses personal information not
disclosed in the privacy policy under which personal information was collected.
Breach Notification

Almost every US state requires notifying state residents of a security breach involving residents’ name plus a
sensitive data element (typically, social security number, other government ID number, or credit card or account
number in combination with any security code or password that would permit access to a financial account). A
minority of states also require notification to State Attorneys General and to credit bureaus. For a summary of
these laws see: http://www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx
URUGUAY
Consent
In order to collect the information, which is contained in the database, the data processor should obtain prior
documented Consent from the individual whose information is being processed. Documented Consent is not
required in the following cases: personal data obtained from public sources; personal data obtained by public
bodies to comply with legal obligations; personal data limited to domicile, telephone number, ID number,
nationality, tax number, corporation name; personal data obtained in base of a contractual or professional
relationship, which is necessary to perform the contract or the development of the professional services to be
rendered; and personal data obtained by individuals or corporations for their personal and exclusive use. The
personal data processed cannot be used for purposes different from those that have justified the acquisition of
the information. It is understood that legitimate reasons (i.e. reasons that are not against the law) must preexist
and underlay the processing of the personal information. The Data Protection Act further establishes that once
the reasons to process the personal information have disappeared, the personal information must be deleted.
Breach Notification
In case the data processor detects a breach of security measures, and if the consequences of the breach could
substantially affect the rights of the data subject, and/or the rights of any other agent or person involved, the data
processor should report the facts to the persons involved.
THE MIDDLE EAST
ISRAEL
Consent
Collection of personal data from a data subject must be accompanied by notice indicating: (i) whether delivery of
the information by the data subject is voluntary or subject to a legal obligation; (ii) the purposes for which the
information is collected; and (iii) any prospective transferees and the purposes of such transfer. In addition,
the data subject’s Consent must be “informed” and this has been interpreted by the courts to mean DATA
SUBJECTS must have all relevant information concerning the processing of their data. Hence, while not expressly

specified in the PPA, it is necessary to provide DATA SUBJECTS with a good understanding of which categories of
personal data are being collected, used and transferred.
Breach Notification
Breach Notification obligations currently apply only in the financial sector under the Supervisor of Banks’
Regulation No. 357 on Information Technology Management and equivalent instructions issued by the
Commissioner of Capital Markets, Insurance and Savings.
WHAT STEPS MUST BE TAKEN TO TRANSFER DATA FROM ABROAD TO THE UNITED STATES?
The answer to this question depends on where you are located.
Transferring Data from EU Countries to the US
European Union Law sets out requirements for sending personal data outside Europe. No data can leave Europe
unless the transmission goes to some “third country” that “ensures an adequate level of protection.” In other
words, data about European individuals can only go into countries with data protection laws that the European
Commission considers adequately safeguard Europeans’ personal data. To date, the EU Commission has formally
designated only Argentina, Canada, Guernsey, Isle of Man, and Switzerland as “third countries” offering this
“adequate level of protection. Because Europe sees the United States as a “third country” that fails to offer an
“adequate level of [data] protection,” Data transfers from Europe to the US will only be valid if the provisions of
Safe Harbor have been complied with. In summary, if safe harbor measures have been handled then data can be
transferred without restrictions.

REGULATION OF TRANSFERS IN COUNTRIES BEYOND EUROPE TO THE UNITED STATES
ASIA
AUSTRALIA
An organization may transfer personal data to someone who is outside Australia only if: (i) the organization
reasonably believes that the recipient is subject to a law, binding scheme or contract which is substantially similar
in effect to Australian law; (ii) the data subject Consents to the transfer of the personal data; or (iii) the
organization has taken reasonable steps to ensure that the personal data which it has transferred will be held,
used or disclosed by the recipient in a manner consistent with Australian Law. The obligation placed on
organizations to take reasonable steps to protect personal data from misuse, loss and unauthorized access,
modification and disclosure will apply to the transfer of personal data to an overseas recipient. Organizations
transferring personal data to overseas recipients will need to ensure that the personal data will continue to be
secure once transferred. Once an organization transfers personal data to an organization in a foreign country, the
Privacy Act will apply to the overseas organization only to the extent set out in the section entitled “What is the
territorial scope of application?".
INDIA
The Rules provide that TRANSBORDER DATAFLOWS of sensitive personal data or information can be made to any
other body corporate or a person in India or located in any other country if the same levels of data protection in
India are adhered to, provided that such transfer is necessary for the performance of a lawful contract between
the body corporate or any person acting on its behalf and the provider of information or such transfer has been
Consented to by the provider of information. There is no restriction under the Rules regarding TRANSBORDER
DATAFLOWS of information that is not sensitive personal data or information.
JAPAN
Personal data may not be disclosed to a third party without the prior Consent of the individual.
NEW ZEALAND
An agency should not disclose personal information to another entity unless the disclosure of
the information is one of the purposes in connection with which the information was obtained
or is directly related to the purposes in connection with which the information was obtained.
Care must be taken that all safety and security precautions are met to ensure the safeguarding of
that personal information to make certain that it is not misused or disclosed to any other party.

