DATA PROTECTION REPORT >>> - Morrison & Foerster · 2016-06-13


Reproduced with permission from World Data Protection Report, 16 WDPR 05, 05/26/2016. Copyright © 2016 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com

In the first of a series on the status of data protection laws in Europe and Eurasia (non-EEA), East, Central and South Asia and the Pacific, the Western Hemisphere, and Africa and the Near East, the author explores developments in Europe and Eurasia, where 17 jurisdictions have comprehensive privacy laws.

Privacy Laws in Europe and Eurasia (non-EEA)

By Cynthia Rich

Introduction/Region at-a-Glance.

With the recent adoption of the European General Data Protection Regulation (GDPR), the attention of the business community has been focused on changes to the privacy rules in the 28 member states of the European Union (as well as the other members of the European Economic Area, or EEA, and Switzerland). However, these changes are likely to have a ripple effect on existing privacy laws in the 17 jurisdictions in Europe and Eurasia that are not part of the EU or EEA: Albania, Andorra, Armenia, Azerbaijan, Belarus, Bosnia and Herzegovina, Georgia, Kosovo, Macedonia, Moldova, Monaco, Montenegro, Russia, San Marino, Serbia, Turkey and Ukraine.

These laws contain the basic elements found under EU member state laws, but some also have unique elements not found in other laws in the region or within the EEA. Almost half of the laws were enacted in the past five years, so it is unclear if or how soon these countries will amend these relatively new laws to follow the changes under the GDPR.

This article examines the commonalities and differences among the privacy laws in the region and discusses current trends and new developments.

Cynthia Rich is a senior advisor at Morrison & Foerster LLP in Washington. As a member of the firm's international Privacy and Data Security Practice since 2001, Ms. Rich works with clients on legal issues relating to privacy around the world.

News and analysis of data protection developments around the world. For the latest updates, visit www.bna.com

International Information for International Business

WORLD DATA PROTECTION REPORT >>>

BNA International Inc., a subsidiary of The Bureau of National Affairs, Inc., U.S.A.

VOLUME 16, NUMBER 5 >>> MAY 2016


Common Elements Found in European/Eurasian Laws

Notice:

All of the laws in the region include some type of notice obligation. That is, every law requires that individuals be told what personal information is collected, why it is collected and with whom it is shared.

Choice/Legal Basis for Collection and Use (Processing):

Every privacy law contains some kind of choice element and requires organizations to have a legal basis on which to process personal information. Similar to those found in the EU, these legal bases include the following: the individual has consented to the processing (consent); the processing is necessary to fulfill a contract (contractual necessity); the processing is necessary to pursue a legitimate interest of the controller (legitimate interests); the processing is necessary to protect the vital interests of the individual (vital interests); or the processing is necessary to comply with a legal requirement (legal requirement). However, depending on the jurisdiction, not all of these legal bases are available. For example, one third of the countries in the region do not permit organizations to rely on legitimate interests as a legal basis for their processing. Three of the countries in this group also do not provide for contractual necessity as a legal basis. One country permits processing on the basis of consent only.

Security:

All of the laws also require organizations that collect, use and disclose personal information to take reasonable precautions to protect that information from loss, misuse, unauthorized access, disclosure, alteration and destruction. Two-thirds of the countries have specified in greater detail how these obligations are to be met.

Access and Correction:

One of the core elements of every privacy law is the right of all individuals to access the information that organizations have collected about them and, where possible and appropriate, correct, update or suppress that information. Interestingly, compared to their EU and Asian counterparts, many countries in this region require organizations to respond to access and correction requests in a much shorter period of time. Slightly more than half of the countries (nine) require organizations to respond to access and/or correction requests within 15 days or fewer (two require as little as five days); more than one-third (seven) require responses within 30 days; and two others do not specify any time periods.

Data Integrity:

Organizations that collect personal information must also ensure that their records are accurate, complete and kept up-to-date for the purposes for which the information will be used.

Data Retention:

Generally these laws require organizations to retain personal information only for the period of time required to achieve the purpose of the processing. Specific retention periods are not prescribed in many of the laws in this region, with Russia being the most notable exception. Russia requires that when the purposes have been achieved, or if the individual withdraws his or her consent to the processing, the operator must discontinue the processing, destroy the data within 30 days and notify the individual that his or her data has been destroyed.

