Comparative Guides

Welcome to Mondaq Comparative Guides - your comparative global Q&A guide.

Our Comparative Guides provide an overview of some of the key points of law and practice and allow you to compare regulatory environments and laws across multiple jurisdictions.

Data Privacy
1. Legal and enforcement framework
1.1 Which legislative and regulatory provisions govern data privacy in your jurisdiction?
Australia

Answer ... Privacy is regulated primarily by Commonwealth legislation. The Privacy Act 1988 (Cth) applies to the management of personal information (including collection, use, disclosure, security and disposal) by most Commonwealth public sector entities, including Commonwealth ministers, as well as private sector entities (including not-for-profits) with annual turnover of more than A$3 million or meeting other specified criteria (eg, health services providers or credit reporting bodies). The Privacy Act contains:

  • 13 Australian Privacy Principles (APPs);
  • a mandatory notifiable data breach scheme;
  • a regime for credit reporting; and
  • recently introduced requirements applying to the COVIDSafe app, the Australian government’s COVID-19 contact tracing app.

The My Health Records Act 2012 (Cth) created a privacy regime for the Australian government’s digital health records scheme, My Health Record. There is an additional privacy regime applicable to data that is shared under the relatively new Consumer Data Right contained in Part IVD of the Competition and Consumer Act 2010 (Cth) (CCA). The Telecommunications Act 1997 (Cth) includes additional protections for certain personal information related to telecommunications services. Other legislation applies in limited cases, such as the Data-matching Program (Assistance and Tax) Act 1990 (Cth), which applies to certain government agency data matching.

All states and territories (other than Western Australia and South Australia) have privacy legislation that applies to the handling of personal information by the relevant state or territory public sector and, in certain cases, to private sector health service providers.

For more information about this answer please contact: Angela Flannery from Holding Redlich
India

Answer ... India has no specific legislation on data protection. At present, data privacy in India is governed by the Information Technology Act, 2000 (‘IT Act’) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (‘Privacy Rules’).

For more information about this answer please contact: Probir Roy Chowdhury from J. Sagar Associates
Liechtenstein

Answer ...

  • The Data Protection Act of 4 October 2018;
  • The Data Protection Ordinance of 11 December 2018; and
  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation (GDPR)).

For more information about this answer please contact: Thomas Nägele from NAGELE Attorneys at Law LLC
Luxembourg

Answer ... The EU General Data Protection Regulation (679/2016) (GDPR) has been fully and directly applicable in Luxembourg since 25 May 2018.

The Law of 1 August 2018 on the Organisation of the National Data Protection Commission and the General Data Protection Framework (‘Law of 1 August 2018’) completes the GDPR at the national level and repeals the Law of 2 August 2002 on the protection of persons with regard to the processing of personal data legislation.

The Law of 1 August 2018 on the Protection of Individuals with regard to the Processing of Personal Data in Criminal and National Security Matters (‘Law of 1 August 2018 on criminal data processing’) transposes into national law Directive (EU) 2016/680 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data.

The Law of 30 May 2005, as amended, concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (the ‘Electronic Communications Protection Law’) transposes Directive 2002/58/EC into national legislation. It governs the protection of personal data in the field of telecommunications and electronic communications, and takes recent and foreseeable developments in the field of services and technologies involving electronic communications into account.

For more information about this answer please contact: Anne Morel from Bonn Steichen & Partners
Pakistan

Answer ... At present, Pakistan has no specific law relating to data protection. However, in April 2020 the Ministry of Information Technology and Telecommunication released a consultation draft of the Pakistan Personal Data Protection Bill, 2020. After the consultation stage, the draft bill will be presented to Parliament for debate and passage. Once passed by the Parliament, the law will be promulgated by presidential assent. The answers in this Q&A are based on the provisions as currently set out in the draft bill, which are subject to change during the legislative process until the law is finally promulgated.

For more information about this answer please contact: Saifullah Khan from S.U.Khan Associates Corporate & Legal Consultants
Portugal

Answer ... Portugal is an EU member state. This Q&A refers to only a few of the relevant applicable legislative provisions.

The main sources of law governing data privacy in the European Union include:

  • EU regulations – legal acts that have general application, are binding in their entirety and are directly applicable in all EU countries; and
  • EU directives – legal acts which require member states to achieve a particular result without dictating the means through which that result should be achieved. Directives normally do not prescribe the exact rules to be adopted.

The main EU legislative framework comprises:

  • Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation (GDPR)); and
  • Regulation (EU) 2018/1725 on the protection of natural persons with regard to the processing of personal data by EU institutions, bodies, offices and agencies and on the free movement of such data.

Other relevant EU statutes include:

  • Regulation (EU) 611/2013 on measures applicable to the notification of personal data breaches under Directive 2002/58/EC on privacy and electronic communications;
  • Regulation (EU) 604/2013, establishing the criteria and mechanisms for determining the member state responsible for examining an application for international protection; and
  • a number of EU directives and decisions.

The Portuguese legislation includes:

  • Act 58/2019, which enforced the GDPR; and
  • Act 59/2019 on the processing of personal data for the prevention, detection, investigation or repression of criminal offences or for the enforcement of criminal sanctions.

For more information about this answer please contact: Óscar Madureira from Rato & Cortés, Sociedade de Advogados, SP, RL
Switzerland

Answer ... In Switzerland, data privacy is regulated by the Federal Act on Data Protection of 19 June 1992 (DPA) and the Ordinance to the Federal Act on Data Protection of 14 June 1993.

Further, every Swiss canton has its own data protection laws with respect to data processing by cantonal authorities.

Switzerland is not a member of the European Union and hence does not have to comply with the EU General Data Protection Regulation (GDPR) or any other directives in this field. However, a comprehensive revision of the Data Protection Act is pending which provides for substantial alignment with the GDPR provisions.

For more information about this answer please contact: Carol S. Rothenfluh from SwissLegal
Taiwan

Answer ... In Taiwan, personal data protection is governed by:

  • the Personal Data Protection Act (PDPA);
  • the Enforcement Rules of the PDPA; and
  • other relevant regulations and rulings issued by the competent authority and the sectoral regulators.

For more information about this answer please contact: Ken-Ying Tseng from Lee And Li
Turkey

Answer ...

  • The Turkish Constitution of 1982;
  • The Law on the Protection of Personal Data (6698);
  • The Criminal Code (5237);
  • The Civil Code (4721);
  • The Labour Law (4857);
  • The Law on the Right to Access Information;
  • The Regulation on the Deletion, Destruction and Anonymisation of Personal Data;
  • The Regulation on the Data Controllers’ Registry;
  • The Regulation on the Operating Principles and Procedures of the Personal Data Protection Board;
  • The Communiqué on the Procedures and Principles of the Obligation to Inform Data Subjects; and
  • The Communiqué on the Procedures and Principles of Applications to Data Controllers.

There are also sectoral laws for banking, electronic communications, e-commerce, insurance and so on.

For more information about this answer please contact: Burak Özdağıstanli from Ozdagistanli Ekici Avukatlık Ortaklığı
UK

Answer ... The main pieces of legislation which govern data privacy in the United Kingdom are the General Data Protection Regulation (2016/679) (GDPR) and the Data Protection Act 2018 (DPA 2018).

The Privacy and Electronic Communications Regulations (PECR) address the use of personal data for electronic marketing and transpose the European ePrivacy Directive (2002/58/EC), until such time as the directly applicable proposed Regulation on Privacy and Electronic Communications is finalised.

However, as the United Kingdom left the European Union on 31 January 2020, it is currently in a transition period until 31 December 2020 and it remains to be seen how much future European legislation (including the proposed ePrivacy Regulation) will continue to apply.

Once the transition period is complete on 31 December 2020, amendments will be made by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 to allow the GDPR and the DPA 2018 to remain effective and integrate fully with UK law (UK GDPR), although there will be some immediate minor adjustments, particularly with regard to international data transfers. At the time of writing, it is unclear how much divergence the UK GDPR will have from the GDPR over time, but companies doing business in Europe and the United Kingdom will need to comply with both regimes.

The main immediate question is whether the United Kingdom will secure an adequacy ruling from the European Commission which would allow data transfers to occur from the European Union to the United Kingdom without further safeguards. This is by no means a certainty, given the small number of countries which have achieved adequacy to date and the length of time (minimum two years) it takes to secure an adequacy ruling.

The US bulk data acquisition regime resulted in the EU-US Privacy Shield being invalidated recently as part of the Schrems II decision. The United Kingdom also engages in such activities, although there are stringent safeguards, as set out in the Investigatory Powers Act 2016. It remains to be seen whether the wide-ranging powers open to UK intelligence agencies will jeopardise a future adequacy ruling by the European Commission after the end of the transition period on 31 December 2020. A recent (at the time of writing) decision by the European Court of Justice ruled that national governments cannot force internet and phone companies to store information such as location data and metadata for reasons of crime prevention or national security. This could well threaten the United Kingdom’s efforts to reach a deal with the European Union on data transfers. Even if the United Kingdom were granted adequacy status, privacy campaigners like Max Schrems may well bring a court case against it.

For more information about this answer please contact: Benjamin Ross from Bortstein Legal Group
United States

Answer ... There is no comprehensive federal law that governs data privacy in the United States. Rather, US privacy law is a complex patchwork of national and state laws and regulations that address particular issues or sectors, and some more general state laws that govern the collection, storage, safeguarding, disposal and use of personal data collected from their residents. In addition, there are many guidelines developed by governmental agencies and industry groups, which are considered to be ‘best practices’.

At the national level, the Federal Trade Commission (FTC) has broad jurisdiction over commercial entities under its authority to prevent unfair or deceptive trade practices. The FTC Act has been applied to offline and online privacy and data security policies. Under this act, the FTC may take action against organisations for:

  • failure to implement and maintain reasonable data security measures;
  • failure to comply with posted privacy policies; and
  • unauthorised disclosure of personal data.

All 50 states have also enacted unfair or deceptive acts or practices (UDAP) statutes which mirror Section 5 of the FTC Act, and under which state attorneys general can bring suit. Many also provide for a personal right of action.

The most comprehensive state data privacy legislation to date is the California Consumer Privacy Act (CCPA), which became effective on 1 January 2020. The CCPA grants consumers significant control over their personal information and imposes substantial duties on entities that collect personal information from a California resident. Nevada and Maine have also enacted consumer data privacy laws, and several other states have pending legislation.

For more information about this answer please contact: Jenny Colgate from Rothwell, Figg, Ernst & Manbeck, P.C.
1.2 Do any special regimes apply in specific sectors (eg, banking, insurance, telecommunications, healthcare, advertising) or to specific data types (eg, biometric data)?
Australia

Answer ... Part IIIA of the Privacy Act and the Privacy (Credit Reporting) Code 2014 (CR Code) impose additional obligations for the protection of credit information relating to individuals collected and used by credit reporting bodies and credit providers that apply in addition to the other Privacy Act obligations.

My Health Record is an online record of an individual’s health information created under the Australian government’s digital health records scheme. A breach of the privacy requirements of the My Health Records Act will also breach the Privacy Act.

Part IVD of the CCA provides protections for consumer data right (CDR) data and applies in addition to the Privacy Act. CDR currently applies in banking and will apply to other sectors over time.

Prudential standards issued by the Australian Prudential Regulatory Authority (APRA) impose information security and outsourcing requirements on APRA-regulated entities in the banking and insurance sectors.

Part 13 of the Telecommunications Act requires carriers and carriage service providers (CSPs) to protect the confidentiality of particular types of personal information. The information that must be protected is information that relates to the content of communications, carriage services provided and the affairs or personal particulars of persons. The Telecommunications Act and the Telecommunications (Interception and Access) Act 1979 (Cth) require carriers and CSPs (and others) to provide access to, or assistance in accessing, certain communications information, in particular cases for law enforcement and national security purposes.

Biometric information is ‘sensitive information’ and so subject to additional obligations under the Privacy Act (see question 3.1).

For more information about this answer please contact: Angela Flannery from Holding Redlich
India

Answer ... While there are no special regimes, there are certain sector-specific regulations and directions that govern data privacy in certain sectors. They include the following:

  • Reserve Bank of India (RBI): The RBI is India’s central banking authority. The RBI has issued directions that require all banks and payment system providers to localise payment transaction data in India. It has also issued directions that regulate how banks and non-banking financial companies (NBFCs) may safeguard customer information and the arrangements that banks and NBFCs may enter into with outsourcing partners, such as cloud service providers or data processors.
  • Insurance Regulatory and Development Authority of India (IRDAI): The IRDAI is the principal regulator of the Indian insurance industry. In 2017 the IRDAI published regulations that govern all outsourcing arrangements entered by Indian insurers. It has also issued guidelines on the implementation of a uniform framework for cybersecurity and information protection by insurers. In 2015 the IRDAI further issued regulations requiring insurers to ensure that records of all policies issued and claims made in India are held in data centres in India only. Similarly, the IRDAI’s guidelines on information and cybersecurity for insurers require insurers to host all ‘core business records’ exclusively in India.
  • The Securities and Exchange Board of India (SEBI): SEBI is the regulator for the securities market in India. SEBI has issued various circulars and directions from time to time, to regulate information security in the securities market. Notably, SEBI issued regulations in 2015 to govern the cybersecurity and cyber resilience frameworks of stock exchanges, clearing corporations and depositories. These regulations prescribe mandatory security breach notification requirements that cover instances of data theft or breach.

For more information about this answer please contact: Probir Roy Chowdhury from J. Sagar Associates
Liechtenstein

Answer ... Special provisions exist in the following regulations, which predominantly refer to the GDPR or the Data Protection Act:

  • the Communication Act of 17 March 2006;
  • the Media Act of 19 October 2005;
  • the Law on Banks and Investment Firms;
  • the Law on Asset Management;
  • the Ordinance on the Law on Banks and Investment Firms;
  • the Ordinance on the Law on Asset Management; and
  • amendments to the Law on the Financial Market Authority regarding aspects of data privacy deriving from the implementation of the Second Markets in Financial Instruments Directive (2014/65/EU).

For more information about this answer please contact: Thomas Nägele from NAGELE Attorneys at Law LLC
Luxembourg

Answer ... Specific sector laws that have an impact on data protection in Luxembourg include the following:

  • Protection of privacy: Law of 11 August 1982 on the protection of privacy;
  • Employee monitoring: Articles L261-1 and L261-2 of the Labour Code on processing operations for workplace supervision purposes;
  • Passenger name records: Law of 1 August 2018 on the processing of passenger name record data in the context of the prevention and repression of terrorism and serious crime, and amending Law of 5 July 2016 on the reorganisation of the State Intelligence Service;
  • Cybercrime: Law of 18 July 2014 concerning the approval of the Convention on Cybercrime of the Council of Europe, opened for signature in Budapest on 23 November 2001;
  • Unique identifiers: Law of 18 June 2013 regarding the identification of a physical person within the national register of physical persons and identity cards;
  • Criminal records and exchange of information within the European Union: Law of 29 March 2013 concerning the organisation of criminal records and the exchange of information from criminal records between member states of the European Union; and
  • Networks and electronic communications services: Law of 27 February 2011 on electronic communications networks and services.

According to the Law of 1 August 2018 and the general data protection framework, the processing of genetic data for the purposes of the exercise of the specific rights of the controller in the field of labour law and insurance is prohibited.

For more information about this answer please contact: Anne Morel from Bonn Steichen & Partners
Pakistan

Answer ... Banking: Section 70 of the Payment Systems and Electronic Fund Transfers Act, 2007 provides that a financial institution or any other authorised party must not divulge any information relating to electronic fund transfers, affairs or accounts of its consumers.

Regulation 4.2(i) of the State Bank of Pakistan’s Regulations for Payment Card Security requires that card service providers ensure the confidentiality of consumers’ data in storage, transmission and processing.

Regulation 2.2.3(c) of the State Bank of Pakistan’s Regulations for the Security of Internet Banking requires that customer information not be transferred to an unauthorised storage or access medium.

Telecommunications: Regulation 16 of the Telecom Consumers Protection Regulations, 2009 requires that telecommunications services operators and their employees maintain the confidentiality of consumer information.

Regulation 5(2)(xxi) of the Regulations for Technical Implementation of Mobile Banking, 2016 requires that service-level agreements between third-party service providers, telecommunications operators and authorised financial institutions include a statement on online privacy, confirming that consumer information obtained as a result of mobile banking is collected, used, disclosed and retained only as committed or agreed.

Specific types of data: The draft bill recognises and provides for separate treatment of ‘sensitive personal data’ and ‘critical personal data’. ‘Biometric data’ is included within the definition of ‘sensitive personal data’. Sensitive personal data can be processed only with the explicit consent of the data subject and only for the following purposes:

  • the exercise or performance of any right or obligation which is conferred or imposed by law on the data controller in connection with employment;
  • the protection of the vital interests of the data subject or another person;
  • the protection of the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld;
  • for medical purposes, where the processing is undertaken by a healthcare professional;
  • for the purpose of, or in connection with, any legal proceedings;
  • for the purpose of obtaining legal advice while ensuring its integrity and secrecy;
  • for the purpose of establishing, exercising or defending legal rights;
  • for the administration of justice pursuant to orders of a court of competent jurisdiction; or
  • for the exercise of any functions conferred on any person by or under any written law.

‘Critical personal data’ is left to be classified by the Personal Data Protection Authority of Pakistan, with the approval of the federal government. Under Section 14 of the draft bill, critical personal data cannot be transferred outside Pakistan.

For more information about this answer please contact: Saifullah Khan from S.U.Khan Associates Corporate & Legal Consultants
Portugal

Answer ... Personal genetic information and health information: Act 12/2005 protects health data, both present and future, including information regarding deceased persons. This act further develops the provisions of the GDPR on the protection of sensitive personal data of a genetic or health nature. The act includes provisions on informed and purpose-specific consent, and forbids the use of genetic information for insurance-related, employment-related or adoption-related purposes. The act also includes detailed provisions on the use of DNA and other biologic material in research, with a strong emphasis on the anonymisation of data. The patenting of human genetic heritage is expressly forbidden.

Telecommunications:

The following legislation applies in the telecommunications space:

  • Act 41/2004 (consolidated by Act 46/2012), which establishes a special regime for the privacy of electronic communications. Major innovations introduced in 2012 include a compulsory duty to notify data breaches and opt-in and opt-out lists for unsolicited direct marketing messages;
  • Act 32/2008 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks;
  • Act 5/2004 on the creation of a national database of non-performer subscribers of electronic telecommunication services; and
  • Regulation (EU) 611/2013 regarding notification of personal data breaches.

Video surveillance:

The following legislation applies to video surveillance:

  • Act 34/2013 on the use of video surveillance cameras by private security companies and for self-protection;
  • Act 1/2005 on the use of video surveillance cameras by the security forces on public places; and
  • other acts on the use of electronic surveillance for road traffic purposes and inside public transportation vehicles such as taxis.

For more information about this answer please contact: Óscar Madureira from Rato & Cortés, Sociedade de Advogados, SP, RL
Switzerland

Answer ... The DPA itself contains special regulations on the processing of data that is considered to be sensitive personal data (eg, data on health – see question 3). With regard to biometric data, which does not necessarily qualify as sensitive personal data, additional provisions to the DPA – such as the Federal Act on DNA Profiling, the Ordinance on the Processing of Biometric Identification Data and the Swiss Criminal Code – may apply, depending on the purpose for which data is processed.

The Swiss banking secrecy and guidelines provide for bank-client confidentiality, which aims to safeguard financial privacy and protects all conclusions of fact, value judgements and other information (including personal evaluation results) that can be attributed to a bank client. Bank-client confidentiality therefore goes further than data protection law. Additionally, the Federal Act on Financial Services (FinSA) contains specific requirements relating to data protection for data retention and processing by financial service providers. The FinSA and the Financial Institutions Act were deliberately closely aligned with the EU Second Markets in Financial Instruments Directive by incorporating equivalent but not identical provisions into the laws.

Furthermore, Article 321 of the Swiss Criminal Code sets forth secrecy obligations, such as patient secrecy regarding health data and attorney-client privilege, which have an impact on the processing of such data.

In the telecommunications sector, specific regulations apply to data retention and processing.

Moreover, Swiss labour law provides special provisions with respect to the processing of employees’ data (see question 10).

For more information about this answer please contact: Carol S. Rothenfluh from SwissLegal
Taiwan

Answer ... Under the PDPA, each sectoral regulator is empowered to interpret PDPA-related matters governing the industry that it regulates, and to stipulate sectoral rules and regulations. The financial and healthcare industries are subject to special rules promulgated by their regulators. Biometric data is regulated as personal data and some types of biometric data (eg, data pertaining to a natural person’s genetics) are deemed ‘sensitive personal data’ and are subject to special protection.

Fingerprints – a type of biometric data – are treated differently from other data. Although fingerprints are not classified as ‘sensitive personal data’, given that they are a unique and undeniable feature through which individuals may be identified, the government has issued a ruling which provides that any use of fingerprints is subject to the data subject’s consent.

For more information about this answer please contact: Ken-Ying Tseng from Lee And Li
Turkey

Answer ... Special regimes and sectoral laws apply in the following sectors.

Banking: The personal data of all customers is protected as ‘customer secrets’. Banks are also required to retain personal data within Turkey.

The following laws apply in this sector:

  • the Banking Law (5411);
  • the Bank and Credit Cards Law (5464);
  • the Law on Payment and Security Reconciliation Systems, Payments Services and Electronic Money Institutions (6493); and
  • the Regulation on Information Systems of Banks and Electronic Banking Services, as amended on 20 June 2020.

Telecommunications: The personal data of customers is subject to protection. The content of communications and traffic data are subject to specific protection and cannot be disclosed without a court or administrative decision, unless the parties to the communication provide their consent. Traffic and location data can be transferred abroad from Turkey only with the explicit consent of the data subject.

The Electronic Communications Law (5809) applies in this sector.

E-commerce: Marketing messages are subject to an opt-in regime.

The following laws apply in this sector:

  • the Law on Regulation on Electronic Commerce (6563); and
  • the Regulation on Commercial Communication and Commercial Electronic Messages of 15 July 2015.

Insurance and health: The following laws apply in these sectors:

  • the Insurance Law (5684); and
  • the Regulation on Personal Health Records of 21 June 2019.

Special categories of personal data: The following types of personal data are defined as ‘special categories of personal data’ and are subject to additional protection:

  • race and ethnicity;
  • political, philosophical, religious and sectarian views, or similar;
  • beliefs;
  • dress and appearance;
  • association, foundation and union memberships;
  • health conditions;
  • biometric and genetic data;
  • sexual life; and
  • convictions and safety precautions, as set out in the Criminal Code.

For more information about this answer please contact: Burak Özdağıstanli from Ozdagistanli Ekici Avukatlık Ortaklığı
UK

Answer ... Financial services: A number of requirements are common to the GDPR and the financial services regulatory regime in the United Kingdom. As part of their regulatory obligations, financial services firms should establish, maintain and improve appropriate technology and cyber resilience systems and controls, including data protection.

There is also a tension to be navigated and documented between data protection principles such as minimisation of data and financial services regulatory requirements to retain data for specified retention periods – particularly when such financial services regulations are not European in origin.

Cookies and marketing: The PECR sit alongside the DPA 2018 and the GDPR and give individuals specific privacy rights in relation to electronic communications.

The PECR cover the following areas:

  • electronic marketing, including marketing calls, texts, emails and faxes;
  • the use of cookies and similar technologies for the purposes of tracking information about people accessing a website or other electronic service;
  • the security of public electronic communications services; and
  • the privacy of customers using communications networks or services as regards traffic and location data, itemised billing, line identification services (eg, caller identification and call return), and directory listings.

Law enforcement: Law enforcement is governed by Part III of the DPA 2018, which implemented the Law Enforcement Directive. The far-reaching nature of these provisions came as a surprise even to the UK government, when it was held that it had largely ignored the DPA 2018 when sharing data concerning the so-called ISIS Beatles (four British ISIS hostage executioners) and had so acted unlawfully. Intelligence agencies have their own more permissive bespoke regime for data processing, as set out in Part IV of the DPA 2018.

Marketing and advertising: While not a separate regime, the Data & Marketing Association has worked closely with the Information Commissioner’s Office (ICO) to produce guidance tailored to the specific needs of the UK marketing industry, covering issues such as consent, legitimate interests and profiling. The ICO has also published guidance on the subject and this should be consulted in tandem with this.

Telecommunications: The PECR – which sit alongside the DPA 2018 and the GDPR and are derived from the European ePrivacy Directive – also set out specific rules relating to electronic communications such as marketing calls, cookies, security of communications services and privacy relating to traffic, location data, itemised billing, line identification and directory listings; and give rights to affected persons and companies.

Other specific European legislation applies to the telecommunications industry. The Telecommunications Framework Directive (2002/21/EC) requires telecommunications network and service providers to take appropriate security measures to ensure the security and integrity of telecoms networks.

The Network and Information Systems Regulations 2018 implement the EU Directive on Security of Network and Information Systems. As with the Telecommunications Framework Directive, the regulations require relevant organisations to secure networks by taking technical and organisational measures appropriate to the risk. In a similar vein to the GDPR, organisations must notify a regulator without undue delay and in any event within 72 hours in respect of a significant or substantial incident. The application of these regulations is wider than just telecoms and also covers critical infrastructure in general.

The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 reflect the EU Telecoms Privacy Directive and permit monitoring of telecommunications systems for limited purposes, such as employee monitoring, provided that it is proportionate and subject to certain procedures.

There are also various pieces of UK legislation which apply to the telecommunications industry from a security and intelligence perspective. The Regulation of Investigatory Powers Act 2000 and its recent regulations govern the interception of communications, the carrying out of surveillance and gathering, and the use and disclosure of data by government agencies, including security and law enforcement services in the interests of national security, prevention of serious crime and promotion of the economic wellbeing of the United Kingdom. The Investigatory Powers Act 2016 requires communication service providers to keep a record of internet history of their subscribers for one year and available for access by public bodies on the production of a warrant or if the data sought is in relation to a ‘serious crime’. The Police Act 1997 outlines the requirements for the consideration and authorisation of interference in respect of property and wireless telegraphy. The Intelligence Services Act 1994 governs the issue of warrants and authorisations enabling action to be taken by the intelligence services in relation to interference with property and wireless telegraphy.

Pharmaceuticals: Pharmaceutical businesses must consider the effects of the GDPR when processing data for medical research, pharmacovigilance and clinical trials.

The GDPR allows flexibility to process personal data where necessary for scientific research purposes, but additional safeguards must be applied if anonymous data is not being used. The GDPR also provides a limited exemption from the right of erasure of personal data for scientific research purposes, but this must be applied carefully.

EU pharmacovigilance legislation requires businesses to report adverse reactions and applies ‘without prejudice’ to the data protection rules; it further notes that ‘it should be possible’ to process personal data within pharmacovigilance reporting requirements while complying with the GDPR. The GDPR introduced a new legal ground for processing special categories of personal data, which may be helpful in the context of pharmacovigilance where the processing is necessary for reasons of public interest or health, but this is subject to various conditions.

The Clinical Trials Regulation (CTR) entered into force in 2014 and is expected to become applicable in 2020; it applies to the conduct of clinical trials throughout the European Union. The European Data Protection Board (EDPB) has clarified in an opinion that both the GDPR and the CTR apply at the same time; and that while the CTR contains specific data protection provisions, it does not permit derogation from or in any way reduce the requirement to comply with the GDPR.

For more information about this answer please contact: Benjamin Ross from Bortstein Legal Group
United States

Answer ... There are a number of federal sector-specific and issue-specific privacy laws and regulations. Some of the most well-known include:

  • the Children’s Online Privacy Protection Act (COPPA), which governs the collection of information about minors under 13 years;
  • the Health Insurance Portability and Accountability Act, which governs the collection of health information by ‘covered entities’ (health plans, healthcare clearinghouses and healthcare providers) and their ‘business associates’;
  • the Gramm-Leach-Bliley Act, which governs personal information collected by banks and financial institutions;
  • the Family Educational Rights and Privacy Act, which governs student education records and student-related personally identifiable information;
  • the Fair Credit Reporting Act (FCRA), which regulates the collection and use of credit information;
  • the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act), which regulates unsolicited commercial email;
  • the Telephone Consumer Protection Act (TCPA), which regulates telemarketing through automatic telephone dialling systems and artificial pre-recorded voice technology; and
  • the Electronic Communications Privacy Act (ECPA) (also called the ‘Wiretap Act’), which regulates wire, oral, and electronic communications.

At the state level, Illinois was the first US state to regulate the collection of biometric information with its Biometric Information Privacy Act, which requires informed written consent and provides for a private right of action for any individual harmed by a violation. Several other states have since adopted biometric privacy statutes (but without a private right of action).

For more information about this answer please contact: Jenny Colgate from Rothwell, Figg, Ernst & Manbeck, P.C.
1.3
Do any bilateral and multilateral instruments on data privacy have effect in your jurisdiction?
Australia

Answer ... A well-known example of such an arrangement is the Agreement between the European Union and Australia on the Processing and Transfer of Passenger Name Record (PNR) Data by Air Carriers to the Australian Customs and Border Protection Service. This agreement authorises the transfer of PNR data to the Australian Department of Home Affairs from airlines that process PNR data in the European Union. The agreement also allows the department to provide that PNR data to other Australian and foreign government agencies, as long as safeguards in the agreement are complied with.

Australia is:

  • a signatory to the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules, which is a government-backed data privacy certification scheme that companies may join to demonstrate compliance with internationally recognised data privacy protections;
  • a participant in the Global Privacy Assembly’s Global Cross Border Enforcement Cooperation Arrangement (GCBECA), with other participants including Canada, Germany and the United Kingdom. This provides a framework for privacy regulators to work together on cross-border enforcement of privacy laws; and
  • a participant in the APEC Cross-Border Privacy Enforcement Arrangement which, like the GCBECA, provides a framework for the cross-border enforcement of privacy laws.

In 2020 the Office of the Australian Information Commissioner (OAIC) also entered into memorandums of understanding with Singapore’s Personal Data Protection Commission and with the UK Information Commissioner's Office. While each memorandum is non-binding, both provide commitments from the privacy regulators to work together in relation to data governance and cross-border movements of personal information.

For more information about this answer please contact: Angela Flannery from Holding Redlich
India

Answer ... No.

For more information about this answer please contact: Probir Roy Chowdhury from J. Sagar Associates
Liechtenstein

Answer ... Adequacy decisions of the European Commission according to Article 45 of the GDPR, concerning whether a country outside the European Union offers an adequate level of data protection. So far, the European Commission has recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United States (limited to the Privacy Shield framework) as providing adequate protection. Adequacy talks are ongoing with South Korea.

The Council of Europe Convention 108/108+ for the Protection of Individuals with regard to Automatic Processing of Personal Data is also applicable; as are the Schengen Information System (SIS and SIS II) and the SIS Supervision Coordination Group.

For more information about this answer please contact: Thomas Nägele from NAGELE Attorneys at Law LLC
Luxembourg

Answer ... The European Union has signed bilateral passenger name record (PNR) agreements with the United States, Canada and Australia. PNR data is information provided by passengers when they book tickets and when checking in for flights, as well as data collected by air carriers for their own commercial purposes. PNR data can be used by law enforcement authorities to fight serious crime and terrorism. The transfer of PNR data from the European Union to third countries can be done only through a bilateral agreement that provides for a high level of personal data protection.

The European Union has also signed a bilateral agreement with the United States regarding the transfer of financial data, called the Terrorist Finance Tracking Programme.

For more information about this answer please contact: Anne Morel from Bonn Steichen & Partners
Pakistan

Answer ... No.

For more information about this answer please contact: Saifullah Khan from S.U.Khan Associates Corporate & Legal Consultants
Portugal

Answer ... International instruments relating to, or with direct implications for, data privacy which are applicable in Portugal include:

  • the International Covenant on Civil and Political Rights;
  • the Charter of Fundamental Rights of the European Union;
  • the European Convention on Human Rights;
  • the Organisation for Economic Co-operation and Development Guidelines governing the protection of privacy and transborder flows of personal data;
  • Council of Europe Convention 108 (Protection of Individuals with regard to Automatic Processing of Personal Data); and
  • the United Nations Convention on the Rights of the Child.

For more information about this answer please contact: Óscar Madureira from Rato & Cortés, Sociedade de Advogados, SP, RL
Switzerland

Answer ... The Schengen Federal Data Protection Act has been in force since March 2019. The GDPR has also had an impact on the pending revisions to the DPA.

For more information about this answer please contact: Carol S. Rothenfluh from SwissLegal
Taiwan

Answer ... In December 2018 Taiwan signed up to the Cross-Border Privacy Rules (CBPR) of the Asia-Pacific Economic Cooperation (APEC) and became the seventh member of the CBPR. This means that the personal data protection statutes, systems and mechanisms adopted in Taiwan are recognised by APEC. Pursuant to the CBPR, Taiwan is in the process of establishing accountability agents in order to certify private businesses in Taiwan. Meanwhile, Taiwan is in dialogue with the European Union in relation to an adequacy decision under the General Data Protection Regulation.

For more information about this answer please contact: Ken-Ying Tseng from Lee And Li
Turkey

Answer ...

  • The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) was signed by Turkey on 28 January 1981 and was published in the Official Gazette on 17 March 2016.
  • The Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, regarding supervisory authorities and transborder data flows (Convention 181), was published in the Official Gazette on 5 May 2016.

For more information about this answer please contact: Burak Özdağıstanli from Ozdagistanli Ekici Avukatlık Ortaklığı
UK

Answer ... The Swiss-US Privacy Shield Framework provides a mechanism to comply with Swiss data protection requirements when transferring personal data from Switzerland to the United States. UK organisations can rely on this in instances where data is being controlled and/or processed in Switzerland and that data may be sub-processed and/or controlled in the United States.

The recent Schrems II decision of the Court of Justice of the European Union means that the European-US Privacy Shield Framework is no longer a valid means of transferring personal data to the United States.

Following the Schrems II decision, the Swiss Federal Data Protection and Information Commissioner (FDPIC) came to the conclusion that even if the Swiss-US Privacy Shield Framework guaranteed some rights to people in Switzerland, Privacy Shield did not offer an adequate level of protection as required by Swiss data protection law. While technically still legally valid as the FDPIC is a data protection authority and not a decision-making body, this effectively means that the Swiss-US Privacy Shield Framework will not be used any more either.

The earliest time for new Standard Contractual Clauses is the end of 2020, as announced in a meeting of the European Parliament on the future of EU-U.S. Data Flows. The announcement states that the new Standard Contractual Clauses will tackle the main legacy issues with the current set, notably addressing Article 28 of the GDPR and also allowing for transfers between an EEA processor and a non-EEA processor.

The United Kingdom having left the European Union means that the United Kingdom may become subject to other bilateral and multilateral instruments in the future, although negotiation of these will take time.

For more information about this answer please contact: Benjamin Ross from Bortstein Legal Group
United States

Answer ... For years, many US companies engaging in cross-border transfers of personal data between Europe and the United States had relied on the Safe Harbour programme, using EU-approved model contracts, or for multinationals, implementing binding corporate rules. The Safe Harbour framework was struck down by the Court of Justice of the European Union (CJEU) in October 2015 (in Schrems v Facebook, or Schrems I). A new Privacy Shield framework was released by the US Department of Commerce and the European Commission in February 2016, which was intended to create more robust, enforceable rights protecting international data transfers.

Just recently, however, in July 2020, the CJEU invalidated the EU-US Privacy Shield (in Schrems II). Given this new decision, companies involved in international data transfers should consider alternative transfer frameworks, such as standard contracting clauses and binding corporate rules.

For more information about this answer please contact: Jenny Colgate from Rothwell, Figg, Ernst & Manbeck, P.C.
1.4
Which bodies are responsible for enforcing the data privacy legislation in your jurisdiction? What powers do they have?
Australia

Answer ... The Information Commissioner, appointed under the Australian Information Commissioner Act 2010 (Cth) (AIC Act), is responsible for the enforcement of the Privacy Act, the My Health Record Act and the CDR privacy regime under the CCA. The commissioner also has regulatory responsibilities under the Crimes Act 1914 (Cth), the Data-matching Act, the National Health Act 1953 (Cth) and the Telecommunications Act. The commissioner is supported by the OAIC, which is also established under the AIC Act.

Under the Privacy Act, the commissioner (supported by the OAIC):

  • must, subject to limited exemptions, investigate Privacy Act-related complaints received from individuals; and
  • may investigate possible breaches of the Privacy Act of her own volition, under a Commissioner-initiated investigation.

If the commissioner determines that a breach has occurred following an investigation, she may make certain declarations, including:

  • requiring the entity in breach to take steps to ensure that the breach is not repeated or continued; and
  • requiring the payment of compensation to affected individuals.

The commissioner may also:

  • accept court enforceable undertakings requiring compliance with the Privacy Act;
  • seek injunctions to prevent ongoing or potential breaches of the Privacy Act; and
  • seek civil penalties for serious or repeated interferences with the privacy of individuals and specified breaches of the credit reporting provisions of the Privacy Act.

Enforcement proceedings must be taken in Australia’s Federal Court or Federal Circuit Court.

The commissioner has similar powers under the My Health Records Act and Part IVD of the CCA.

For more information about this answer please contact: Angela Flannery from Holding Redlich
India

Answer ... At present, there is no specific data protection authority that is responsible for enforcing the Privacy Rules. The Ministry of Electronics and Information Technology (MeitY) operates as the nodal agency for information technology in India. However, MeitY’s role has hitherto been restricted to the formulation of policy; it has not extended to the implementation of the IT Act or the imposition of penalties.

For more information about this answer please contact: Probir Roy Chowdhury from J. Sagar Associates
Liechtenstein

Answer ... According to Article 10 of the Data Protection Act, the Data Protection Authority is responsible for supervising the processing of data by public and non-public bodies.

The authority monitors and enforces the application of this act and other data protection regulations, as well as all laws and regulations implementing the EU Data Protection Directive (2016/680). Among other things, it:

  • handles complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 55 of the directive;
  • investigates, to the extent appropriate, the subject matter of the complaint; and
  • informs the complainant of the progress and the outcome of the investigation within a reasonable period – in particular, if further investigation or coordination with another supervisory authority is necessary.

It also investigates the application of the Data Protection Act and other data protection legislation, including legislation adopted to implement the Data Protection Directive, including on the basis of information received from another supervisory authority or other public authority.

Within the scope of the GDPR, the Data Protection Authority has the powers referred to in Article 58 of the GDPR.

If the Data Protection Authority concludes that there has been a breach of the data protection regulations or that there are other shortcomings regarding the processing of personal data, it will inform the competent supervisory authority.

Before exercising its powers pursuant to Articles 58(2)(b) to (g), (i) and (j) of the GDPR, the Data Protection Authority will notify the controller of its intention to do so within a reasonable period. However, the Data Protection Authority may refrain from doing so where immediate action is required due to imminent danger, reasons of public security or in the public interest, or if this would conflict with compelling public interests.

According to Article 40 of the Data Protection Act, the Data Protection Authority will impose fines pursuant to paragraph 2 for violations of the GDPR – including where the violation is determined to be negligent – according to Articles 83(4) to (6) of the GDPR.

In cases pursuant to Article 83(4) of the GDPR, fines may be imposed of up to CHF 11 million or up to 2% of total worldwide annual turnover in the preceding financial year, whichever is higher. In cases pursuant to Articles 83(5) and (6) of the GDPR, fines may be imposed of up to CHF 22 million or up to 4% of total worldwide annual turnover in the preceding financial year, whichever is higher.

For more information about this answer please contact: Thomas Nägele from NAGELE Attorneys at Law LLC
Luxembourg

Answer ... The National Commission for Data Protection (Commission Nationale pour la Protection des Données (CNPD)) is responsible for monitoring and checking that data is processed in accordance with the GDPR and the Electronic Communications Protection Law.

According to Article 58 of the GDPR, the CNPD has investigative powers, corrective powers, authorisation powers and advisory powers.

For more information about this answer please contact: Anne Morel from Bonn Steichen & Partners
Pakistan

Answer ... Within six months of the entry into force of the draft bill, the federal government will establish the Personal Data Protection Authority of Pakistan. The authority will be responsible for:

  • protecting the interests of data subjects and ensuring the protection of personal data;
  • preventing the misuse of personal data;
  • promoting awareness of data protection; and
  • entertaining complaints.

The authority will have all necessary powers to enable it to perform its functions effectively, including the power to decide on complaints and to pass any order. To this end, the authority will be deemed to be a civil court and will enjoy all powers vested in a civil court under the Code of Civil Procedure, 1908. In addition, the authority will have rule-making powers.

For more information about this answer please contact: Saifullah Khan from S.U.Khan Associates Corporate & Legal Consultants
Portugal

Answer ... The National Data Protection Commission (CNPD) is the Portuguese data protection authority.

The CNPD is structured as an independent body. The president and two other members of its board are elected by the national Parliament. The remaining four members of the board comprise one judge, one public prosecutor and two other individuals to be appointed by the government.

The CNPD is vested with powers of authority throughout the national territory. It is endowed with the power to supervise and monitor compliance with the GDPR, laws and regulations in the field of personal data protection, with strict respect for human rights and fundamental freedoms, as well as guarantees enshrined in the Portuguese Constitution and other applicable or relevant legislation.

In exercising its powers, the CNPD accepts complaints and supervises the processing of personal data, with the power to access premises, equipment and other resources of entities or individuals that control or process such data. It has also the power to investigate, solely or in cooperation with other European authorities, cases of non-compliance and to audit European information systems in this regard.

Offences of an administrative nature will incur fines of up to:

  • €20 million for large corporations;
  • €2 million for small and medium-sized companies;
  • 4% of total worldwide annual turnover for companies; or
  • €500,000 for individuals.

Criminal offences will be reported to the National Public Prosecutor’s Office.

For more information about this answer please contact: Óscar Madureira from Rato & Cortés, Sociedade de Advogados, SP, RL
Switzerland

Answer ... The Federal Data Protection and Information Commissioner (FDPIC) is in charge of supervising federal and private bodies and advising on data privacy law, as well as on technical aspects of data security. It maintains and publishes the Register for Data Files. In conflict situations between private bodies or between private persons and federal bodies, it can act as a mediator. It can also comment on draft federal legislation that may have an impact on data privacy. Furthermore, it interacts and cooperates with data protection authorities in Switzerland and abroad.

To accomplish its tasks, the FDPIC can investigate facts on its own initiative or at the request of a third party. Based on these investigations, it can issue recommendations. However, the FDPIC has no enforcement powers and, in particular, does not have the power to impose sanctions.

For more information about this answer please contact: Carol S. Rothenfluh from SwissLegal
Taiwan

Answer ... The National Development Council is in charge of interpreting the PDPA and facilitating internal coordination between different government agencies on relevant matters. The PDPA is enforced by the central, local, municipal, county and government authorities that regulate and supervise the business operations of non-government agencies in each industry. For example, the regulator of the financial industry, the Financial Supervisory Commission, is in charge of regulating personal data protection matters involving financial institutions, and enforces the PDPA alongside the other sectoral regulations applicable to local financial institutions.

For more information about this answer please contact: Ken-Ying Tseng from Lee And Li
Turkey

Answer ... The Turkish Data Protection Authority (DPA) is responsible for enforcing the personal data protection legislation.

The Data Protection Board is the decision-making organ of the DPA. For the purposes of this Q&A, we use the term ‘DPA’ when mentioning both the authority and the board.

The DPA can:

  • draft secondary legislation regarding data protection;
  • investigate and act on data subjects’ complaints;
  • determine sufficient measures for the processing of sensitive personal data;
  • apply administrative fines and other sanctions, such as restrictions on processing, or refer violations to criminal proceedings;
  • maintain a public register of controllers involved in processing; and
  • cooperate with international organisations on data protection matters.

For more information about this answer please contact: Burak Özdağıstanli from Ozdagistanli Ekici Avukatlık Ortaklığı
UK

Answer ... In the United Kingdom, the ICO is responsible for enforcing data privacy legislation. The purpose of this regulator (known as a supervisory authority under the GDPR) is to uphold information rights in the public interest and promote openness by public bodies and data privacy for individuals.

Under the GDPR, the ICO, as a supervisory authority, has the following investigatory powers:

  • to carry out investigations in the form of data protection audits;
  • to notify a controller or processor of an alleged infringement of the GDPR;
  • to obtain access to all personal data and information necessary for the performance of its tasks; and
  • to obtain access to any premises of the controller or processor, including accessing data processing equipment (eg, IT systems).

The GDPR also gives the ICO the following corrective powers:

  • to issue warnings/reprimands;
  • to order compliance;
  • to impose limitations or bans on processing;
  • to impose fines; and
  • to suspend data flows.

The ICO’s power to fine is set at the higher maximum and the standard maximum. The higher maximum amount is €20 million (or the equivalent in sterling) or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher. In practice, the higher maximum amount can apply to any failure to comply with any of the data protection principles or any rights that an individual may have under the GDPR, or in relation to any transfers of data to third countries.

Otherwise, if there is an infringement of other provisions, such as administrative requirements of the GDPR, the standard maximum amount will apply, which is €10 million (or the equivalent in sterling) or 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher.

The ICO states that any monetary penalty is paid into the Treasury’s Consolidated Fund and is not kept by the ICO.

While it is this power to fine which has attracted the most publicity, the power to suspend data flows or ban processing could effectively shut down a business.

Another power that the ICO has used is to issue a public notice of intent to fine, rather than a fine, which arguably has an equivalent effect in publicity terms. The ICO did this in July 2019 in respect of British Airways for £183 million and Marriott Hotels for £99 million. These fines are still being appealed and seem to have been delayed by agreement between the parties.

At the start of October 2020, the ICO issued for public consultation an updated version of its statutory guidance on how the ICO will exercise its data protection regulatory functions of information notices, assessment notices, enforcement notices and penalty notices, under the DPA 2018.

For more information about this answer please contact: Benjamin Ross from Bortstein Legal Group
United States

Answer ... The FTC is the primary enforcer of US national privacy laws. It has broad authority to bring enforcement actions against organisations that have violated consumers’ privacy rights under Section 5 of the FTC Act, as well as other federal laws (eg, COPPA, FCRA, CAN-SPAM), with the power to impose monetary penalties and to require companies to take affirmative steps to remediate unlawful behaviour. The FTC may initiate an investigation, issue a cease and desist order and file a complaint in court. The FTC also reports to Congress on privacy issues and recommends the enactment of necessary privacy legislation.

Other governmental agencies – such as the Department of Health and Human Services, the Federal Communications Commission, the Securities and Exchange Commission, the Consumer Financial Protection Bureau and the Department of Commerce – may enforce sector-specific laws within the scope of their regulatory authority.

Several federal statutes also provide for a private right of action, such as the TCPA, the FCRA and the ECPA.

Violations of the CCPA are enforceable by the California attorney general, who is authorised to impose injunctions and pursue civil penalties of up to $2,500 per violation. The CCPA also grants consumers a limited private right of action for data breaches. Like the CCPA, enforcement of the various state laws governing privacy and data protection, including state UDAP statutes, is under the purview of the state attorney general, and may or may not include a private right of action.

For more information about this answer please contact: Jenny Colgate from Rothwell, Figg, Ernst & Manbeck, P.C.
1.5
What role do industry standards or best practices play in terms of compliance and regulatory enforcement?
Australia

Answer ... The OAIC has published the Australian Privacy Principles Guidelines (‘OAIC Guidelines’) under Section 28 of the Privacy Act. The OAIC Guidelines are not legally binding, but set out best practice for compliance with the Privacy Act and the APPs. The OAIC Guidelines are widely used by regulated entities.

Under Part IIIB of the Privacy Act, the Information Commissioner may register enforceable privacy codes developed by entities (either on their own initiative or when requested by the commissioner) or by the commissioner. Codes apply in addition to the requirements of the Privacy Act and a breach of a code will also be a breach of the Privacy Act. Currently, the most significant code is the CR Code, which applies to credit providers and credit reporting bodies.

The OAIC’s Privacy Regulatory Action Policy sets out the OAIC’s approach to using privacy regulatory powers. The OAIC’s regulatory approach is to facilitate voluntary compliance with privacy obligations and to work with entities to ensure best privacy practice and prevent privacy breaches. The goal of the OAIC in taking regulatory action is to promote and ensure the protection of personal information. The OAIC will take into account a number of other factors in determining whether to take action, including:

  • to deter conduct in breach of the Privacy Act across a particular sector;
  • to address systemic issues – that is, where there are underlying problems with particular practices, procedures or systems relating to privacy compliance; and
  • instilling public confidence in the OAIC’s role as a privacy regulator.

For more information about this answer please contact: Angela Flannery from Holding Redlich
India

Answer ... As India does not have a robust legal framework for data protection, industry players – especially multinational companies – try to implement data protection policies and frameworks based on industry standards and best practices. However, such implementation is typically voluntary and not for the purposes of compliance.

For more information about this answer please contact: Probir Roy Chowdhury from J. Sagar Associates
Liechtenstein

Answer ... As data privacy is a fundamental human right according to Article 8 of the Charter of Fundamental Rights of the European Union, the Data Protection Agency fulfils its task in a serious and professional manner.

Information and counselling are core tasks of national data protection supervisory authorities, and therefore the national Data Protection Agency also fulfils these tasks – primarily, although not exclusively, through its new website, which informs citizens, companies and public and private institutions and associations on the complex subject of data protection (www.datenschutzstelle.li/).

For more information about this answer please contact: Thomas Nägele from NAGELE Attorneys at Law LLC
Luxembourg

Answer ... Industry standards and best practices play an important role in enabling individuals and entities processing personal data to better understand, apply and comply with their obligations.

For more information about this answer please contact: Anne Morel from Bonn Steichen & Partners
Pakistan

Answer ... Under Section 8 of the draft Bill, the Personal Data Protection Authority of Pakistan will prescribe standards to protect personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction. Data controllers and data processors must adhere to the standards prescribed by the authority. In terms of compliance and regulatory enforcement, the standards prescribed by the authority will prevail over industry practices. However, it is likely that, in prescribing the standards, the authority will take cognisance of industry-level best practices.

For more information about this answer please contact: Saifullah Khan from S.U.Khan Associates Corporate & Legal Consultants
Portugal

Answer ... In addition to the requirements of the GDPR, controllers may – and are encouraged to – prepare self-binding codes of conduct, extending and/or detailing specific measures to ensure a high degree of compliance with the principles of personal data protection.

To this effect, categories of controllers, represented by their associations or otherwise, may draft codes of conduct and submit them for approval.

While this is in no way compulsory, there are some key issues on which controllers might find themselves more comfortable drafting guidelines and procedures – for example, as regards:

  • the anonymisation of personal data;
  • specific safeguards when dealing with the personal data of children; and
  • procedures for out-of-court dispute resolution.

Once the code has been approved, the controllers (or processors) should adhere to it. Compliance with the code will be monitored by a body that has undergone certification to this effect by the CNPD.

Certification mechanisms and data protection marks or seals are also encouraged, to demonstrate compliance with specific aspects of the GDPR regarding safeguards and other devices for protecting the rights of data subjects.

Certification may also be useful for those controllers which are not subject to the GDPR, in the context of transfers of personal data to third countries for which there is no adequacy decision (see question 6).

For more information about this answer please contact: Óscar Madureira from Rato & Cortés, Sociedade de Advogados, SP, RL
Switzerland

Answer ... The FDPIC plays a decisive role in establishing industry standards and best practices in all areas of data protection, such as internet and computer, video surveillance, e-commerce and transborder data flows. It also provides model letters and documentation templates. Guidelines and working tools prepared by the FDPIC are not directly enforceable by the courts; however, they form a relevant basis to be considered by controllers and processors of personal data.

For more information about this answer please contact: Carol S. Rothenfluh from SwissLegal
Taiwan

Answer ... Although the government has been promoting industry standards and best practices in relation to the PDPA, it seems that these have not yet been widely adopted and private businesses do not yet appear to be compliant with such standards and practices. That said, ISO27001 has been recognised by the government as a standard for the telecommunications/IT industry and the telecommunications regulator, the National Communications Commission, has requested certain telecommunications operators to adopt ISO27001 standards.

For more information about this answer please contact: Ken-Ying Tseng from Lee And Li
Turkey

Answer ... The Law on the Protection of Personal Data came into force on 7 April 2016. It is the first comprehensive statute regarding data protection and data privacy in Turkey.

As the law and its secondary legislation may not be sufficient to cover every case, the DPA’s decisions further determine issues in the data protection and data privacy fields in Turkey. The DPA also refers to EU legislation, implementations and general principles in its decisions; and has specified that its aim is to follow best practices around the world.

For more information about this answer please contact: Burak Özdağıstanli from Ozdagistanli Ekici Avukatlık Ortaklığı
UK

Answer ... Codes of conduct: The GDPR introduced the concept of codes of conduct and certificate schemes which encourage trade associations and other representative bodies to draw up best practice guides that identify and address data protection issues that are particularly important to their members. The codes of conduct are designed to give sector-specific support in complying with the GDPR to organisations and build public trust and confidence in the sector’s ability to comply with data privacy laws.

The ICO provides support in drafting and will review any codes of conduct that are drawn up to assess whether they are appropriate tools. Codes of conduct also require a monitoring method and, for private or non-public authorities, a monitoring body to deliver them. Once the code is approved, organisations can then sign up to it and, if appropriate, establish a monitoring body to assess compliance. By signing up to a code of conduct, both controllers and processors can ensure that the GDPR is being applied effectively and by doing so, help to establish operational compliance for the sector.

These codes of conduct and certifications are clearly permissive rather than mandatory, but will be taken into consideration when the ICO is assessing an organisation for enforcement purposes. The ICO released guidance in February 2020 on codes of conduct and certification and announced that organisations can submit their proposals for scheme criteria for approval.

At the time of writing, there are no approved certificate criteria or accredited certification bodies for issuing GDPR certifications, and no codes of conduct, although the United Kingdom Accreditation Services has been permitted by the European Data Protection Board (EDPB) to accredit certification bodies to deliver GDPR schemes using ICO-approved certification criteria. However, as the ICO will no longer be a supervisory authority under the GDPR, any codes of conduct accredited by the ICO will not be accredited after the end of the Brexit transition period.

International Organisation for Standardisation (ISO): The ISO has published ISO 27701, which is a standard for demonstrating a level of data security and endeavours to work with the GDPR. Organisations can receive this as a certification if they comply with its requirements, although it is not a certification for the purpose of the GDPR, as explained above.

Regulatory guidance: Apart from guidance issued by the ICO, the EDPB (known as the Article 29 Working Party prior to the GDPR) is the independent European working party of all the European supervisory authorities, which considers issues relating to the protection of privacy and personal data and publishes extensive guidance and opinions on a variety of specific data privacy areas, from automation and profiling to how to incorporate individual rights, privacy notices and territorial scope. The ICO is no longer a member following the exit of the United Kingdom from the European Union.

For more information about this answer please contact: Benjamin Ross from Bortstein Legal Group
United States

Answer ... Due to the lack of a comprehensive federal privacy regulation, businesses tend to rely somewhat heavily on industry standards and general best practices for guidance on privacy compliance. While not enforceable by law, these self-regulatory frameworks have accountability components that are increasingly being used as a tool for enforcement by regulators. For example, the National Institute of Standards and Technology released a Privacy Framework and a Cybersecurity Framework to help organisations identify and manage privacy and data security risks. Both are well-known and widely used benchmarks of protecting personal information.

In addition, there are guidelines issued by industry groups that set the standards for a particular industry. The advertising industry, for instance, requires members of various advertising groups (eg, the Digital Advertising Alliance) to comply with the groups’ guidelines for online behavioural advertising, which requires participants to:

  • be transparent about data collection;
  • provide consumer control over data use; and
  • limit the collection of sensitive data.

As another example, the Payment Card Industry Data Security Standard sets the privacy standards for organisations that handle credit cards to increase controls around cardholder data and reduce credit card fraud.

For more information about this answer please contact: Jenny Colgate from Rothwell, Figg, Ernst & Manbeck, P.C.
2.
Scope of application
2.1
Which entities are captured by the data privacy regime in your jurisdiction?
Australia

Answer ... The Privacy Act applies to ‘APP entities’, which may be either agencies or organisations.

Agencies are Commonwealth public sector entities, including government ministers and government departments and other bodies. Certain national security and law enforcement agencies are exempt, including the Australian Security Intelligence Organisation and the Australian Signals Directorate, and some of these agencies are exempt in relation to particular types of acts or practices.

An ‘organisation’ is defined as an individual, a body corporate, a partnership, an unincorporated association or a trust – in other words, any form of private sector legal entity. This is subject to exemptions for:

  • ‘small business operators’ (ie, operating businesses with an annual turnover, including of related entities, of A$3 million or less);
  • registered political parties;
  • state or territory authorities; and
  • prescribed instrumentalities.

These exemptions are not absolute. The small business exemption will not apply in certain circumstances, including if the relevant business:

  • is a health service provider;
  • trades in personal information;
  • is a contracted service provider for the Commonwealth; or
  • is a credit reporting body.

Although the Privacy Act does not generally apply to state and territory authorities, it applies to specified New South Wales energy authorities and South Australia’s Department for Health and Wellbeing and HomeStart Finance, which are considered to be organisations.

Other privacy-related legislation applies to a more limited set of entities – for example, the My Health Records Act applies to specific healthcare providers and the Telecommunications Act privacy provisions apply only to carriers and carriage service providers (CSPs).

For more information about this answer please contact: Angela Flannery from Holding Redlich
India

Answer ... All ‘bodies corporate’ – including companies, firms and other associations of persons engaged in commercial or professional activities – are subject to the requirements and restrictions prescribed under the Privacy Rules.

For more information about this answer please contact: Probir Roy Chowdhury from J. Sagar Associates
Liechtenstein

Answer ... Public bodies that process personal data. For non-public bodies, the Data Protection Act shall apply to:

  • the processing of personal data wholly or partly by automated means; and
  • processing other than by automated means of personal data which forms part of a filing system or is intended to form part of a filing system.

Processing by a natural person in the course of a purely personal or domestic activity is exempt from the regime.

For more information about this answer please contact: Thomas Nägele from NAGELE Attorneys at Law LLC
Luxembourg

Answer ... The EU General Data Protection Regulation (GDPR) applies to the processing of personal data:

  • in the context of the activities of an establishment of a controller or a processor in the European Union, regardless of whether the processing takes place in the European Union;
  • of data subjects who are in the European Union by a controller or processor not established in the European Union, where the processing activities are related to:
    • the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the European Union; or
    • the monitoring of their behaviour as far as their behaviour takes place within the Union; or
  • by a controller not established in the European Union, but in a place where member state law applies by virtue of public international law.

For more information about this answer please contact: Anne Morel from Bonn Steichen & Partners
Pakistan

Answer ... The draft Pakistan Personal Data Protection Bill, 2020 is not ‘entity’ driven; rather, it defines and brings under its ambit the ‘data controller’ and ‘data processor’, irrespective of their legal form.

For more information about this answer please contact: Saifullah Khan from S.U.Khan Associates Corporate & Legal Consultants
Portugal

Answer ... The regime applies to data controllers and data processors. Natural persons, legal persons, public authorities, public bodies and agencies all fall under the regime.

For more information about this answer please contact: Óscar Madureira from Rato & Cortés, Sociedade de Advogados, SP, RL
Switzerland

Answer ... The Federal Act on Data Protection (DPA) applies to the processing of data pertaining to natural persons and legal persons by private persons (individuals and legal entities) and federal bodies. In other words, all types of companies are captured by the data protection law.

For more information about this answer please contact: Carol S. Rothenfluh from SwissLegal
Taiwan

Answer ... Under the Personal Data Protection Act (PDPA), both the government and the private sector are subject to the PDPA, including all individuals located in Taiwan. All private businesses must comply with the PDPA when dealing with personal data.

For more information about this answer please contact: Ken-Ying Tseng from Lee And Li
Turkey

Answer ... The Law on the Protection of Personal Data applies to natural persons whose personal data is processed (data subjects) and to natural or legal persons that process such data, wholly or partially, by automated means or by non-automated means, as a part of a data filing system (data controllers).

Data processors are also briefly mentioned in the law.

For more information about this answer please contact: Burak Özdağıstanli from Ozdagistanli Ekici Avukatlık Ortaklığı
UK

Answer ... As a general rule, the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018) apply to all organisations and entities that control and/or process personal data, although there are some specific exemptions which apply in certain limited circumstances. The GDPR and the DPA 2018 also do not apply to any personal or household processing of personal data that is wholly non-commercial, such as texting friends and family.

For more information about this answer please contact: Benjamin Ross from Bortstein Legal Group
United States

Answer ... While Section 5 of the Federal Trade Commission Act and state unfair or deceptive acts or practices statutes apply universally to companies and individuals doing business in the United States, the sector-specific laws apply only to those covered entities as defined by the specific statute. For instance, the Gramm-Leach-Bliley Act applies to financial institutions, such as banks, securities firms and insurance companies. The Health Insurance Portability and Accountability Act (HIPAA) applies to health plans, healthcare clearinghouses and healthcare providers that conduct certain financial and administrative transactions electronically, as well as to persons or entities that perform certain functions or activities that involve the use or disclosure of personal health information.

The more comprehensive state privacy laws (eg, the California Consumer Privacy Act (CCPA), data breach notification laws) generally apply to any business collecting personal information from or about a resident of that state, subject to the specific criteria and exceptions set forth in the state law.

For more information about this answer please contact: Jenny Colgate from Rothwell, Figg, Ernst & Manbeck, P.C.
2.2
What exemptions from the data privacy regime, if any, are available in your jurisdiction?
Australia

Answer ... Certain Commonwealth public sector entities are exempt in whole or part from the Privacy Act, as identified in question 2.1. Also, state and territory government agencies are generally exempt. Private sector businesses (including not-for-profits) are subject to the Privacy Act unless the small business exemption discussed in question 2.1 applies.

The Privacy Act does not apply in other cases, including to:

  • acts or practices of a private sector employer where related to the employment relationship (or former relationship) and an ‘employee record’. An employee record is a record of an employee’s (or former employee’s) personal information relating to the employment relationship. This does not apply to agencies or where the employee record is used for non-employment related purposes;
  • acts or practices of individuals that are not related to the business (if any) carried on by the individual. In other words, an individual is not subject to the Privacy Act in relation to the collection, use and so on of personal information only for purposes related to his or her personal, family or household affairs; and
  • acts or practices of media organisations relating to journalism, provided that the organisation is publicly committed to published privacy standards.

Registered political parties are exempt from the Privacy Act, as are ‘political representatives’ (ie, members of Parliament and local government councillors) and their contractors and volunteers when undertaking specific political activities, including in relation to elections. However, ministers retain obligations under the Privacy Act in relation to personal information.

For more information about this answer please contact: Angela Flannery from Holding Redlich
India

Answer ... The Privacy Rules do not regulate the collection or processing of data by individuals. As discussed above, only bodies corporate are subject to the Privacy Rules. Further, although the Privacy Rules do not define or distinguish between a data controller and a data processor, the government has clarified that several obligations prescribed under the Privacy Rules do not apply to a data processor that does not collect personal information or sensitive personal data or information (SPDI) from a data subject, but merely receives such information from a data collector on a principal-to-principal basis. Among other things, a data processor is not required to:

  • obtain a data subject’s consent to receive his or her SPDI; or
  • give the data subject the ability to access and rectify his or her information.

The government has clarified that these obligations fall on the data collector only, and not the data processor.

For more information about this answer please contact: Probir Roy Chowdhury from J. Sagar Associates
Liechtenstein

Answer ... The exceptions to the scope of the General Data Protection Regulation (GDPR) are listed exhaustively in the GDPR. There is one exception for data processing by private individuals exclusively for “personal or family activities”.

For more information about this answer please contact: Thomas Nägele from NAGELE Attorneys at Law LLC
Luxembourg

Answer ... The GDPR does not apply to the processing of personal data:

  • in the course of an activity which falls outside the scope of EU law;
  • by EU member states when carrying out activities which fall within the scope of Chapter 2 of Title V of the Treaty on European Union (specific provisions on the common foreign and security policy);
  • by a natural person in the course of a purely personal or household activity; or
  • by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

For more information about this answer please contact: Anne Morel from Bonn Steichen & Partners
Pakistan

Answer ... General exemption: Personal data processed by an individual for the purposes of his or her personal, family or household affairs, including recreational purposes, is exempt from the scope of application of the draft bill.

Exemption from specific provisions: Certain processing is exempted from specified provisions of the draft bill, as follows.

  • Nature of processing: critical personal data processed for the prevention or detection of crime or for the purpose of investigations; the apprehension or prosecution of offenders; the assessment or collection of any tax or duty; or any other imposition of a similar nature by the relevant authority. Exempt from: consent; lawful purpose; provision of written notice by the data controller to the data subject; non-disclosure; compliance with the Personal Data Protection Authority of Pakistan’s prescribed standards.
  • Nature of processing: data processed in relation to the physical or mental health of a data subject. Exempt from: consent; lawful purpose; provision of written notice by the data controller to the data subject; non-disclosure; compliance with the authority’s prescribed standards.
  • Nature of processing: data processed to prepare statistics or carry out research. Exempt from: consent; lawful purpose; provision of written notice by the data controller to the data subject; non-disclosure; compliance with the authority’s prescribed standards.
  • Nature of processing: data processed for the purposes of or in connection with any order or judgment of a court. Exempt from: consent; lawful purpose; provision of written notice by the data controller to the data subject; non-disclosure; compliance with the authority’s prescribed standards.
  • Nature of processing: data processed for the purpose of discharging regulatory functions. Exempt from: consent; lawful purpose; provision of written notice by the data controller to the data subject; non-disclosure; compliance with the authority’s prescribed standards.
  • Nature of processing: data processed only for journalistic, literary or artistic purposes. Exempt from: consent; lawful purpose; provision of written notice by the data controller to the data subject; non-disclosure; compliance with the authority’s prescribed standards; data retention requirements; data integrity and access requirements; record-keeping requirements.

Further exemptions: The federal government, upon the recommendation of the Personal Data Protection Authority of Pakistan, is empowered to exempt any data controller or class of data controller from the application of any provision of the draft bill. The federal government must issue an order in this regard, to be published in the Official Gazette.

The federal government may impose any terms or conditions as it thinks fit in respect of such exemption, and can also revoke such an exemption (on the recommendation of the authority) by order published in the Official Gazette.

For more information about this answer please contact: Saifullah Khan from S.U.Khan Associates Corporate & Legal Consultants
Portugal

Answer ... There are a few specific exemptions from the regime.

One of these concerns the processing of personal data by an individual in the course of a strictly personal or household activity.

Some matters of overriding public interest are also covered by exemptions, such as:

  • matters of common foreign and security policy of the European Union; and
  • matters involving the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, when carried out by competent authorities.

In this regard, although this is not a true exemption, it is notable that the regime does not apply to data after it ceases to be qualified as ‘personal’ (eg, through anonymisation). But even in this case, should the data at any point become re-identifiable, the regime will once again apply.

For more information about this answer please contact: Óscar Madureira from Rato & Cortés, Sociedade de Advogados, SP, RL
Switzerland

Answer ... In accordance with Article 2(2), the DPA does not apply to:

  • personal data that is processed by a natural person exclusively for personal use and which is not disclosed to outsiders;
  • deliberations of the Federal Assembly and of parliamentary committees;
  • pending civil and criminal proceedings, international mutual assistance proceedings and proceedings under constitutional or under administrative law, with the exception of administrative proceedings of first instance;
  • public registers based on private law provisions; and
  • personal data processed by the International Committee of the Red Cross.

For more information about this answer please contact: Carol S. Rothenfluh from SwissLegal
Taiwan

Answer ... All activities involving the collection, use and processing of personal data are subject to the PDPA, except in the following situations:

  • The personal data is collected, processed or used by an individual in the course of personal or family activity; or
  • Audiovisual information is collected, processed or used in a public place or through a public activity which is not associated with any other personal data.

For more information about this answer please contact: Ken-Ying Tseng from Lee And Li
Turkey

Answer ...

  • Processing that a natural person carries out for purely personal or household activities.
  • Processing for official statistical purposes or, if the data is anonymised, for research, planning or statistical purposes.
  • Processing for artistic, literary, historic or scientific purposes, within the scope of freedom of expression, if the processing does not constitute a crime and does not violate:
    • privacy and personal rights;
    • national defence or security;
    • public security or order; or
    • economic security.
  • Processing within the scope of preventive, protective and intelligence-related activities that assigned and authorised public institutions and organisations carry out for purposes relating to:
    • national defence or security;
    • public security or order; or
    • economic safety.
  • Processing for investigations, prosecutions, criminal proceedings or execution proceedings by courts and execution bodies.

For more information about this answer please contact: Burak Özdağıstanli from Ozdagistanli Ekici Avukatlık Ortaklığı
UK

Answer ... Both the GDPR and the DPA 2018 set out limited exemptions; however, the Information Commissioner’s Office (ICO) makes it clear that these should be relied upon only in specific circumstances. Where there is reliance on an exemption, organisations should justify its usage and document it in order to show compliance.

GDPR exemptions: The GDPR makes it possible for exemptions to be put in place by countries, including for reasons of national security, defence or public security, prevention of crime, judicial independence, breaches of ethics for regulated professions, protection of the data subject or the enforcement of civil law claims.

There are also a number of specific situations which may allow organisations to deviate from the GDPR, including:

  • freedom of expression and information;
  • public access to official documents;
  • processing of national identification numbers;
  • achievement of purposes in the public interest, scientific or historical research purposes or statistical purposes;
  • obligations of secrecy; and
  • processing of personal data by churches and religious associations.

DPA 2018 exemptions: The DPA 2018 allows organisations in certain circumstances to deviate from data privacy regulations, including:

  • crime, law and public protection, including taxation, legal professional privilege and the right against self-incrimination, disclosure that is prohibited or restricted by existing rules, immigration, audit, functions designed to protect the public and functions of the Bank of England;
  • regulation, Parliament and the judiciary, including regulatory functions relating to legal services, the health service and children’s services, parliamentary privilege, judicial appointments, independence and proceedings and crown honours, dignities and appointments;
  • journalism, research and archiving, including academia, art and literature, research and statistics and archiving in the public interest;
  • health, social work, education and child abuse, including health, education or social work data processed by a court or in an individual’s best interests, to prevent serious harm or when restricting a right of access;
  • finance, management and negotiations, including processing in relation to corporate finance, management forecasts and negotiations;
  • references and exams, including confidential references, exam scripts and exam marks; and
  • subject access requests, including information about other people for the protection of the rights of others.

For more information about this answer please contact: Benjamin Ross from Bortstein Legal Group
United States

Answer ... Because privacy law in the United States is a patchwork of hundreds of state and federal laws, specific statutes must be consulted to determine exemptions.

A business may be exempt from compliance with a privacy law if it does not meet the criteria set forth in the statute. For instance, under the CCPA, a business may be exempt from the duties set forth in the law if it meets one or more of the following criteria:

  • It has a gross revenue of less than $25 million per year;
  • It annually buys, receives, sells or shares the personal information of fewer than 50,000 consumers, households or devices for commercial purposes; or
  • It derives less than 50% of its annual revenues from selling consumers’ personal information.

Many states also have exemptions for data that is regulated by certain federal laws – for example, HIPAA-based exemptions are very common.

Depending on the statute, a business may also be exempt if the personal data collected, used or otherwise processed is de-identified or aggregated. Most statutes and the guidelines issued by the Federal Trade Commission also provide exemptions from privacy requirements for law enforcement purposes.

For more information about this answer please contact: Jenny Colgate from Rothwell, Figg, Ernst & Manbeck, P.C.
2.3
Does the data privacy regime have extra-territorial application?
Australia

Answer ... The Privacy Act, and codes registered thereunder, have extraterritorial operation (section 5B), as follows:

  • acts or practices of agencies, wherever performed; and
  • acts or practices of organisations, where an Australian link exists. An ‘Australian link’ exists where an organisation is:
    • an Australian citizen or permanent resident;
    • a partnership or trust established in Australia;
    • a body corporate incorporated in Australia; or
    • an unincorporated entity with central management and control in Australia.
  • If this requirement is not satisfied, then an act or practice of an organisation done or engaged in outside Australia will have an Australian link if both:
    • the organisation “carries on business” in Australia; and
    • the relevant personal information was collected or held by the organisation in Australia, either before or at the time of the act or practice.

Australian Information Commissioner v Facebook Inc (No 2) [2020] FCA 1307 considered the requirements for an Australian link in the context of the Information Commissioner’s case against Facebook Ireland and Facebook Inc arising from the Cambridge Analytica scandal. Although only a decision on an interlocutory application, where the commissioner needed only to establish a prima facie case, the Federal Court judge hearing the case found that Facebook Inc, even though it did not provide the Facebook app to Australian users, carried on business in Australia through services provided to Facebook Ireland in Australia and collected and held personal information in Australia, as it installed and operated cookies on Facebook and provided caching servers in Australia.

For more information about this answer please contact: Angela Flannery from Holding Redlich
India

Answer ... The IT Act has extra-territorial applicability in certain cases. As per Section 75, the provisions of the IT Act extend to any offence or contravention committed outside India by any person, irrespective of his or her nationality, if the act or conduct constituting the offence or contravention involves a computer or computer system located in India. Therefore, in the context of data protection, the provisions of the IT Act and Privacy Rules will apply if the collection or processing of personal information or SPDI involves a computer or computer system located in India.

For more information about this answer please contact: Probir Roy Chowdhury from J. Sagar Associates
Liechtenstein

Answer ... Circumstances might arise where extra-territorial application of the GDPR in conjunction with the Data Protection Act is possible. As regards the territorial scope of the GDPR (Article 3), which includes the possibility of extra-territorial effect or application, the European Data Protection Board has published Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) Version 2.0 of 12 November 2019.

For more information about this answer please contact: Thomas Nägele from NAGELE Attorneys at Law LLC
Luxembourg

Answer ... See question 2.1.

For more information about this answer please contact: Anne Morel from Bonn Steichen & Partners
Pakistan

Answer ... Section 3 of the Pakistan Personal Data Protection Bill, 2020 provides that the bill will have extra-territorial application and a data controller or data processor which is not registered/established in Pakistan is to nominate a representative in Pakistan.

For more information about this answer please contact: Saifullah Khan from S.U.Khan Associates Corporate & Legal Consultants
Portugal

Answer ... Yes. First, the regime applies directly throughout the European Union. Under Article 3 of the General Data Protection Regulation, the regime applies to the processing of personal data in the context of the activities of a controller or a processor in the European Union, even where the processing takes place outside the European Union.

It also applies to the processing of personal data of EU data subjects by a controller or processor which is not established in the European Union, whenever such processing relates to the offering of goods or services to such EU data subjects or to the monitoring of their behaviour, insofar as this takes place within the European Union.

It also applies to the processing of personal data by a controller not established in the European Union, but in a place where member state law applies by virtue of public international law.

For more information about this answer please contact: Óscar Madureira from Rato & Cortés, Sociedade de Advogados, SP, RL
Switzerland

Answer ... Due to the principle of territoriality, the data protection legislation is generally applicable to situations that take place in Switzerland. Therefore, the processing of data as the main factor to determine the geographical scope must take place locally. An extra-territorial application may occur, for example, in the case of outsourcing to a foreign company. In addition, the principle of impact must be observed if circumstances abroad have an impact on Switzerland, such as through websites that can be accessed for business transactions in Switzerland.

For more information about this answer please contact: Carol S. Rothenfluh from SwissLegal
Taiwan

Answer ... The current text of the PDPA does not explicitly provide for the extra-territorial application of the PDPA to offshore entities, although some of its provisions would seem to suggest such an application. The current position of the National Development Council (NDC) is that the PDPA does not have extra-territorial application.

Meanwhile, the NDC is contemplating amending the PDPA to further align it with the General Data Protection Regulation; whether the amendments will include an extra-territorial application clause remains a topic to be considered and discussed in Taiwan.

For more information about this answer please contact: Ken-Ying Tseng from Lee And Li
Turkey

Answer ... The Law on the Protection of Personal Data contains no provisions on territorial scope, but it is accepted that the law has extra-territorial application. Additionally, the Regulation on the Data Controllers’ Registry of 30 December 2017 defines a ‘foreign controller’ as a data controller that is not established in Turkey.

Therefore, the law has extra-territorial application for data controllers that collect data in Turkey or process data that has been collected in Turkey.

For more information about this answer please contact: Burak Özdağıstanli from Ozdagistanli Ekici Avukatlık Ortaklığı
UK

Answer ... The GDPR has extra-territorial application – it is intended to protect the personal data of people located in the European Union and therefore as a general rule applies to organisations that handle such data regardless of where they are based or where the processing takes place. The GDPR is also intended to hold organisations in the European Union to the same standards when handling personal data of people anywhere in the world, when such data is handled in the context of the organisations’ establishments in the European Union.

The GDPR covers both organisations based in the European Union and those outside if the organisation offers goods or services to people located in the European Union or monitors the online behaviour of people located in the European Union. Importantly, this territorial scope test is not one of nationality, residency or tax status, as is the case with other legislation.

The UK GDPR has similar extra-territorial scope, which means that organisations both inside and outside the United Kingdom will find themselves subject to the UK GDPR as well as the GDPR if they process personal data of people located in the United Kingdom or offer goods or services to or monitor behaviour of people located in the United Kingdom.

For more information about this answer please contact: Benjamin Ross from Bortstein Legal Group
United States

Answer ... US privacy laws are enforced only by the US and state courts and agencies, so the jurisdictional scope is limited to the United States and its territories. However, some of the state privacy laws, such as the CCPA, may apply to residents of the state even when the resident is not physically present in that state (eg, on vacation or temporarily travelling in another area of the United States).

For more information about this answer please contact: Jenny Colgate from Rothwell, Figg, Ernst & Manbeck, P.C.
3.
Definitions
3.1
How are the following terms (or equivalents) defined in your jurisdiction? (a) Data processing; (b) Data processor; (c) Data controller; (d) Data subject; (e) Personal data; (f) Sensitive personal data; and (g) Consent.
Australia

Answer ... (a), (b), (c) There is no concept of “data processing” under the Privacy Act. The Privacy Act regulates the collection, holding, use, disclosure and destruction or de-identification of personal information. Each APP entity that undertakes any of these activities is regulated in the same way. As a consequence, there is no concept of “data processor” or “data controller” under the Privacy Act.

(d) There is no concept of “data subject” under the Privacy Act. The Privacy Act applies to personal information of living natural persons.

(e) There is no definition of “personal data” in the Privacy Act. Instead “personal information” is information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether or not the information is true or recorded in a material form.

(f) There is no definition of “sensitive personal data” in the Privacy Act. Instead “sensitive information” is a subset of personal information and includes:

  1. information or an opinion about a person’s race, political stance, religion, trade union and other professional memberships, sexual preferences and criminal record provided this is also personal information;
  2. health and genetic information about a person; and
  3. biometric information used for verification or identification and biometric templates of a person.

(g) In the Privacy Act “consent” is defined to mean express or implied consent. The Office of the Australian Information Commissioner (OAIC) Guidelines require that an individual is adequately informed before giving consent, that consent is voluntary, current and specific and that the individual has the capacity to understand and communicate his or her consent. Consent is required only in limited cases under the Privacy Act, such as for the collection and use of sensitive information.

For more information about this answer please contact: Angela Flannery from Holding Redlich
India

Answer ... (a) Data processing

The IT Act and the Privacy Rules do not define ‘data processing’.

(b) Data processor

The IT Act and the Privacy Rules do not define ‘data processor’. However, the government distinguishes between:

  • an entity that merely processes personal information and sensitive personal data or information (SPDI) on behalf of another body corporate, on the one hand; and
  • an entity that actually collects personal information and SPDI from a data subject, on the other.

Please see question 2.2 for more details.

(c) Data controller

The IT Act and the Privacy Rules do not define ‘data controller’. However, the government distinguishes between:

  • an entity that merely processes personal information and sensitive personal data or information (SPDI) on behalf of another body corporate, on the one hand; and
  • an entity that actually collects personal information and SPDI from a data subject, on the other.

Please see question 2.2 for more details.

(d) Data subject

The IT Act and the Privacy Rules do not define ‘data subject’. Instead, the Privacy Rules refer to the concept of ‘provider of information’. A ‘provider of information’ is a natural person who provides sensitive personal data or information to a body corporate.

(e) Personal data

The Privacy Rules define ‘personal data’ or ‘personal information’ as any information that relates to a natural person and that either directly or indirectly, in combination with other information available or likely to be available to a body corporate, is capable of identifying that person.

(f) Sensitive personal data

The Privacy Rules define ‘sensitive personal data or information’ (SPDI) as personal information relating to a data subject’s:

  • password;
  • financial information, such as bank account, credit card, debit card or other payment instrument details;
  • physical, physiological and mental health conditions;
  • sexual orientation;
  • medical records and history; or
  • biometric information.

(g) Consent

There is no specific definition of ‘consent’ under the IT Act and Privacy Rules.

For more information about this answer please contact: Probir Roy Chowdhury from J. Sagar Associates
Liechtenstein

Answer ... (a) Data processing

The gathering, processing or use of personal data by a processor in accordance with the instructions of the controller based on a contract.

(b) Data processor

Pursuant to Article 4 of the General Data Protection Regulation, a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

(c) Data controller

A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by EU or member state law, the controller or the specific criteria for its nomination may be provided for by EU or member state law.

(d) Data subject

An identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly – in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

(e) Personal data

Any information relating to an identified or identifiable natural person.

(f) Sensitive personal data

Personal data revealing an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; genetic data; biometric data for the purpose of uniquely identifying a natural person; data concerning health; and data concerning a natural person’s sex life or sexual orientation.

For more information about this answer please contact: Thomas Nägele from NAGELE Attorneys at Law LLC
Luxembourg

Answer ... (a) Data processing

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

(b) Data processor

A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

(c) Data controller

A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by EU or member state law, the controller or the specific criteria for its nomination may be provided for by EU or member state law.

(d) Data subject

An identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

(e) Personal data

Any information relating to an identified or identifiable natural person.

(f) Sensitive personal data

Personal data regarding racial or ethnic origin, political opinion, religious or philosophical beliefs, trade union membership, data concerning health, sex life or sexual orientation, genetic data and biometric data.

(g) Consent

Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him/her.

For more information about this answer please contact: Anne Morel from Bonn Steichen & Partners
Pakistan

Answer ... (a) Data processing

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

(b) Data processor

A natural or legal person, or the government, which alone or in conjunction with others processes data on behalf of the data controller.

(c) Data controller

A natural or legal person, or the government, which either alone or jointly with others has the authority to make a decision on the collection, obtaining, usage or disclosure of personal data.

(d) Data subject

A natural person who is the subject of the personal data.

(e) Personal data

Any information that relates directly or indirectly to a data subject who is identified or identifiable from that information, or from that and other information in the possession of a data controller, including any sensitive personal data. Anonymised, encrypted or pseudonymised data which is incapable of identifying an individual is not personal data.

(f) Sensitive personal data

This includes:

  • data relating to access control (username and/or password);
  • financial information such as details of bank accounts, credit cards, debit cards or other payment instruments;
  • passport information;
  • biometric data;
  • information on the data subject’s physical, psychological or mental health conditions;
  • medical records;
  • details pertaining to an individual’s ethnicity or religious beliefs; and
  • any other information for the purposes of the Pakistan Personal Data Protection Bill, 2020 and rules issued thereunder.

(g) Consent

Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, through a statement or a clear affirmative action, signifies agreement to the collection, obtaining and processing of his or her personal data.

For more information about this answer please contact: Saifullah Khan from S.U.Khan Associates Corporate & Legal Consultants
Portugal

Answer ... (a) Data processing

Any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

(b) Data processor

A natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.

(c) Data controller

A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by EU or member state law, the controller or the specific criteria for its nomination may be provided for by EU or member state law.

(d) Data subject

An identifiable natural person who can be identified, directly or indirectly – in particular, by reference to an identifier such as a name, an identification number, location data or online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

(e) Personal data

Any information relating to an identified or identifiable natural person (‘data subject’).

(f) Sensitive personal data

Personal data that reveals a data subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying that person, data concerning his or her health or data concerning his or her sex life or sexual orientation.

(g) Consent

Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, through a statement or a clear affirmative action, signifies agreement to the processing of his or her personal data.

For more information about this answer please contact: Óscar Madureira from Rato & Cortés, Sociedade de Advogados, SP, RL
Switzerland

Answer ... (a) Data processing

Any operation with personal data, irrespective of the means applied and the procedure, and in particular the collection, storage, use, revision, disclosure, archiving or destruction of data.

(b) Data processor

The DPA does not explicitly use this term and accordingly, there is no statutory definition. The Federal Data Protection and Information Commissioner (FDPIC) defines a ‘data processor’ or ‘data importer’ as a natural or legal person, public authority, agency or any other body (established in another country) that agrees to receive personal data from the ‘data exporter’/‘data controller’ for the purpose of processing such data on behalf of the latter after the transfer in accordance with its instructions.

(c) Data controller

The DPA does not explicitly use this term and accordingly, there is no statutory definition. The FDPIC defines a ‘data controller’ or ‘data exporter’ as a natural or legal person, public authority, agency or any other body established in Switzerland which, individually or together with others, determines the purpose and means of the processing of personal data and which transfers such data for the purpose of its processing on their behalf.

(d) Data subject

A natural or legal person whose data is processed.

(e) Personal data

All information relating to an identified or identifiable person.

(f) Sensitive personal data

Data relating to:

  • religious, ideological, political or trade union-related views or activities;
  • health, one’s intimate life or racial origin;
  • social security measures; and
  • administrative or criminal proceedings and sanctions.

(g) Consent

Consent must be given voluntarily, based on the provision of adequate information. Additionally, consent must be given expressly in the case of processing of sensitive personal data or personality profiles.

For more information about this answer please contact: Carol S. Rothenfluh from SwissLegal
Taiwan

Answer ... (a) Data processing

The term ‘processing’ under the Personal Data Protection Act (PDPA) covers two activities: ‘processing’ and ‘use’. Under the PDPA, ‘processing’ refers to the act of recording, inputting, storing, compiling/editing, correcting, duplicating, retrieving, deleting, outputting, connecting or internally transferring data for the purpose of establishing or using a personal data file. ‘Use’ refers to the act of using personal data through any method other than processing.

(b) Data processor

The PDPA does not specifically adopt any of the terms used in European countries – such as ‘data controller’, ‘data processor’ or ‘data owner’ – to refer to the relevant parties involved in personal data-related activity, although these concepts are embedded in the PDPA. Under the PDPA, a ‘data processor’ is a person or entity that is retained by another to perform data processing activities.

(c) Data controller

Again, the PDPA does not explicitly adopt this term in its text; it simply subjects ‘government agencies’ and ‘non-government agencies’ to two different sets of rules in regard to personal data related activities.

(d) Data subject

Under the PDPA, the term ‘data subject’ refers to an individual whose personal data is collected, processed or used.

(e) Personal data

The PDPA defines ‘personal data’ as a natural person’s name, date of birth, identity card number, passport number, features, fingerprints, marital status, family information, education background, occupation, medical records, healthcare data, genetic data, details of his or her sex life, records of physical examination, criminal records, contact information, financial conditions, data concerning his or her social activities and any other information that may be used to directly or indirectly identify that person.

(f) Sensitive personal data

Personal data pertaining to an individual’s medical records, healthcare, genetics, sex life, physical examination and criminal records is categorised as ‘sensitive personal data’ and is subject to special protection.

(g) Consent

Pursuant to the PDPA, consent must be informed and express, with only one exception. This applies where, at the time the data is collected, the data subject is advised of the notification matters required under the PDPA and surrenders his or her data to the data controller without objection after being duly informed.

For more information about this answer please contact: Ken-Ying Tseng from Lee And Li
Turkey

Answer ... (a) Data processing

Any operation which is performed on personal data, wholly or partially by automated means or non-automated means, which forms part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorisation or restriction.

(b) Data processor

A natural or legal person that processes personal data on behalf of the data controller and with its authorisation.

(c) Data controller

A natural or legal person that determines the purposes and means of the data processing and is responsible for the establishment and management of the data filing system.

(d) Data subject

A natural person whose personal data is processed.

(e) Personal data

Any information relating to an identified or identifiable natural person.

(f) Sensitive personal data

Known as ‘special categories of personal data’ in Turkey: that is, personal data relating to an individual’s race, ethnic origin, political opinions, philosophical beliefs, religious or other beliefs, appearance, membership of associations, foundations or trade unions, health, sexual life, criminal convictions or security measures; and biometric and genetic data.

(g) Consent

Consent in Turkey is ‘explicit’ when it is freely given, specific and informed.

For more information about this answer please contact: Burak Özdağıstanli from Ozdagistanli Ekici Avukatlık Ortaklığı
UK

Answer ... (a) Data processing

‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Article 4(2) of the General Data Protection Regulation (GDPR)).

(b) Data processor

‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Article 4(8) of the GDPR).

(c) Data controller

‘Controller’ means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by EU or member state law, the controller or the specific criteria for its nomination may be provided for by EU or member state law (Article 4(7) of the GDPR).

(d) Data subject

‘Data subject’ means an identifiable natural person.

(e) Personal data

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier – such as a name, an identification number, location data or an online identifier – or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Article 4(1) of the GDPR).

(f) Sensitive personal data

Under the GDPR, special categories of data are subject to a higher threshold for protection. Article 9(1) of the GDPR defines ‘special category data’ as the following:

  • personal data revealing racial or ethnic origin;
  • personal data revealing political opinions;
  • personal data revealing religious or philosophical beliefs;
  • personal data revealing trade union membership;
  • genetic data;
  • biometric data (where used for identification purposes);
  • data concerning health;
  • data concerning a person’s sex life; and
  • data concerning a person’s sexual orientation.

(g) Consent

The ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her (Article 4(11) of the GDPR).

For more information about this answer please contact: Benjamin Ross from Bortstein Legal Group
United States

Answer ... As the protections afforded by state statutes vary from one state to another, there is no uniform set of definitions across all states or all regulations. Under the California Consumer Privacy Act (CCPA), the most comprehensive state privacy law which has served as a model for other state privacy laws, the terms are defined as follows.

(a) Data processing

Under the CCPA, ‘processing’: Any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means.

(b) Data processor

Under the CCPA, a ‘service provider’: Any for-profit entity that processes personal information on behalf of a covered business.

(c) Data controller

Under the CCPA, a covered ‘business’: Any for-profit entity that:

  • does business in California;
  • collects (or has collected on its behalf) personal information of California residents and determines the purposes and means of the processing of that personal information; and
  • meets certain thresholds of gross revenue or amount of personal information collected.

(d) Data subject

Under the CCPA, ‘consumer’: All California residents, even if they are temporarily outside of the state (eg, on vacation). This definition does not cover visitors to California.

(e) Personal data

Under the CCPA, ‘personal information’: Information that identifies, relates to, describes or is reasonably capable of being associated with a particular consumer or household, including (but not limited to):

  • personal identifiers (eg, name, postal address, email address, online IP address, social security number);
  • internet activity information; and
  • employment, educational and commercial information.

(f) Sensitive personal data

The CCPA does not distinguish sensitive personal data from personal information. The protection of specific classes of sensitive personal information (eg, health data, financial data and data of children) is governed by sector-specific state and federal laws.

(g) Consent

‘Consent’ is not defined under the CCPA and requires further guidance from the attorney general.

For more information about this answer please contact: Jenny Colgate from Rothwell, Figg, Ernst & Manbeck, P.C.
3.2
What other key terms are relevant in the data privacy context in your jurisdiction?
Australia

Answer ... The application of the Privacy Act is triggered when an APP entity first ‘collects’ personal information, irrespective of how personal information is collected (or the purpose of the collection). ‘Collect’ means collect for inclusion in a record (whether a paper or electronic record) or a generally available publication (eg, a magazine or newspaper).

To be ‘de-identified’, information must be modified so that it no longer identifies a person or is reasonably likely to identify them. Additional protections may be required to prevent re-identification.

‘Disclosure’ is not defined in the Privacy Act. The OAIC interprets this in the OAIC Guidelines to mean providing access or visibility to an external person where the subsequent handling of the personal information is outside the discloser’s control.

To ‘hold’ means to possess or control a record (either physical or electronic) that contains personal information. ‘Control’ refers to the right or power to deal with the record.

‘Purpose’ limits the use and disclosure by an APP entity of personal information. An APP entity must disclose its ‘primary purpose’ – typically in its privacy policy or otherwise – at the time of collection. APP entities may also use and disclose personal information for ‘secondary purposes’. For example, if, notwithstanding that an individual was not informed of a purpose, he or she would reasonably expect the information to be used or disclosed for a particular purpose that is related (or for sensitive information, directly related) to the primary purpose, this will be a permitted secondary purpose.

For more information about this answer please contact: Angela Flannery from Holding Redlich
India

Answer ... As per the Information Technology (Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 issued under the IT Act, a ‘cyber incident’ is any real or suspected adverse event in relation to cybersecurity that violates an explicitly or implicitly applicable security policy, resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource for the processing or storage of information or unauthorised changes to data or information.

For more information about this answer please contact: Probir Roy Chowdhury from J. Sagar Associates
Liechtenstein

Answer ... N/A.

For more information about this answer please contact: Thomas Nägele from NAGELE Attorneys at Law LLC
Luxembourg

Answer ... The terms are defined as in the EU General Data Protection Regulation. There are no other key relevant terms in our jurisdiction.

For more information about this answer please contact: Anne Morel from Bonn Steichen & Partners
Pakistan

Answer ... Third party: Any person other than:

  • a data subject;
  • a relevant person in relation to a data subject;
  • a data controller;
  • a data processor; or
  • a person authorised in writing by the data controller to process personal data under the direct control of the data controller.

Relevant person:

  • In the case of a data subject who is below the age of 18, the parent or a guardian appointed by a court of competent jurisdiction;
  • In the case of a data subject who is incapable of managing his or her own affairs, a person who is appointed by a court to manage those affairs; or
  • A person authorised by the data subject to make a data access and/or data correction request.

Vital interests: Matters relating to the life, death or security of a data subject.

For more information about this answer please contact: Saifullah Khan from S.U.Khan Associates Corporate & Legal Consultants
Portugal

Answer ... Other key terms, as defined by the General Data Protection Regulation, include the following:

  • ‘Profiling’: Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person – in particular, to analyse or predict aspects concerning his or her performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
  • ‘Recipient’: A natural or legal person, public authority, agency or another body to which personal data is disclosed, whether a third party or not; some exceptions apply.
  • ‘Third party’: A natural or legal person, public authority, agency or body other than the data subject, controller, processor or persons under the direct authority of the controller or processor which is authorised to process personal data.
  • ‘Personal data breach’: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
  • ‘Cross-border processing’: The processing of personal data which takes place in the context of the activities of establishments in more than one member state of a controller or processor in the European Union, where the controller or processor is established in more than one member state; or the processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the European Union, but which substantially affects or is likely to substantially affect data subjects in more than one member state.

For more information about this answer please contact: Óscar Madureira from Rato & Cortés, Sociedade de Advogados, SP, RL
Switzerland

Answer ... ‘Personality profile’: A collection of data that permits the assessment of essential characteristics of the personality of a natural person.

‘Data file’: Any set of personal data that is structured in such a way that the data is accessible by the data subject.

For more information about this answer please contact: Carol S. Rothenfluh from SwissLegal
Taiwan

Answer ... The PDPA does not include the term ‘data controller’, referring only to ‘government agencies’ and ‘non-government agencies’. In this Q&A, unless otherwise specified, the term ‘data controller’ refers to ‘non-government agencies’ only.

For more information about this answer please contact: Ken-Ying Tseng from Lee And Li
Turkey

Answer ...

  • Registry of Data Controllers Information System (VERBIS): The information system through which data controllers submit their applications and conduct other relevant actions in relation to the registry.
  • Contact person: A natural person (Turkish citizen) who is designated at the time of registration with VERBIS by the data controller for the purpose of communicating with the Data Protection Authority.
  • Personal data processing inventory: An inventory created and maintained by the data controller on the personal data processing activities that it conducts, including information on:
    • the purposes of the data processing;
    • the data categories;
    • the recipient groups;
    • the groups of data subjects;
    • the storage period;
    • any transfers of personal data to foreign countries; and
    • the precautions taken in respect of data security.
  • Data controller representative: A legal entity which is based in Turkey or a natural person who is a Turkish citizen that is authorised to represent the foreign data controller in Turkey.

For more information about this answer please contact: Burak Özdağıstanli from Ozdagistanli Ekici Avukatlık Ortaklığı
UK

Answer ... The GDPR also defines the following terms which form an important part of the UK data privacy regime:

  • ‘Personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
  • ‘Joint controller’ refers to two or more controllers that jointly determine the purposes and means of processing.
  • ‘Pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
  • ‘Biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.
  • ‘Genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which gives unique information about the physiology or health of that natural person and which results, in particular, from an analysis of a biological sample from the natural person in question.
  • ‘Profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person – in particular, to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

For more information about this answer please contact: Benjamin Ross from Bortstein Legal Group
United States

Answer ... Under the CCPA, consumers have the right to opt-out of the sale of their personal information. A ‘sale’ or ‘selling’ is broadly defined as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration”.

‘Aggregate consumer information’, ‘de-identified’, ‘probabilistic identifier’, ‘pseudonymise’ and ‘pseudonymisation’ are all defined terms under the CCPA, relating to the degree to which data can identify a person.

‘Biometric information’ is expansively defined in the CCPA as “an individual’s physiological, biological or behavioural characteristics, including an individual’s deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity”. Listed examples include:

  • imagery of the iris, retina, fingerprint, face, hand, palm or vein patterns;
  • voice recordings;
  • keystroke patterns or rhythms;
  • gait patterns or rhythms; and
  • sleep, health or exercise data that contains identifying information.

For more information about this answer please contact: Jenny Colgate from Rothwell, Figg, Ernst & Manbeck, P.C.
4.
Registration
4.1
Is registration of data controllers and processors mandatory in your jurisdiction? What are the consequences of failure to register?
Australia

Answer ... There is no requirement for any entity to register under the Privacy Act.

For more information about this answer please contact: Angela Flannery from Holding Redlich
India

Answer ... No, the IT Act and Privacy Rules do not require data collectors or data processors to be registered in India.

For more information about this answer please contact: Probir Roy Chowdhury from J. Sagar Associates
Liechtenstein

Answer ... No.

For more information about this answer please contact: Thomas Nägele from NAGELE Attorneys at Law LLC
Luxembourg

Answer ... There is no registration requirement in Luxembourg, as the EU General Data Protection Regulation (GDPR) does not require notifications or registrations before processing data.

For more information about this answer please contact: Anne Morel from Bonn Steichen & Partners
Pakistan

Answer ... Sections 34(2)(e) and (f) of the Pakistan Personal Data Protection Bill, 2020 empower the Personal Data Protection Authority of Pakistan to devise and formulate a registration and licensing mechanism/framework for data controllers and data processors. The details regarding who must be registered, the registration process and the consequences of failure to register will be dealt with under a framework devised by the Personal Data Protection Authority of Pakistan after its establishment.

For more information about this answer please contact: Saifullah Khan from S.U.Khan Associates Corporate & Legal Consultants
Portugal

Answer ... The registration of data controllers is no longer required under the General Data Protection Regulation.

For more information about this answer please contact: Óscar Madureira from Rato & Cortés, Sociedade de Advogados, SP, RL
Switzerland

Answer ... In Switzerland, there is no registration of data controllers and processors. Notwithstanding the foregoing, the Federal Data Protection and Information Commissioner maintains a register of data files (see question 3.2(b)). Companies must declare their data files if they regularly process sensitive personal data or personality profiles; or if they regularly disclose personal data to third parties.

For more information about this answer please contact: Carol S. Rothenfluh from SwissLegal
Taiwan

Answer ... There is no registration system under the Personal Data Protection Act.

For more information about this answer please contact: Ken-Ying Tseng from Lee And Li
Turkey

Answer ... Data controllers (both Turkish and foreign) must register with the Registry of Data Controllers Information System (VERBIS) by 30 September 2020. An administrative fine of between TRY 36,000 and TRY 1.8 million (approximately €4,400 to €220,122) will be imposed on anyone that fails to register with or notify VERBIS where required to do so.

Further, an additional administrative fine of up to TRY 1.8 million may also be applied where the Data Protection Authority (DPA) decides to restrict the data processing activities of the data controller in Turkey.

For more information about this answer please contact: Burak Özdağıstanli from Ozdagistanli Ekici Avukatlık Ortaklığı
UK

Answer ... Individuals and/or organisations that determine the purpose for which personal data is processed (controllers) must pay a data protection fee to the Information Commissioner’s Office (ICO), unless they are exempt. Organisations that fail to register can face a maximum fine, at the time of writing, of £4,350. The ICO can send notices of its intent to fine organisations unless they pay.

For more information about this answer please contact: Benjamin Ross from Bortstein Legal Group
United States

Answer ... There are no US privacy laws that require data controller and processor registration. Some states have started to require data brokers to register with the state, upon which the state makes the registry available to the public via a website. Vermont started this trend with the passage of H 764, and was later followed by California, which adopted legislation (AB 1202) supplemental to the California Consumer Privacy Act (CCPA) requiring the registration of data brokers. It is expected that more states will likely implement data broker registries in the future.

In Vermont, failure to register and make the required disclosures may result in fines of $50 for each day the data broker fails to register, up to a maximum of $10,000 per year. In California, there are also penalties for failing to register, including a civil penalty of $100 per day of non-registration, and expenses incurred by the attorney general in investigating and prosecuting an action for failure to register.

For more information about this answer please contact: Jenny Colgate from Rothwell, Figg, Ernst & Manbeck, P.C.
4.2
What is the process for registration?
Australia

Answer ... Not applicable.

For more information about this answer please contact: Angela Flannery from Holding Redlich
India

Answer ... Not applicable.

For more information about this answer please contact: Probir Roy Chowdhury from J. Sagar Associates
Liechtenstein

Answer ... N/A.

For more information about this answer please contact: Thomas Nägele from NAGELE Attorneys at Law LLC
Luxembourg

Answer ... This is not applicable in Luxembourg.

For more information about this answer please contact: Anne Morel from Bonn Steichen & Partners
Pakistan

Answer ... Not yet established.

For more information about this answer please contact: Saifullah Khan from S.U.Khan Associates Corporate & Legal Consultants
Portugal

Answer ... Not applicable; see question 4.1.

For more information about this answer please contact: Óscar Madureira from Rato & Cortés, Sociedade de Advogados, SP, RL
Switzerland

Answer ... Data files must be registered prior to their operational use and each controller of a data file must update this information on an ongoing basis.

For more information about this answer please contact: Carol S. Rothenfluh from SwissLegal
Taiwan

Answer ... N/A.

For more information about this answer please contact: Ken-Ying Tseng from Lee And Li
Turkey

Answer ... Natural or legal persons who process personal data must register with VERBIS before commencing data processing activities. The deadline for registration (for those that already are processing personal data in Turkey) is 30 September 2020.

The process is different for foreign controllers and Turkish controllers.

Foreign controllers: Generally, before processing personal data, foreign private sector controllers must:

  • appoint a Turkish natural or legal person as data controller representative. The appointment decision must be signed by an authorised individual of the controller, notarised and apostilled, and sent to the local representative;
  • appoint an individual to act as a contact person with the DPA;
  • prepare a data processing inventory; and
  • register with VERBIS.

Only local representatives can register on behalf of foreign controllers. The registration is completed online by the local representative and the following information must be provided:

  • identification information, including the name and address of the controller and its representative;
  • the purpose of the personal data processing;
  • a data processing inventory, including the applicable data subject groups and personal data categories;
  • any third parties or groups of recipients to which the personal data may be transferred, including details of any cross-border data transfers;
  • a description of the safety and security measures taken; and
  • the maximum term for processing personal data, which must correspond to the purpose for which the data is being processed.

Turkish controllers: Generally, before processing personal data, Turkish controllers must:

  • appoint an individual to act as a ‘contact person’ with the DPA;
  • prepare a data processing inventory; and
  • register with VERBIS.

The following Turkish controllers are exempt from registration:

  • controllers that employ fewer than 50 employees and have an annual balance sheet of less than TRY 25 million, unless their main business relies on processing sensitive personal data (eg, doctors, hospitals);
  • public notaries;
  • political parties;
  • lawyers;
  • accountants;
  • customs advisers;
  • mediators; and
  • non-profit organisations such as associations, foundations and unions, if they process personal data that is:
    • appropriate for their purpose;
    • limited to their field of activity; and
    • only for their own employees, members and donors.

For more information about this answer please contact: Burak Özdağıstanli from Ozdagistanli Ekici Avukatlık Ortaklığı
UK

Answer ... Organisations that are controllers register online via the ICO website and registration must be renewed annually. Below is the list of tiers at the time of writing that an organisation can fall under, due to its turnover and number of staff, which determines the registration fee and the associated fee:

  • Tier 1 – micro-organisations with a maximum turnover of £632,000 or no more than 10 members of staff: £40
  • Tier 2 – small and medium-sized enterprises with a maximum turnover of £36 million or no more than 250 members of staff: £60
  • Tier 3 – large organisations which do not meet the criteria of Tier 1 or 2: £2,900.

There is a £5 discount for payments made by direct debit.

The ICO’s website should be consulted for the latest tariffs.

For more information about this answer please contact: Benjamin Ross from Bortstein Legal Group
United States

Answer ... To register in either Vermont or California, data brokers must provide their name, primary email, and physical and website addresses. Additionally, in California, data brokers may provide “any additional information or explanation the data broker chooses to provide concerning its data collection practices”. In Vermont, data brokers must also specify whether they permit consumers to opt out of:

  • the data broker’s collection of brokered personal information;
  • its databases; or
  • certain sales of data.

The following details must further be included:

  • the method for requesting opt-out;
  • if the opt-out applies to only certain activities or sales, which ones; and
  • whether the data broker permits a consumer to authorise a third party to perform the opt-out on the consumer’s behalf.

In California, the CCPA right to opt out of the sale of personal information applies to data brokers. Thus, data brokers must:

  • contact consumers directly to provide notice that the data broker sells personal information and to provide the right to opt-out; or
  • both:
    • confirm that the source from which the data broker obtained the personal information provided the consumer with a notice at the point of collection; and
    • obtain signed attestation from the source describing and including an example of the notice that the source provided to the consumer.

If proceeding under the second limb above, the data broker must retain the signed attestation for a period of two years and provide it to the consumer upon request.

There is a fee for registering as a data broker in both states. The fee is $100 in Vermont and $360 in California.

For more information about this answer please contact: Jenny Colgate from Rothwell, Figg, Ernst & Manbeck, P.C.
4.3
Is registered information publicly accessible?
Australia

Answer ... Not applicable.

For more information about this answer please contact: Angela Flannery from Holding Redlich
India

Answer ... Not applicable.

For more information about this answer please contact: Probir Roy Chowdhury from J. Sagar Associates
Liechtenstein

Answer ... N/A.

For more information about this answer please contact: Thomas Nägele from NAGELE Attorneys at Law LLC
Luxembourg

Answer ... This is not applicable in Luxembourg.

For more information about this answer please contact: Anne Morel from Bonn Steichen & Partners
Pakistan

Answer ... Not as yet.

For more information about this answer please contact: Saifullah Khan from S.U.Khan Associates Corporate & Legal Consultants
Portugal

Answer ... The original public record of controllers has been discontinued. However, historical data is still available online and searchable by name of the controller.

For more information about this answer please contact: Óscar Madureira from Rato & Cortés, Sociedade de Advogados, SP, RL
Switzerland

Answer ... Yes, the register of data files is accessible online at www.datareg.admin.ch.

For more information about this answer please contact: Carol S. Rothenfluh from SwissLegal
Taiwan

Answer ... N/A.

For more information about this answer please contact: Ken-Ying Tseng from Lee And Li
Turkey

Answer ... VERBIS is maintained publicly. The following data can be reviewed by the public:

  • the full name/trade name, address and, where applicable, REM address of the data controller, the data controller’s representative, if any, and the contact person;
  • the designated purposes for which the personal data may be processed;
  • the groups of data subjects and the data categories of such persons;
  • the recipients and recipient groups to which the personal data may be transferred;
  • the personal data which may be transferred to foreign countries;
  • the date of registration with VERBIS and the date on which the validity of such registration expires;
  • the precautions taken in respect of personal data security; and
  • the maximum timeframe required to achieve the purpose for which the personal data is being processed.

For more information about this answer please contact: Burak Özdağıstanli from Ozdagistanli Ekici Avukatlık Ortaklığı
UK

Answer ... The registered information is publicly accessible via the ICO website at https://ico.org.uk/ESDWebPages/Search.

For more information about this answer please contact: Benjamin Ross from Bortstein Legal Group
United States

Answer ... Yes.

For more information about this answer please contact: Jenny Colgate from Rothwell, Figg, Ernst & Manbeck, P.C.
5.
Data processing
5.1
What lawful bases for processing personal data are recognised in your jurisdiction? Do these vary depending on the type of data being processed?
Australia

Answer ... An agency (regulated Commonwealth public entity) may collect personal information that is not sensitive information if the information is reasonably necessary for, or directly related to, its functions or activities (Australian Privacy Principle (APP) 3.1). Personal information that is not sensitive information may be collected by private sector APP entities only if it is reasonably necessary for the entity’s functions or activities (APP 3.2).

In the case of all APP entities, consent must be obtained from the relevant individual to collect sensitive information (APP 3.3) other than in limited cases, such as where required by law.

To be ‘directly related to’ an agency’s functions or activities, there must be a clear and direct connection with the relevant function or activity. The Office of the Australian Information Commissioner (OAIC) Guidelines state that the term ‘reasonably necessary’ must be determined objectively, so that if reasonable alternatives are available such as the use of de-identified information, that test will not be satisfied. Further, in the view of the OAIC, it is not sufficient if the collection is simply helpful in some way or convenient.

Personal information may generally be used and disclosed only for the purposes for which it was collected, which will typically be set out in the APP entity’s privacy policy or disclosed at the time of collection (referred to as the ‘primary purpose’). The OAIC Guidelines note that context will help in identifying the primary purpose of collection of personal information. Use and disclosure for secondary purposes are permitted in limited circumstances (see question 3.2).

For more information about this answer please contact: Angela Flannery from Holding Redlich
India

Answer ... The IT Act and Privacy Rules do not prescribe any lawful bases for processing ordinary personal data. At present, such information may be freely collected and processed. However, a data collector may collect and process a data subject’s sensitive personal data or information (SPDI) only if:

  • the SPDI is collected for a lawful purpose connected with a function or activity of the data collector; and
  • the collection of the SPDI is considered necessary for that purpose.

For more information about this answer please contact: Probir Roy Chowdhury from J. Sagar Associates
Liechtenstein

Answer ... The law provides six legal bases for processing:

  • consent;
  • performance of a contract;
  • a legitimate interest;
  • a vital interest;
  • a legal requirement; and
  • a public interest.

At least one of these must apply whenever personal data is processed. No single basis is ‘better’ or more important than the others – the basis which is most appropriate to use will depend on the purpose and relationship with the individual.

For more information about this answer please contact: Thomas Nägele from NAGELE Attorneys at Law LLC
Luxembourg

Answer ... All the lawful bases provided for by the EU General Data Protection Regulation (GDPR) are recognised in Luxembourg. Therefore, the processing of personal data shall be lawful only if and to the extent that at least one of the following applies:

  • The data subject has consented to the processing of his or her personal data for one or more specific purposes;
  • Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • Processing is necessary for compliance with a legal obligation to which the controller is subject;
  • Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
  • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Sensitive data is subject to enhanced protection and its processing is, in principle, prohibited. Nevertheless, the prohibition does not apply if one of the following applies:

  • The data subject has given explicit consent to the processing of the personal data for one or more specified purposes;
  • The processing is necessary for a legal obligation in the field of employment, social security or social protection law;
  • The processing is necessary to protect the vital interests of the data subject or another person where the data subject is unable to give consent;
  • The processing is carried out by a non-profit-seeking body and relates to members of that body or persons who have regular contact;
  • The processing relates to data made public by the data subject;
  • The processing is necessary for legal claims;
  • The processing is necessary for reasons of substantial public interest;
  • The processing is necessary for healthcare reasons;
  • The processing is necessary for public health reasons; or
  • The processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) of the GDPR shall be carried out only under the control of official authority or when the processing is authorised by EU or member state law providing for appropriate safeguards for the rights and freedoms of data subjects.

For more information about this answer please contact: Anne Morel from Bonn Steichen & Partners
Pakistan

Answer ... The lawful basis for processing personal data is as follows:

  • The data is processed for a lawful purpose directly related to an activity of the data controller;
  • The processing of the personal data is necessary for or directly related to that purpose; and
  • The personal data is adequate, but not excessive in relation to that purpose.

The lawful basis for processing sensitive personal data is listed under question 1.2.

For more information about this answer please contact: Saifullah Khan from S.U.Khan Associates Corporate & Legal Consultants
Portugal

Answer ... In general, the primary requirement for the lawful processing of personal data is the consent of the data subject. Consent is the golden rule of personal data processing, but there are instances in which it becomes either not feasible or not required, such as the following:

  • If the data subject is unable to provide consent and the processing is necessary to protect his or her vital interests (eg, to save his or her life), the data may be lawfully processed without consent.
  • Public authorities, when legitimately exercising their powers, may lawfully carry out tasks involving the processing of personal data without the data subject’s consent.
  • Processing carried out to comply with a legal obligation is lawful.
  • The processing of personal data carried out in the performance of a contract to which the data subject is a party is also lawful.
  • If the processing of personal data is required to protect the legitimate interests of the controller (or even of a third party), the lawfulness of that processing depends on an assessment of whether those interests override the interests or fundamental rights of the data subject. In practice, this may be difficult to determine and should be considered only where there is clear and strong evidence in favour of the processing.

Stricter regimes apply in relation to the lawful processing of sensitive personal data and personal data relating to criminal convictions and offences.

For more information about this answer please contact: Óscar Madureira from Rato & Cortés, Sociedade de Advogados, SP, RL
Switzerland

Answer ... In Switzerland, the meaning of the principle of legality is different for federal bodies and private persons. In the public law sector, the legality of state action is the basic principle and therefore the processing of personal data always requires a legal basis.

With respect to data processing by private persons, the legal situation is more differentiated. Data processing by private persons does not per se constitute a breach of the privacy rights of the data subjects concerned. Consequently, data processing requires a justification – that is, the consent of the data subject, a legal basis or an overriding private or public interest – only if it unlawfully breaches the privacy of the data subject (Article 12(1) in relation to Article 13 of the Federal Act on Data Protection (DPA)). As a general rule, no justification for processing personal data is required if the data subject has made the data generally available and has not expressly restricted the data processing (Article 12(3) of the DPA).

On the other hand, justification is required if:

  • the data processing violates one of the general data protection principles of the DPA outlined in question 5.2;
  • the personal data is processed against the data subject’s express will; or
  • sensitive personal data or personality profiles are disclosed to third parties for such third parties’ own purposes (Article 12(2) of the DPA).

For more information about this answer please contact: Carol S. Rothenfluh from SwissLegal
Taiwan

Answer ... While under EU law, the term ‘data processing’ covers all types of activities that a data controller conducts using the data that it collects, under Taiwan law, ‘data processing’ refers to only some of those activities. For most activities, the term ‘use of personal data’ is used instead. The legal requirements under the Personal Data Protection Act (PDPA) are as follows.

Collection of personal data: Pursuant to the PDPA, a non-government agency must have a specific purpose for collecting personal data and one of the following legal grounds must apply:

  • The processing is specifically permitted by law;
  • The non-government agency and the data subject have entered into or are negotiating a contract;
  • The data is already in the public domain due to disclosure by the data subject or in a legitimate manner;
  • The processing is necessary for an academic research institution to gather statistics or conduct academic research in the public interest, provided that any information sufficient to identify the data subject has been removed;
  • The consent of the data subject has been obtained;
  • The processing is necessary in the public interest;
  • The data has been collected from a source that is accessible to the collector, unless the interests of the data subject take precedence over those of the collector; or
  • The processing will not harm the data subject's rights or benefits.

Use of personal data: A non-government agency must use personal data within the scope of the specific purpose for which it was collected. If the data is used for some other purpose, one of the following conditions must be met:

  • The additional use is pursuant to a specific provision set forth under the law;
  • The additional use is necessary to promote a public interest;
  • The additional use is necessary to prevent a risk to the life, body, freedom or property of the data subject;
  • The additional use is necessary to prevent material harm to the rights or benefits of third parties;
  • The additional use is necessary for an academic research institution to gather statistics or conduct academic research in the public interest, provided that any information sufficient to identify the data subject has been removed;
  • The consent of the data subject has been obtained; or
  • The additional use will benefit the data subject.

Collection and use of sensitive personal data: Pursuant to Article 6 of the PDPA, sensitive personal data – that is, any personal data concerning medical records, medical treatment, genetic information, sexual activity, health examinations or criminal records – may be collected, processed or used only in the following situations:

  • The collection and use is specifically stipulated by law;
  • The information is necessary for a government agency to perform its legal duties or for a non-government agency to fulfil its legal obligations, and proper security measures are adopted prior or subsequent to such collection, processing or use;
  • The data subject has made such information public or the information has been publicised legally;
  • The information is necessary to collate statistics or conduct other academic research, or is collected, processed or used by a government agency or an academic research institution for the purpose of medical treatment, public health or crime prevention, as long as the information does not lead to the identification of a specific person after its processing by the provider or its disclosure by the collector;
  • The information is necessary to assist a government agency in performing its legal duties or a non-government agency in fulfilling its legal obligations, and proper security measures are adopted prior or subsequent to such collection, processing or use; or
  • The data subject has freely consented in writing and the use of such information does not exceed the necessary scope of the specific purpose, and no other restrictions under any other statute apply.

For more information about this answer please contact: Ken-Ying Tseng from Lee And Li
Turkey

Answer ...

  • The data subject has explicitly consented.
  • The data processing is expressly provided for by law.
  • The data processing is required for the protection of the life or physical integrity of the data subject, or of any other person who is unable to give his or her consent due to physical disability, or whose consent is not deemed legally valid.
  • The data processing is necessary to execute a contract between the parties, provided that it is directly related to the establishment or performance of that contract.
  • The data processing is required to comply with a legal obligation to which the data controller is subject.
  • The personal data has been made public by the data subject himself or herself.
  • The data processing is required for the establishment, exercise or protection of any right.
  • The data processing is required for legitimate interests pursued by the data controller, provided that this does not violate the fundamental rights and freedoms of the data subject.

In principle, special categories of personal data may be processed only with the explicit consent of the data subject.

With the exception of data concerning health and sexual life, special categories of personal data may also be processed without seeking the explicit consent of the data subject in the cases provided for by law.

Data concerning health and sexual life may be processed without the explicit consent of the data subject only by persons who are subject to a secrecy obligation or competent public institutions and organisations, for the purposes of the protection of public health, the operation of preventive medicine, medical diagnosis, treatment and nursing services, or the planning, management or financing of healthcare services.

For more information about this answer please contact: Burak Özdağıstanli from Ozdagistanli Ekici Avukatlık Ortaklığı
UK

Answer ... There are six lawful bases for processing personal data, set out in Article 6 of the General Data Protection Regulation (GDPR). At least one of these must apply whenever personal data is being processed:

  • Consent: The data subject has given clear, unambiguous consent to allow the processing of personal data for a specific purpose.
  • Contract: The processing of the personal data is a necessary part of a contract with an individual or forms part of the specific steps before entering into a contract.
  • Legal obligation: The processing is necessary to comply with the law (this does not include contractual obligations).
  • Vital interests: The processing is necessary in order to protect someone’s life.
  • Public task: The processing is necessary to perform a task in the public interest or for official functions, and the task or function in question has a clear basis in law.
  • Legitimate interests: The processing is necessary for legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests (this does not apply if a public authority is processing data to perform official tasks).

Special category data: The GDPR differentiates between personal data and special categories of data. Special category data is any personal data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (where used for identification purposes), data concerning health, data concerning a person’s sex life and data concerning a person’s sexual orientation. Processing criminal offence data, while not special category data, is also subject to a higher threshold under the Data Protection Act 2018 (DPA 2018).

Organisations are prohibited from processing special category data, even if they have one of the Article 6 bases, unless it falls under an exception in Article 9 of the GDPR. The first five of the conditions for processing are provided solely in Article 9. The other five require authorisation or a basis in UK law, which means there are additional conditions set out in the DPA 2018 which should be considered.

Article 9 lists the exceptions for processing special category data:

  • explicit consent;
  • employment, social security and social protection (if authorised by law);
  • vital interests;
  • not-for-profit bodies;
  • made public by the data subject;
  • legal claims or judicial acts;
  • reasons of substantial public interest (with a basis in law);
  • health or social care (with a basis in law);
  • public health (with a basis in law); and
  • archiving, research and statistics (with a basis in law).

Clause 10 of the DPA 2018 deals with the processing of criminal convictions and requires an additional ground to be able to carry out the processing, as set out in Part 1, 2 or 3 of Schedule 1 of the DPA 2018. It is also usually necessary to have an appropriate policy document and a record of processing to record this. Some examples of grounds that may apply to processing criminal offence data are:

  • prevention or detection of unlawful acts;
  • protection of the public against dishonesty;
  • regulatory requirements relating to unlawful acts and dishonesty;
  • prevention of fraud; or
  • suspicion of terrorist financing or money laundering.

For more information about this answer please contact: Benjamin Ross from Bortstein Legal Group
United States

Answer ... There are a handful of privacy laws under which the processing of personal data is prohibited without a user’s consent. For example, the Children’s Online Privacy Protection Act (COPPA) prohibits entities from processing personal data of children under 13 years old without verifiable parental consent. Also, some state biometric privacy laws prohibit the processing of biometric information without consent (eg, the Illinois Biometric Information Privacy Act).

More typical in the United States are privacy laws that prohibit the sharing or sale of personal information without a user’s consent. For example:

  • several states have financial privacy laws which require that individuals opt in to allow financial institutions to share non-public personal information with third parties;
  • a number of states require consent to disclose genetic information;
  • the Family Educational Rights and Privacy Act requires student or parent signature for schools to disclose personally identifiable information of students; and
  • several states have privacy laws prohibiting internet service providers from disclosing customer information absent express permission.

Further, the California Consumer Privacy Act (CCPA) provides consumers with the right to ‘opt out’ of the sale or sharing of their personal information.

Under the CCPA, businesses also have the right to refuse a data subject request and to continue processing the personal data if the business has a legitimate business purpose for doing so, such as:

  • completing a transaction for which the personal information was collected;
  • providing goods or services requested by the consumer; or
  • otherwise performing a contract between the business and the consumer.

In the online context, the use of strictly necessary cookies, such as those required to make websites function, is also considered lawful and does not require consumer consent.

For more information about this answer please contact: Jenny Colgate from Rothwell, Figg, Ernst & Manbeck, P.C.
5.2
What key principles apply (eg, notice) when processing personal data in your jurisdiction? Do these vary depending on the type of data being processed? Or on whether it is outsourced?
Australia

Answer ... Each APP entity that collects, holds, uses, discloses or destroys/de-identifies personal information, under any type of arrangement, is subject to the Privacy Act.

The purposes for which personal information may be collected, used and disclosed are specified in question 5.1. Other key principles that apply to collection, holding, use, disclosure and destruction/de-identification include the following:

  • Personal information may be collected only by lawful and fair means (APP 3.5) and collected directly from the relevant individual, unless a limited exemption applies (for private sector APP entities, only if it is unreasonable or impracticable to collect the personal information directly) (APP 3.6).
  • APP entities must take reasonable steps to notify individuals of the collection of personal information and related matters (APP 5).
  • If offshore disclosure of personal information occurs, the APP entity is responsible for breaches of the APPs by the recipient unless certain exemptions apply (see question 6.2).
  • APP entities must take reasonable steps to ensure that personal information which is collected, used and disclosed is accurate, complete and up to date (APP 10). When an APP entity uses or discloses personal information, it must take reasonable steps to ensure that this is relevant (APP 10.2).
  • APP entities must take reasonable steps to protect personal information, including from misuse and unauthorised disclosure (APP 11.1).
  • Where an APP entity no longer needs personal information, unless it is required to retain it by law or in other limited cases, it must take reasonable steps to destroy or de-identify it (APP 11.2).

For more information about this answer please contact: Angela Flannery from Holding Redlich
India

Answer ... Under the IT Act and Privacy Rules, the disclosures, actions and compliances applicable to the data collector will vary, depending on the nature of information it collects, stores, processes and/or transfers.

Collection: When collecting personal information or SPDI from a data subject, the data collector must take reasonable steps to ensure that the data subject has knowledge of:

  • the fact that the information is being collected;
  • the purpose for which the information is being collected;
  • the intended recipients of the information; and
  • the name and address of the agency that is collecting the information and the agency that will retain the information.

Additionally, to collect SPDI, the data collector must obtain the prior written or electronic consent of the data subject. Notably, no such consent is required for the collection of ordinary personal data (which does not contain or consist of SPDI).

Grievance officer: A data collector must appoint a ‘grievance officer’ and publish his or her name and contact details on its website. The grievance officer will be responsible for the redressal of grievances with respect to the processing of a data subject’s personal information.

Restrictions on use: A data collector must use personal information and SPDI only for the purpose for which it was collected.

Review and opt-out: The Privacy Rules require data collectors to allow data subjects to:

  • review the information they provide and ensure that any personal information or SPDI found to be inaccurate or deficient is corrected or amended as feasible; and/or
  • withdraw consent to use the information (where applicable).

Privacy policy: A data collector must have in place a privacy policy for the handling of personal information. The privacy policy must provide clear and easily accessible statements of the data collector’s practices and policies. It must disclose:

  • the types of data collected by the data collector;
  • the purpose for the collection and processing;
  • the circumstances for the disclosure of such information; and
  • the security practices and procedures implemented by the data collector.

The data collector must ensure that this policy is available for review by data subjects and is published on its website.

For more information about this answer please contact: Probir Roy Chowdhury from J. Sagar Associates
Liechtenstein

Answer ... The General Data Protection Regulation (GDPR) sets out seven key principles:

  • lawfulness, fairness and transparency;
  • purpose limitation;
  • data minimisation;
  • accuracy;
  • storage limitation;
  • integrity and confidentiality (security); and
  • accountability.

For more information about this answer please contact: Thomas Nägele from NAGELE Attorneys at Law LLC
Luxembourg

Answer ... Any processing of personal data must comply with the six data protection principles provided for by the GDPR: personal data must be:

  • processed fairly, lawfully and transparently (lawfulness, fairness and transparency);
  • collected for specific, explicit and legitimate purposes and not processed in a manner that is incompatible with those purposes (purpose limitation);
  • adequate, relevant and limited to what is necessary in relation to the purposes for which those data are processed (data minimisation);
  • accurate and, where necessary, up to date (accuracy);
  • kept in an identifiable form for no longer than necessary (storage limitation); and
  • kept secure (integrity and confidentiality).

In addition to the six data protection principles, the GDPR introduces the principle of accountability according to which the controller shall be responsible for and be able to demonstrate compliance with all the above-mentioned principles.

Sensitive data is subject to enhanced protection (see question 5.1).

These principles apply even if the processing of personal data is outsourced.

For more information about this answer please contact: Anne Morel from Bonn Steichen & Partners
Pakistan

Answer ... The following key principles apply:

  • Notice to data subject: Written notice provided by the data controller to the data subject about the collection and processing of his or her personal data.
  • Non-disclosure of personal data: No unauthorised disclosure.
  • Meeting the data security requirements: Compliance with the prescribed security standards to protect the data.
  • Data retention requirements: Not to keep data for longer than is required.
  • Data integrity and access: To ensure that data is accurate and that the data subject is given access to his or her data.
  • Record keeping: The retention of records on any application, notice, request or other information relating to personal data that it has processed or is processing.

In certain circumstances the processing of personal data is exempt from the scope of application of these key principles (see question 2.2).

For more information about this answer please contact: Saifullah Khan from S.U.Khan Associates Corporate & Legal Consultants
Portugal

Answer ... Besides lawfulness (see question 5.1), the other core principles of personal data processing are fairness and transparency. These principles translate into a number of explicit rights of data subjects (see question 7).

Fair processing implies that the controller has a duty to make the data subjects aware of any and all potential risks to their privacy involved in the processing. It makes the controller responsible for ensuring, to the fullest extent possible, that data subjects will not be surprised by any unforeseen effects of the processing.

Transparency requires the controller to provide data subjects with details of the following in advance of the data processing:

  • the purposes of the processing;
  • the controller’s identity and address;
  • the data subjects’ rights to access their data; and
  • all other rights in connection with the processing.

This information must be provided in clear, easily understandable language; and an accessible channel of communication must be provided for data subjects to contact the controller with regard to the processing of their data.

A number of other principles are also recognised:

  • Purpose limitation: The purpose of the processing must be defined before the start of the processing and no further processing of data is allowed for any other purpose that is not fully compatible with the original purpose.
  • Minimal processing: The processing of personal data must be:
    • necessary – that is, it must be pursued only where the purpose cannot be achieved by other, less invasive means; and
    • proportionate to the purpose and kept to the minimum level of interference with the data subjects’ rights and interests.
  • Accuracy of data: The controller must ensure that the data is accurate and up to date. The controller must provide effective means to correct or erase any inaccuracies, as appropriate.
  • Storage limitation: Personal data must not be kept for longer than strictly needed for the purposes of the processing and must be either deleted or anonymised as soon as it has served those purposes.
  • Security of data: The controller must ensure the security and confidentiality of personal data by means of technical and organisational measures to that effect.
  • Accountability: The controller is fully responsible for actively ensuring compliance with all principles and rules with regard to the protection of personal data.

For more information about this answer please contact: Óscar Madureira from Rato & Cortés, Sociedade de Advogados, SP, RL
Switzerland

Answer ... The DPA provides for the following key principles:

  • Transparency: The collection of personal data, and in particular the purpose of its processing, must be evident to the data subject.
  • Lawful basis: Personal data must be processed lawfully.
  • Principle of good faith and proportionality: Data processing must be carried out in good faith and must be proportionate.
  • Purpose limitation: Personal data may be processed only for the purpose indicated at the time of collection, which is evident from the circumstances or which is provided for by law.

In general, there is no obligation of automatic notification for data processing under the DPA. However, if particularly sensitive personal data or personality profiles are processed by the controller of the data file, the data subject must be notified in advance (Article 14 of the DPA). These notification requirements also apply where data is outsourced to third parties for processing.

In any case, the data subject generally has the right to request information about the processing of his or her personal data, and may inspect and correct false, incomplete or erroneous data. This right may be restricted only if there is an overriding public or private interest in doing so.

With respect to the outsourcing of data, the DPA states the following requirements:

  • Data must be outsourced on a contractual or a legal basis.
  • The data must be processed only in the manner permitted for the instructing party itself.
  • The transfer of data to third parties must not be prohibited by a statutory or contractual duty of confidentiality. The instructing party must ensure that the third party guarantees data security. Hence, the data controller is responsible for ensuring the security of the data and must prohibit unauthorised access.

Furthermore, the third parties must observe the key principles as set forth above.

Even the transfer of data to another legal entity in the same group of companies is considered a transfer to a third party.

For more information about this answer please contact: Carol S. Rothenfluh from SwissLegal
Taiwan

Answer ... Pursuant to the PDPA, where a non-government agency collects personal data (whether sensitive or not) from data subjects directly, it must inform the data subjects of the following information at the time of collection:

  • who is collecting the personal data;
  • the purpose(s) for which the data is being collected;
  • the types of personal data to be collected;
  • for how long, where, by whom and in what manner the data will be used;
  • the rights that the data subject may exercise in relation to his or her personal data and how he or she can exercise them; and
  • how the data subject’s rights or interests will be affected if he or she chooses not to provide the data.

A data processor is not subject to these notification obligations.

For more information about this answer please contact: Ken-Ying Tseng from Lee And Li
Turkey

Answer ...

  • The processing must be lawful and fair.
  • The data must be accurate and kept up to date where necessary.
  • The data must be processed for specified, explicit and legitimate purposes.
  • The processing must be relevant, limited and proportionate to the purposes for which the data is being processed.
  • The data must be stored for the period specified by relevant legislation or required by the purpose for which the personal data is being processed.

These principles are valid for all types of personal data and for all data controllers that are within the scope of the Law on the Protection of Personal Data.

For more information about this answer please contact: Burak Özdağıstanli from Ozdagistanli Ekici Avukatlık Ortaklığı
UK

Answer ... The GDPR establishes six data protection principles that all organisations must observe when dealing with personal data, as follows:

  • Lawfulness, fairness, and transparency: The processing of any personal data should be lawful and fair. Transparency requires that individuals whose data is being collected, used or processed in any way know the extent of this. This requirement also necessitates that information relating to the processing of those personal data can be easily understood and accessed.
  • Purpose limitation: Personal data should be collected for a specific, explicit and legitimate purpose, and this should be determined clearly at the point of collection. Furthermore, information may not be further processed in a manner that is incompatible with the initial purpose. However, further processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes is not considered to be incompatible with the initial purposes.
  • Data minimisation: The processing of personal data should be limited to what is necessary in relation to the purpose for which it is processed. Part of fulfilling this is by ensuring that there was no other way of fulfilling the purpose for which the personal data was processed, and that the period for which the personal data is stored is limited to a strict minimum.
  • Accuracy: Controllers must ensure that personal data is accurate and kept up to date if necessary, and take every reasonable step to ensure that personal data which is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay. Controllers also have an important role in recording how the information was collected/received and the source of that information.
  • Storage limitation: Personal data collected that allows data subjects to be identified should be kept only for as long as necessary. Careful attention should be paid such that data controllers are not keeping personal data longer than is required, as dictated by the purpose. Controllers should periodically review the personal data they hold to ensure that they are not holding on to more personal data information than is necessary.
  • Integrity and confidentiality: Personal data should be processed in a manner that is appropriately safeguarded against unauthorised or unlawful access to or use of personal data. Organisations should ensure that appropriate technical and organisational measures are in place to protect against this and against any accidental loss or destruction.
  • Accountability: Controllers must take responsibility for their processing of personal data and how they comply with the GDPR, and be able to demonstrate (through appropriate records and measures) their compliance, in particular to the ICO.

The threshold for compliance with each of the principles is heightened when dealing with special categories of data.

For more information about this answer please contact: Benjamin Ross from Bortstein Legal Group
United States

Answer ... Notice and consent are the key principles that apply when processing personal data in the United States, and these vary depending on the type of data being processed.

Many federal privacy laws are focused (at least in part) on providing transparency via a privacy policy, in which an entity is supposed to explain to the consumer what personal information it is collecting and what its privacy practices are. These laws typically depend on the type of data being processed, as the federal laws are industry specific and there is no general privacy law in the United States. For example:

  • the Health Insurance Portability and Accountability Act applies to health information processed by specific ‘covered entities’ (eg, healthcare providers, health plans and healthcare clearinghouses), and their ‘business associates’ (entities that help covered entities to carry out their healthcare activities);
  • the Gramm-Leach-Bliley Act applies to ‘financial institutions’; and
  • the COPPA applies to entities collecting information about, or targeting, children under 13 years of age.

The CCPA requires both:

  • a privacy policy setting forth the personal information categories that the business collects and the intended purposes for each category of personal information; and
  • short-form notices “at or before the point of collection” revealing the categories of information being collected and the intended purposes (eg, pop-ups, cookie banners).

Other state statutes also require disclosure of a privacy policy.

Some statutes require informed consent to collect, use or sell or share personal information. However, consent is the exception rather than the rule.

For more information about this answer please contact: Jenny Colgate from Rothwell, Figg, Ernst & Manbeck, P.C.
5.3
What other requirements, restrictions and best practices should be considered when processing personal data in your jurisdiction?
Australia

Answer ... Each APP entity must maintain a privacy policy that sets out, among other things, the types of personal information it collects and holds and the purposes for which it collects, holds, uses and discloses that information (APPs 1.3 and 1.4). The privacy policy must be made available free of charge and in an appropriate form, which is typically satisfied by making the policy available on the APP entity’s website (APP 1.5).

In addition, either before or at the time personal information is collected or as soon as practicable thereafter, an APP entity must take reasonable steps to notify the relevant individual of (or to otherwise ensure that he or she is aware of) the details of the collecting APP entity and, among other things, the purposes for the collection and the persons to which the information would usually be disclosed, including whether cross-border disclosure is likely (APP 5).

The OAIC Guidelines state that the ‘reasonable steps’ required to notify or ensure awareness will depend on, among other circumstances:

  • the sensitivity of the personal information;
  • adverse consequences from collection;
  • special needs of the relevant individual; and
  • practicability (including time and cost).

The circumstances in which it may not be necessary to take any steps include where:

  • the individual is otherwise aware of the collection, why the personal information is being collected and the other relevant matters; or
  • if the information is collected from a third party, the APP entity will continue to hold, but may not actively use or disclose, that personal information.

For more information about this answer please contact: Angela Flannery from Holding Redlich
India

Answer ... When a data collector is processing personal information, it should provide detailed disclosures on the mechanisms used for data processing. For instance, the data collector may consider outlining whether the processing is done manually or whether the process is automated. The data collector may also consider maintaining detailed records of the third parties with which data is shared for the purpose of processing and of the activities involved during processing.

For more information about this answer please contact: Probir Roy Chowdhury from J. Sagar Associates
Liechtenstein
No answer submitted for this question.
Luxembourg

Answer ... The Law of 1 August 2018 on the Organisation of the National Data Protection Commission and the general data protection framework introduces provisions regarding certain specific processing situations, in particular with respect to:

  • the processing of personal data for the sole purpose of journalism, university research, art or literature. The Law of 1 August 2018 provides that the processing is not subject to:
    • the prohibition of processing special categories of personal data;
    • the limitation to process public judicial data;
    • the rules applicable to transfers to third countries;
    • the obligation to provide certain information to the concerned persons; and
    • the obligation to give access to data subjects in certain circumstances;
  • the processing of personal data for scientific or historical research or statistical purposes. The Law of 1 August 2018 provides that the rights of access, rectification, limitation and objection of the data subject may be limited to the extent that such rights would make impossible or seriously impede the accomplishment of the specific concerned purposes, provided that certain appropriate measures are implemented;
  • the processing of genetic data for the purpose of exercising the rights of the controller in the field of labour and insurance law. Such processing is prohibited according to the Law of 1 August 2018; and
  • the processing of personal data for monitoring purposes in the context of employment (see question 10.2).

For more information about this answer please contact: Anne Morel from Bonn Steichen & Partners
Pakistan

Answer ... The draft Pakistan Personal Data Protection Bill, 2020 includes only the requirements set out in questions 5.1 and 5.2. Once the law has been promulgated and enforced, the Personal Data Protection Authority of Pakistan, under its rule-making powers, will issue a compliance framework.

For more information about this answer please contact: Saifullah Khan from S.U.Khan Associates Corporate & Legal Consultants
Portugal

Answer ... As noted in question 4.1, registration is no longer required under the General Data Protection Regulation.

The former general obligation to notify the supervisory authorities of the processing of personal data created a significant administrative and financial burden, and did not in all cases help to improve the protection of personal data. It was thus abolished and replaced with other mechanisms which focus on likely high risks to the rights and freedoms of natural persons.

One such mechanism is the data protection impact assessment: where a certain type of processing is likely to present a high risk to the rights and freedoms of natural persons, the controller must, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

The assessment must include at least:

  • a systematic description of the envisaged processing operations and the purposes of the processing;
  • an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  • an assessment of the risks presented to the rights and freedoms of data subjects; and
  • the measures envisaged to address those risks, including safeguards, security measures and mechanisms to ensure the protection of personal data.

If the assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate that risk, the controller must consult the National Data Protection Commission (CNPD) regarding the compliance of the processing with the data protection regime.

In enforcing its opinion on non-compliance, the CNPD may use all its powers.

The controller must appoint a data protection officer in the following circumstances:

  • where the processing is carried out by a public authority; or
  • in the private sector:
    • where the processing is carried out by a controller whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; or
    • where the core activities of the controller or the processor consist of processing on a large scale of special categories of personal data and data relating to criminal convictions and offences (see question 8.1).

He or she must be someone with expert knowledge of data protection laws and practices. His or her role is to assist the controller or processor to monitor internal compliance with the regime.

Data protection officers, whether or not directly employed by the controller, should be in a position to perform their duties and tasks in an independent manner.

For more information about this answer please contact: Óscar Madureira from Rato & Cortés, Sociedade de Advogados, SP, RL
Switzerland

Answer ... The data processor and controller are advised to monitor the processing of personal data. If irregularities or non-compliance with data protection regulations is detected, corrective measures must be implemented. Furthermore, it is recommended to maintain a list of all data files.

For more information about this answer please contact: Carol S. Rothenfluh from SwissLegal
Taiwan

Answer ... In addition to the requirements outlined in questions 5.1 and 5.2, businesses must also comply with the following statutory requirements:

  • adopting proper security measures to protect the personal data that they hold (see question 9.1);
  • complying with the additional marketing restrictions under the PDPA (see question 11.3); and
  • respecting the data subject’s rights (see question 7.1).

The most important best practices are to have a statutory ground for collection and to use the data only within the scope of the specific purpose at the time of collection. Otherwise, additional consent will be required.

For more information about this answer please contact: Ken-Ying Tseng from Lee And Li
Turkey

Answer ... Data controllers have the following obligations under the Law on the Protection of Personal Data:

  • to process personal data in accordance with the principles of the law (see question 5.2);
  • to process personal data in accordance with a legal justification (see question 5.1);
  • to inform data subjects before the collection of personal data. The privacy notices prepared for this purpose must specify the following:
    • the identity of the data controller and its representative, if any;
    • the purpose for which the personal data is being processed;
    • to whom and for what purposes the processed personal data may be transferred;
    • the method and legal basis for the collection of personal data; and
    • the data subjects’ rights;
  • to register with the Registry of Data Controllers Information System (see question 4);
  • to prepare a data processing inventory that contains the following information, based on processing activity:
    • the purpose of the data processing;
    • the legal basis for the data processing;
    • the categories of data subjects;
    • the categories of data;
    • the groups of recipients;
    • any data transfers abroad;
    • the period of retention;
    • technical precautions; and
    • administrative precautions;
  • to inform on international transfers (please see question 6.2);
  • to respond to the requests of data subjects (please see question 7);
  • to secure personal data (please see question 9);
  • to notify data breaches (please see question 9); and
  • to prepare a data retention and destruction policy.

Data controllers must prepare a policy that stipulates the retention term for personal data. The policy must also include the types and methods used for the deletion, anonymisation and destruction of personal data. This policy must also stipulate a periodic destruction term (which cannot be longer than six months). Personal data must be deleted, anonymised or destroyed pursuant to the policy.

For more information about this answer please contact: Burak Özdağıstanli from Ozdagistanli Ekici Avukatlık Ortaklığı
UK

Answer ... Documentation and accountability: The GDPR requires that controllers and processors document their processing activities as a means of illustrating compliance with data privacy requirements. This can also help organisations to monitor and improve their data governance, and be a first step to responding to any request or investigation by the ICO. The key documentation requirements are as follows:

  • privacy notices to data subjects as required by the GDPR;
  • a data protection policy explaining how the organisation processes personal data;
  • an appropriate policy document as required by the DPA 2018;
  • a record of processing as required by the GDPR, which must be produced to the ICO upon demand;
  • data protection impact assessments for higher risk processing;
  • legitimate interest assessments when relying on legitimate interests as a lawful basis; and
  • training materials and records of training.

For more information about this answer please contact: Benjamin Ross from Bortstein Legal Group
United States

Answer ... While the CCPA is a state privacy statute, it is treated by many as a ‘de facto’ national standard because it broadly applies to all sites and services that collect personal information on California residents. At the very least, it is considered ‘best practice’. As such, at least the following privacy policy requirements of CCPA should be considered by every entity processing personal data in the United States:

  • Update your privacy policy at least every 12 months;
  • Identify the rights individuals have with respect to their data (eg, erasure, copy, change/update, stop or limit use);
  • Provide a description of the information collected;
  • Provide lists of information sold or shared and, separately, disclosed for a business purpose;
  • Provide a statement of non-discrimination of those who exercise CCPA rights;
  • Provide information on opting out of sale of personal information (as well as a ‘Do Not Sell My Personal Information’ site); and
  • Provide at least two forms of contact for individuals to submit requests (including at least a toll-free number or an email address if the business is online only).

In the United States, it is very risky to have a privacy policy that does not accurately describe the information you collect and what you do with it. The Federal Trade Commission (FTC) and state attorneys general have broad jurisdiction to enforce privacy violations, such as an entity processing personal data beyond what is disclosed in the privacy policy, under Section 5 of the FTC Act and under state unfair or deceptive acts or practices statutes. Moreover, entities resolving these investigations typically pay large fines and enter into contracts (called ‘consent decrees’) with the FTC or the offices of state attorneys general, breach of which results in even bigger fines. Thus, honesty, accuracy and regular updates are best practices for staying out of trouble with your US privacy policy.

For more information about this answer please contact: Jenny Colgate from Rothwell, Figg, Ernst & Manbeck, P.C.
6.
Data transfers
6.1
What requirements and restrictions apply to the transfer of data to third parties?
Australia

Answer ... Disclosure is interpreted by the Office of the Australian Information Commissioner (OAIC) to mean any positive act of disclosure, as well as accidental or unauthorised disclosure, such as when an email containing personal information is sent to the incorrect recipient. The key requirement is that further use be outside the control of the discloser.

Personal information may be used or disclosed only for the purposes for which it was collected or for permitted secondary purposes (APP 6). The OAIC Guidelines provide that, in describing to individuals the purposes for which personal information is collected, and therefore the primary purposes for which it may be used or disclosed, APP entities must not frame these purposes too broadly, such as ‘for carrying on [APP entity’s] business’. Whether a description is too broad will depend on all relevant circumstances. The OAIC has also stated that APP entities need not include in such descriptions ordinary internal business purposes, such as billing. Therefore, if an APP entity proposed to disclose personal information to a third party that provided its ordinary course business services, this would not need to be disclosed.

Other than where disclosure is made to offshore recipients, which is discussed in question 6.2, an APP entity is not liable for the acts or practices of a person to which that APP entity discloses any personal information, even though that APP entity may have liability in relation to the disclosure itself, if it is not for a permitted primary or secondary purpose.

For more information about this answer please contact: Angela Flannery from Holding Redlich
India

Answer ... The Privacy Rules permit personal information to be freely transferred to third-party recipients within and outside India. Sensitive personal data or information (SPDI), on the other hand, may be transferred only if:

  • the transfer:
    • is necessary for the performance of a lawful contract between the data controller and the data subject; or
    • has been expressly consented to by the data subject; and
  • the transferee provides the same or a greater level of data protection than what is provided by the transferor.

For more information about this answer please contact: Probir Roy Chowdhury from J. Sagar Associates
Liechtenstein

Answer ... As per the General Data Protection Regulation (GDPR), a ‘third party’ is a natural or legal person, public authority, agency or body other than the data subject, controller, processor or persons that, under the direct authority of the controller or processor, are authorised to process personal data.

The third party will be considered a recipient once personal data is disclosed to it; and the legitimate interests of third parties can also be used as a legal basis to justify the processing of personal data by the controller where relevant.

A company may rely on legitimate interests to disclose personal data to a third party. These might include its own interests, the interests of the third party or both.

For more information about this answer please contact: Thomas Nägele from NAGELE Attorneys at Law LLC
Luxembourg

Answer ... A third party may process the data on behalf of the data controller. In such case, the controller must choose a processor providing sufficient guarantees in respect of the technical security measures and organisational measures governing the processing to be implemented, and must ensure compliance with those measures.

In accordance with Articles 28(3) and 28(9) of the EU General Data Protection Regulation (GDPR), the data processing by a third party must be governed by a contract or legal act binding the processor to the controller, which sets out:

  • the subject matter and duration of the processing;
  • the nature and purpose of the processing;
  • the type of personal data and categories of data subjects;
  • the obligations and rights of the controller; and
  • confirmation in particular that:
    • the data processor shall process only on instructions from the data controller; and
    • the data processor is subject to the same obligations as its own subcontractors.

For more information about this answer please contact: Anne Morel from Bonn Steichen & Partners
Pakistan

Answer ... Section 12 of the draft Pakistan Personal Data Protection Bill, 2020 requires that personal data not be transferred to any unauthorised person or system.

For more information about this answer please contact: Saifullah Khan from S.U.Khan Associates Corporate & Legal Consultants
Portugal

Answer ... Under the current legal framework, data processors and other persons who process personal data under the direct authority of a data controller or processor are not considered third parties.

The transfer of personal data to third parties constitutes, in itself, a form of personal data processing. This may either be included in the original processing or constitute further processing. In the former case, all details regarding the third party, the transfer of the data and the purposes of the transfer must be included in the information provided to the data subject by the controller.

In the case of further processing, this is not permitted unless it is treated as a new type of processing, subject to all requirements that apply to original processing.

Where personal data is intended to be transferred to a third country, specific requirements and restrictions apply (see question 6.2).

For more information about this answer please contact: Óscar Madureira from Rato & Cortés, Sociedade de Advogados, SP, RL
Switzerland

Answer ... Yes, under the conditions set forth in question 5.4.

For more information about this answer please contact: Carol S. Rothenfluh from SwissLegal
Taiwan

Answer ... Data may be transferred to a third party as long as a non-government agency has obtained consent from the data subject for the transfer or the transfer is otherwise permitted under Article 20 of the Personal Data Protection Act (PDPA). The recipient of the data must also have its own legal ground as set forth under Article 19 of the PDPA in order to legally collect the personal data.

For more information about this answer please contact: Ken-Ying Tseng from Lee And Li
Turkey

Answer ... Personal data can be transferred to third parties within Turkey on any of the legal bases in the Law on the Protection of Personal Data, as stated in question 5.1.

For more information about this answer please contact: Burak Özdağıstanli from Ozdagistanli Ekici Avukatlık Ortaklığı
UK

Answer ... Contractual requirements for controllers and processors: Whenever a controller uses a processor, there is a requirement that a written agreement be in place. This is so that a controller can satisfy itself that the processor implements appropriate safeguards to protect personal data, as required by the General Data Protection Regulation (GDPR).

The contract should set out the following processing details:

  • the subject matter of the processing;
  • the duration of the processing;
  • the nature and purpose of the processing;
  • the type of personal data involved;
  • the categories of data subject; and
  • the controller’s obligations and rights.

The processor agreement between a controller and a processor must also include the following obligations that are prescribed by Article 28 of the GDPR. These are usually heavily negotiated, and a processor's view of compliance will come from a very different perspective to a controller's, with many different commercial nuances reflected in their respective drafts. The obligations to address in a processor agreement are as follows:

  • Unless required by law, the processor must act only on the controller’s documented instructions, including regarding the transfer of data to countries outside the European Economic Area (EEA).
  • The processor must ensure that the individuals processing the data are bound by confidentiality.
  • The processor must take suitable steps to ensure the security of processing.
  • Sub-processors can only be engaged by the processor with the controller’s prior authorisation and under a written contract which flows down the same data protection obligations and the processor must retain liability for its sub-processors.
  • The processor must take appropriate measures to help the controller respond to requests from individuals to exercise their rights.
  • Based on the nature of processing and the information available, the processor must assist the controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments.
  • At the controller’s choice, the processor must delete or return all personal data to the controller at the end of the contract; and unless the law requires its storage, the processor must also delete existing personal data.
  • The processor must submit to audits and inspections by the controller and its auditors. The processor must also give the controller whatever information it needs to demonstrate that it can meet its data privacy obligations.

Requirements for controllers: Whenever a controller shares data with another controller, it is either as joint controllers engaging in a shared endeavour or as independent controllers processing the same personal data for different purposes.

The GDPR requires that certain issues be dealt with between joint controllers, which may be by a contract or a joint privacy notice, particularly as regards which controller is responsible for issuing the privacy notice and responding to data subject requests.

There is no requirement for independent controllers to address particular points in a contract, but it is good practice to do so, to address compliance with data protection law, notification of personal data breaches and cooperation for the purposes of responding to the Information Commissioner’s Office (ICO) and data subject requests.

For more information about this answer please contact: Benjamin Ross from Bortstein Legal Group
United States

Answer ... A number of privacy laws in the United States prohibit the sharing or sale of personal information absent a user’s consent. These are discussed in question 5. Further, the California Consumer Privacy Act provides consumers with the right to opt out of the sale or sharing of their personal information, and requires that sites and services provide a ‘Do Not Sell My Personal Information’ button or link.

Additionally, a number of laws mandate that entities provide privacy policies (see question 5), and entities are bound by the representations they make in their privacy policies.

In addition, US ‘wiretap’ laws (including the Electronic Communications Privacy Act) have been interpreted broadly by the courts in some jurisdictions, such that they have been held to apply in instances where plug-ins or cookies cause a user’s computer to send information back to a website regarding the user’s browsing history. As such, it is important that plug-in and cookie notices are detailed and accurate, and that consent is obtained.

Web scraping is another area being litigated in the courts. The Supreme Court is currently considering whether to grant cert in hiQ Labs, Inc v LinkedIn Corp, 938 F 3d 985 (9th Cir 2019), which concerns the scope of the Computer Fraud and Abuse Act (CFAA). In the underlying case, the web scraper was determined not to be liable under the CFAA because LinkedIn’s website is publicly accessible. There are numerous other claims under which web scrapers are also sued – for example:

  • breach of contract;
  • copyright infringement;
  • common law misappropriation;
  • unfair competition;
  • trespass and conversion;
  • Digital Millennium Copyright Act anti-circumvention provisions;
  • Section 5 of the Federal Trade Commission Act; and
  • state unfair or deceptive acts or practices laws.

For more information about this answer please contact: Jenny Colgate from Rothwell, Figg, Ernst & Manbeck, P.C.
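The answer above notes that cookies and plug-ins which send browsing data back to a vendor have been treated by some US courts as interceptions, so that accurate notices and consent matter. The following is an added example, not part of the guide or of any contributor's answer, of one way a site can enforce that point in code: third-party tags are only released after the visitor has consented to their category, a record made under an older notice version is treated as no consent, and tags that would "sell or share" personal information are additionally withheld when an opt-out signal is present. The tag registry, the category names, the `doNotSell` and `noticeVersion` fields and the Global Privacy Control flag are all assumptions made for this demonstration; the URLs are placeholders.

```javascript
"use strict";

// Added example (not from the guide): consent gate for third-party tags.
// Constructed registry of tags. `category` is what the cookie notice asked
// consent for; `sells` marks tags that would "sell or share" personal
// information in CCPA terms. The ids, categories and URLs are made up.
const TAG_REGISTRY = [
  { id: "session-monitor", category: "necessary",   sells: false, src: "https://cdn.example/session.js" },
  { id: "analytics",       category: "analytics",   sells: false, src: "https://cdn.example/analytics.js" },
  { id: "ad-pixel",        category: "advertising", sells: true,  src: "https://ads.example/pixel.js" },
  { id: "social-plugin",   category: "social",      sells: true,  src: "https://social.example/plugin.js" },
];

// Categories that are strictly necessary for the service and never gated.
const ALWAYS_ALLOWED = new Set(["necessary"]);

// Derive the effective consent state from the stored record (assumed shape:
// { noticeVersion, granted: [...categories], doNotSell }) and the browser's
// opt-out signal. A record taken under a different notice version is stale:
// the disclosures changed, so the old choice no longer covers them.
function effectiveConsent(stored, currentNoticeVersion, globalPrivacyControl) {
  const valid = Boolean(stored) && stored.noticeVersion === currentNoticeVersion;
  const granted = new Set(valid ? stored.granted : []);
  const optOutOfSale = Boolean(globalPrivacyControl) || Boolean(valid && stored.doNotSell === true);
  return { granted, optOutOfSale, stale: !valid };
}

// Decide per tag whether it may load. Returns the tag ids to load and, for
// the rest, the reason they were withheld (worth keeping for an audit log).
function evaluateTags(registry, consent) {
  const load = [];
  const blocked = [];
  for (const tag of registry) {
    if (ALWAYS_ALLOWED.has(tag.category)) { load.push(tag.id); continue; }
    if (!consent.granted.has(tag.category)) {
      blocked.push({ id: tag.id, reason: "no-consent:" + tag.category });
      continue;
    }
    if (tag.sells && consent.optOutOfSale) {
      blocked.push({ id: tag.id, reason: "opt-out-of-sale" });
      continue;
    }
    load.push(tag.id);
  }
  return { load, blocked };
}

// Whole decision for one page view; the caller would inject only `load`.
function decide(storedConsent, noticeVersion, gpc) {
  const consent = effectiveConsent(storedConsent, noticeVersion, gpc);
  return { ...evaluateTags(TAG_REGISTRY, consent), stale: consent.stale };
}

// Stand-alone demo with a constructed consent record.
if (typeof module !== "undefined" && require.main === module) {
  const record = { noticeVersion: "2020-11", granted: ["analytics", "advertising"], doNotSell: false };
  console.log(decide(record, "2020-11", false)); // analytics and ad-pixel load, social-plugin withheld
  console.log(decide(record, "2020-11", true));  // GPC set: ad-pixel also withheld (opt-out-of-sale)
  console.log(decide(record, "2021-03", false)); // stale record: only the necessary tag loads
}
```

The point of the `stale` flag is that consent is tied to the notice the visitor actually saw; when the categories or vendors in the notice change, the site falls back to the necessary-only set until a fresh choice is recorded, which is what a regulator reading the cookie notice against the network traffic would expect to see.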
6.2
What requirements and restrictions apply to the transfer of data abroad? Do these vary depending on the destination?
Australia

Answer ... If an APP entity discloses personal information to a person outside Australia which is not bound by the Australian Privacy Principles (APPs), it must take reasonable steps to ensure that the offshore recipient does not breach, and will be liable for that offshore recipient’s breaches of, the APPs (other than APP 1) in relation to that information, unless an exemption applies (APP 8.1).

The most relevant exemptions are as follows:

  • The APP entity reasonably believes that the offshore recipient is subject to laws or a binding scheme similar to the APPs and the relevant individual(s) are entitled to seek recourse under such law or scheme (APP 8.2(a)); or
  • The relevant individual(s) expressly agree that the APP entity need not take steps to ensure compliance with the APPs by the offshore recipient (APP 8.2(b)).

In a practical sense, this means that APP entities have lesser obligations where the offshore recipient is subject to the laws or binding rules of a jurisdiction that provide safeguards at least equivalent to the Privacy Act.

The reasonable steps required to ensure that an offshore recipient does not breach the APPs are typically to impose contractual obligations on that entity and to actively monitor and enforce compliance with those obligations.

In mid-2020 the Privacy Act was amended to include provisions regulating the collection, use and disclosure of information collected via the Australian government’s COVIDSafe app. That information is deemed to be personal information and any disclosure of that information outside Australia is an offence.

For more information about this answer please contact: Angela Flannery from Holding Redlich
India

Answer ... Subject to the restrictions in relation to transfer of SPDI (discussed in question 6.1), there are no further obligations that apply to the transfer of data abroad.

For more information about this answer please contact: Probir Roy Chowdhury from J. Sagar Associates
Liechtenstein

Answer ... The GDPR restricts the transfer of personal data to countries outside the European Economic Area, and international organisations. These restrictions apply to all transfers, no matter what the size of the transfer or how often transfers are carried out.

The European Commission has the power to determine, on the basis of Article 45 of the GDPR, whether a country outside the European Union offers an adequate level of data protection.

The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay as providing adequate protection. Adequacy talks are ongoing with South Korea.

Under Article 26 of the Data Protection Directive, member states may authorise a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25(2) where the chief processor adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights; such safeguards may in particular result from appropriate contractual clauses.

For more information about this answer please contact: Thomas Nägele from NAGELE Attorneys at Law LLC
Luxembourg

Answer ... Personal data may be transferred freely between the countries inside the European Economic Area, provided that the processing complies with the general principles of the GDPR (eg, lawfulness of processing, compatibility of the communication of data to a third party with the initial processing activity, information to the data subjects).

Data may only be transferred to companies located in a country which provides an adequate level of protection. A transfer of personal data to a third country or an international organisation may take place where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question, ensures an adequate level of protection. Such a transfer shall not require any specific authorisation. To date, the following countries have, after confirmation of the European Commission, an adequate level of protection: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United States (limited to the Privacy Shield Framework). Adequacy talks are also ongoing with South Korea.

In the absence of a decision from the European Commission, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

Without requiring any specific authorisation from a supervisory authority (the National Commission for Data Protection), the abovementioned appropriate safeguards may be provided for by:

  • a legally binding and enforceable instrument between public authorities or bodies;
  • binding corporate rules;
  • standard data protection clauses adopted by the commission;
  • standard data protection clauses (ad hoc clauses) adopted by a supervisory authority and approved by the commission;
  • an approved code of conduct together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights; or
  • an approved certification mechanism together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.

Subject to the authorisation from the competent supervisory authority, the appropriate safeguards may also be provided for, in particular, by:

  • contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or
  • provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.

In the absence of an adequacy decision or of appropriate safeguards, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:

  • The data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
  • The transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request;
  • The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
  • The transfer is necessary for important reasons of public interest;
  • The transfer is necessary for the establishment, exercise or defence of legal claims;
  • The transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent; or
  • The transfer is made from a register which, according to EU or member state law, is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by EU or member state law for consultation are fulfilled in the particular case.

For more information about this answer please contact: Anne Morel from Bonn Steichen & Partners
Pakistan

Answer ... The draft Pakistan Personal Data Protection Bill, 2020 sets out the following requirements and restrictions on the transfer of personal data outside Pakistan:

  • Critical personal data shall be processed only in a server or data centre located in Pakistan.
  • The country to which personal data is being transferred must offer protection that is at least equivalent to the protection provided under the draft bill (equal protection principle).
  • The federal government may notify certain categories of personal data (except for sensitive personal data) to which the equal protection principle does not apply, on the grounds of necessity or the strategic interests of the state.
  • The transfer of personal data outside Pakistan must follow a framework to be devised by the Personal Data Protection Authority of Pakistan.
  • The authority will devise a mechanism for the retention of copies of any personal data in Pakistan which is transferred outside Pakistan.

Under the draft bill, the same data transfer requirements apply irrespective of the destination. This might be addressed by the authority when devising the framework for the transfer of data outside Pakistan.

For more information about this answer please contact: Saifullah Khan from S.U.Khan Associates Corporate & Legal Consultants
Portugal

Answer ... There are no additional requirements or restrictions for the transfer of personal data within the European Union.

If the destination is outside the European Union (including international organisations), the critical issue is to assess whether, in the jurisdiction of destination, the level of protection conferred on personal data is deemed adequate.

The transfer can take place only if the controller and the processor comply with the requirements for such transfers, including further onward transfers to other third countries.

The key concept is the ‘adequate level of protection’ ensured at the destination. The European Commission is empowered to decide whether a jurisdiction provides an adequate level of protection for the purposes of the transfer of personal data. Such decisions have been made for a few countries, such as Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay.

Until quite recently, such a decision was also in force for the United States (limited to the Privacy Shield framework). However, the Court of Justice of the European Union (CJEU), in Schrems II (16 July 2020), invalidated Decision 2016/1250 on the adequacy of the protection provided by the Privacy Shield framework. The Privacy Shield framework relies on a system of self-certification by which US organisations commit to a set of privacy principles issued by the US Department of Commerce. While the CJEU considered that Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established in third countries is valid, this is nevertheless a game-changer in the field of EU-US data transfers.

Where an adequacy decision does not exist, transfers to third countries may be performed only on the basis of appropriate safeguards, either provided by legally binding instruments (including binding corporate rules) or stipulated in contractual clauses, but in this case subject to the authorisation of the CNPD.

Following the invalidation of the Privacy Shield framework, EU-US data transfers may be carried out only on the basis of appropriate safeguards.

For more information about this answer please contact: Óscar Madureira from Rato & Cortés, Sociedade de Advogados, SP, RL
Switzerland

Answer ... Article 6 of the Federal Act on Data Protection (DPA) stipulates that personal data may not be disclosed abroad if the privacy of the data subject would be seriously endangered thereby, in particular due to the absence of legislation that guarantees adequate protection. Accordingly, either adequate protection must be guaranteed in the country of destination or other safeguards must be in place to protect the data subject’s privacy, such as:

  • contractual clauses;
  • consent of the data subject; and
  • implementation of binding corporate rules in a group of companies in which data is transferred.

The transfer of data abroad includes access to data from abroad if the data remains stored in the country of origin. The Federal Data Protection and Information Commissioner maintains a list of the countries which, in its view, ensure adequate data protection. This non-binding list is publicly available. All European countries governed by the General Data Protection Regulation guarantee more than adequate protection and therefore the transfer of data to such countries is of no concern.

For more information about this answer please contact: Carol S. Rothenfluh from SwissLegal
Taiwan

Answer ... Currently, personal data may be freely transferred outside of Taiwan, unless the government otherwise issues an order or ruling that prohibits or restricts such a transfer. Thus far, the only government ruling restricting the transfer of personal data has been issued by the National Communications Commission, which prohibits telecommunications operators and broadcasting companies from storing subscriber data in China.

The National Development Council (NDC) is contemplating amending the PDPA in the near future. One of the issues that the NDC is considering is whether to change the current rules on the international transfer of personal data and adopt rules similar to those of the General Data Protection Regulation. If this happens, companies would be prohibited from freely transferring personal data outside Taiwan unless the destination jurisdiction provided adequate protection of personal data or certain conditions were met.

For more information about this answer please contact: Ken-Ying Tseng from Lee And Li
Turkey

Answer ... Turkey has a strict regime which applies to the transfer of personal data abroad. The use of data processors abroad or of systems that are located abroad is also regarded as the transfer of personal data abroad by the Data Protection Authority (DPA).

Personal data can be transferred abroad based on any of the following grounds:

  • the explicit consent of the data subject;
  • any of the statutory justifications in the Law on the Protection of Personal Data, provided that the recipient is located in a country which is included on the safe countries list to be published by the DPA;
  • any of the statutory justifications set out in the law, provided that Chubb Turkey and the recipient sign an undertaking to protect the personal data and the DPA approves such transfer; and
  • binding corporate rules (BCRs) (for transfers among group companies).

For more information about this answer please contact: Burak Özdağıstanli from Ozdagistanli Ekici Avukatlık Ortaklığı
UK

Answer ... Under the UK data protection regime there are several ways that data can be transferred abroad:

Article 45 of the GDPR – transfers on the basis of an adequacy decision: There are a number of countries outside the European Economic Area on which the European Commission has passed an adequacy decision, meaning that the European Commission is satisfied that these third countries or international organisations have an adequate level of data protection and transfers can be made to these countries or international organisations. Countries for which adequacy decisions have been issued include Andorra, Argentina, Canada, Guernsey, Jersey and the Isle of Man, Switzerland, Israel, the Faroe Islands, New Zealand, Uruguay and Japan.

The UK government has confirmed that countries deemed adequate by the European Commission will continue to be adequate for transfers from the United Kingdom under the UK GDPR after the end of the transition period following the exit of the United Kingdom from the European Union.

The main immediate question is whether the United Kingdom will secure an adequacy ruling by the European Commission which would allow data transfers to occur from the European Union to the United Kingdom without further safeguards. This is by no means a certainty, given the small number of countries which have achieved adequacy to date and the length of time (minimum two years) it takes to secure an adequacy decision.

The US bulk data acquisition regime resulted in the EU-US Privacy Shield being invalidated recently as part of the Schrems II decision. The United Kingdom also engages in such activity, although there are stringent safeguards, as set out in the Investigatory Powers Act 2016. It remains to be seen whether the wide-ranging powers open to UK intelligence agencies will jeopardise a future adequacy ruling by the European Commission after the end of the transition period on 31 December 2020.

Transfers subject to appropriate safeguards: If a country is not subject to an adequacy decision, then the GDPR requires that an organisation use one of the following safeguards.

Standard contractual clauses: This is the most common and widely used alternative legal basis to an adequacy decision. These are model clauses which have been approved by the European Commission and allow personal data to be transferred when embedded within a contract. The clauses impose contractual obligations on both the data exporter and the data importer and state the rights of the individuals whose personal data is transferred. Data subjects can directly enforce those rights against the data importer and the data exporter. There are different variants for transfers between a controller and a processor and between a controller and a controller. The European Commission has advised the European Data Protection Board (EDPB) that it is looking to update the existing standard contractual clauses, which are based on EU Directive 95/46/EC and so pre-date the GDPR. Until then, UK and EU-based data controllers can still enter into these model clauses.

The earliest time for new Standard Contractual Clauses is the end of 2020, as announced in a meeting of the European Parliament on the future of EU-US Data Flows. The announcement states that the new Standard Contractual Clauses will tackle the main legacy issues with the current set, notably addressing Article 28 of the GDPR and also allowing for transfers between an EEA processor and a non-EEA processor. This will likely lead to further complications when negotiating data protection agreements.

Applying the standard contractual clauses in an effective way is not always easy, as the standard contractual clauses pre-date the extra-territorial effect of the GDPR and do not cater well for non-linear data flows or chains of sub-processors.

The situation is complicated further after the end of the transition period following the exit of the United Kingdom from the European Union, as if the United Kingdom does not secure an adequacy ruling, it will be considered a third country and standard contractual clauses would need to be entered into in order to cover transfers from Europe to the United Kingdom.

Binding corporate rules (BCRs): These are legally binding codes of conduct operating within multinational group companies and apply in instances of transfers of personal data from one group entity based in the EEA to another group entity outside the EEA. The group may be a group of undertakings or a corporate group – for example, franchises or joint ventures. The terms within BCRs are approved by the competent data protection authority, which is the ICO in the United Kingdom. Two types of BCRs can be approved:

  • BCRs for controllers, which are used by the group entity to transfer data that it has responsibility for, such as employee or supplier data; and
  • BCRs for processors which are used by entities acting as processors for other controllers and are normally added as an addendum to the service level agreement or processor contract.

Article 47 of the GDPR goes into further detail in relation to BCRs.

Again, this is complicated by the exit of the United Kingdom from the European Union, as multinational companies whose BCRs were approved by the ICO will have to switch to a new lead authority in the European Union, meaning very long backlogs.

Approved codes of conduct: Restricted transfers can be made if the receiver has signed up to a code of conduct, which has been approved by the ICO. The GDPR endorses the use of approved codes of conduct to demonstrate compliance with its requirements. The code of conduct must include safeguards to protect the rights of individuals whose personal data is transferred and which can be directly enforced. This is a new option under the GDPR and as at the time of writing there have not yet been any approved codes of conduct.

Contractual clauses authorised by the ICO: Restricted transfers can be made if the receiver has entered into a bespoke contract governing a specific restricted transfer which has been individually authorised by the ICO. Where the United Kingdom is the exporter of data, the ICO will have had to have approved the contract. At present the ICO is not authorising any such bespoke contracts until guidance has been produced by the EDPB.

A legally binding and enforceable instrument between public authorities or bodies: Restricted transfer between two public authorities or bodies using a legal instrument provides ‘appropriate safeguards’ for the rights of the individuals whose personal data is being transferred, and is legally binding and enforceable. The ‘appropriate safeguards’ must include enforceable rights and effective remedies for the individuals whose personal data is transferred. If a public authority or body does not have the power to enter into legally binding and enforceable instruments, it may consider an administrative arrangement which includes enforceable and effective individual rights.

Approved certification mechanisms: Restricted transfers can be made if the receiver has certification under a scheme approved by the ICO. The certification scheme must include appropriate safeguards to protect the rights of individuals whose personal data is being transferred and which can be directly enforced. The GDPR also endorses the use of approved certification mechanisms to demonstrate compliance with its requirements. This option is newly introduced by the GDPR and at the time of writing no approved certification schemes are as yet in use.

Article 49 – Derogations for specific situations: Derogations under Article 49 provide exemptions from the general principle that personal data may be transferred to a third country only if an adequate level of protection is provided for in that third country. A data exporter should first try to do so through one of the approved mechanisms; it is only when there is no appropriate mechanism that the Article 49 derogations may be relied upon. These derogations or exceptions allow transfers in specific situations, such as:

  • based on consent;
  • for the performance or conclusion of a contract;
  • for the exercise of legal claims;
  • to protect the vital interests of the data subject where he or she cannot give consent; or
  • for important reasons of public interest.

The EDPB has documented guidance on these derogations, which should be consulted before seeking to rely on these, as they apply only in very limited scenarios.

For more information about this answer please contact: Benjamin Ross from Bortstein Legal Group
United States

Answer ... There are no US privacy laws that apply to the transfer of data abroad. However, there are international laws that apply to the transfer of data abroad. For example, the EU General Data Protection Regulation prohibits cross-border data transfers except where one of three exceptions applies:

  • an adequacy decision;
  • appropriate safeguards; or
  • derogations.

In the United States, the European Commission made a partial finding of adequacy about the United States for personal data transfers covered by the EU-US Privacy Shield framework, and there were 5,300-plus participants in the framework. But in Schrems II, the adequacy decision was invalidated on grounds that US digital surveillance policies and practices – including the Foreign Intelligence Surveillance Act and Executive Order 12,333 (sanctioning bulk data collections) – are inconsistent with European fundamental rights giving citizens the rights to privacy and data protection.

‘Appropriate safeguards’ include standard contractual clauses and binding corporate rules, among other things. For companies that are subject to surveillance by law enforcement, however, these mechanisms may no longer be valid, pursuant to the same reasoning relied on in the Schrems II decision.

The last category, derogations, includes things such as consent or occasional transfers that are necessary to perform or enter into a contract. This last category is not intended to be relied upon for consistent transfers because, for example, the consent requirements are difficult to meet and consent can be withdrawn at any time; and the ‘necessary’ exception does not permit consistent transfers and requires that the transfer be required to perform the core purpose of the contract.

For more information about this answer please contact: Jenny Colgate from Rothwell, Figg, Ernst & Manbeck, P.C.
6.3
What other requirements, restrictions and best practices should be considered when transferring personal data, both within your jurisdiction and abroad?
Australia

Answer ... Although an APP entity will not be directly liable for breaches of the Privacy Act by a third party to which it discloses information where that third party is located in Australia (and the disclosure is for a permitted purpose), best practice dictates that the transferring APP entity should undertake due diligence to ensure that the third party will handle the personal information in accordance with the Privacy Act, and may also require that the APP entity imposes contractual obligations on such third parties to handle the personal information appropriately (and takes reasonable steps to monitor compliance with those obligations).

APP entities should consider the manner in which disclosures occur. Where, for example, personal information is transferred via the Internet, it would be appropriate to ensure that, at a minimum, the personal information is encrypted before that disclosure occurs, to prevent unauthorised interception during transfer.

There is a key legislative development that should also be considered in this context, which is the new CDR, as contained in Part IVD of the Competition and Consumer Act. This regime empowers an individual to direct a business in a sector subject to the regime to transfer his or her information to an authorised third party to enable the relevant individual to obtain alternative goods or services. CDR currently applies only in the banking sector, but will be implemented in other sectors as well. CDR has strict requirements for transferring CDR data (which is personal information when related to individuals), which may set benchmarks for other personal information disclosures.

For more information about this answer please contact: Angela Flannery from Holding Redlich
India

Answer ... There are no other restrictions or requirements imposed under Indian law when transferring personal information within or outside India. However, it is now fairly standard for medium and large corporations, and particularly multinational companies, to execute inter-company (or intra-group) data processing agreements and data transfer agreements when transferring or disclosing personal information to each other. Such agreements usually prescribe the minimum information security standards and safeguards that a transferee or processor must implement.

For more information about this answer please contact: Probir Roy Chowdhury from J. Sagar Associates
Liechtenstein
No answer submitted for this question.
Luxembourg

Answer ... There are no other requirements or restrictions than those set out in the GDPR.

It is also recommended to follow the different guidelines relating to the transfer of personal data issued by the European Data Protection Board and available on its website.

For more information about this answer please contact: Anne Morel from Bonn Steichen & Partners
Pakistan

Answer ... The draft Pakistan Personal Data Protection Bill, 2020 includes only the requirements set out in questions 6.1 and 6.2. Once the law has been promulgated and enforced, the Personal Data Protection Authority of Pakistan, under its rule-making powers, will issue a framework setting out further requirements.

For more information about this answer please contact: Saifullah Khan from S.U.Khan Associates Corporate & Legal Consultants
Portugal

Answer ... Controllers must be especially aware that their duties and responsibilities are not waived whenever they transfer personal data to another controller. On the contrary, these duties are increased, with the burden of due diligence in ensuring that the recipient of the personal data complies with all requirements of the regime.

Examples of such due diligence include the duty to ensure that any rectification or deletion of personal data required to keep the data accurate is equally and timely performed by the recipient, where necessary.

Most importantly, as noted above for transfers to third countries, the controller and the processor must ensure that the recipient complies with the data protection requirements, including further onward transfers to other third countries.

For more information about this answer please contact: Óscar Madureira from Rato & Cortés, Sociedade de Advogados, SP, RL
Switzerland

Answer ... A legal basis or a reasonably close connection is required to transfer data, and the general principles of data processing remain applicable (eg, transparency, purpose limitation, data minimisation, proportionality). Article 6 of the DPA stipulates the following legal bases for the transfer of data abroad:

  • The processing is directly connected with the conclusion or the performance of a contract, and the personal data is that of a contractual party;
  • Disclosure is essential in the specific case in order either to safeguard an overriding public interest or for the establishment, exercise or enforcement of legal claims before the courts;
  • Disclosure is required in the specific case in order to protect the life or the physical integrity of the data subject; or
  • The data subject has made the data generally accessible and has not expressly prohibited its processing.

For more information about this answer please contact: Carol S. Rothenfluh from SwissLegal
Taiwan

Answer ... Although the PDPA allows for international data transfers to almost all countries in the world, the data controller in Taiwan must still conduct the transfer based on one of the legal grounds as set forth under the PDPA. Before conducting the international transfer, a review of the relevant legal grounds should be conducted to ensure that the transfer is legal under the PDPA.

For more information about this answer please contact: Ken-Ying Tseng from Lee And Li
Turkey

Answer ... In practice, obtaining the explicit consent of the data subject seems to be the only viable option to transfer personal data abroad, as the DPA has not yet published a safe countries list or announced the approval of any BCRs or transfer requests.

For more information about this answer please contact: Burak Özdağıstanli from Ozdagistanli Ekici Avukatlık Ortaklığı
UK

Answer ... When transferring data both nationally and internationally, measures should be carefully considered and implemented to reduce any risk to personal data. Pseudonymisation and encryption are both effective ways of ensuring that the data does not fall into the wrong hands and if it does so, the personal data may still be adequately protected.

Pseudonymisation replaces identifying information with artificial identifiers in order to mask the data. Although this is a key feature in protecting data and has been emphasised in the GDPR, this alone does not prevent unauthorised access. It is for this reason that the GDPR also mentions encryption, which, although similar to pseudonymisation in that it replaces identifiers, also ensures that only authorised users holding the right encryption key can access the data sets.

For more information about this answer please contact: Benjamin Ross from Bortstein Legal Group
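The distinction drawn in the UK answer above, that pseudonymisation masks the identifier while the rest of the record stays readable and that encryption is what actually gates access to the data set behind a key, is illustrated by the following added Go example. It is not part of the guide or of any contributor's answer, and its technique choices are assumptions: HMAC-SHA256 under a separately held key for pseudonymisation (the key is the "additional information" that allows re-identification) and AES-256-GCM for encryption. The keys and the record are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Record is a constructed sample record of the kind a data transfer might carry.
type Record struct {
	Email string // direct identifier of the data subject
	Note  string // free-text payload that is still personal data
}

// PseudoRecord is what a recipient of a pseudonymised data set receives:
// the identifier is replaced by an artificial token, the payload is untouched.
type PseudoRecord struct {
	Token string
	Note  string
}

// Pseudonymise replaces the e-mail address with an HMAC-SHA256 token under
// pseudoKey. The key must be kept separately from the data set: without it the
// token cannot be linked back to the person, but the Note is still readable.
func Pseudonymise(pseudoKey []byte, r Record) PseudoRecord {
	mac := hmac.New(sha256.New, pseudoKey)
	mac.Write([]byte(r.Email))
	return PseudoRecord{Token: hex.EncodeToString(mac.Sum(nil)), Note: r.Note}
}

// ReIdentify checks whether a token belongs to a candidate identifier. Only the
// holder of pseudoKey (normally the exporter) can do this; the recipient cannot.
func ReIdentify(pseudoKey []byte, token, candidate string) bool {
	expected := Pseudonymise(pseudoKey, Record{Email: candidate}).Token
	return hmac.Equal([]byte(expected), []byte(token))
}

// Encrypt seals plaintext with AES-256-GCM. The random nonce is prepended to
// the ciphertext; GCM's authentication tag detects any tampering in transit.
func Encrypt(encKey, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey) // encKey must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. A wrong key or a modified ciphertext fails the
// authentication check and returns an error instead of garbage.
func Decrypt(encKey, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	// Constructed keys for the demonstration; real keys come from a key manager.
	pseudoKey := []byte("example-pseudonymisation-key-32b") // 32 bytes
	encKey := []byte("example-encryption-key-32-bytes!")   // 32 bytes
	rec := Record{Email: "alice@example.com", Note: "diagnosis: constructed sample"}

	p := Pseudonymise(pseudoKey, rec)
	fmt.Printf("pseudonymised: token=%s... note=%q (payload still readable)\n", p.Token[:12], p.Note)
	fmt.Println("exporter can re-identify:", ReIdentify(pseudoKey, p.Token, "alice@example.com"))

	sealed, err := Encrypt(encKey, []byte(p.Note))
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted payload: %x... (unreadable without encKey)\n", sealed[:12])
	if _, err := Decrypt([]byte("wrong-key-wrong-key-wrong-key-32"), sealed); err != nil {
		fmt.Println("wrong key rejected:", err)
	}
	plain, _ := Decrypt(encKey, sealed)
	fmt.Println("decrypted with right key:", string(plain))
}
```

The point to take from running it: the pseudonymised record still exposes the Note to anyone who obtains the file, which is the "this alone does not prevent unauthorised access" limitation; only after the payload is encrypted does possession of the data set become useless without the key, and GCM's tag additionally rejects ciphertext altered in transit.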
United States

Answer ... Some best practices when transferring personal data include the following:

  • Provide notice to the end user of the information being transferred and the reason for the transfer;
  • Obtain consent from the end user to the transfer (or alternatively, at least provide the right to opt out);
  • Enter into a contract with the third party with which the data is being shared, setting forth restrictions on the security, use and further sharing of the personal information, and maintain a level of control over the shared information; and
  • Ensure that the transfer of personal data is done securely.

If you are an entity engaged in data transfers with the European Union, it is advisable to take a close look at your policies and practices regarding responding to requests for information from US law enforcement, including:

  • the number of requests you have received;
  • the number of user accounts involved and how many of the users were EU data subjects;
  • the basis for the requests (and whether the basis allows for a right to a remedy in the event that their rights were violated); and
  • whether an EU data subject has ever contended that his or her rights had been violated as a result of your sharing of information with law enforcement.

The more information that you have to show that you have not provided information to US law enforcement pursuant to surveillance requests that do not offer EU data subjects a remedy in the event their rights are violated, the safer the footing you should be on going forward with respect to EU-US data transfers pursuant to, for example, standard contractual clauses.

For more information about this answer please contact: Jenny Colgate from Rothwell, Figg, Ernst & Manbeck, P.C.
7.
Rights of data subjects
7.1
What rights do data subjects enjoy with regard to the processing of their personal data? Do any exemptions apply?
Australia

Answer ... Consent is generally not required under the Privacy Act for the collection, use and disclosure of an individual’s personal information, other than sensitive information.

This does not mean that individuals do not have rights under the Privacy Act in relation to the collection, use and disclosure of their information. The following in particular should be noted:

  • Personal information is generally required to be collected directly from the individual (APP 3.1). Therefore, an individual has a choice as to whether to provide that information.
  • Collection must be by lawful and fair means (APP 3.5). For example, an APP entity cannot seek to collect personal information by deception or from an individual who is impaired, such as where the person is in shock.
  • Individuals may require access to, and correction of, their personal information held by an APP entity (APP 12); though – unlike in jurisdictions such as the European Union – the Privacy Act does not include a right to be forgotten.
  • Individuals may complain if their personal information is used or disclosed for a purpose other than that for which it was collected or for a permitted secondary purpose (Part V of the Privacy Act).

There are limited cases where personal information may be collected, used and disclosed outside of the general rules otherwise applicable under the Privacy Act. These apply when a “permitted general situation”, such as taking action regarding unlawful activities or mitigating a serious threat to life, or a “permitted health situation”, such as related to certain research purposes, exists.

For more information about this answer please contact: Angela Flannery from Holding Redlich
India

Answer ... Data subjects enjoy the following rights under Indian law with respect to the processing of their personal information:

  • Access and review: The data collector must permit a data subject (if requested) to access and review the information shared by him or her, and to correct or update any inaccurate or incorrect information;
  • Opt-out of sharing sensitive personal data or information (SPDI): The data collector must provide a data subject with the option not to provide any SPDI sought to be collected; and
  • Withdrawal of consent: The Privacy Rules also allow a data subject to withdraw the consent previously provided to the data collector.

For more information about this answer please contact: Probir Roy Chowdhury from J. Sagar Associates
Liechtenstein

Answer ... Under the Data Protection Act, data subjects have the following rights with regard to their personal information:

  • the right to be informed about the collection and the use of their personal data;
  • the right to access personal data and supplementary information;
  • the right to have inaccurate personal data rectified or completed;
  • the right to erasure (to be forgotten) in certain circumstances;
  • the right to restrict processing in certain circumstances;
  • the right to data portability, which allows the data subject to obtain and reuse his or her personal data for his or her own purposes across different services;
  • the right to object to processing in certain circumstances;
  • rights in relation to automated decision making and profiling;
  • the right to withdraw consent at any time (where relevant); and
  • the right to complain.

For more information about this answer please contact: Thomas Nägele from NAGELE Attorneys at Law LLC
Luxembourg

Answer ... Data subjects have the following rights:

  • Right to information: The data subject has the right to be informed about the collection and use of his or her personal data.
  • Right of access: The data subject has the right to get access to his or her personal data and receive a copy of his or her personal information.
  • Right to rectification: He or she has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.
  • Right to erasure: He or she has the right to request the erasure of his or her personal data when the retention is no longer justified.
  • Right to restriction of processing: He or she has the right to obtain from the controller restriction of processing under certain conditions.
  • Right to data portability: He or she has the right to receive, free of charge, his or her personal data that he or she has provided to a controller, in a structured, commonly used and machine-readable format, and has the right to transmit those data to another controller.
  • Right to object: He or she has the right to object at any time on compelling legitimate grounds relating to his or her particular situation to the processing of data relating to him or her. This right also exists on request in the case of processing for the purposes of direct marketing.
  • Right to contest a decision based solely on automated processing.

Data subject rights are not absolute and may in certain situations be limited where necessary and appropriate to safeguard, as far as relevant:

  • national security;
  • defence;
  • public security;
  • the prevention, investigation, detection and/or prosecution of criminal offences or the execution of criminal penalties;
  • other important objectives of general public interest of the European Union or of a member state;
  • the protection of judicial independence and judicial proceedings;
  • the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
  • a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in certain cases referred to above;*
  • the protection of the data subject, or the rights and freedoms of others; or
  • the enforcement of civil law matters.

* This limitation only applies in certain cases listed above (i.e., national security, defence, public security, the prevention, investigation, detection and/or prosecution of criminal offences or the execution of criminal penalties, other important objectives of general public interest of the European Union or of a member state, the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions.)

For more information about this answer please contact: Anne Morel from Bonn Steichen & Partners
Pakistan

Answer ... The draft Pakistan Personal Data Protection Bill, 2020 confers the following rights on the data subjects:

  • the right to access personal data;
  • the right to correct personal data;
  • the right to withdraw consent;
  • the right to prevent processing that is likely to cause damage or distress; and
  • the right to erasure.

There are no exemptions to these rights. However, the draft bill specifies instances in which a data controller may refuse to comply with a request by a data subject to exercise these rights, as follows.

Right to access personal data:

  • The data controller is not provided with such information as it may reasonably require.
  • The data controller cannot comply with the data access request without disclosing personal data relating to another individual who can be identified from that information.
  • Another data controller controls the processing of the personal data to which the data access request relates in such a way as to prohibit the data controller from complying with the data request, whether in full or in part.
  • The provision of access may constitute a violation of an order of a court.
  • The provision of access may disclose confidential information relating to business of the data controller.
  • The requested access is regulated by another law.

Right to correct personal data:

  • The data controller is not provided with such information as it may reasonably require.
  • The data controller is not provided with such information as it may reasonably require to ascertain the way in which the personal data to which the data correction request relates is inaccurate, incomplete, misleading or out of date.
  • The data controller is not satisfied that the personal data to which the data correction request relates is inaccurate, incomplete, misleading or out of date.
  • The data controller is not satisfied that the correction which is the subject of the data correction request is accurate, complete, not misleading or up to date.
  • Another data controller controls the processing of the personal data to which the data correction request relates in such a way as to prohibit the data controller from complying with the data correction request, whether in full or in part.

Right to prevent processing that is likely to cause damage or distress:

  • The data subject has given his or her consent.
  • The processing of personal data is necessary:
    • to perform a contract to which the data subject is a party;
    • to take steps at the request of the data subject with a view to entering into a contract;
    • to comply with any legal obligation to which the data controller is subject, other than an obligation imposed by contract; or
    • to protect the vital interests of the data subject.
  • Such other cases as may be prescribed by the federal government upon recommendations of the Personal Data Protection Authority of Pakistan through publication in the Official Gazette.

Right to erasure:

Where processing is necessary:

  • to exercise the right of freedom of expression and information;
  • to comply with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • for reasons of public interest in the area of public health;
  • for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, insofar as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  • for the establishment, exercise or defence of legal claims.

For more information about this answer please contact: Saifullah Khan from S.U.Khan Associates Corporate & Legal Consultants
Portugal

Answer ... Right to information: Data subjects have the right to be informed of:

  • the identity and contact details of the controller (and the data protection officer, where there is one);
  • the purposes and legal basis for the processing;
  • the recipients of the data;
  • any intention to transfer the data to a third country;
  • the period for which the personal data will be stored;
  • the existence of the rights to access, rectify or erase data, to object to processing, to withdraw consent and to lodge a complaint;
  • whether the provision of data is required by law or by contract; and
  • the consequences of the data subject’s failure to provide the data.

The data subject should also be given meaningful information about any automated decision-making processes involving the data subject’s personal data.

Right to access: This includes:

  • the right to obtain from the controller confirmation as to whether personal data concerning him or her is being processed;
  • if affirmative, the right to know the purposes of processing, the categories of data concerned, the recipients of the data and the storage period;
  • the right to request from the controller the rectification or erasure of data; and
  • the right to lodge a complaint and be given information about any automated decision-making process involving the data.

Right to rectification: The data subject has the right to request rectification of inaccurate personal data. This right must be notified to the data subject.

Right to be forgotten: The data subject has the right to erasure of personal data in the following circumstances:

  • The data is no longer required for the purposes of the original processing;
  • The data subject withdraws the relevant consent for processing; or
  • The data is being unlawfully processed.

This right must be notified to the data subject.

Right to restriction of processing: Under certain circumstances, data subjects have the right to request restrictions to the processing of their personal data. This must be notified to the data subject.

Right to data portability: Data subjects have the right to receive their personal data (provided by them) in a structured, commonly used, machine-readable format, and to transmit that data to another controller.

Right to object: Data subjects have the right to object on reasonable grounds to the processing of their personal data. In the case of processing for direct marketing purposes, the right to object may be exercised at any time.

Right to individual decision making: Data subjects have the right not to be subject to decisions made by the automatic processing of their data. This includes the right not to be subject to decisions made on the sole basis of profiling.

For more information about this answer please contact: Óscar Madureira from Rato & Cortés, Sociedade de Advogados, SP, RL
Switzerland

Answer ...

  • Right of access to data/copies of data: Data subjects may request information from the controller of the data files as to whether data concerning them is being processed (Article 8(1) of the Federal Act on Data Protection (DPA)). Generally, the information must be provided in writing, in the form of a printout or copy, and free of charge.
  • Right to rectification of errors: Data subjects may request that incorrect data be corrected (Article 5(2) of the DPA).
  • Right to deletion: Data subjects may request that incorrect data be deleted.
  • Right to object to processing: Data subjects may request that data processing be stopped and/or that data not be disclosed to third parties.
  • Right to be forgotten: Although the right to be forgotten is not explicitly stated in the DPA, the Federal Data Protection and Information Commissioner and case law consider that the right to be forgotten results from the general principle of proportionality.

For more information about this answer please contact: Carol S. Rothenfluh from SwissLegal
Taiwan

Answer ... Article 3 of the Personal Data Protection Act (PDPA) provides that a data subject can exercise the following rights with regard to his or her personal data, which may not be waived or limited contractually in advance:

  • the right to make an inquiry in relation to and to review his or her personal data;
  • the right to request a copy of his or her personal data;
  • the right to supplement or correct his or her personal data;
  • the right to demand the cessation of the collection, processing or use of his or her personal data; and
  • the right to erase his or her personal data.

On the other hand, Article 11 of the PDPA also allows a data controller to refuse to comply with a data subject’s request if the use of the personal data is necessary for the data controller to perform its duties or conduct its business operations, or if the data subject’s written consent has been obtained.

For more information about this answer please contact: Ken-Ying Tseng from Lee And Li
Turkey

Answer ... Every data subject has the following rights:

  • to learn whether his or her personal data is being processed;
  • to demand details of the processing of his or her personal data;
  • to learn the purpose of the data processing and whether his or her personal data is being used in accordance with this purpose;
  • to learn of any third parties to which his or her personal data has been transferred, whether in Turkey or abroad;
  • to request the rectification of incomplete or inaccurate data;
  • to request the erasure or destruction of his or her personal data under the conditions specified in the Law on the Protection of Personal Data;
  • to request notification of deletion or correction to third parties to which his or her personal data has been transferred;
  • to object to a result relating to himself or herself arising through the analysis of his or her data processed solely through automated systems; and
  • to claim compensation for damages arising from the unlawful processing of his or her personal data.

For more information about this answer please contact: Burak Özdağıstanli from Ozdagistanli Ekici Avukatlık Ortaklığı
UK

Answer ... Data subjects have a significant number of rights under the General Data Protection Regulation (GDPR). It is worth bearing in mind that these are not absolute rights and a number of qualifications and exemptions apply which should be considered carefully when responding:

  • Right to be informed: Individuals have the right to be informed about when their personal data is being collected and why. This is a key aspect of fulfilling transparency.
  • Right to access: Individuals have a right to ask to see the information that is held on them. These requests can be made either orally or in writing, and organisations must respond within one month of receiving the request. Organisations cannot charge individuals to fulfil this request.
  • Right to rectification: Individuals have the right to seek to have their personal data corrected if they are inaccurate or completed if they are incomplete. Individuals can make a request for rectification orally or in writing, and organisations must respond within one month of receiving the request. There are some limited instances in which a request for rectification can be refused.
  • Right to be forgotten: Individuals can ask for their information to be erased. Individuals can make such a request orally or in writing, and organisations must respond within one month of receiving the request. It is important to remember that this right is not absolute and can be applied only in limited circumstances.
  • Right to restrict processing: Individuals have the right to request the restriction or suppression of their personal data. This is not an absolute right and applies only in certain circumstances. When processing is restricted, the controller is permitted to store the personal data, but not use it.
  • Right to data portability: This allows individuals to obtain and use their personal data for their own purposes across different services. It allows for personal data to be easily copied from one IT environment to another. Doing this enables individuals to take advantage of applications and services that can use this data to find them better deals or understand their spending habits. This right applies only to information that an individual has provided to a controller. Some organisations in the United Kingdom already offer data portability through data and similar initiatives which allow individuals to view, access and use their personal consumption and transaction data in a way that is portable and safe.
  • Right to object (to direct marketing): Under the GDPR, individuals have an absolute right to stop their data being used for direct marketing. Individuals can make such a request orally or in writing, and organisations must respond within one month of receiving the request.
  • Right to review automated decision making/profiling: Automated individual decision making (making a decision solely by automated means without any human involvement) and profiling (automated processing of personal data to evaluate certain things about an individual) are covered by the GDPR. Profiling can be part of an automated decision-making process. The GDPR has additional rules to protect individuals where an organisation is carrying out solely automated decision making that has legal or similarly significant effects on them. Where processing falls under Article 22, this must be identified and individuals must be informed about the processing. Organisations that use such methods should consider ways of incorporating the individual’s ability to question the decision making or request human intervention.

Some limited exemptions apply to some of these rights, further details of which can be found in the Data Protection Act 2018, as summarised in the response to question 2.2 and that should be carefully considered by a controller responding to a data subject request.

For more information about this answer please contact: Benjamin Ross from Bortstein Legal Group
United States

Answer ... Federal privacy statutes offer certain data subject rights. For example:

  • the Health Insurance Portability and Accountability Act gives patients the right to view and receive copies of their health information;
  • the Gramm-Leach-Bliley Act gives consumers a right to opt out if they do not want their financial information shared with non-affiliated third parties;
  • the Family Educational Rights and Privacy Act affords parents the rights to access, correct and have some control over the disclosure of personally identifiable information in their children’s educational records;
  • the Children’s Online Privacy Protection Act gives parents the right to review the personal information collected about a child, the right to revoke consent and the right to refuse further use or collection of personal information about a child, and the right to request that a child’s personal information be deleted; and
  • the Fair Credit Reporting Act gives consumers the right to obtain a copy of a consumer report, the right to dispute incomplete or inaccurate information, and the right to restrict access to those with a valid need for access.

Several states have also enacted or proposed legislation that provides consumers or data subjects with one or more rights. For example, the California Consumer Privacy Act (CCPA) provides consumers with:

  • a right to access the categories and specific pieces of personal information held by covered businesses;
  • a right to delete data;
  • a right to portability of personal information; and
  • a right to opt out of sales of personal information.

Maine’s data privacy law includes a right to restrict data processing and an opt-in requirement for the sale of personal information. Nevada’s data privacy law provides a right to opt out of the sale of personal information.

Several exemptions may apply. For example, the CCPA provides several exemptions to the deletion of personal data, including where the data is necessary to:

  • complete a transaction for which the personal data was collected;
  • detect security incidents;
  • exercise free speech;
  • debug or repair errors in a service; or
  • comply with a legal obligation.

For more information about this answer please contact: Jenny Colgate from Rothwell, Figg, Ernst & Manbeck, P.C.
7.2
How can data subjects seek to exercise their rights in your jurisdiction?
Australia

Answer ... An individual may not take direct action against an APP entity in the event that the entity breaches the Privacy Act in relation to his or her personal information. Instead, the individual must first complain to the APP entity. Only if his or her complaint is not resolved satisfactorily by the APP entity may an individual complain to the Information Commissioner (noting that representative complaints may be made by an individual on his or her own behalf and on behalf of other similarly impacted individuals). The commissioner is obliged to investigate all complaints other than as expressly provided in the Privacy Act, such as where the complaint is frivolous or vexatious.

Individuals have very limited rights to take action to protect their privacy outside of the complaint mechanism in the Privacy Act. There is no general law right to privacy in Australia. There is limited judicial authority that protects privacy, though in 2019 an innovative privacy class action was settled in New South Wales. In that case, the complainants alleged that the unauthorised disclosure of their personal information amounted to, among other things, a breach of contract and misleading and deceptive conduct.

The government has committed to reform Australia’s privacy law over 2020/21, which could see a direct right of action for individuals to seek compensation under the Privacy Act for interference with their privacy introduced into the Privacy Act, as well as – more controversially – the introduction of a statutory tort for serious invasions of privacy which would entitle individuals to take action outside the Privacy Act.

For more information about this answer please contact: Angela Flannery from Holding Redlich
India

Answer ... The Privacy Rules require a body corporate to address all grievances of a data subject with respect to the processing of personal data or SPDI. For this, the body corporate must appoint a grievance officer to address all grievances of the data subject on behalf of the body corporate.

Accordingly, in the event that a data subject is unable to exercise his or her rights, a grievance can be raised with the grievance officer, who must redress such grievances within one month of the date of receipt of such grievance.

For more information about this answer please contact: Probir Roy Chowdhury from J. Sagar Associates
Liechtenstein

Answer ... A data subject has the right to obtain from the data controller confirmation as to whether his or her personal data is being processed, and if so, to access the personal data.

For complaints, the Data Protection Authority provides electronical complaint forms, which can be downloaded at https://formulare.llv.li/formserver_DSS/start.do;jsessionid=F9B72489053C08CB5C4F281930A90385?wfjs_enabled=true&vid=c4b2dadf97cea2a7&wfjs_orig_req=%2Fstart.do%3Fgeneralid%3DDSS_BF%26lang%3Den&txid=6cdcf0565eb5e23e7f8b20a6999979f6dacd6666#.

For more information about this answer please contact: Thomas Nägele from NAGELE Attorneys at Law LLC
Luxembourg

Answer ... Data subjects may contact the controller to exercise their rights by post, email or phone. The controller may ask for additional information necessary to confirm the identity of the data subject, if it has reasonable doubts about this.

Information must be provided in writing or by other means – including, where appropriate, by email – in a concise, transparent, understandable and easily accessible manner, with clear and simple terms. The controller must reply to the request without undue delay, and in principle within one month of receipt of the request. This period may be extended by two months where necessary (eg, in complex cases or if multiple requests are made). In such case, the controller must inform the data subject of the reason for the extension within the first month.

Information shall be provided free of charge. However, where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may charge a reasonable fee taking into account the administrative costs of providing the information or refuse to act on the request.

If the controller rejects the request, then it must inform the data subject of the reasons for doing so and of his or her right to file a complaint with the National Commission for Data Protection and to seek a judicial remedy.

Where a data subject makes a request by electronic means, the controller shall provide the requested information by electronic means where possible, unless the data subject requests otherwise.

For more information about this answer please contact: Anne Morel from Bonn Steichen & Partners
Pakistan

Answer ... Data subjects must present a written request to the data controller.

For more information about this answer please contact: Saifullah Khan from S.U.Khan Associates Corporate & Legal Consultants
Portugal

Answer ... Data subjects may exercise their rights directly before the controller, the controller’s representative or, where such a role exists, the data protection officer.

For more information about this answer please contact: Óscar Madureira from Rato & Cortés, Sociedade de Advogados, SP, RL
Switzerland

Answer ... To exercise the right to access data, the data subject must typically file a written request and provide proof of his or her identity, although an online request is also possible if the controller of the data file has made this available. The ‘right to information’ includes information about:

  • the source of the personal data;
  • the purpose of and, if applicable, the legal basis for the processing;
  • the categories of personal data processed;
  • the other parties involved in the processing; and
  • the data recipient concerned (Article 8(2) of the DPA).

The requested information must normally be provided within 30 days of receipt of the request, in writing, in the form of a printout or a photocopy, and must be free of charge.

In addition, data subjects have the ordinary judicial remedies available under civil law to protect their personality rights (Article 15 of the DPA in relation to Articles 28–28l of the Swiss Civil Code). In particular, the data subject may request that the data processing be stopped, that data not be disclosed to third parties and that personal data be corrected or deleted.

For more information about this answer please contact: Carol S. Rothenfluh from SwissLegal
Taiwan

Answer ... Data subjects may contact the data controller to exercise their rights in any manner (eg, by phone, email or letter). The PDPA requires a data controller to inform data subjects, upon collecting their personal data, of how they can exercise their rights under Article 3 of the PDPA.

For more information about this answer please contact: Ken-Ying Tseng from Lee And Li
Turkey

Answer ... The data subject must send his or her request regarding his or her rights:

  • in writing;
  • by registered electronic mail, secured by:
    • electronic signature;
    • mobile signature; or
    • an email address which has been previously recorded in the data controller’s system; or
  • through software or an application designed to receive data subjects’ requests.

The request must contain the following:

  • the data subject’s name, surname and signature, if the request is made in writing;
  • for Turkish citizens, the data subject’s identity number; for foreigners, his or her nationality, passport number or identity number if available;
  • the data subject’s residential and business address, subject to notification;
  • the data subject’s email address, telephone and fax number, if available, subject to notification; and
  • the request itself.

All documents and information regarding the request must be attached accordingly. In the case of written requests, the request date is the date on which the document is notified to the data controller or its representative.

For other electronic methods, the notification date is the date on which the request is delivered to the data controller.

Data controllers must respond to and comply with such requests within 30 days of receipt of a valid request. If there are justified grounds to reject the request (eg, a destruction request), the data controller must communicate its reasoned response within 30 days of receipt.

For more information about this answer please contact: Burak Özdağıstanli from Ozdagistanli Ekici Avukatlık Ortaklığı
UK

Answer ... There are no formal requirements or barriers to exercising data subject rights, so it is important for an organisation to train its staff on recognising data subject requests as the clock starts ticking on the timeline for responding to a request (generally a month; but there are specific rules on calculating time periods which should be considered).

Organisations should include in their privacy notice the contact details of their data protection officer or the relevant person or team responsible for data protection matters, to encourage data subjects to contact that person; but a data subject can contact anyone at an organisation and need not mention that he or she is exercising his or her rights under the GDPR or data protection laws in order to make an effective data subject request.

For more information about this answer please contact: Benjamin Ross from Bortstein Legal Group
United States

Answer ... Consumers may submit verified requests to the businesses to exercise their rights.

For more information about this answer please contact: Jenny Colgate from Rothwell, Figg, Ernst & Manbeck, P.C.
7.3
What remedies are available to data subjects in case of breach of their rights?
Australia

Answer ... As mentioned in question 7.2, individuals cannot take direct action under the Privacy Act.

Where the Information Commissioner undertakes an investigation of a complaint (including a representative complaint) or undertakes an investigation of acts or practices that may be a breach of the Privacy Act on the commissioner’s own initiative (referred to as a commissioner initiated investigation) and determines that a breach has occurred, the commissioner may make a determination that includes particular types of remedies.

These remedies include not only declarations that specific steps must be taken by the breaching APP entity to ensure the breach is not repeated or continued, but also that compensation is payable to impacted individuals. The Office of the Australian Information Commissioner Guidelines state that any compensation awards should be “restrained but not minimal”. The commissioner will award compensation for hurt feelings, humiliation and expenses incurred by the complainant in connection with making the complaint. Aggravated damages may be awarded where the conduct of the respondent warrants this, for example, if it acts maliciously. To date, such awards have not been large.

In addition, when investigating a complaint, the commissioner may seek to conciliate it, which may result in direct remedies being provided to impacted individuals.

The commissioner also has the right to accept court enforceable undertakings and take proceedings in Australia’s Federal Court or Federal Circuit Court to seek injunctions and civil penalties in relation to specific breaches of the Privacy Act. These remedies are not directly available to individuals.

For more information about this answer please contact: Angela Flannery from Holding Redlich
India

Answer ... The IT Act provides for civil and criminal remedies for breach of a data subject’s privacy rights where such breach results in harm or injury to the individual.

Section 72(A) of the IT Act prescribes the punishment applicable for the disclosure of information in breach of a lawful contract. As per Section 72(A) of the IT Act, an individual may be punished by imprisonment for up to three years or a fine of up to INR 500,000, or both, if he or she:

  • secures access to any material containing personal information about another person pursuant to a lawful contract;
  • discloses such information to a third party without the consent of the person concerned or in breach of the terms of the contract; and
  • intends to cause wrongful loss or wrongful gain, or knows that he or she is likely to cause such wrongful loss or wrongful gain.

Further, as per Section 43A of the IT Act, a body corporate that fails to implement reasonable security practices and procedures for the protection of personal information and SPDI may be required to compensate an aggrieved data subject for any injury or harm caused to him or her on account of such failure.

For more information about this answer please contact: Probir Roy Chowdhury from J. Sagar Associates
Liechtenstein

Answer ...

  • Article 77 of the General Data Protection Regulation (GDPR): right to lodge a complaint with a supervisory authority; and
  • Article 83 of the GDPR: right to compensation and liability.

For more information about this answer please contact: Thomas Nägele from NAGELE Attorneys at Law LLC
Luxembourg

Answer ... In case of breach of their rights, data subjects have the following rights:

  • the right to lodge a complaint with supervisory authorities where their data have been processed in a way that does not comply with the EU General Data Protection Regulation (GDPR);
  • the right to an effective judicial remedy:
    • against legally binding decisions concerning him or her taken by a supervisory authority; or
    • where a supervisory authority fails to deal with a complaint or fails to inform the data subject within three months of the progress or outcome of his or her complaint;
  • the right to an effective judicial remedy against a relevant controller or processor responsible for the alleged breach; and
  • the right to compensation from a relevant controller or processor for material or immaterial damage resulting from infringement of the GDPR.

For more information about this answer please contact: Anne Morel from Bonn Steichen & Partners
Pakistan

Answer ... The first remedy under the draft Pakistan Personal Data Protection Bill, 2020 is to file a complaint with the Personal Data Protection Authority of Pakistan. Appeals against decisions of the authority must be referred to the high court or to any other tribunal established by the federal government for the purpose in the manner prescribed by the high court.

For more information about this answer please contact: Saifullah Khan from S.U.Khan Associates Corporate & Legal Consultants
Portugal

Answer ... Data subjects have the right to lodge a complaint with the National Data Protection Commission (CNPD). Where corrective action may be taken, the CNPD has the power to order that such corrective action be taken by the controller or the processor (eg, the erasure of data).

Data subjects have the right to resort to judicial remedies against the handling of their complaints by the CNPD or against decisions taken by the CNPD that adversely affect their rights.

Regardless of the administrative remedies outlined above, data subjects may also start judicial proceedings against controllers or processors in case of a breach of their rights. These proceedings may be brought before the courts of the member state in which the controller or processor has an establishment or before the courts of the data subject’s country of residence.

For more information about this answer please contact: Óscar Madureira from Rato & Cortés, Sociedade de Advogados, SP, RL
Switzerland

Answer ... The data subject may further claim compensation for moral suffering and payment of damages or the handing over of profits, provided that he or she can prove actual damage based on privacy infringements, which is difficult in practice.

For more information about this answer please contact: Carol S. Rothenfluh from SwissLegal
Taiwan

Answer ... If the data subjects suffer any damages or losses, they may seek compensation from the data controller. The data controller may also be subject to criminal sanctions. If its sectoral regulator discovers non-compliance, the regulator may order the data controller to comply with the data subjects’ request within a certain timeframe; otherwise, the regulator has the power to impose an administrative fine of between NTD 20,000 and NTD 200,000 consecutively until the required action is taken.

For more information about this answer please contact: Ken-Ying Tseng from Lee And Li
Turkey

Answer ... If the request is rejected, or if the data controller provides an insufficient response or does not respond in due time, the data subject may lodge a complaint with the Data Protection Authority within 30 days of the date on which he or she learns of the data controller’s reply, and in any event within 60 days of the date of the request.

The data subject may also claim compensation from the data controller if he or she suffered any damage due to the unlawful processing of his or her personal data.

For more information about this answer please contact: Burak Özdağıstanli from Ozdagistanli Ekici Avukatlık Ortaklığı
UK

Answer ... Data subjects can complain to the Information Commissioner’s Office (which may then investigate and/or fine the organisation).

Data subjects also have a right to claim compensation through the courts in instances where they have suffered material or non-material damage due to a GDPR infringement. Compensation can be claimed from both controllers and processors.

For more information about this answer please contact: Benjamin Ross from Bortstein Legal Group
United States

Answer ... All 50 states have unfair or deceptive acts or practices statutes, many of which provide for a private right of action, and numerous common law claims are available to data subjects in the case of breach of their rights. Additionally, a handful of state and federal privacy laws provide consumers with a private right of action for certain types of violations of their data privacy rights. For example:

  • the CCPA provides a limited private right of action pertaining to data security breaches of non-encrypted and non-redacted personal information;
  • the Telephone Consumer Protection Act provides for a private right of action for violations and statutory damages in the amount of $500 for each violation and up to $1,500 for each wilful violation; and
  • the Illinois Biometric Information Privacy Act provides a private right of action for any person ‘aggrieved’ by a violation thereof, and permits recovery of statutory damages of $1,000 per negligent violation or $5,000 if the violation is deemed intentional or reckless.

The Fair Credit Reporting Act, the Electronic Communications Privacy Act and the Video Privacy Protection Act (VPPA) are other examples of privacy statutes which provide for private rights of action. The VPPA broadly prevents disclosure of personally identifiable rental records of “prerecorded video cassette tapes or similar audio visual material”, and offers civil remedies of not less than $2,500.

Consumers can additionally submit complaints to state and federal entities for law enforcement action against violators.

For more information about this answer please contact: Jenny Colgate from Rothwell, Figg, Ernst & Manbeck, P.C.
8.
Compliance
8.1
Is the appointment of a data protection officer mandatory in your jurisdiction? If so, what are the consequences of failure to do so?
Australia

Answer ... APP 1.2(a) requires APP entities to take reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles (APPs) (and any applicable APP codes). It is not a mandatory requirement of APP 1.2(a) to appoint a privacy officer, but the Office of the Australian Information Commissioner (OAIC) Guidelines suggest this is an appropriate governance mechanism.

Commonwealth government agencies, other than government ministers, must comply with the Privacy (Australian Government Agencies – Governance) APP Code 2017 (Cth). The code sets out steps regulated agencies must take to comply with APP 1.2. The code requires agencies to have at least one privacy officer. The code also requires that agencies have a privacy champion: a senior official of the agency who promotes a privacy culture in the relevant agency and provides leadership on strategic privacy issues.

Even though private sector APP entities are not bound by the code, many would have a privacy officer as part of their practices and procedures to comply with the Privacy Act.

The code is a registered APP code under the Privacy Act. Section 26A of the Privacy Act requires compliance with registered APP codes, meaning that the consequences for an agency of not appointing a privacy officer will be the same as for any other breach of the Privacy Act. For other APP entities, a failure to have a privacy officer is not of itself a breach, but is likely to be taken into consideration by the OAIC in assessing compliance with APP 1.2.

For more information about this answer please contact: Angela Flannery from Holding Redlich
India

Answer ... Under the Privacy Rules, the appointment of a data protection officer is not mandatory in India. In fact, there is no concept of a data protection officer under the current law.

For more information about this answer please contact: Probir Roy Chowdhury from J. Sagar Associates
Liechtenstein

Answer ... Article 37 of the GDPR sets out three primary scenarios in which the appointment of a data protection officer (DPO) is mandatory, as follows:

  • The data processing is carried out by a public authority or body;
  • The core activities of the controller or the processor consist of processing operations which require the regular and systematic monitoring of data subjects on a large scale; or
  • The core activities of the controller or the processor consist of processing on a large scale of sensitive personal data or personal data relating to criminal convictions and offences.

For more information about this answer please contact: Thomas Nägele from NAGELE Attorneys at Law LLC
Luxembourg

Answer ... The designation of a data protection officer (DPO) is mandatory in the following cases:

  • The processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  • The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • The core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.

An organisation may also designate a DPO on a voluntary basis. In such case, the same requirements apply to his or her designation, position and missions as if the designation had been mandatory.

Unless it is evident that an organisation is not required to designate a DPO, it is recommended that controllers and processors document the internal analysis carried out to determine whether a DPO is to be appointed.

Failure to appoint a DPO where mandatory may result in administrative fines of up to €10 million or, in the case of an undertaking, up to 2% of its total worldwide annual turnover in the preceding financial year.

For more information about this answer please contact: Anne Morel from Bonn Steichen & Partners
Pakistan

Answer ... Section 34(2)(c)(viii) of the draft Pakistan Personal Data Protection Bill, 2020 empowers the Personal Data Protection Authority of Pakistan to formulate a compliance framework regarding the responsibilities of the data protection officer. The draft bill does not define the term or provide any further details. On the establishment of the authority, this framework will be devised addressing matters such as the mandatory or voluntary appointment of a data protection officer and the consequences of failure to do so.

For more information about this answer please contact: Saifullah Khan from S.U.Khan Associates Corporate & Legal Consultants
Portugal

Answer ... In cases where processing is carried out by a public authority or body, except for courts acting in their judicial capacity, a data protection officer must be appointed.

In the private sector, a data protection officer must also be appointed where the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale.

Finally, a data protection officer must also be appointed where the core activities of the controller or the processor consist of the processing on a large scale of sensitive personal data or personal data relating to criminal convictions and offences.

The failure to appoint a data protection officer, where mandatory, is deemed a serious administrative offence and is subject to fines of up to €10 million or 2% of annual worldwide turnover, in the case of large corporations. For small and medium-sized enterprises, the first limit becomes €1 million; this shall not exceed €250,000 in the case of natural persons.

Payment of the fine does not exempt a data controller from the duty to appoint a data protection officer.

For more information about this answer please contact: Óscar Madureira from Rato & Cortés, Sociedade de Advogados, SP, RL
Switzerland

Answer ... The Federal Act on Data Protection currently in force does not stipulate an obligation for companies to appoint a data protection officer; thus, this appointment is optional and no consequences of failure apply.

For more information about this answer please contact: Carol S. Rothenfluh from SwissLegal
Taiwan

Answer ... No. The Personal Data Protection Act (PDPA) does not require a private business to appoint a data protection officer. However, the Enforcement Rules suggest that a private business should allocate sufficient resources to handle personal data related matters within its organisation.

For more information about this answer please contact: Ken-Ying Tseng from Lee And Li
Turkey

Answer ... There is no requirement to appoint a data protection officer under Turkish law. That said, all foreign controllers must appoint a data controller representative (please see questions 3.2 and 4.2).

For more information about this answer please contact: Burak Özdağıstanli from Ozdagistanli Ekici Avukatlık Ortaklığı
UK

Answer ... The appointment of a data protection officer (DPO) is mandatory in the following circumstances:

  • the processing is being carried out by a public authority or body, except for courts;
  • the core activity of the controller or processor consists of processing operations which require the regular monitoring of data subjects; or
  • the core activity of the data controller and processor involves the processing of special categories of data on a large scale, or of data that relates to criminal convictions or offences.

There is guidance which expands on these triggers. Otherwise, an organisation can voluntarily choose to appoint a DPO; but it is important to bear in mind that all obligations, powers and responsibilities of a mandatorily appointed DPO then apply to the voluntarily appointed DPO.

If an organisation does not appoint a voluntary DPO, it still needs to ensure that appropriate staff are responsible for and report on data protection matters.

For more information about this answer please contact: Benjamin Ross from Bortstein Legal Group
United States

Answer ... Appointing a data protection officer is not mandatory in the United States. However, depending on the organisation, the type of data it collects, the nature of its business and how it operates, it may well be advisable that the company have either an in-house or third-party resource to address the day-to-day issues around data protection and privacy.

Especially for companies involved in the regular and systematic processing or storing of significant amounts of personal information, a data protection officer (DPO) may play a critical role in the data protection governance structure. The DPO can help to navigate the constantly evolving landscape of data protection in the United States and offer expert guidance on demonstrating compliance with the patchwork of state laws. By serving as a liaison between upper management and the company’s employees and staff, the DPO can monitor data protection efforts and keep the organisation apprised of its compliance obligations, as well as helping to mitigate liability and/or damages or penalties in the event of a breach or other data privacy investigation.

For more information about this answer please contact: Jenny Colgate from Rothwell, Figg, Ernst & Manbeck, P.C.
8.2
What qualifications or other criteria must the data protection officer meet?
Australia

Answer ... Neither the Privacy Act nor the Privacy (Australian Government Agencies – Governance) APP Code mandates specific qualifications or other criteria privacy officers must meet. However, the OAIC has issued a Privacy Officer Toolkit for agencies. This outlines the skills and knowledge the OAIC expects agency privacy officers to have, as follows:

  • unsurprisingly, an in-depth knowledge of the Privacy Act (and the code) and an ability to operationalise those requirements;
  • an understanding not only of the relevant agency’s strategic priorities and key projects involving the collection and use of personal information, but also of the agency’s systems and processes to handle personal information;
  • strong communications and stakeholder management skills; and
  • an understanding of privacy dispute resolution and complaint handling processes.

Although, as mentioned in question 8.1, the code is not binding on private sector APP entities, the Privacy Officer Toolkit is a useful resource for such APP entities in considering the qualifications that a privacy officer should have. In the case of a private sector APP entity, a privacy officer should have not only a good understanding of the requirements of the Privacy Act (and any applicable APP codes), but also the ability to operationalise those requirements. In addition, such a privacy officer will need the skills to work with both internal and external stakeholders, act as an advocate for good privacy practices and assist in relation to the resolution of privacy complaints. Often this means that an appointed privacy officer has legal qualifications or regulatory or governance related skills.

For more information about this answer please contact: Angela Flannery from Holding Redlich
India

Answer ... Not applicable.

For more information about this answer please contact: Probir Roy Chowdhury from J. Sagar Associates
Liechtenstein

Answer ... There is currently no uniform training through which a prospective DPO can acquire the necessary skills. The requirement profile – that is, the necessary qualifications of a DPO – will also depend on the specific data processing processes carried out in the company and the necessary protection of the personal data processed. In companies that conduct complex data processing activities or that process sensitive data on a large scale, the DPO may need to have a higher level of professional competence than in a company with less complex data processing activities.

For more information about this answer please contact: Thomas Nägele from NAGELE Attorneys at Law LLC
Luxembourg

Answer ... The DPO shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil his or her tasks.

The EU General Data Protection Regulation (GDPR) does not define precisely the necessary level of knowledge, but it must be commensurate with the sensitivity, complexity and amount of data that the organisation processes.

Relevant skills and expertise include in particular:

  • expertise in national and European data protection laws and practices, including an in-depth understanding of the GDPR;
  • an understanding of the processing operations carried out by the organisation;
  • an understanding of information technologies and data security;
  • knowledge of the business sector and the organisation; and
  • the ability to promote a data protection culture within the organisation.

For more information about this answer please contact: Anne Morel from Bonn Steichen & Partners
Pakistan

Answer ... Not currently applicable.

For more information about this answer please contact: Saifullah Khan from S.U.Khan Associates Corporate & Legal Consultants
Portugal

Answer ... Portugal does not require the professional certification of data protection officers.

The requirements of the General Data Protection Regulation (GDPR) apply: the data protection officer should be appointed on the basis of his or her professional qualities and, in particular, expert knowledge of data protection law and practices and ability to fulfil his or her tasks (see question 8.3).

For more information about this answer please contact: Óscar Madureira from Rato & Cortés, Sociedade de Advogados, SP, RL
Switzerland

Answer ... If a company intends to appoint a data protection officer, such person should be adequately skilled, with expert knowledge of data protection law and practices, in order to be able to assist the company in monitoring internal compliance with the legal framework and training employees in the field of data protection. The necessary level of expert knowledge should be connected to the specific data processing operations carried out and the protection required for the personal data processed by the company. It is equally important that the data protection officer is in a position to perform his duties in an independent manner.

For more information about this answer please contact: Carol S. Rothenfluh from SwissLegal
Taiwan

Answer ... N/A.

For more information about this answer please contact: Ken-Ying Tseng from Lee And Li
Turkey

Answer ... N/A.

For more information about this answer please contact: Burak Özdağıstanli from Ozdagistanli Ekici Avukatlık Ortaklığı
UK

Answer ... The DPO must be independent, an expert in data protection and sufficiently resourced, and report to the highest level of management.

For more information about this answer please contact: Benjamin Ross from Bortstein Legal Group
United States

Answer ... The DPO of a US-based company should first and foremost have a robust knowledge and understanding of the changing state privacy laws as they continue to roll out, as well as monitoring guidance issued by the state attorneys general. This may require:

  • regular consultation with in-house counsel;
  • updated privacy certifications;
  • participation in privacy conferences and industry association events; and
  • subscriptions to compliance reporting service updates to stay informed of new developments in the field.

Aside from being well versed in privacy and data protection law, the DPO should have a foundational knowledge of the relevant data privacy infrastructure pieces and stakeholders, such as IT, cybersecurity, human resources, general counsel, marketing, third parties and managers. Experience in risk assessments and strong communication skills are also qualifications that a company should seek when appointing a DPO.

Because the role of DPO is complex and multifaceted, it requires an independent position within the organisation. While other company employees, such as in-house counsel or IT staff, may be knowledgeable about privacy and data protection issues, to avoid distraction or any conflicts, the DPO should be a separate and unbiased entity.

For more information about this answer please contact: Jenny Colgate from Rothwell, Figg, Ernst & Manbeck, P.C.
8.3
What are the key responsibilities of the data protection officer?
Australia

Answer ... Section 10 of the Privacy (Australian Government Agencies – Governance) APP Code specifies the functions that a privacy officer of a regulated agency must perform. These are:

  • acting as the agency’s primary contact for privacy advice;
  • handling privacy enquiries, complaints and requests for access to, and correction of, personal information (whether internal or external);
  • maintaining records of personal information holdings;
  • assisting in the preparation of privacy impact assessments for high privacy risk projects and keeping a register of the agency’s privacy impact assessments; and
  • assessing compliance with the agency’s plan for taking reasonable steps to implement practices, procedures and systems to comply with the APPs and manage enquiries and complaints (ie, its plan for compliance with APP 1.2) and documenting assessments.

The role of an agency privacy officer, as mandated by the code, is very compliance focused. These are minimum requirements only and it would be expected that an agency’s privacy officer(s) would have a broader role. For example, privacy officers (including privacy officers for private sector APP entities) would typically also be required to:

  • develop and operationalise not only an APP entity’s privacy policy, but also its internal policies, procedures and systems to ensure compliance with all applicable privacy regulation (including by updating these for changes in the law);
  • monitor compliance with policies, procedures and systems;
  • undertake training of the APP entity’s employees and other staff;
  • be a key member of the data breach response team; and
  • report to senior management and/or the board on privacy issues.

For more information about this answer please contact: Angela Flannery from Holding Redlich
India

Answer ... Not applicable.

For more information about this answer please contact: Probir Roy Chowdhury from J. Sagar Associates
Liechtenstein

Answer ... The primary role of the DPO is to ensure that his or her organisation processes the personal data of staff, customers, providers and other individuals in compliance with the applicable data protection rules.

For more information about this answer please contact: Thomas Nägele from NAGELE Attorneys at Law LLC
Luxembourg

Answer ... The DPO shall be involved in all issues related to personal data. The GDPR provides for a list of tasks that the DPO must have as a minimum:

  • The DPO should assist the controller or the processor to monitor internal compliance with the GDPR. In particular, the DPO may:
    • collect information to identify processing activities;
    • analyse and check the compliance of processing activities; and
    • inform, advise and issue recommendations to the controller or the processor.
  • The DPO should provide advice where requested as regards the data protection impact assessment and monitor its performance.
  • The DPO should also cooperate with the supervisory authority and act as a contact point for the supervisory authority on issues relating to data processing.

The DPO contributes to the awareness and training of staff involved in personal data processing operations. In the performance of his or her tasks, the DPO should have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.

For more information about this answer please contact: Anne Morel from Bonn Steichen & Partners
Pakistan

Answer ... Not currently applicable.

For more information about this answer please contact: Saifullah Khan from S.U.Khan Associates Corporate & Legal Consultants
Portugal

Answer ... The key responsibilities of a data protection officer include the following:

  • to inform and advise the controller or the processor, and employees who carry out data processing, of their obligations pursuant to the regime;
  • to monitor compliance with the regime and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness raising and training of staff involved in processing operations, and related audits;
  • to provide advice where requested as regards data protection impact assessments and monitor their performance; and
  • to cooperate with the CNPD and act as the contact point for the CNPD on issues relating to processing.

In performing these tasks, the data protection officer should have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of the processing.

Additionally, the data protection officer should:

  • ensure that regular and random audits are conducted;
  • promote awareness of the importance of early detection of security incidents; and
  • actively engage data subjects on all matters relating to the data protection regime.

For more information about this answer please contact: Óscar Madureira from Rato & Cortés, Sociedade de Advogados, SP, RL
Switzerland

Answer ... The data protection officer’s key responsibilities include the following:

  • to maintain a list of data files;
  • to inform and advise the company;
  • to monitor compliance with the legal framework for data protection;
  • to raise awareness and train employees involved in processing operations; and
  • to cooperate with and act as contact person for the supervisory authority, if applicable.

For more information about this answer please contact: Carol S. Rothenfluh from SwissLegal
Taiwan

Answer ... N/A.

For more information about this answer please contact: Ken-Ying Tseng from Lee And Li
Turkey

Answer ... N/A.

For more information about this answer please contact: Burak Özdağıstanli from Ozdagistanli Ekici Avukatlık Ortaklığı
UK

Answer ... The key responsibilities of the DPO under the GDPR are to:

  • inform and advise organisations and employees about data protection laws and their obligations in relation to those;
  • manage organisations’ compliance with data protection laws, ensuring that company policies and procedures, where relevant, are compliant;
  • carry out and monitor data protection impact assessments;
  • be the first point of contact for the Information Commissioner’s Office (ICO) and cooperate with the ICO; and
  • be the first point of contact internally for any data protection issues.

A DPO must be mindful of high-risk processing of personal data, including instances where special categories of data are being processed. In instances where the DPO’s advice is not followed, the organisation should clearly document the reasons for not doing so.

A DPO can be responsible for other tasks; however, tasks should not conflict with what is required as a DPO by virtue of a tension which can sometimes exist between an organisation’s aims and its data protection obligations. For this reason, the DPO is not usually the organisation’s lawyer and is more likely to sit in the compliance or operations teams.

For more information about this answer please contact: Benjamin Ross from Bortstein Legal Group
United States

Answer ... The role of DPO is fairly comprehensive and often includes a variety of tasks. As an expert in data protection, the DPO should:

  • develop and maintain ongoing training and awareness to promote compliance with the applicable regulations and mitigate operational risk;
  • maintain an inventory of personal data and/or processing activities; and
  • monitor organisational practices to identify new processes or changes to existing processes and ensure the implementation of privacy by design principles.

The DPO may also be responsible for:

  • developing and ensuring adherence to a privacy policy and a data privacy breach response plan; and
  • conducting regular data privacy impact assessments to address potential issues proactively.

The DPO would also ideally serve as the point of contact for inquiries from government officials and requests and complaints from individuals (eg, requests to access, modify, delete, or opt out of the sale of personal information under the California Consumer Privacy Act). To oversee and implement the company’s data protection strategy, the DPO must engage both internal (eg, board of directors, management, employees) and external (eg, regulators, third parties, clients) stakeholders in regular communication about data privacy and ongoing compliance efforts.

For more information about this answer please contact: Jenny Colgate from Rothwell, Figg, Ernst & Manbeck, P.C.
8.4
Can the role of the data protection officer be outsourced in your jurisdiction? If so, what requirements, restrictions and best practices should be considered in this regard?
Australia

Answer ... An agency may outsource the role of privacy officer to another agency, but not to a private sector entity (see Section 10(2) of the Privacy (Australian Government Agencies – Governance) APP Code). For private sector APP entities, where privacy officers are not mandated, it is possible to outsource this role.

Before an APP entity (whether in the public or private sector) decides to outsource this role, it should consider whether this would satisfy its obligations under APP 1.2 to take reasonable steps to implement practices, procedures and systems to ensure compliance with the APPs (and applicable codes) and to manage privacy enquiries and complaints. The OAIC Guidelines set out the factors that an APP entity needs to consider in determining the reasonable steps it should take to comply with APP 1.2:

  • An APP entity may consider factors such as its size, resources and business model. Where an entity has a small number of staff or limited internal resources, it may be appropriate to outsource at least some part of the role of a privacy officer (eg, relating to development of processes and policies, training and the like).
  • The nature of the personal information held by an APP entity is also relevant. For example, where an APP entity handles large volumes of sensitive information, outsourcing may not be appropriate.
  • Practicability is taken into account. An entity which handles very little personal information may determine outsourcing is the best option, taking into consideration time and cost.

For more information about this answer please contact: Angela Flannery from Holding Redlich
India

Answer ... Not applicable.

For more information about this answer please contact: Probir Roy Chowdhury from J. Sagar Associates
Liechtenstein

Answer ... It is possible to outsource the role of DPO; in such case the same principles apply as for an internal DPO. The DPO must be an expert in data protection. He or she must also have sufficient credibility both to report to the board (the GDPR states that the DPO must report to the top-level decision-making body in an organisation) and to liaise with the Data Protection Authority in a number of scenarios, including breach.

For more information about this answer please contact: Thomas Nägele from NAGELE Attorneys at Law LLC
Luxembourg

Answer ... Yes. The function of the DPO can be exercised on the basis of a service contract concluded with an individual or an organisation outside the controller’s/processor’s organisation. In this latter case, such individual or organisation should fulfil all relevant requirements of Section 4 of the GDPR. The DPO must have the required professional qualities and perform his or her tasks in an independent manner, and should not fulfil other tasks and duties that would result in a conflict of interest.

For more information about this answer please contact: Anne Morel from Bonn Steichen & Partners
Pakistan

Answer ... Not currently applicable.

For more information about this answer please contact: Saifullah Khan from S.U.Khan Associates Corporate & Legal Consultants
Portugal

Answer ... The data protection officer may be, but need not be, an employee of the data controller or processor.

As provided by the GDPR, a data protection officer may fulfil his or her tasks on the basis of a service contract.

Exclusivity is not a mandatory requirement: two or more controllers (more often in the public sector) may have the same data protection officer.

However, a data protection officer must carry out his or her tasks with complete technical independence and is under a strict duty of secrecy, unlimited by time.

For more information about this answer please contact: Óscar Madureira from Rato & Cortés, Sociedade de Advogados, SP, RL
Switzerland

Answer ... In principle, no special rules apply. The outsourcing company must ensure that the external data protection officer has the necessary skills and is able and empowered to conduct his role in an independent manner.

For more information about this answer please contact: Carol S. Rothenfluh from SwissLegal
Taiwan

Answer ... N/A.

For more information about this answer please contact: Ken-Ying Tseng from Lee And Li
Turkey

Answer ... N/A.

For more information about this answer please contact: Burak Özdağıstanli from Ozdagistanli Ekici Avukatlık Ortaklığı
UK

Answer ... The role of a DPO can be outsourced to an external organisation, as long as the externally appointed DPO has the same tasks and duties as that of an internally appointed DPO and is easily accessible to employees, the ICO and data subjects.

It is also possible to appoint a DPO to act for a group of companies or public authorities. In doing so, it is important that the organisation can determine whether the shared DPO has the resources to realistically carry out its role in both organisations.

For more information about this answer please contact: Benjamin Ross from Bortstein Legal Group
United States

Answer ... Since a DPO is not required in the United States, the responsibility for data privacy may theoretically be outsourced to an individual or entity outside the company. A DPO does not have to be a company employee and can instead act more as a consultant on privacy-related issues, working for several companies simultaneously.

In lieu of, or in addition to, a DPO, many organisations in the United States are also turning to privacy management software systems (eg, OneTrust or WireWheel) that are capable of automating some compliance-related tasks, such as creating data maps or providing a platform for receiving and responding to data subject requests.

For more information about this answer please contact: Jenny Colgate from Rothwell, Figg, Ernst & Manbeck, P.C.
8.5
What record-keeping and documentation requirements apply in the data privacy context?
Australia

Answer ... The Privacy Act does not impose specific record-keeping and documentation requirements. However, the OAIC Guidelines and the Privacy (Australian Government Agencies – Governance) APP Code assist in determining the types of records and documents that should be kept to demonstrate compliance with the Privacy Act.

The OAIC Guidelines state that compliance with APP 1.2 will typically require that an APP entity puts in place:

  • risk identification and management processes, including for conducting privacy impact assessments for new projects that involve handling personal information;
  • security systems to protect personal information and procedures for identifying and responding to privacy breaches;
  • staff policies, including for training and for supervision of staff who handle personal information on a regular basis;
  • processes and systems for proactive management of agents and contractors that handle the personal information of the APP entity; and
  • governance mechanisms and a programme for the review and audit of the APP entity’s privacy policy and its internal privacy policies, procedures and systems.

These policies, procedures and systems should be appropriately documented and records kept of compliance.

Section 9 of the code requires that each regulated agency have a documented privacy management plan. The purpose of the plan is to assist in promoting a good privacy culture, and a privacy-by-design approach, in the agency. The plan must set out specific and measurable privacy targets and how the agency will meet its obligations under APP 1.2. The privacy officer must assess the agency’s performance against that plan at least annually and document those assessments.

For more information about this answer please contact: Angela Flannery from Holding Redlich
India

Answer ... The Privacy Rules impose no specific obligations on a body corporate in relation to record keeping or documentation when dealing with personal data or sensitive personal data or information (SPDI). However, as per the Privacy Rules, any personal information or SPDI collected from an individual data subject may be retained only for so long as necessary to fulfil the purpose disclosed to the data subject at the time of collection.

For more information about this answer please contact: Probir Roy Chowdhury from J. Sagar Associates
Liechtenstein

Answer ... Article 30 of the GDPR deals with record keeping. All provisions and requirements are clearly laid out, so this is one article of the GDPR in relation to which there is little to no ambiguity.

The records should contain at least the following:

  • the contact details of a person within the organisation;
  • the purpose of the data processing, explained in detail;
  • the categories of personal data processed;
  • special categories of data (sensitive data), if any;
  • any data transfers to third countries;
  • any processing of the data of minors;
  • the retention periods;
  • an overview of security and technical data protection measures;
  • a list of categories of recipients of personal data; and
  • any additional information, if deemed necessary.

For more information about this answer please contact: Thomas Nägele from NAGELE Attorneys at Law LLC
Luxembourg

Answer ... Each data controller should maintain a record of processing activities which contains:

  • the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
  • the purposes of the processing;
  • a description of the categories of data subjects and of the categories of personal data;
  • the categories of recipients to which the personal data have been or will be disclosed, including recipients in third countries or international organisations;
  • where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
  • where possible, the envisaged time limits for erasure of different categories of data; and
  • where possible, a general description of technical and organisational security measures.

Each processor must also maintain a record of all categories of processing activities carried out on the behalf of the controller.

However, this obligation shall not apply if the following conditions are fulfilled:

  • The enterprise or an organisation employs fewer than 250 persons;
  • The processing it carries out is not likely to result in a risk to the rights and freedoms of data subjects;
  • The processing is occasional; and
  • The processing does not include special categories of data (Article 9(1) of the GDPR) or personal data relating to criminal convictions and offences (Article 10 of the GDPR).

The GDPR does not define a unique template or format for the records of processing activities. A register of processing activities may be created using the GDPR Compliance Support Tool developed by the National Commission for Data Protection (CNPD).

For more information about this answer please contact: Anne Morel from Bonn Steichen & Partners
Pakistan

Answer ... Section 11 of the draft Pakistan Personal Data Protection Bill, 2020 provides that a data controller must retain a record of any application, notice, request or any other information relating to personal data that has been or is being processed by it. The Personal Data Protection Authority of Pakistan may determine the manner and form in which this record must be maintained.

For more information about this answer please contact: Saifullah Khan from S.U.Khan Associates Corporate & Legal Consultants
Portugal

Answer ... The burden of proof of compliance with all requirements of the regime rests on the data controller.

This means that the data controller must maintain a record of processing activities under its responsibility, including, at least:

  • the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
  • the purposes of the processing;
  • a description of the categories of data subjects and the categories of personal data;
  • the categories of recipients to which the personal data has been or will be disclosed, including recipients in third countries or international organisations;
  • where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, where applicable, the documentation of suitable safeguards;
  • where possible, the envisaged time limits for erasure of the different categories of data; and
  • where possible, a general description of the technical and organisational security measures adopted.

As a general rule, these requirements do not apply to controllers with fewer than 250 employees, although some exceptions exist.

The data controller has a duty to keep documentation on key aspects of the data processing, such as the data subject’s consent. Failure to produce such documentation may render the processing unlawful.

Specifically, the controller must document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. This documentation will enable the supervisory authority to verify compliance with the duty of notification of such data breaches.

For more information about this answer please contact: Óscar Madureira from Rato & Cortés, Sociedade de Advogados, SP, RL
Switzerland

Answer ... The general provisions on the archiving of business documents apply; unless otherwise stipulated, all records and documents in relation to personal data must be kept for 10 years.

For more information about this answer please contact: Carol S. Rothenfluh from SwissLegal
Taiwan

Answer ... There are no specific record-keeping or documentation requirements under the PDPA. In relation to appropriate security measures, the Enforcement Rules suggest that a company should keep records, logs and relevant evidence with regard to its collection and use of personal data.

For more information about this answer please contact: Ken-Ying Tseng from Lee And Li
Turkey

Answer ... Data controllers must prepare and retain the following:

  • a data processing inventory (please see questions 3.2 and 5.3);
  • a privacy notice for the different categories of data subject (please see question 5.3); and
  • a data retention and destruction policy (please see question 5.3).

For more information about this answer please contact: Burak Özdağıstanli from Ozdagistanli Ekici Avukatlık Ortaklığı
UK

Answer ... Documenting is the principal way that organisations can fulfil the principle of accountability required by the GDPR. There are several specified areas in which records must be maintained, such as the purposes of processing personal data, data sharing and retention.

Some examples of key documentation that is typically required include:

  • privacy notices to data subjects as required by the GDPR;
  • a data protection policy explaining how the organisation processes personal data;
  • an appropriate policy document as required by the Data Protection Act 2018;
  • a record of processing as required by the GDPR, which must be produced to the ICO upon demand;
  • data protection impact assessments for higher-risk processing;
  • legitimate interest assessments when relying on legitimate interests as a lawful basis; and
  • training materials and records of training.

For more information about this answer please contact: Benjamin Ross from Bortstein Legal Group
United States

Answer ... Record keeping in the privacy context is critical to demonstrate compliance and accountability. In addition to maintaining documentation of the types of personal data that are collected and how and to where the data flows (eg, between systems, between processes, between countries), an organisation should document, whenever possible:

  • communications between internal and external privacy stakeholders;
  • the legal basis or the business purposes for processing personal data;
  • any internal policies and procedures relating to data privacy (eg, collecting sensitive data, handling data of minors, de-identification or encryption of data, secure destruction of data);
  • participation in data privacy training activities;
  • the results of and any actions taken in response to a privacy impact assessment/data privacy impact assessment;
  • data subject requests; and
  • metrics for data privacy complaints (eg, number, root cause, risk, resolution).

As a best practice for transparency, organisations may provide a repository of privacy information for employees, such as an internal data privacy intranet, through which employees can access training and awareness materials, privacy and breach notification policies, and DPO or privacy personnel contact information. Appropriate public-facing privacy materials may be provided on the company’s website or other customer interfaces to demonstrate compliance and build trust with consumers.

For more information about this answer please contact: Jenny Colgate from Rothwell, Figg, Ernst & Manbeck, P.C.
8.6
What other requirements, restrictions and best practices should be considered from a compliance perspective in the data privacy context?
Australia

Answer ... The OAIC’s regulatory priorities, as announced in May 2020, focus on online platforms and social media, particularly looking at privacy policies, default settings and issues of consent. Personal information security and data breaches are also areas targeted by the OAIC. These priorities highlight compliance issues for all APP entities, whether operating in an online or offline environment.

A privacy policy sets out the types of personal information an APP entity collects, as well as how it holds, protects, uses and discloses that information. As such, it is a cornerstone of an APP entity’s compliance framework. The Australian Competition and Consumer Commission’s (ACCC) Digital Platforms Inquiry, conducted over 2018 and 2019, concluded that digital platforms’ privacy policies are often long, complex, vague and difficult to understand. Although the ACCC’s analysis was limited to digital platforms, given its findings, the government has accepted the ACCC’s recommendation that changes be made to the Privacy Act to strengthen notification and consent requirements. Each APP entity should therefore give careful consideration to whether its privacy policy is not only compliant with APP 1.4 (which states the minimum information a privacy policy must contain), but is also clear and straightforward for individuals to understand.

Data breaches may happen even where entities have strong and robust security systems to protect personal information. Given the OAIC’s focus on this area, it is important from a compliance perspective that data breach policies are fully documented and regularly tested so that, in the unfortunate case that a breach occurs, these policies may be efficiently implemented.

For more information about this answer please contact: Angela Flannery from Holding Redlich
India

Answer ... There are no other overarching requirements or restrictions that must be considered. However, entities in specific regulated industries must comply with sector-specific regulations regarding data storage and record keeping. For instance, insurers must comply with the Insurance Regulatory and Development Authority of India’s regulations on the storage of insurance records.

For more information about this answer please contact: Probir Roy Chowdhury from J. Sagar Associates
Liechtenstein

Answer ... The Data Protection Authority provides extensive services in this regard, including tips, sample templates and guidelines. In case of doubt, the Data Protection Authority should be contacted as a best practice.

For more information about this answer please contact: Thomas Nägele from NAGELE Attorneys at Law LLC
Luxembourg

Answer ... The DPO cannot be penalised or dismissed by the controller or the processor for performing his or her tasks, and should directly report to the highest management level of the controller or the processor.

The DPO may fulfil other tasks and duties, provided that this does not give rise to a conflict of interests. The DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data.

Details of the DPO must be communicated to the CNPD. In this regard, a form allowing organisations to send their DPO’s details to the CNPD is available on the CNPD website.

For more information about this answer please contact: Anne Morel from Bonn Steichen & Partners
Pakistan

Answer ... The draft Pakistan Personal Data Protection Bill, 2020 includes only the requirements set out in questions 8.1 and 8.5. Once the law has been promulgated and enforced, the Personal Data Protection Authority of Pakistan, under its rule-making powers, will issue a framework setting out further requirements.

For more information about this answer please contact: Saifullah Khan from S.U.Khan Associates Corporate & Legal Consultants
Portugal

Answer ... Under Article 8 of the GDPR, the legal age for a data subject to consent to the processing of his or her personal data in relation to the offer of information society services is 16 years.

However, member states may specify a lower age for those purposes, provided that this is not below 13 years. This is the case for Portugal, where the age of consent for such purposes has been set at 13 years.

For more information about this answer please contact: Óscar Madureira from Rato & Cortés, Sociedade de Advogados, SP, RL
Switzerland

Answer ... Not applicable.

For more information about this answer please contact: Carol S. Rothenfluh from SwissLegal
Taiwan

Answer ... Given that the PDPA does not require the appointment of a data protection officer, data protection matters are often handled by different departments, including legal, HR, IT and compliance. As a result, it is often difficult to handle a particular data protection matter within an organisation; and sometimes personal data protection matters are not in fact handled by any of the relevant departments. It is very important that a company designate and empower a particular department with responsibility for data protection matters, or establish a joint taskforce among different departments to this end.

For more information about this answer please contact: Ken-Ying Tseng from Lee And Li
Turkey

Answer ...

  • Employee training; and
  • Organisational measures

For more information about this answer please contact: Burak Özdağıstanli from Ozdagistanli Ekici Avukatlık Ortaklığı
UK

Answer ... When processing personal data, individuals whom it concerns must be informed why their information is needed, what will be done with it and who will have access to it. This information must be provided in a manner that can be easily understood by the intended audience, and there is detailed guidance on formatting, tone and style which should be taken into consideration.

The best way to relay this information may be in written form in a document called a privacy notice, which as a general rule should be provided to data subjects at the point at which the data is collected from them, although there are qualifications to this which need to be carefully considered. The privacy notice must be tailored to the organisation’s data protection practices and operations, and the ICO considers very negatively the wholesale copying and pasting of privacy notices among organisations. Privacy notices must contain:

  • the contact details of the controller;
  • the contact details of a data protection officer or person responsible for data protection related matters;
  • the purpose(s) of the processing and the lawful basis for the processing;
  • if there is reliance on legitimate interest, details of what that is;
  • details of any other recipient of the data;
  • information concerning transfers to third parties if applicable and safeguarding measures;
  • the retention period for the information;
  • the existence of data subject rights;
  • where processing is based on consent, an explanation that data subjects can withdraw consent at any time, without affecting what was processed based on the consent prior to withdrawal;
  • an explanation of the right to lodge a complaint with the ICO;
  • whether providing personal data is a statutory or contractual requirement and, if applicable, the consequences of failure to provide the personal data;
  • whether the personal data will be subject to any automated decision-making processes that will be applied to the data, including profiling, and how decisions are made based on that; and
  • if the purpose of why the data was collected changes, advance notice of this change and any other information required.

For more information about this answer please contact: Benjamin Ross from Bortstein Legal Group
United States

Answer ... Wherever possible, to mitigate operational risk, data privacy policies and procedures should be embedded in organisational practices. For instance, data privacy should be integrated into record retention, marketing practices, information security practices, HR and employee health and safety practices, cookies and online tracking mechanisms, third-party contracts and agreements and so on.

Businesses in the United States should also strive to develop a privacy management framework that aligns with the best practices set forth in the General Data Protection Regulation, including:

  • data minimisation (collecting and processing only personal data for which the company has a legitimate business purpose);
  • data accuracy (keeping only relevant and up-to-date data); and
  • accountability and transparency.

For more information about this answer please contact: Jenny Colgate from Rothwell, Figg, Ernst & Manbeck, P.C.
9.
Data security and data breaches
9.1
What obligations apply to data controllers and processors to preserve the security of personal data?
Australia

Answer ... Under APP 11.1, each APP entity must take reasonable steps to protect the personal information that it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure.

The Office of the Australian Information Commissioner’s view is that the reasonable steps required will depend on the relevant circumstances. These circumstances include:

  • the nature of the APP entity (eg, size, complexity);
  • the amount and sensitivity of the information;
  • the potential adverse consequences for impacted individuals if there is a breach;
  • the practical implications of implementing security measures; and
  • whether any proposed measure is privacy invasive.

Reasonable steps include not only putting in place ICT and access security arrangements but also implementing steps and strategies regarding:

  • governance, culture and training;
  • the conclusion of binding contractual arrangements with service providers that access personal information;
  • processes for dealing with data breaches; and
  • policies for dealing with personal information that is no longer required to be held (noting that APP 11.2 imposes a separate obligation on APP entities to destroy or de-identify such personal information).

The Information Commissioner has taken regulatory action in numerous cases where APP entities have not complied with APP 11.1. For example, in 2019 she accepted an enforceable undertaking from Commonwealth Bank of Australia in relation to breaches of APP 11.1 which involved the loss of data tapes holding customer personal information and an absence of appropriate policies and procedures to restrict employees from accessing personal information of customers when this was not required to perform their roles.

For more information about this answer please contact: Angela Flannery from Holding Redlich
India

Answer ... A data collector must implement such security practices and procedures as are commensurate with the personal information and sensitive personal data or information that is being collected and stored.

This requirement includes implementing a documented information security programme and information security policies containing managerial, technical, operational and physical security control measures.

Notably, the Privacy Rules prescribe International Standard IS/ISO/IEC 27001 on Information Technology-Security Techniques-Information Security Management System-Requirements as a recommended data security standard.

For more information about this answer please contact: Probir Roy Chowdhury from J. Sagar Associates
Liechtenstein

Answer ... The General Data Protection Regulation (GDPR) refers to the obligation to have the ‘appropriate technical and organisational measures’ in place some 89 times, stressing the importance that is placed on such measures.

Technical and organisational measures include functions, processes, controls, systems, procedures and measures taken to protect and secure the personal information that an organisation processes.

The measures taken and implemented by an organisation will relate directly to its size, scope and activities; and will need to reflect the type and volume of personal data being processed. The scope and range of the GDPR’s technical and organisational measures are expansive, from assessment controls such as vulnerability scans and risk management to firewalls, strong passwords and third-party due diligence.

For more information about this answer please contact: Thomas Nägele from NAGELE Attorneys at Law LLC
Luxembourg

Answer ... Data controllers and processors must implement appropriate technical and organisational measures in order to ensure a level of security appropriate to the risk represented by personal data. Those measures should take into account:

  • the state of the art;
  • the costs of implementation;
  • the nature, scope, context and purposes of the processing; and
  • the varying risks represented for the rights and freedoms of natural persons.

Such measures can include:

  • the pseudonymisation and encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of an incident; and
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures to ensure the security of the processing.

In assessing the appropriate level of security, account must be taken in particular of the risks that are presented by processing – in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

Compliance with these requirements can be demonstrated by adhering to an approved code of conduct or certification mechanism.

Data controllers and processors must take reasonable steps to ensure that any natural person acting on their behalf who has access to personal data does not process the data except on instructions given by the controller, unless he or she is required to do so by law.

For more information about this answer please contact: Anne Morel from Bonn Steichen & Partners
Pakistan

Answer ... The Personal Data Protection Authority of Pakistan, under Section 8 of the draft Pakistan Personal Data Protection Bill, 2020, is to prescribe standards to protect personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction. The data controller and the data processor must comply with the standards prescribed by the authority.

Once the law has been promulgated and enforced, the authority, under its rule-making powers, will issue a framework setting out further requirements.

For more information about this answer please contact: Saifullah Khan from S.U.Khan Associates Corporate & Legal Consultants
Portugal

Answer ... When processing personal data, the controller and the processor are fully responsible for adopting and using appropriate technical and organisational measures to ensure the appropriate security of the data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.

In doing so, the controller shall take into account:

  • the state of the art;
  • the costs of implementation;
  • the nature, scope, context and purposes of processing; and
  • the likelihood and severity of the risks presented to the rights and freedoms of natural persons.

Technical and organisational measures may include:

  • the pseudonymisation and encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

The controller shall also conduct a security risk assessment and is encouraged to adhere to an appropriate code of conduct in this regard, where this is available.

The controller and the processor have a special duty to ensure that anyone who has access to personal data does not process it except under the controller’s or processor’s instructions.

For more information about this answer please contact: Óscar Madureira from Rato & Cortés, Sociedade de Advogados, SP, RL
Switzerland

Answer ... Article 7(1) of the Act on Data Protection (DPA) states the general rule that personal data must be protected against unauthorised processing through adequate technical and organisational measures.

Additionally, Article 8 of the Ordinance to the Federal Act on Data Protection contains additional detailed provisions on data security: anyone who, as a private individual, processes personal data or provides a data communication network must ensure the confidentiality, availability and integrity of the data in order to ensure an appropriate level of data protection. In particular, he or she must protect systems against the following risks:

  • unauthorised or accidental destruction;
  • accidental loss;
  • technical faults;
  • forgery, theft or unlawful use; and
  • unauthorised alteration, copying, access or other unauthorised processing.

The technical and organisational measures must be adequate and reviewed periodically. In particular, they must take account of the following criteria:

  • the purpose of the data processing;
  • the nature and extent of the data processing;
  • an assessment of the possible risks to data subjects; and
  • the current state of the art.

There are even more extensive obligations for the controllers of data files. For the automated processing of personal data, such controllers must take the necessary technical and organisational measures to achieve the following goals, in particular:

  • Entrance control: Unauthorised persons must be denied access to facilities in which personal data is being processed.
  • Personal data carrier control: Unauthorised persons must be prevented from reading, copying, altering or removing data carriers.
  • Transport control: On the disclosure of personal data, as well as during the transport of data carriers, the unauthorised reading, copying, alteration or deletion of data must be prevented.
  • Disclosure control: Data recipients to whom personal data is disclosed by means of devices for data transmission must be identifiable.
  • Storage control: Unauthorised storage in the memory as well as the unauthorised knowledge, alteration or deletion of stored personal data must be prevented.
  • Usage control: The use by unauthorised persons of automated data processing systems by means of devices for data transmission must be prevented.
  • Access control: Access by authorised persons must be limited to the personal data that they require to fulfil their task.
  • Input control: In automated systems, it must be possible to carry out a retrospective examination of what personal data was entered at what time and by whom.

The data files must be structured so that data subjects can assert their right of access and their right to have data corrected.

For more information about this answer please contact: Carol S. Rothenfluh from SwissLegal
Taiwan

Answer ... The Personal Data Protection Act (PDPA) requires that a data controller adopt ‘appropriate’ security measures to safeguard the personal data that it holds. A data processor should also take ‘appropriate’ security measures on the instruction of the data controller. If a data processor fails to do so, the data controller will be held liable for such non-compliance. The Enforcement Rules suggest that the following measures should be implemented in order to safeguard personal data:

  • allocating management personnel and reasonable resources;
  • defining the scope of personal data;
  • establishing a mechanism for risk assessment and management of personal data;
  • establishing a mechanism for preventing, giving notice of and responding to data breaches;
  • establishing an internal control procedure for the collection, processing and use of personal data;
  • managing data security and personnel;
  • promoting awareness, education and training;
  • managing facility security;
  • establishing an audit mechanism for data security;
  • keeping records, logs and relevant evidence; and
  • implementing integrated and persistent improvements to the security and maintenance of personal data.

For more information about this answer please contact: Ken-Ying Tseng from Lee And Li
Turkey

Answer ... The Law on the Protection of Personal Data does not contain detailed provisions on the technical and organisational measures that must be taken by data controllers. The law stipulates that data controllers must take all necessary technical and organisational measures to provide an appropriate level of security in order to:

  • prevent the unlawful processing of personal data;
  • prevent unlawful access to personal data; and
  • ensure the protection of personal data.

If a data processor is used, the data controller is jointly liable with the data processor for taking these measures. Written agreements between data controllers and data processors are not mandatory; however, the Data Protection Authority (DPA) recommends that written agreements be concluded.

Further, the Law on the Protection of Personal Data requires all data controllers to undertake the necessary compliance measures to ensure the correct implementation of the law and secondary legislation.

Separate organisational and technical measures also apply to sensitive personal data.

For more information about this answer please contact: Burak Özdağıstanli from Ozdagistanli Ekici Avukatlık Ortaklığı
UK

Answer ... One of the key principles of the General Data Protection Regulation (GDPR) is to ensure that personal data is processed securely, which requires organisations to put in place ‘appropriate technical and organisational measures’ to ensure that personal data held is not compromised or damaged, and/or does not fall into the wrong hands.

The GDPR provides specifics around the security of processing and requires organisations to carefully consider the state of technology, at the time of implementation and throughout the processing:

  • the cost of implementation;
  • the nature, scope, context and purpose of processing; and
  • whether the level of security is appropriate to the risk.

Security covers not only network and information system security, but also physical and organisational security measures.

Contracts between controllers and processors and between controllers should describe the technical and organisational measures which are implemented, and these should be evaluated by controllers as part of due diligence.

For more information about this answer please contact: Benjamin Ross from Bortstein Legal Group
United States

Answer ... All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted security breach laws, each typically specifying definitions of ‘personal information’ and a ‘breach’, as well as requirements for notice and exemptions to the requirement.

Entities are generally required to implement and maintain reasonable security procedures and practices appropriate to the nature of the personal data collected, to protect against the unauthorised access, destruction, use, modification or disclosure of personal data. There is no precise definition of ‘reasonable security measures’, and entities instead tend to evaluate applicable industry norms and practices, the risks at stake and prior enforcement actions where a company was found not to have taken adequate security measures. Several security frameworks exist – such as the National Institute of Standards and Technology Cybersecurity Framework and the International Organization for Standardization 27001 series for information security management – to assist entities in demonstrating implementation and maintenance of reasonable security measures.

In addition, nearly all federal privacy statutes (eg, the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Family Educational Rights and Privacy Act, the Children’s Online Privacy Protection Act and the Fair Credit Reporting Act) require that reasonable security procedures and practices be followed.

For more information about this answer please contact: Jenny Colgate from Rothwell, Figg, Ernst & Manbeck, P.C.
9.2
Must data breaches be notified to the regulator? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?
Australia

Answer ... Part IIIC of the Privacy Act contains the notifiable data breach regime, which applies to “eligible data breaches”.

A data breach is unauthorised access or disclosure of personal information or loss of personal information where unauthorised access or disclosure is likely to occur. However, a data breach must satisfy the following additional criteria before it is considered to be an eligible data breach:

  • The data breach is likely to result in “serious harm” to the relevant individual(s); and
  • The relevant APP entity has been unable to take steps to prevent that likely risk of serious harm.

Section 26WG of the Privacy Act sets out factors that need to be considered in determining whether serious harm is likely from a data breach, including:

  • the sensitivity of the information;
  • the persons who have obtained (or may obtain) the information; and
  • the nature of the harm that may result.

Financial harm would be serious harm, but this is a broader concept and could include physical, emotional or psychological harm.

If there are reasonable grounds to believe that an eligible data breach has occurred, an APP entity must notify the Information Commissioner as soon as practicable (Section 26WK of the Privacy Act). The notification must include:

  • the name and contact details of the entity (and of any other entities involved in the breach);
  • a description of the breach;
  • the type of information involved; and
  • recommended steps for protection from the consequences of the breach.

The My Health Records Act has a separate data breach notification regime.

For more information about this answer please contact: Angela Flannery from Holding Redlich
India

Answer ... In India, as per the Information Technology (Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (‘CERT-In Rules’), all bodies corporate must report certain cybersecurity incidents, including any incidents of unauthorised access to IT systems/data, to CERT-In. Such reporting must be done as soon as possible, to allow CERT-In to take or suggest corrective actions. However, Indian companies do not ordinarily report cybersecurity incidents to CERT-In where no third-party actor (eg, a hacker) is involved.

CERT-In is not a data protection authority and only:

  • prescribes suggested remedial actions;
  • warns stakeholders; and
  • coordinates responses to incidents.

Further, no sanctions or penalties have been prescribed in the CERT-In rules for a failure to report cybersecurity incidents to CERT-In.

For more information about this answer please contact: Probir Roy Chowdhury from J. Sagar Associates
Liechtenstein

Answer ... The GDPR obliges all organisations to report certain types of personal data breach to the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible.

For more information about this answer please contact: Thomas Nägele from NAGELE Attorneys at Law LLC
Luxembourg

Answer ... If a data breach results in a risk to the rights and freedoms of individuals, the controller must notify the personal data breach to the National Commission for Data Protection (CNPD) without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the CNPD is not made within 72 hours, the controller must also justify the reasons for the delay.

The notification must, at least:

  • describe the nature of the personal data breach – including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  • communicate the DPO’s name and contact details or other contact point;
  • describe the likely consequences of the personal data breach; and
  • describe the measures taken or proposed to be taken by the controller to address the personal data breach, including measures to mitigate its possible adverse effects.

Notification of the violation shall be sent by email to the CNPD. A form available on the CNPD website may be used to notify the breach.

Data processors are also responsible for setting up organisational and technical measures to be able to notify the controller without undue delay after becoming aware of a personal data breach in order to comply with the 72-hour notification period after the incident is detected.

For more information about this answer please contact: Anne Morel from Bonn Steichen & Partners
Pakistan

Answer ... Section 13 of the draft Pakistan Personal Data Protection Bill, 2020 requires that the data controller report a data breach to the Personal Data Protection Authority of Pakistan within 72 hours. The exception is where the personal data breach is unlikely to result in a risk to the rights and freedoms of the data subject.

Where the notification is made beyond 72 hours, the notification must state the reasons for delay.

The notification must contain the following information:

  • a description of the nature of the personal data breach, including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  • the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • the likely consequences of the personal data breach; and
  • the measures adopted or proposed to be adopted by the data controller to address the personal data breach, including where appropriate measures to mitigate its possible adverse effects.

The draft bill stipulates no process for notifying the data breach to the authority. The procedural aspect of this notification requirement will be dealt with under the rule-making powers of the authority.

The draft bill includes a mandatory requirement to notify the authority of data breaches, leaving no room for voluntary notification.

For more information about this answer please contact: Saifullah Khan from S.U.Khan Associates Corporate & Legal Consultants
Portugal

Answer ... In the case of a personal data breach, the controller must – without undue delay and, where feasible, within 72 hours of becoming aware of it – notify the personal data breach to the National Data Protection Commission (CNPD).

Where the supervisory authority is not notified within 72 hours, the controller must specify reasons for the delay.

The notification must include, at least:

  • a description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned;
  • the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • a description of the likely consequences of the personal data breach; and
  • a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

If not all information is available immediately, the information which is available should be notified to the CNPD without undue delay in stages.

If the personal data breach is unlikely to present a risk to the rights and freedoms of natural persons, the controller shall nevertheless fully document the incident, stating the facts relating to the personal data breach, its effects and the remedial action taken. This will enable the CNPD to verify compliance.

For more information about this answer please contact: Óscar Madureira from Rato & Cortés, Sociedade de Advogados, SP, RL
Switzerland

Answer ... No, there is no legal obligation to notify the Federal Data Protection and Information Commissioner.

For more information about this answer please contact: Carol S. Rothenfluh from SwissLegal
Taiwan

Answer ... The PDPA does not require that data breaches be reported to the authorities.

However, under the PDPA, the central competent authorities have the power to stipulate further rules concerning a ‘security and maintenance plan for personal information files’ in the industry sectors under their charge. For example, the central competent authority in charge of the online retail industry has stipulated such rules for this sector and requires relevant business operators to report any incident which is material and may impact on the normal operations of the business or the interests of numerous data subjects. Quite a few other central competent authorities have issued similar rules for the industries they regulate, including the information services industry.

For more information about this answer please contact: Ken-Ying Tseng from Lee And Li
Turkey

Answer ... Under the Law on the Protection of Personal Data, a data breach occurs if an unauthorised third party obtains personal data unlawfully.

In case of a data breach, the data controller must notify the DPA by using the data breach notification form on its website. The notification to the DPA must be made within 72 hours of becoming aware of the breach.

It is possible to notify the breach in stages if not all information required to complete the form is available within 72 hours.

The following information should be included in the notification:

  • the data controller’s identification information (eg, name and address), and the details of the person preparing the notification on behalf of the data controller;
  • information regarding the data breach (eg, start and end date and time of the breach) and, if the breach was notified to the data controller by the data processor, information such as the name and address of the data processor and the date and time at which the data controller was informed of the detection and notification;
  • information on the source of the data breach and how it happened;
  • the security criteria affected by the data breach;
  • details of how the data breach was detected;
  • the categories of personal data affected by the data breach;
  • the numbers of persons and records affected by the data breach;
  • the groups of data subjects affected by the data breach and the effect on them;
  • information relating to late notification and whether the breach has been notified to the data subjects;
  • information relating to potential consequences of the breach; and
  • information relating to security measures.

For more information about this answer please contact: Burak Özdağıstanli from Ozdagistanli Ekici Avukatlık Ortaklığı
UK

Answer ... All organisations have a duty to report personal data breaches to the Information Commissioner’s Office (ICO), unless it is unlikely to result in a risk to the rights or freedoms of natural persons – for example, because the data is encrypted or otherwise not accessible. This must be done within 72 hours of the organisation becoming aware of the breach. There is detailed guidance on when an organisation is deemed to be aware for this purpose. If this is not feasible, organisations must provide a reason to the ICO for the delay.

When reporting a breach, the GDPR requires the following information to be provided to the ICO:

  • a description of the nature of the personal data breach, including:
    • where possible, the categories and approximate number of individuals concerned; and
    • where possible, the categories and approximate number of personal data records concerned;
  • the name and contact details of the data protection officer (DPO) (if there is one) or other appropriate contact point where more information can be obtained;
  • a description of the likely consequences of the personal data breach; and
  • a description of the measures taken or to be taken to deal with the personal data breach; this may also include measures taken to mitigate any possible adverse effects.

It is accepted that it will not always be feasible to know all details surrounding a breach within 72 hours of becoming aware of it. The GDPR allows notification to occur in stages; however, controllers must prioritise the investigation and it is best practice to provide a reason for the delay and when information will likely be provided in full.

Breaches can be reported via the ICO website at https://ico.org.uk/for-organisations/report-a-breach/. Part of the form for reporting a personal data breach requires the organisation to confirm whether the relevant individuals at the organisation have been trained on data protection and when that took place, emphasising the importance of training as a mitigant when the ICO is considering any enforcement.

In general, since the GDPR came into force, organisations have vastly over-reported incidents which may not necessarily qualify as reportable personal data breaches, so it is important to consider carefully whether an incident necessitates being reported. Reporting in error could lead to unintended consequences if the ICO were to investigate. Organisations should maintain a register of data security incidents, including recording when an incident is not reported as well as when it is.

For more information about this answer please contact: Benjamin Ross from Bortstein Legal Group
United States

Answer ... At least 20 states require that certain data breaches (eg, affecting at least 500 or 1000 residents) be reported to the attorney general, and potentially an additional state agency. While each state has a different definition of ‘personal information’, in general, a data breach may require notification if any of the following information is leaked:

  • name and social security or ID number (eg, driver’s licence number);
  • account number and password (eg, for a bank account);
  • health information;
  • ‘biological characteristics’ or biometric information; or
  • username and password (eg, for a healthcare system).

Certain jurisdictions require the notice to the attorney general to include a sample or template of the notification that will be submitted to the affected individuals, whereas other jurisdictions require the use of a particular data breach reporting form.

In addition, numerous federal laws also require data breach notification, such as the GLBA and the HIPAA. Some Federal Trade Commission (FTC) rules and regulations also speak to data breach notification. For example, the FTC has a ‘health breach notification’ rule that applies to all health data (not just HIPAA-covered health data).

Entities are encouraged to voluntarily report to the federal government cyber incidents that:

  • result in a significant loss of data, or a significant loss in control or availability of a system;
  • impact on a large number of victims;
  • affect critical infrastructure; or
  • impact on national security, economic security or public health and safety.

For more information about this answer please contact: Jenny Colgate from Rothwell, Figg, Ernst & Manbeck, P.C.
9.3
Must data breaches be notified to the affected data subjects? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?
Australia

Answer ... When the Information Commissioner is notified of an eligible data breach, as set out in question 9.2, individuals impacted by that eligible data breach must also be notified (Section 26WL of the Privacy Act) and provided with the same information the commissioner receives. Where more than one APP entity is involved in an eligible data breach, only one of those entities is required to notify the commissioner and the impacted individuals.

If it is practicable to notify each individual whose information has been disclosed or each individual at risk of serious harm, the APP entity must take reasonable steps to do this. If an entity usually communicates with an individual using a particular communication method, that method may be used, but this is not obligatory. Email, phone, text or similar may be appropriate, depending on the circumstances. If it is not practicable to directly notify individuals, the entity must publish the notification statement on the entity’s website (if it has one) and take reasonable steps to ensure that impacted individuals are aware of that statement.

Care should be taken in considering whether to make notifications in cases where this is not required under Part IIIC of the Privacy Act. The Information Commissioner has warned that unnecessary notifications may cause distress as well as potentially resulting in ‘notification fatigue’, creating a risk that individuals will ignore all notifications and not take protective action in cases where they truly are at serious risk from a data breach.

For more information about this answer please contact: Angela Flannery from Holding Redlich
India

Answer ... No, there is no mandatory requirement under Indian law to notify the affected data subjects.

For more information about this answer please contact: Probir Roy Chowdhury from J. Sagar Associates
Liechtenstein

Answer ... If a breach presents a high risk that the rights and freedoms of individuals will be adversely affected, those individuals must be informed without undue delay.

The communication to the data subject should describe, in clear and plain language, the nature of the personal data breach and (at least) the information and measures referred to in Articles 33(3)(b) to (d) of the GDPR. In other words, it should:

  • communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • describe the likely consequences of the personal data breach; and
  • describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

For more information about this answer please contact: Thomas Nägele from NAGELE Attorneys at Law LLC
Luxembourg

Answer ... When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must communicate the personal data breach to the data subject without undue delay.

The communication to the data subject must describe in clear and plain language the nature of the personal data breach and contain at least:

  • the DPO’s name and contact details or other contact point where further information can be obtained;
  • a description of the likely consequences of the personal data breach; and
  • a description of the measures taken or proposed to be taken by the controller to address the personal data breach – including, where appropriate, measures to mitigate its possible adverse effects.

However, communication to the data subject is not required in certain cases, such as where:

  • the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach; or
  • communication would involve disproportionate effort.

In such a case, the controller can inform the data subjects by public communication or similar measure whereby the data subjects are informed in an equally effective manner.

For more information about this answer please contact: Anne Morel from Bonn Steichen & Partners
Pakistan

Answer ... There is no requirement to notify the affected data subjects. The draft Pakistan Personal Data Protection Bill, 2020 includes no provisions on voluntary notification; however, this may be governed under the contractual stipulations between the data controller and data subject at the time of collection of personal data, following the promulgation and enforcement of the law.

For more information about this answer please contact: Saifullah Khan from S.U.Khan Associates Corporate & Legal Consultants
Portugal

Answer ... Data subjects need not be notified of data breaches in all circumstances.

Whenever such notification is carried out, it should be in clear and plain language and include, at least:

  • the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • a description of the likely consequences of the personal data breach; and
  • a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

However, if the risk to the rights and freedoms of natural persons is not deemed to be high, the controller may opt not to notify the data subjects.

In this event, the CNPD, upon an assessment that the risk might be high, may order the controller to notify the data subjects accordingly.

For more information about this answer please contact: Óscar Madureira from Rato & Cortés, Sociedade de Advogados, SP, RL
Switzerland

Answer ... No, there is no legal obligation to notify the data subject. However, in view of the general principles of the DPA – in particular, the principle of transparency – it is advisable to notify the data subject in case of a data breach.

For more information about this answer please contact: Carol S. Rothenfluh from SwissLegal
Taiwan

Answer ... Yes. Under the PDPA, where personal data is stolen, disclosed, altered or otherwise infringed as a result of a violation of the PDPA, the data controller must notify the affected data subjects in a proper manner after investigating the incident. The notification must include details of the infringement of personal data and the measures which have been taken in response.

Further, according to the Enforcement Rules, the notification must be made in a timely manner, whether orally, in a written document, by telephone, text message, email, fax, electronic record or in such other manner as is sufficient to communicate such notification to the data subjects. However, if this would be too costly, notification may be made online, through the news media or through another appropriate disclosure manner, after taking technical feasibility and privacy protection into account.

For more information about this answer please contact: Ken-Ying Tseng from Lee And Li
Turkey

Answer ... All data breaches must be notified to the data subjects. If the data controller has the contact information of affected data subjects, notification must be sent to their electronic or physical address.

If the data controller does not have the data subjects’ contact information, a data breach notification may also be announced on its website.

There is no clear deadline to inform data subjects, but the Law on the Protection of Personal Data requires that they be notified as soon as possible.

The data subjects must be notified of the breach in clear and plain language and be provided with at least the following information:

  • the date and time of the data breach;
  • the categories of personal data affected by the breach (distinguishing between personal data and special categories of personal data);
  • the possible consequences of the breach;
  • the measures that they should take to mitigate the negative effects of the breach; and
  • the ways in which they can contact the data controller with regard to the data breach, such as the name and contact details of contact persons, a link to the data controller’s website, a call centre number and so on.

For more information about this answer please contact: Burak Özdağıstanli from Ozdagistanli Ekici Avukatlık Ortaklığı
UK

Answer ... Where a breach will likely result in high risk to the rights and freedom of individuals, under the GDPR those concerned must be notified directly without undue delay. This takes precedence over notifying the ICO. An assessment will need to be made in relation to both the severity of the impact on individuals as a result of the breach and the likelihood of this occurring. It is important to notify individuals to allow them to take necessary steps to protect themselves from the breach.

It is important to inform individuals of the nature of the personal data breach in plain, clear and unambiguous language. It is also important to inform them of the following (this is not an exhaustive list, but an indication of what should be included at the most basic level):

  • details of the DPO where applicable, or another relevant contact who can provide information about the breach or other related queries;
  • a description of the likely consequences of the personal data breach; and
  • an explanation of the measures taken, or proposed to be taken, to deal with the personal data breach and where appropriate, of the measures taken to mitigate any possible adverse effects.

For more information about this answer please contact: Benjamin Ross from Bortstein Legal Group
United States

Answer ... The affected individuals must be notified of covered data breaches. Notification must typically be made in writing and as expeditiously as possible within a certain timeframe (eg, seven, 30 or 45 days). In some circumstances, substitute notice may be permitted if:

  • a business must notify a threshold number of persons;
  • the cost of notifying exceeds a certain threshold; or
  • the notifying entity does not have sufficient contact information.

Substitute notice may include:

  • notification by email;
  • notice to or publication in the media; and/or
  • a conspicuous posting on the notifying entity’s website.

States with notice content requirements typically require that the following be included in the notice:

  • the date of the notice;
  • a description of the incident;
  • the date or date range of the breach;
  • a description of the actions that the business is taking to remedy the breach;
  • the type of personal information affected in the breach;
  • whether notification was delayed due to a law enforcement investigation;
  • the contact information at the notifying entity for law enforcement, state and/or federal agencies; and
  • advice for consumers to be vigilant and on how to protect themselves from fraud.

Certain exemptions may apply. For example, an entity may not be required to notify affected individuals if:

  • it determines that there is no reasonable likelihood of harm to the affected individuals as a result of the breach; or
  • misuse of the personal information has not occurred and is unlikely to occur.

For more information about this answer please contact: Jenny Colgate from Rothwell, Figg, Ernst & Manbeck, P.C.
9.4
What other requirements, restrictions and best practices should be considered in the event of a data breach?
Australia

Answer ... An APP entity requires appropriate policies and procedures not only to ensure that it notifies eligible data breaches, but also to detect and assess data breaches and to take action either to prevent or to limit the risk of harm arising from any data breach.

APP entities should bear in mind that although the majority of data breaches reported under Part IIIC of the Privacy Act since it commenced in early 2018 arose from malicious or criminal attacks, approximately one-third of reported incidents were caused by human error. Therefore, it is critical that data breach policies and procedures include appropriate training for an APP entity’s staff that will limit the risk of such errors. Also, not all breaches arise from cyber incidents and, depending on the nature and operations of an APP entity, physical security may be as, or more, important than security for ICT systems.

An APP entity must promptly assess any event which it has reasonable grounds to suspect is an eligible data breach (see Section 26WH of the Privacy Act). Prompt assessment is required not only to ensure that an APP entity complies with its notification requirements, but also to ensure that it may take steps to mitigate or eliminate the impacts of a data breach. Taking such action is important to protect the individuals who may be impacted from harm. In addition, where steps may be taken to prevent serious harm, the relevant data breach need not be notified under the Part IIIC regime.

For more information about this answer please contact: Angela Flannery from Holding Redlich
India

Answer ... While it is not mandatory for data collectors to report every data breach incident to CERT-In, if the data collector believes that there has been a data breach (even though there is no involvement of a third-party hacker), it must report such incidents to CERT-In. Further, data collectors must also make it a practice to inform the data subjects if the data they have shared has been compromised and keep them informed of the remedial measures adopted to overcome such breach.

For more information about this answer please contact: Probir Roy Chowdhury from J. Sagar Associates
Liechtenstein

Answer ... Obtain professional help, respond in accordance with the legal framework and seek support from the Data Protection Authority. Best practice also includes prevention measures and preparation.

For more information about this answer please contact: Thomas Nägele from NAGELE Attorneys at Law LLC
Luxembourg

Answer ... The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken (including data breaches not notified to the CNPD).

The CNPD may request access to this documentation to verify compliance by the controller or processor with the EU General Data Protection Regulation.

For more information about this answer please contact: Anne Morel from Bonn Steichen & Partners
Pakistan

Answer ... The draft Pakistan Personal Data Protection Bill, 2020 includes only the requirements set out in questions 9.1 and 9.2. Once the law has been promulgated and enforced, the Personal Data Protection Authority of Pakistan, under its rule-making powers, will issue a framework setting out further requirements.

For more information about this answer please contact: Saifullah Khan from S.U.Khan Associates Corporate & Legal Consultants
Portugal

Answer ... Data controllers are entrusted with the precious personal details of many individuals.

Regardless of any mandatory measures provided by law, the social responsibility of controllers entails an ethical duty to take every possible step to minimise the impact of a data breach on the lives of the data subjects.

Common measures adopted by controllers include, where appropriate:

  • public disclosure of a data breach;
  • the establishment of information centres to provide details of the compromised categories of data; and
  • clear instructions on how to prevent any further negative consequences, where possible.

These measures should be adopted at the earliest feasible stage.

For more information about this answer please contact: Óscar Madureira from Rato & Cortés, Sociedade de Advogados, SP, RL
Switzerland

Answer ... See question 9.3.

For more information about this answer please contact: Carol S. Rothenfluh from SwissLegal
Taiwan

Answer ... In the event of a data breach, a company should act as fast as possible to investigate what has happened and retain the relevant records, and should notify the affected data subjects as soon as possible. Under the PDPA, when a data subject seeks compensation from a data controller for damages caused by the data controller’s failure to comply with the PDPA, the data subject need not prove that the data controller was negligent for the non-compliance; rather, the data controller must prove that it was not negligent with regard to the breach. By notifying the data subjects as soon as possible, the data controller can strengthen its argument that it was not negligent in complying with the PDPA and took swift action to limit the damage from the breach.

For more information about this answer pleas