SOUTH KOREA
As a general rule, a Data Handler or an IT Service Provider may not provide Personal Data to a third party without
obtaining the prior opt-in Consent of the data subject or IT service user
THE MIDDLE EAST
ISRAEL
Israeli law permits transfers to: (i) EU Member States; (ii) other signatories of Council of Europe Convention 108;
and (iii) a country “which receives data from Member States of the European Community, under the same terms
of acceptance”. This has been interpreted by the Database Registrar to apply to transfers to Safe Harbor
participant companies in the US.
THE AMERICAS
ARGENTINA
The transfer of any type of personal information to countries or international or supranational entities which do
not provide adequate levels of protection is prohibited.
CANADA
Canadian law does not contain any specific restrictions related to cross-border data flows. However, all transfers
of personal information to a third party processor, whether within Canada or cross-border, is subject to the
“accountability” principle. Specifically, an organization is responsible for personal information in its possession or
custody, including information that has been transferred to a third party for processing. The organization shall use
contractual or other means to provide a comparable level of protection while the information is being processed
by a third party.
COLOMBIA
In addition, the cross-border transfer of data (i) requires prior Consent from the data owner and such Consent
must include information as to the destination, usage and storage of data and; (ii) can only be performed after
the Data Exporter, regardless of whether it is a data controller or a data processor, has confirmed that the foreign
country where the data will be transferred, meets the same data privacy and protection standards as the ones
provided in Colombian law. Also, Personal data can only be transferred to a third party with the previous Consent
of the data subject (i.e. the individual whose data is being transferred). The previous Consent of the data subject
would not be necessary when the individual’s data to be transferred is limited to: name, surname, identity card

number, nationality, address, and date of birth. The purpose and proper identification of the transferee must be
included in the Consent communication that would be addressed to the data subject. Evidence of the data
subject’s Consent must be kept in the files of the data processor.
UNITED STATES
No geographic transfer restrictions apply in the U.S

APPENDIX A
GETTING ORGANIZED FOR DATA PROTECTION
A quick look at some of the steps to take to comply with your Data Protection obligations:
The right of access is the most important right that an individual has and you need to prepare for handling access
requests. Dealing with access requests is not your only obligation. Staff should be made aware of the obligations
imposed by the Data Protection Acts. To comply you should:
• Ensure that the basic principles of data protection are explained to staff;
• Ensure that there are regular updates to guidance material and staff training and awareness, so that data protection is
a “living” process aligned to the way the organization conducts its business;
• Document procedures, for example with regard to accuracy and have regular security reviews;
• Allocate responsibility for compliance and set-out what in-house sanctions may be imposed if correct procedures are
not followed;
• Set out the circumstances in which personal data may be disclosed to third parties.
Staff should be aware that from October 2007 the principles of data protection apply to manual records, including those
created before July 2003.
OBLIGATIONS ON RETENTION AND SECURITY NEED TO BE ADDRESSED
• Adhere to the ‘need to know principle’ – only personal data necessary for the purpose should be collected and staff
should only be able to access the personal data that they need to carry out their functions;
• Have adequate access controls, firewalls and virus protection and do not forget manual files;
• There should be retention policies for the various categories of data.
The organization should provide for:
• Periodic audit checks and reviews;
• A procedure for complaints handling;
• Plans for remedial steps if things go wrong;
• Privacy /Data Protection Statements on Forms and Websites and an internal e-mail and internet use policy.
SELF-HELP CHECKLIST ON DATA PROTECTION POLICY