Differences in Approaches.

While the core data protection principles and requirements are embodied in all of these laws, specific requirements, particularly with respect to cross-border transfers, registration, data security, data breach notification and the appointment of a data protection officer (DPO), vary widely from each other and from laws in other regions of the world.

For example, all but two of the countries in the region require registration of processing, and all but one restrict cross-border transfers; however, the reality is that there are 15 different registration and 16 different cross-border rules and procedures. Generally a contract, consent, or a contract and consent are required to transfer outside the country. In some cases, the EU Standard Contractual Clauses (SCCs) may be used; in others, the data protection authorities (DPAs) have not specified what must be contained in these contracts or rules. Two-thirds of the DPAs in the region recognize the EEA countries and/or signatories to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) as providing adequate protection. One-third have not issued lists of countries that they believe provide adequate protection, and thus companies are left to assume that all countries are deemed to be inadequate and must put in place mechanisms (such as consent or contracts) to satisfy the rules.


The differences widen when comparing their respective rules on data breach notification, security and DPO obligations: one-quarter require notification in the event of a data breach; one-third require the appointment of a DPO; and two-thirds have specified in greater detail how their security obligations are to be met.

A careful read of these laws is imperative. These differences pose challenges to organizations with respect to the adjustments that may be required to global and/or local privacy compliance practices, as well as privacy staffing requirements. Compliance programs that comply with only EEA obligations will run afoul of many of the country obligations of this region.


05/16 COPYRIGHT © 2016 BY THE BUREAU OF NATIONAL AFFAIRS, INC., WASHINGTON, D.C. WDPR ISSN 1473-3579


A country-by-country summary of the obligations in these key areas is provided below. Other noteworthy characteristics are also highlighted and, where applicable, the responsible enforcement authority is identified. In addition, a chart is provided at the end to show at a glance the countries with mandatory cross-border, DPO, data security breach notification and registration obligations.

Trends.

Enforcement:

There are wide variations within this region with respect to enforcement activities, depending on the maturity of the regulatory regime. In some countries, there is no real DPA (Belarus), the DPA has yet to be established (Armenia) or the DPA was recently established (Azerbaijan and Georgia). For example, in Georgia, the DPA's enforcement powers vis-à-vis the private sector only began in late 2014, but the DPA has already imposed fines for law violations, such as for failing to obtain consent, violating direct marketing rules by not providing the ability to opt out, and failing to demonstrate that consent had been obtained to disclose personal information.


Countries such as Kosovo, Macedonia and Moldova are more focused on building awareness of individuals' privacy rights and private and public sector obligations under the law, although all three conduct routine inspections and issue enforcement actions when violations are found. In Bosnia, the DPA has been largely focused on public sector processing of personal information.

In contrast, in Albania, which has had a privacy law in place since 2008, the DPA conducts regular inspections, issues corrective orders when violations are found and then conducts follow-up inspections to confirm the changes have been implemented. It issues administrative fines if the organization fails to implement its orders. In 2015, in response to complaints received, the Albanian DPA conducted a joint investigation of call center companies with the Italian DPA. Fines were issued to call center companies for law violations.

In Serbia, the DPA is advocating for the adoption of a new data protection law, one that will, among other things, provide the DPA with authority to issue binding decisions. Last year, the DPA reported that most data controllers have failed to comply with Serbia's data protection requirements, citing as an example that less than half of one percent of data controllers have filed the mandatory DPA notifications/registrations.

Data Localization:

One of the most significant recent developments in this region was the entry into force of Russia's data localization requirements in September 2015. Enacted in July 2014, the Data Localization Law amends three existing laws, including Federal Law No. 152-FZ On Personal Data, and requires that personal information of Russian citizens be stored in Russia. All operators who are subject to DPA notification requirements under Federal Law No. 152-FZ On Personal Data must notify the DPA of the servers on which they process personal data, and operators found by a court to have violated Russian laws on processing personal data will have their websites blocked by the DPA and be listed on a public register of companies that have been found to be in violation of the law. Non-compliance with the data localization requirement can result in administrative penalties, civil penalties and damages, and criminal sanctions. Individuals whose personal information is not processed in compliance with the law also have a private right of action for damages and compensation of moral harm.

