Tag: data protection

India publishes draft of a data protection bill

14. September 2018

After the Hon’ble Supreme Court declared in its landmark decision that privacy is a “guaranteed fundamental right”, the Sikrishna Committee drafted a Personal Data Protection Bill, 2018.

In contrast to the terms “data subjects” and “controllers” chosen in the GDPR, the Indian draft designates the individuals whose personal data is processed “data principals” and the organisations responsible for the processing “data fiduciaries”.

With the new data protection bill, data principals have a variety of rights such as rights to access, rectification or the right to be forgotten. In order to ensure data compliance, the concept of an annual data audit, which will be carried out by organisations through independent data auditors, was also introduced. In addition to data fiduciaries who are based in India, the regulations also apply to those who systematically offer goods and services to data principals in India, or those whose work involves profiling of Indian data principals.

The new data protection bill also introduces the figure of the Data Protection Officer (DPO) for India. Organisations must appoint a DPO if they are “significant data fiduciaries”, i.e. if they are involved in high-risk processing activities, or if they are not present in India but covered by the bill. Those organisations shall appoint a DPO who is based in India. In contrast to the GDPR there is however no requirement of the independence of the DPO.

For cross-border data transfers, it is required that at least one copy of personal data is stored on servers or data centres located in India. Data classified as “critical personal data” may only be processed in a server or data centre located in India.

According to the Sikrishna Committee, the draft could be seen as a template for developing countries all over the world.

Category: India · Personal Data
Tags:

Belgium publishes new data protection law

12. September 2018

On September 5 2018, the new data protection law (“Law of 30 July”) was published in the Belgian Official Gazette (“Belgisch Staatsblad”) and entered into force with this publication.

After the “Law of 3 December 2017”, which replaced the Belgian Privacy Commission with the Belgian Data Protection Authority (“Gegevensbeschermingsautoriteit”), the Law of 30 July is the second law that implements the General Data Protection Regulation (GDPR).

The laws regulate various essential areas of data protection. New regulations are for instance, the reducing of the age of consent from 16 (as regulated in GDPR) to 13 years old for information society services or the requirement to list persons who have access to genetic, biometric and health-related data. Therewith, Belgium has also made use of the possibility to deviate from the GDPR in different scopes.

With the law of 30 July, Belgium has thus completed the incorporation of the GDPR into national law. The Law is available in French and Dutch.

Category: Belgium · GDPR
Tags: ,

Singapore: Collecting NRIC numbers will be prohibited for organisations

5. September 2018

From September 2019, there will be stricter rules for the protection of personal data in Singapore hence the collection, use and disclosure of NRIC numbers of individuals and making copies of their NRIC cards will be illegal for organisations.

In the past years, it was not unusual for shopping malls and other places to collect the NRIC number of a customer for instance when registering for memberships.

From the unique section of numbers and letters of the Singapore National Registration Identification Card (“NRIC”) an individual can be precisely identified. Therefore, the NRIC number is considered personal data. Besides the number, the physical NRIC card contains the individual’s full name, photograph, thumbprint and residential address.

Apart from the prohibition of collecting, using and disclosing of NRIC numbers it will also be generally forbidden to collect, use or disclose individual’s birth certificate numbers, foreign identification numbers and work permit numbers. Exemptions are regulated in the new PDPC guidance (issued 31 August 2018) and will only apply where it is required by law or when it is necessary to verify an individual’s identity ”to a high degree of fidelity” (e.g. transactions involving healthcare).

If an organisation already collected those data they should proof whether they need to retain the numbers or not. In case they need to keep the data they have to ensure that there is adequate protection or they should anonymise the NRIC. The new regulation does not apply to the government or public agencies or organisations acting on its behalf, but organisations can be fined up to $ 1 million for disobeying the act.

Turkey – Starting dates for registration obligation for processing data has been announced

3. September 2018

The data protection authority in turkey has announced in his decision 2018/88 starting dates to register as a data controller on VERBIS prior to processing personal data, the online registration system VERBIS can be found on the homepage of the Turkish data protection authority. 

Earliest starting date for the registration process will be the 1st of October 2018.

 

Following start dates have been announced

a) 1st of October 2018 – 30th of September 2019, for data controllers that employ more than 50 employees and whose annual financial statement exceeds TRY 25 million

b) 1st of October 2018 – 30th of September 2019, for data controllers established outside of Turkey

c) 1st of January 2019 – 31st of March2019, for data controllers that employ less than 50 employees, whose financial statement does not exceed TRY 25 million, but whose core business includes the processing of sensitive data

d) 1st of April – 30th June, for public institutions and organizations that act as data controllers

 

Data controllers should take the necessary action and register with VERBIS during the applicable period.

Data Protection in the UK after the “Brexit”

4. April 2017

After the Brexit, keeping data by the UK companies and organizations is expected to become more certain locally than globally.

Elizabeth Denham, the UK’s Information Commissioner, recently commented before the House of Lords EU Home Affairs Sub-Committee, that the UK should apply to the European Commission for a full “adequacy” decision in terms of proving the adequate data protection measures as UK will become soon a non-EU country.

British government comments on the free trade deal with these words: “no deal for the UK is better than a bad deal for the UK”.

In the context of Brexit, it is crucial for the industry of the UK to keep the data-flows unhindered though.

British politician David Davis indicates that the UK and EU are now on their way to find and maintain equivalence (and not identity) in their relations (especially when it comes to business) in order to keep up their common interest.

Even though Davis is not using the “adequacy” term in his speech, this is what the UK technology industry is asking for.

Government assures that if no accord in that matter will be reached, there are still many alternatives to adequacy.

Category: UK
Tags: ,