Remember -you should be able to answer YES to all of the questions below. If you can, your business is in good shape
from a data protection viewpoint. If you do not have a clean sheet, the checklist can help you identify the areas where
you need to improve.
MAIN RESPONSIBILITIES
Rule 1: Fair obtaining:
• At the time when we collect information about individuals, are they made aware of the uses for that
information?
• Are people made aware of any disclosures of their data to third parties?
• Have we obtained people’s consent for any secondary uses of their personal data, which might not be obvious
to them
• Can we describe our data-collection practices as open, transparent and up-front?
Rule 2: Purpose specification
• Are we clear about the purpose (or purposes) for which we keep personal information?
• Are the individuals on our database also clear about this purpose?
• If we are required to register with the Data Protection Commissioner, does our register entry include a proper,
comprehensive statement of our purpose? [Remember, if you are using personal data for a purpose not listed on
your register entry, you may be committing an offence.]
• Has responsibility been assigned for maintaining a list of all data sets and the purpose associated with each?
Rule 3: Use and disclosure of information
• Are there defined rules about the use and disclosure of information?
• Are all staff aware of these rules?
• Are the individuals aware of the uses and disclosures of their personal data? Would they be surprised if they
learned about them? Consider whether the consent of the individuals should be obtained for these uses and
disclosures.
• If we are required to register with the Data Protection Commissioner, does our register entry include a full list of
persons to whom we may need to disclose personal data?[Remember, if you disclose personal data to someone
not listed on your register entry, you may be committing an offence.]

Rule 4: Security
• Is there a list of security provisions in place for each data set?
• Is someone responsible for the development and review of these provisions?
• Are these provisions appropriate to the sensitivity of the personal data we keep?
• Are our computers and our databases password-protected, and encrypted if appropriate?
• Are our computers, servers, and files securely locked away from unauthorized people?
Rule 5: Adequate, relevant and not excessive
• Do we collect all the information we need to serve our purpose effectively, and to deal with individuals in a fair
and comprehensive manner?
• Have we checked to make sure that all the information we collect is relevant, and not excessive, for our
specified purpose?
• If an individual asked us to justify every piece of information we hold about him or her, could we do so?
• Does a policy exist in this regard?
Rule 6: Accurate and up-to-date
• Do we check our data for accuracy?
• Do we know how much of our personal data is time-sensitive, i.e. likely to become inaccurate over time unless it
is updated?
• Do we take steps to ensure our databases are kept up-to-date?
Rule 7: Retention time
• Is there a clear statement on how long items of information are to be retained?
• Are we clear about any legal requirements on us to retain data for a certain period?
• Do we regularly purge our databases of data, which we no longer need, such as data relating to former
customers or staff members?

• Do we have a policy on deleting personal data as soon as the purpose for which we obtained the data has been
completed?
Rule 8: The Right of Access
• Is a named individual responsible for handling access requests?
• Are there clear procedures in place for dealing with such requests?
• Do these procedures guarantee compliance with the Act's requirements?
REGISTRATION
• Are we clear about whether or not we need to be registered with the Data Protection Commissioner?
• If registration is required, is the registration kept up to date? Does the registration accurately reflect our
practices for handling personal data? [Remember, if your data-handling practices are out of line with the details
set out in your register entry, you may be committing an offence.]
• Is a named individual responsible for meeting our registration requirements?
TRAINING & EDUCATION
• Do we know about the levels of awareness of data protection in our organization?
• Are our staff aware of their data protection responsibilities - including the need for confidentiality?
• Is data protection included as part of the training program for our staff?
CO-ORDINATION AND COMPLIANCE
• Has a data protection coordinator and compliance person been appointed?
• Are all staff aware of his or her role?
• Are there mechanisms in place for formal review by the coordinator of data protection activities within our
organization?