While the current maximum fines are very low, the Russian Parliament may amend the Russian Code of Administrative Offences to increase the maximum fine to 300,000 rubles ($4,537). The Russian state magistrate courts responsible for deciding administrative fines also may issue an order to rectify noncompliance with the law. Failure to comply with the magistrate court's order may result in criminal liability for company executives.

Since the data localization requirements went into effect, the DPA has been actively auditing large multinationals to determine whether their local businesses meet the Russian data localization requirements. In 2015, the DPA audited 317 companies and found only two local businesses violating the data localization requirements. In mid-January 2016, the DPA announced a detailed plan for 1,000 scheduled data localization compliance audits during the course of the year.

Right to Be Forgotten:

Russia has enacted a law on the right to be forgotten and Ukraine is poised to do the same. In addition, a Turkish court has recently recognized, for the first time, a very broad right to be forgotten that applies to digital and analog information carriers (e.g., books).

Russia passed its right to be forgotten law in July 2015. The law, which entered into effect on Jan. 1, 2016, requires that a search engine remove links to information that is unreliable or false, outdated or irrelevant, or posted in violation of the law. Search engines have 10 days to either remove the links or provide a reasoned explanation for refusal. Search engines that violate the law on the right to be forgotten are subject to fines of 80,000 to 100,000 rubles ($1,210-$1,512) if they refuse to remove links at an individual's request and fines of 800,000 to 1 million rubles ($12,098-$15,123) if they violate a court order to remove links. However, Russian search engines have been hesitant to approve many of the right to be forgotten requests. Since the law took effect in January, 73 percent of requests have been denied by Yandex LLC, Russia's leading search engine.


In April 2016, legislation was introduced into the Ukrainian Parliament that, if approved, would amend the country's Civil Code to allow Ukrainian citizens to demand removal and retraction of online information if it discredits the "honor, dignity or business reputation of an individual." The legislation would also make the retraction available online.

Lastly, in a recently published judgment, the Turkish Court of Appeals has recognized a very broad right to be forgotten that applies not only to digital but also to analog information carriers (e.g., books). At the time of the Court of Appeals ruling, Turkey had not yet enacted data privacy legislation; however, the court used the EU data protection laws and the European Court of Justice's Google Spain decision to develop and apply the right to be forgotten. The Turkish Court of Appeals defined the right to be forgotten as a broad right to request erasure and prevention of further dissemination of information pertaining to an individual's past, when such personal information could have negative effects on the individual's future.

New Data Protection Law:

Turkey became the most recent country in this region to enact data protection legislation, in March 2016. The Law on the Protection of Personal Data is intended to bring Turkey, which is seeking to gain admittance into the EU, into compliance with the EU data protection law. Some provisions of the Turkish Law took effect in April, while others, such as cross-border transfers, access and correction, registration, and penalties, do not take effect until October 2016.

Country-by-Country Review of Differences

ALBANIA

The Protection of Personal Data Law (Albanian Law), which became effective in 2008 and was amended most recently in 2014, regulates the processing of all personal information of natural persons by both the public and private sectors.

In Brief

The Albanian Law requires database registration, imposes DPO and special data security obligations, and restricts cross-border transfers to countries that do not provide adequate protection. However, there are no data breach notification requirements.

Special Characteristics

Data Protection Authority

The Commissioner for Information Rights and Protection of Personal Data (DPA), an independent administrative authority, is charged with overseeing compliance with the Albanian Law. It carries out online and onsite inspections on its own initiative and in response to complaints, and issues fines, most commonly in cases where organizations fail to implement its recommendations or orders. In 2015, in response to complaints received, it conducted a joint investigation of call center companies with the Italian DPA, which resulted in administrative fines.

Access and Correction

Access and correction requests must be responded to within 30 days.

Cross-Border Transfers

There are no restrictions on cross-border transfer of personal information to recipients in countries that provide an adequate level of protection. Albania has recognized all EU/EEA countries, signatories to the 1981 Council of Europe Convention for the "Protection of Individuals with regard to Automatic Processing of Personal Data," and countries recognized by the European Commission as providing adequate protection. To transfer personal information to a country that does not provide an adequate level of protection, DPA authorization is required or an exception under the law must apply. Exceptions include consent, contractual necessity, vital interests, or legal requirement.

Data Protection/Security Officer

Large controllers (with six or more persons engaged in data processing) must authorize in writing one or more persons responsible for internal data security supervision. One of the people appointed will serve as the contact person, registered with the Commissioner. Small controllers (with fewer than six persons engaged in data processing) may, but are not required to, authorize in writing one or more persons responsible for internal security supervision.

Data Security

Different organizational and technical data security measures are provided by law, depending on whether the controller is large or small. For example, small controllers must carry out a risk assessment procedure as a minimum standard measure of data security. Large controllers must apply and maintain an information security management system (SMSI). The SMSI is based on the identification, assessment and mitigation of risks threatening personal information security while taking into consideration: (i) the information technology and communication system used to process personal information, (ii) all manual forms of processing personal information and (iii) the physical security of premises and the security of the personnel, electronic and moveable equipment. The risk assessment and treatment are part of the mandatory Information Security Policy (PSI) of the controller.


Large controllers must carry out information security audits at least once per year and provide security training to employees. In addition, there are encryption requirements in connection with transfers of sensitive information and equipment used to process information through cloud computing platforms.

Legal Basis for Collection and Use

To collect and use personal information, organizations must have a legal basis such as consent, contractual necessity, legal requirement, legitimate interests, or vital interests.

Registration

The Albanian Law requires that controllers notify the DPA of all categories of personal information they process for all purposes unless one of the limited exemptions applies. However, even when a notification exemption applies, minimum information on the data processing activities must be provided, such as: name and address of controller, categories and purposes of processed information and categories of recipients. Depending on the category of information, the controller must either register the processing or obtain an authorization from the DPA prior to processing.

ANDORRA

The Protection of Personal Data Law (Andorran Law), which became effective in 2004, regulates public and private sector processing of all personal information of natural persons, except where the information relates to their business, professional or commercial activities. Andorra is regarded as providing an adequate level of protection for personal information transferred from the EU/EEA.

In Brief

The Andorran Law requires database registration and the appointment of a DPO and restricts cross-border transfers to countries that do not provide adequate protection. In addition, the period of time within which organizations must respond to access requests is exceedingly short, and there is no provision for processing personal information on the basis of legitimate interests. However, there are no special security and data breach notification requirements.

Special Characteristics

Data Protection Authority

The Andorran Agency for Data Protection (DPA), an independent public authority, is responsible for overseeing compliance with the Andorran Law.

Access and Correction

Organizations must respond to access requests within five working days and correction requests within one month.

Cross-Border Transfers

Personal data may not be transferred to third countries that do not provide an equivalent level of protection unless the individual consents or one of the limited exceptions, such as contractual obligations, vital interests or legal requirements, applies. Countries that provide an equivalent level of protection are the EU Member States and countries found by the European Commission or the Andorran DPA to provide equivalent protection.

Legal Basis for Collection and Use

To collect and use personal information, organizations must have a legal basis such as consent, contractual necessity, legal requirement, or vital interests.

Registration

Controllers must register their databases with the DPA and update their registration records whenever there is a change in the information listed.

ARMENIA

The Law on Personal Data (Armenian Law), which became effective in 2015, regulates the processing of all personal information of natural persons by both the public and private sectors.

In Brief

The Armenian Law requires database registration, restricts cross-border transfers to countries that do not provide adequate protection, and imposes special security and breach notification obligations. In addition, the period of time within which organizations must respond to correction requests is exceedingly short, and there are limited legal bases provided for the collection and use of personal information. However, there is no DPO obligation.

Special Characteristics

Data Protection Authority

The Law provides for the establishment of the Authorized State Body for the Protection of Personal Data Processing (Armenian DPA); however, it has not yet been established.