APPENDIX B
DATA PROTECTION CONTACT DETAILS FOR ALL MAJOR COUNTRIES
Austria
Data Protection Council (Datenschutzrat)
www.bundeskanzleramt.at/site/6417/default.aspx (Datenschutzrat : Datenschutz : Fachinhalte : Bundeskanzleramt
Österreich) Web page of the data protection council (Datenschutzrat), an advisory body of the federal government
(German)
City of Vienna
http://wien.at/english/privacy.htm - Data protection page of the city of Vienna (German, English)
The city of Vienna also has a page on genealogy.
Federal Ministry of the Interior
www.bmi.gv.at/cms/bmi_datenschutz (BM.I Internet - Datenschutz) - Information page of the Austrian federal ministry
of the interior on access rights to police databases (German)
Unternehmensserviceportal
https://www.usp.gv.at/Portal.Node/usp/secure/content/it_und_geistiges_eigentum/datenschutz/40992.html(USP:
Datenschutz) - Information on privacy at the Austrian company information portal (Unternehmensserviceportal - USP)
(German)
National Data Protection Authorities
Andorra
www.apda.ad (Agència Andorrana de Protecció de Dades) - Website of the data protection authority of the Principality
of Andorra (Catalan)
Argentina
www.jus.gov.ar/datos-personales.aspx (Dirección Nacional de Protección de Datos Personales - Ministerio de Justicia,
Seguridad y Derechos Humanos | Presidencia de la Nación) - Website of the Argentine data protection agency,
the Dirección Nacional de Protección de Datos Personales (Spanish)
Australia

www.privacy.gov.au (Office of the Privacy Commissioner) - Website of the Australian federal privacy commissioner
(English).
http://www.lawlink.nsw.gov.au/privacynsw (privacy nsw - Privacy NSW : Lawlink NSW) - Website of the privacy
commissioner of the Australian state of New South Wales (English).
www.privacy.nt.gov.au (Office Of The Information Commissioner. Northern Territory of Australia) - Website of the
information commissioner of the northern territory of Australia.
www.privacy.vic.gov.au (Privacy Victoria - Home) - Website of the privacy commissioner of the Australian state of
Victoria (English).
www.oic.qld.gov.au (Information Commissioner - Welcome) - Website of the privacy commissioner of the
Australian state of Queensland (English)
Belgium
www.privacycommission.be (CBPL-CPVP) - Website of the Belgian data protection agency, the Commission de la
protection de la vie privée / Commissie voor de bescherming van de persoonlijke levenssfeer (French, Dutch)
Bulgaria
www.cpdp.bg (Комисия за защита на личните данни) - Website of the Bulgarian data protection authority (Bulgarian).
Canada
• www.priv.gc.ca (Privacy Commissioner of Canada / Commissaire à la protection de la vie privée du Canada) -
Website of the Privacy Commissioner of Canada (English, French).
• www.priv.gc.ca/resource/prov/index_e.asp (Provincial / Territorial Privacy Laws - Office of the Privacy
Commissioner of Canada) - Hyperlink page with information on Canadian territorial privacy Laws, oversight
offices and government organizations (English)
• http://dpi.priv.gc.ca (Office of the Privacy Commissioner - Deep Packet Inspection) - Site of the privacy
commissioner of Canada on Deep Packet Inspection (English)
Croatia
www.azop.hr (Agencija za zaštitu osobnih podataka – Home) - Website of the Croatian personal data protection agency
(Croatian, English).
Cyprus
www.dataprotection.gov.cy (Γραφείο Επιτρόπου Προστασίας Δεδομένων Προσωπικού Χαρακτήρα - Αρχική Σελίδα) -
Website of the office of the Cypriot commissioner for personal data protection (Greek, English).

Czech Republic
www.uoou.cz (ÚOOÚ - Hlavní stránka) - The website of the Czech office for personal data protection (Czech, English).
Denmark
www.datatilsynet.dk (Datatilsynet: Forside) - Website of the Danish data protection agency (Danish, English).
Dubai
http://dp.difc.ae (DIFC | Data Protection Law) - Website of the data protection agency of Dubai (English)
Estonia
www.aki.ee (Andmekaitse Inspektsioon: Andmekaitse Inspektsioon) - Website of the Estonian data protection agency
(Estonian, Russian, English)
Finland
www.tietosuoja.fi (Tietosuojavaltuutetun toimisto - Tietosuojavaltuutetun toimisto) - Website of the Finnish data
protection board (Finnish, Swedish, English).
##France
www.cnil.fr (CNIL - Commission nationale de l'informatique et des libertés) - Website of the French data protection
agency (French, English, Spanish).
Germany
• www.datenschutz.de (Datenschutz - Ihr gutes Recht! - Virtuelles Datenschutzbüro, www.datenschutz.de) - The
virtual data protection office, a portal site of the German data protection agencies (German).
• www.bfd.bund.de (Internetauftritt des Bundesbeauftragten für den Datenschutz und die Informationsfreiheit) -
Website of the German federal data protection commissioner (Bundesbeauftragter für den Datenschutz und
die Informationsfreiheit) (German, English, French).
• www.baden-wuerttemberg.datenschutz.de (Der Landesbeauftragte für den Datenschutz Baden-Württemberg) -
Website of the data protection authority of Baden-Württemberg (German).
• www.datenschutz-bayern.de (Bayerischer Landesbeauftragter fuer den Datenschutz) - Website of the Bavarian
data protection authority for the public sector (German).
• www.regierung.mittelfranken.bayern.de/aufg_abt/abt1/abt1dsa60.htm (Regierung von Mittelfranken) -
Website of the Bavarian data protection authority for the private sector (German).

• www.datenschutz-berlin.de (Berliner Beauftragter für Datenschutz und Informationsfreiheit) - Website of the
Berlin data protection authority with links to all other German data protection authorities and the Privacy
Magazine (German).
• www.lda.brandenburg.de (Die Landesbeauftragte für den Datenschutz und für das Recht auf Akteneinsicht
Brandenburg | Startseite) - Website of the data protection authority of Brandenburg (German, English, Polish).
• www.datenschutz-bremen.de (Der Landesbeauftragte für Datenschutz und Informationsfreiheit Bremen) -
Website of the data protection authority of the city of Bremen (German).
• http://www.datenschutz-hamburg.de/ (Der Hamburgische Datenschutzbeauftragte) - Website of the data
protection authority of Hamburg (German).
• www.datenschutz.hessen.de (Startseite des Hessischen Datenschutzbeauftragten) - Website of the data
protection authority of the state of Hessen (German).
• www.datenschutz.mvnet.de (Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit
Mecklenburg-Vorpommern) - Website of the data protection authority of the state of Mecklenburg-Western
Pomerania (German).
• www.lfd.niedersachsen.de (Der Landesbeauftragte für den Datenschutz Niedersachsen) - Website of the data
protection authority of the state of Lower Saxony (German).
• www.lfd.nrw.de (LfD - NRW) - Website of the data protection authority of the state of North Rhine-
Westphalia (German).
• "http://www.datenschutz.rlp.de/" www.datenschutz.rlp.de (Der Landesbeauftragte für den Datenschutz
Rheinland-Pfalz) - Website of the data protection authority of the state of Rhineland-Palatinate (German).
• http://www.lfdi.saarland.de/ (Landesbeauftragter für Datenschutz Saarland) - Public sector data protection and
freedom of information in the state of Saarland (German).
• www.datenschutz.sachsen.de (Der Sächsische Landtag) - Website of the data protection authority of the state
of Saxony (German).
• www.datenschutz.sachsen-anhalt.de (Datenschutz Sachsen-Anhalt) - Website of the data protection authority of
the state of Saxony-Anhalt (German).
• https://www.datenschutzzentrum.de/ (Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein) -
Data protection website of Schleswig-Holstein (German).
• www.thueringen.de/datenschutz (Der Thüringer Landesbeauftragte für den Datenschutz) - Website of the data
protection authority of the state of Thuringia (German).

Greece
www.dpa.gr (Αρχή) - Website of the hellenic data protection authority (Greek, English).
Hong Kong
www.pcpd.org.hk (Office of the Privacy Commissioner for Personal Data, Hong Kong) - Website of the Privacy
Commissioner for Personal Data of Hong Kong (English, Chinese).
Hungary
http://abiweb.obh.hu/abi/ (ABIWEB - Az Adavédelmi Biztos honlapja) - Homepage of the Parliamentary Commissioner
for Data Protection and Freedom of Information in Hungary (Hungarian, English)
Iceland
www.personuvernd.is (Persónuvernd. Þínar upplýsingar, þitt einkalíf.) - Website of the Icelandic data protection
authority (Icelandic, English).
Ireland
www.dataprotection.ie (Home - Data Protection Commissioner – Ireland) - Website of the data protection commissioner
of the Republic of Ireland (English, Irish).
Israel
http://ilita.justice.gov.il (‫תושרה‬ ‫טפשמל‬ ‫היגולונכט‬ ‫עדימו‬ - ‫)ישאר‬ - Website of the Israeli Law, Information and Technology
Authority (ILITA), home to the Israeli data protection authority (Hebrew, English)
Italy
www.garanteprivacy.it (Garante per la protezione dei dati personali) - Website of the Italian data protection agency
(Italian, English).
Japan
www.soumu.go.jp/english/index.html (Ministry of Public Management, Home Affairs, Posts and Telecommunications) -
Website of the Japanese Ministry of Public Management, Home Affairs, Posts and Telecommunications (Japanese,
English).
Korea
www.kisa.or.kr (한국정보보호진흥원에 오신것을 환영합니다. 음성서비스를 사용하시려면 컨트롤키와 엔터키를
누르세요) - Website of the Korea Information Security Agency (Korean, English).