Access and Correction

The Armenian Law does not specify a time period for responding to access requests. Corrections should be carried out (or refused) within five days after receiving the written request.

Cross-Border Transfers

Personal data may be transferred cross-border either with the consent of the individual or where the transfer is necessary to carry out processing previously consented to by the individual. In addition, DPA authorization is required to transfer to those countries that are not on the DPA's approved list of countries that provide adequate protection. A transfer permit is required in such cases. The DPA must also approve the organization's contractual clauses governing the transfer.


Data Breach Notification

The controller must make a public announcement without delay and notify the police and the DPA when a data security breach occurs.

Data Security

Encryption measures are required to protect information systems containing personal information from loss, unauthorized access, illegal use and destruction, and illegal copying and disclosure. The law also provides for the government to set security standards for information systems, physical records of biometric data and personal data storage technologies other than electronic information systems.

Legal Basis for Collection and Use

Personal information may be processed only with the consent of the individual, where such processing is provided for or required by law, or where the data are publicly available.

Registration

The DPA has the right to require controllers to notify the DPA about the collection or processing of personal information; otherwise such notification is voluntary.

AZERBAIJAN

The Law on Personal Data (Azerbaijani Law), which became effective in 2010, regulates the processing of all personal information of natural persons by both the public and private sectors. The Azerbaijani Law differentiates personal information into public and confidential categories. Public data are: (i) data that are depersonalized or anonymized, (ii) data that are declared public by the individual or (iii) data that are included in an information system created for general use with the consent of the individual. A natural person's name, last name and patronymic are always considered public data.

In Brief

The Azerbaijani Law requires database registration, restricts cross-border transfers to countries that do not provide adequate protection, and imposes special security obligations. In addition, the period of time within which organizations must respond to access and correction requests is exceedingly short, and there are limited legal bases provided for the collection and use of personal information. However, there are no data breach notification or DPO obligations.

Special Characteristics

Data Protection Authority

The State Register at the Ministry of Communications and Information Technologies (DPA) is responsible for registering information systems and ensuring compliance with the Azerbaijani Law.

Access and Correction

Organizations must respond to access and correction requests within seven days.

Cross-Border Transfers

Cross-border transfers are prohibited where: (i) the transfer creates a threat to the national security of the Azerbaijan Republic, or (ii) the laws of the country to which the personal information is transferred do not provide the same level of protection as Azerbaijani law. However, personal information can be transferred across the border to a country regardless of its level of legal protection of personal information where the individual expressly agrees to the transfer. In addition, although not expressly stated in the Law, cross-border transfers are permitted where the transfer is necessary to protect the life or health of the individual. DPA authorization is not required; however, information on such transfers and the categories of personal information transferred must be provided to the DPA at the time of registration of the information system. The DPA has stated informally that the cross-border transfer provisions apply to the transfer of databases (i.e., personal information of a significant number of individuals); transfers of personal information limited to one or several individuals across the border would likely trigger the rules for transfers to third parties, not the cross-border transfer rules.

Data Security

Controllers and processors must implement organizational and technical measures to guarantee the security of personal information during its collection, use and disclosure (including cross-border transfer). They must determine the risks to the security of the personal information and, based on those risks, must continually improve the information system in order to neutralize possible risks. There are regulations that prescribe a long list of technical and organizational security requirements. Organizations must encrypt all transmitted records. The length of the encryption key used during the transfer may not be less than 256 bits.

As is evident from the registration card for information systems approved by the Regulations on the Registration and Deregistration of Information Systems, organizations must have control and audit mechanisms for the collection and processing of personal information; however, the frequency of such audits and their substance have not been specified.

Legal Basis for Collection and Use

To collect and use personal information, organizations must have a legal basis such as consent, legal requirement, or vital interests.

Registration

Information systems containing personal information must be registered with the State Register unless an exemption applies. The State Registry is maintained by the Data Computing Center at the Ministry of Communication and Information Technologies.

BELARUS

The Law On Information, Informatization and Protection of Information (Belarusian Law), which became effective in 2008, regulates the processing of all personal information of natural persons by both the public and private sectors.

In Brief

Under the Belarusian Law, consent is the only permissible basis on which to process (and transfer cross-border) personal information. In addition, the law imposes special security obligations; however, there are no registration, breach notification, or DPO obligations.

Special Characteristics

Data Protection Authority

There is no DPA in Belarus akin to the DPAs found in other jurisdictions. The state authority that performs any data protection-related functions is the Operative Analytics Center of the President of the Republic of Belarus (OAC). However, to date, OAC’s competence is more technical in nature and is not limited to data protection. For example, the OAC is empowered to certify information technology (IT) systems, hardware and software data protection solutions, and regulate general IT and Internet relations.

Access and Correction

The Belarusian Law does not specify a time period for responding to access requests and is silent on correction rights.

Cross-Border Transfers

There are no specific limitations on cross-border transfers. As a general rule, each transfer, including cross-border transfers, requires the consent of the individual.

Data Protection/Security Officer

A special individual or department for security measures must be appointed.

Data Security

Controllers must take effective measures to ensure security of personal information from the moment of receipt until its destruction. Under the Belarusian Law and implementing regulations, this obligation includes various organizational and technical security measures. In particular, controllers must maintain a data protection system certified by the certification centers accredited by the DPA. Organizations must file annual reports on their security measures to the OAC by Dec. 30.

In addition, there are cryptographic regulations that define legal and organizational basics of technical and cryptographic measures of information security. Controllers must comply with these regulations, which among other things require that personal information be encrypted in transit.1

Legal Basis for Collection and Use

Consent is required to process Personal Data. The Belarusian Law does not provide for any other legal bases such as contractual necessity, vital interests or legal requirements.

BOSNIA AND HERZEGOVINA

The Law on the Protection of Personal Data (Bosnia and Herzegovina Law), which became effective in 2006, regulates the processing of all personal information of natural persons by the public and private sectors.2

In Brief

The Bosnia and Herzegovina Law requires database registration, restricts cross-border transfers to countries that do not provide adequate protection, and imposes special security obligations. However, there are no data breach notification or DPO obligations.

Special Characteristics

Data Protection Authority

The Personal Data Protection Agency (DPA), an independent administrative organization, is responsible for enforcement of the Bosnia and Herzegovina Law.

Access and Correction

Access requests must be responded to within 30 days; there is no specified time period for responding to correction requests.

Cross-Border Transfers

Personal Data may not be transferred to another country that does not guarantee adequate safeguards for personal information that are equivalent to those under the Bosnia and Herzegovina Law, unless the prior consent of the individual has been obtained or another exception applies, such as contractual necessity or vital interests. Exceptionally, the DPA may authorize such transfers. Neither the Bosnia and Herzegovina Law nor the DPA provide a specific list of “adequate” countries, so the controller is responsible for assessing whether the country to which personal information is transferred guarantees protections equivalent to those provided for under the Bosnia and Herzegovina Law.

1 Regulation on Technical and Cryptographic Security of Information in the Republic of Belarus, approved by the Edict of the President of the Republic of Belarus N 196 On Certain Measures for Improving Information Security, 2013, available here (in Russian).

Regulation On the Technical Security of Information and Regulation On the Technical and Cryptographic Protection of Information, both approved by the Order of Operative Analytics Center of the President of the Republic of Belarus of 30 August 2013 N 62, available here (in Russian).

2 The 2011 amendments to the Bosnia and Herzegovina Law are available in English here.

Data Security

In addition to the general security obligations under the Bosnia and Herzegovina Law, regulations issued in 2009 set forth more detailed security requirements. In particular, the regulations require controllers and processors, among other things, to have a written security plan, data protection training for employees and additional technical and organizational security measures for sensitive information such as encryption or equivalent “crypto-protection” when the data are in transit.

Legal Basis for Collection and Use

To collect and use personal information, organizations must have a legal basis such as consent, contractual necessity, legitimate interests, legal requirement, or vital interests.

Registration

Controllers must register all processing of personal data with the DPA prior to the establishment of the personal data filing system or any processing, unless one of the very narrow registration exemptions applies.

GEORGIA

The Law on the Protection of Personal Data (Georgian Law), which went into effect in 2012 and was amended in 2014, regulates the processing of all personal information of natural persons by the public and private sectors.