Latvia
www.dvi.gov.lv/eng (Data State Inspection .|. Homepage) - Website of the Latvian data protection agency (Latvian,
Russian, English, hyperlink leads to English page).
Liechtenstein
www.dss.llv.li (Home - Datenschutzstelle) - Web page of the data protection authority of the principality of Liechtenstein
(German-language page only, but there is an English translation of the data protection law).
Lithuania
www.ada.lt (Valstybinė duomenų apsaugos inspekcija) - Website of the Lithuanian data protection agency (Lithuanian,
English).
Luxembourg
www.cnpd.lu/de (Commission nationale pour la protection des données - Startseite) - Data protection authority of
Luxembourg (German, French)
Malta
www.dataprotection.gov.mt (Welcome to Data Protection) - Website of data protection commission of the republic of
Malta (English).
Former Yugoslav Republic of Macedonia
http://www.dzlp.mk/index.cfm?lng=2 (Дирекција за заштита на лични податоци) - Website of data protection
commission of the former Yugoslav Republic of Macedonia (Macedonian, English).
Mexico
www.ifai.org.mx/DatosPersonales (Protección de Datos Personales) - Website of Mexican data protection authority
(Spanish, parts in English).
Monaco
www.ccin.mc (CCIN - Commission de contrôle des informations nominatives - Principauté de MONACO - Site officiel) -
Website of data protection commission of the Principality of Monaco (French).
New Zealand
www.privacy.org.nz (The Office of the Privacy Commissioner, New Zealand / Homepage) - Website of the New Zealand
data protection agency (English).
Netherlands

www.cbpweb.nl (College bescherming persoonsgegevens) - Website of the Dutch data protection agency (Dutch,
English).
Norway
www.datatilsynet.no (Forsiden - Datatilsynet - personvern og informasjonssikkerhet) - Website of the Norwegian Data
Inspectorate (Norwegian, English).
Poland
www.giodo.gov.pl (GIODO Generalny Inspektor Ochrony Danych Osobowych) - Website of the Polish Inspector General
for the Protection of Personal Data (Polish, English, French).
Portugal
www.cnpd.pt (Página Principal – CNPD) - Website of the Portugese data protection agency, the Comissão Nacional de
Protecção de Dados (Portugese, French, English).
Romania
www.dataprotection.ro (ANSPDCP Dataprotection Romania) - Website of the Romanian national authority for the
supervision of personal data processing (Romanian, English).
Sweden
www.datainspektionen.se (Datainspektionen - Vi värnar om din personliga integritet i IT-samhället) - Website of the
Swedish Data Inspection Board (Swedish, English).
Switzerland
• www.privatim.ch (privatim - die schweizerischen Datenschutzbeauftragten) - Organisation of the Swiss cantonal
data protection authorities (German, French).
• www.derbeauftragte.ch (EDÖB - Der Eidgenössische Datenschutz- und Öffentlichkeitsbeauftragte (EDÖB)) -
Homepage of the Swiss Federal data protection and information commissioner (German, French, Italian and
English).
• www.vpb.admin.ch/deutsch/cont/aut/aut_1.2.3.5.html (Dokumente der EDSK) - Documents and decisions of
the Swiss data protection commission (German, French and Italian).
• www.baselland.ch/Datenschutz.273496.0.html (Kanton Basel-Landschaft - Datenschutz) - Homepage of the
cantonal data protection authority of Basel-Country (German).
• www.jgk.be.ch/site/ds_portrait.htm (Portrait) - Homepage of the data protection agency of the canton of
Berne (German).