In Brief

The Georgian Law requires database registration and restricts cross-border transfers to countries that do not provide adequate protection. However, there are no data breach notification, DPO, or special security obligations.

Special Characteristics

Data Protection Authority

The Personal Data Protection Inspector (DPA), an independent authority, is responsible for enforcing the Georgian Law.

Access and Correction

Organizations must respond to access requests within 10 days and correction requests within 15 days.

Cross-Border Transfers

Transfers of personal information outside Georgia are permitted to countries that provide adequate protection. The DPA issued a list of approved countries that includes: the EEA countries, Australia, Albania, Andorra, Argentina, New Zealand, Bosnia and Herzegovina, Israel, Canada, Croatia, Macedonia, Moldova, Monaco, Montenegro, Serbia, Ukraine and Uruguay. Where transfers are to jurisdictions that are not recognized as providing adequate protection, DPA-approved contracts are required.

Legal Basis for Collection and Use

To collect and use personal information, organizations must have a legal basis such as consent, contractual necessity, legitimate interests, vital interests, or legal requirements.

Registration

Controllers must register with the DPA prior to creation of filing systems and inclusion of new categories of data in those filing systems.

KOSOVO

The Law on the Protection of Personal Data (Kosovo Law), which went into effect in 2010, regulates the processing of all personal information of natural persons by the public and private sectors.

In Brief

The Kosovo Law requires database registration, restricts cross-border transfers to countries that do not provide adequate protection, and imposes special security obligations. However, there are no data breach notification or DPO obligations.

Special Characteristics

Data Protection Authority

The National Agency for the Protection of Personal Data (DPA), an independent agency, is responsible for enforcing the Kosovo Law.

Access and Correction

Organizations must respond to access requests within 15 days and provide access within 30 days. They must comply with correction requests within 15 days.

Cross-Border Transfers

Personal Data may only be transferred to countries outside Kosovo that ensure an adequate level of data protection, unless one of the legal bases for data transfer applies (e.g., consent, contractual necessity, or vital interests). Adequate countries include the EEA countries and the other jurisdictions recognized by the EU as providing adequate protection. The DPA must be notified about all transfers to inadequate countries; authorization is required for such transfers.

Data Security

Among other requirements, controllers and processors must have internal documentation that describes the personal information security measures that are in place. Sensitive personal information must be specifically protected and classified in order to prevent unauthorized access and use. Sensitive personal information that is transmitted over telecommunications networks will be considered suitably protected if the information is encrypted to ensure that it is rendered incomprehensible or unrecognizable.


Legal Basis for Collection and Use

To collect and use personal information, organizations must have a legal basis such as consent, contractual necessity, legitimate interests, vital interests, or legal requirements.

Registration

Registration is required. The controller must keep a record of all processing of personal information, the “Filing System Catalogue,” a copy of which must be filed with the DPA prior to establishment of the filing system.

MACEDONIA

The Law on Personal Data Protection (“Macedonian Law”), which went into effect in February 2005, regulates the processing of all personal information of natural persons by the public and private sectors.

In Brief

The Macedonian Law requires database registration and the appointment of a DPO, restricts cross-border transfers to countries that do not provide adequate protection and imposes special security obligations. However, there is no data breach notification obligation.

Special Characteristics

Data Protection Authority

The Directorate for Personal Data Protection (DPA), an independent state authority, is responsible for enforcing the Macedonian Law.

Access and Correction

Organizations must respond to access requests within 15 days and correction requests within 30 days.

Cross-Border Transfers

Personal information may be transferred to countries that provide adequate protection, such as EEA countries. For all other transfers, one of the transfer exemptions must apply (e.g., consent, contractual necessity, or vital interests) or prior DPA authorization is required. In order to obtain approval of the Directorate, a written data transfer agreement must be in place between the controller and the recipient, preferably based on the EU standard contractual clauses.

Data Protection Officer

The appointment of a DPO is required except where the controller a) has a collection of personal information that only refers to ten employees or less; or b) processes personal information of members of associations founded for political, philosophical, religious or trade-union purposes.