• www.bern.ch/stadtverwaltung/datenschutz (Die Stadt Bern - Datenschutzbeauftragter) - Data protection page
of the city of Berne (German).
• www.fr.ch/sprd/de/default.asp?web=sprd&loc=de;loc=de (Fribourg: SPRD: Homepage) - Homepage of the
cantonal data protection authority of Fribourg (German, French and English).
• www.datenschutz.lu.ch (Datenschutzbeauftragter des Kantons Luzern) - Homepage of the cantonal data
protection authority of canton of Lucerne (German).
• www.ne.ch/neat/site/jsp/rubrique/rubrique.jsp?StyleType=marron&CatId=4317 (République et canton du
Neuchâtel - Rubrique Protection des données) - Homepage of the data protection commissioner of the canton
of Neuchâtel (French).
• www.so.ch/staatskanzlei/datenschutz-oeffentlichkeitsprinzip/datenschutz.html (Beauftragter Information und
Datenschutz) - Homepage of the data protection commissioner of the canton of Solothurn (German).
• www.sg.ch/home/sicherheit/datenschutz.html (Datenschutz) - Homepage of the data protection commissioner
of the canton of St. Gallen (German).
• www.ti.ch/CAN/RPD (CAN - Responsabile protezione dei dati - Cantone Ticino) - Homepage of the data
protection commissioner of the canton of Ticino (Italian).
• www.vs.ch/Navig/navig.asp?MenuID=2712 (Etat du Valais) - Homepage of the data protection commissioner of
the canton of Valais (French).
• www.datenschutz-zug.ch (Datenschutzbeauftragter des Kantons Zug) - Homepage of the data protection
commissioner of the canton of Zug (German).
• www.datenschutz.ch (Datenschutzbeauftragter | Startseite) - Data protection commissioner of the canton of
Zurich (German).
• www.stadt-zuerich.ch/content/portal/de/index/politik_u_recht/datenschutzstelle.html (Datenschutzstelle) -
Data protection commissioner of the city of Zurich (German)
Slovakia
www.dataprotection.gov.sk (Úrad na ochranu osobných údajov Slovenskej republiky) - Website of the Slovakian data
protection authority (Slovakian, English).
Slovenia
www.ip-rs.si (IP-RS: Domov) - Website of the Slovenian information commissioner (Slovenian, English).
Spain

• http://swww.agpd.es (Agencia de Protección de Datos) - Website of the Spanish data protection
agency(Spanish, some texts in English).
• www.madrid.org/apdcm (La Agencia - Agencia de Protección de Datos de la Comunidad de Madrid - Comunidad
de Madrid) - Website of the data protection agency of the city of Madrid (Spanish).
• www.apdcat.net (Agència Catalana de Protecció de Dades) - Website of the Catalan data protection
agency (Catalan, Spanish, English).
• www.avpd.es (Agencia Vasca de Protección de Datos) - Website of the Basque data protection agency(Basque,
Spanish).
Thailand
www.oic.go.th/content_eng/default_eng.asp (Office of the Official Information Commission (O.I.C.)) - English part of the
website of the Information Commission of Thailand (Thai, English).
United Kingdom of Great Britain and Northern Ireland
• www.ico.gov.uk (Information Commissioner's Office - ICO) - Website of the British Information
Commissioner (English).
• www.gov.gg/ccm/navigation/home-department/data-protection-commissioner (States of Guernsey: Data
Protection) - Data protection website of the Bailiwick of Guernsey Data Protection Commissioner (English).
• “www.gov.im/odps":http://www.gov.im/odps/ (Welcome - Isle of Man Government Office of the Data
Protection Supervisor) - Website of the data protection supervisor of the Isle of Man (English).
• www.dataprotection.gov.je (Data Protection - Data Protection In Jersey) - Office of the data protection registrar
of the Bailiwick of Jersey (English).
• www.gra.gi/index.php?site=dataprotection (GRA - Data Protection Page) - Office of the data protection
commissioner of Gibraltar (English).
United States of America (USA)
• https://safeharbor.export.gov/list.aspx (Safe Harbor - List) - Safe Harbor website of the US department of
commerce (English).
• http://www.dhs.gov/xabout/structure/editorial_0338.shtm (DHS: The Privacy Office of the U.S. Department of
Homeland Security) - Website of the privacy office of the United States Department of Homeland
Security (English).
• www.whitehouse.gov/omb/privacy_default (Privacy Guidance) - Privacy page of the Office of Management and
Budget (English).

Nalpeiron explains global rules for data collection and privacy

Nalpeiron explains global rules for data collection and privacy

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (8)

Ähnlich wie Nalpeiron explains global rules for data collection and privacy

Ähnlich wie Nalpeiron explains global rules for data collection and privacy (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Nalpeiron explains global rules for data collection and privacy