Data Security

There are special security rules that, together with the security provisions under the Macedonian Law, require, among other things, the adoption and implementation of written security programs, carrying out risk assessments, conducting annual internal and triannual external audits, providing employee security training and encrypting data in transit, data stored on portable devices, and back-up copies.

Legal Basis for Collection and Use

To collect and use personal information, organizations must have a legal basis such as consent, contractual necessity, legitimate interests, vital interests and legal requirements.

Registration

All data must be registered by controllers for all purposes, unless one of the limited exemptions applies.

MOLDOVA

The Law on Personal Data Protection (Moldovan Law), which took effect in April 2012, regulates the processing of all personal information of natural persons by the public and private sectors.

In Brief

The Moldovan Law requires database registration, restricts cross-border transfers to countries that do not provide adequate protection, and imposes data breach notification and special security obligations. However, there is no DPO obligation.

Special Characteristics

Data Protection Authority

The National Centre for Personal Data Protection (DPA), an independent agency, is responsible for enforcing the Moldovan Law.

Access and Correction

Access and correction requests must be responded to without delay (no time period is specified).

Cross-Border Transfers

Personal Data may not be transferred to countries outside Moldova unless that country ensures an adequate level of protection. If the proposed transfer is to a country that is not considered adequate, one of the transfer exceptions must apply, such as consent, contractual necessity, or vital interests. DPA authorization is also required in such cases.

Data Security

The Moldovan Law and implementing regulations prescribe detailed security requirements, which include the need to maintain and reevaluate annually the organization’s data security policy and implement specific physical and electronic security measures, including encryption. Regular data security audits must be carried out. These audits must include an assessment of the organization, its security measures and use of communication partners and suppliers. The results of the security audit must be documented.


Data Security Breach Notification

All controllers must submit to the DPA an annual report on any security incidents involving information systems during that year.

Legal Basis for Collection and Use

To collect and use personal information, organizations must have a legal basis such as consent, contractual necessity, legitimate interests, vital interests and legal requirements.

Registration

Controllers and processors must register their processing for all purposes unless one of the limited exemptions applies.

MONACO

The Protection of Personal Data Act (Monaco Law), which took effect in December 1993, regulates the processing of personal data of natural persons by the public and private sectors.

In Brief

The Monaco Law requires database registration and the appointment of a DPO and restricts cross-border transfers to countries that do not provide adequate protection. However, there are no data breach notification or special security obligations.

Special Characteristics

Data Protection Authority

The Personal Data Protection Supervisory Commission (DPA) is responsible for enforcing compliance with the Monaco Law.

Access and Correction

Access and correction requests must be responded to within one month.

Cross-Border Transfers

Personal information may not be transferred outside Monaco unless the recipient country provides an adequate level of protection. Parties to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) are recognized as providing adequate protection. Where the transfer is to a country which does not provide adequate protection, one of the specified legal bases, such as consent, vital interests or contractual necessity, must apply. In addition, the DPA may authorize transfers on the basis of appropriate contractual clauses.

Legal Basis for Collection and Use

To collect and use personal information, organizations must have a legal basis such as consent, contractual necessity, legitimate interests, vital interests, and legal requirements.

Registration

Controllers must register all automatic processing of personal information with the DPA unless one of the limited exceptions applies. Certain processing is also subject to DPA authorization (e.g., biometric data).

MONTENEGRO

The Personal Data Protection Law (Montenegrin Law), which took effect in 2012, regulates the processing of personal data of natural persons by the public and private sectors.

In Brief

The Montenegrin Law requires database registration, restricts cross-border transfers to countries that do not provide adequate protection, and imposes DPO and special security obligations. However, there is no data breach notification obligation.

Special Characteristics

Data Protection Authority

The Personal Data Protection Agency (DPA), an independent regulatory authority, is responsible for enforcing the Montenegrin Law.

Access and Correction

Organizations must respond to access and correction requests within 15 days.

Cross-Border Transfers

Personal Data may be transferred from Montenegro to an EEA country or a country deemed adequate by the EU, or where the transfer is based on EU standard contractual clauses. Alternatively, the transfer may take place where another legal basis applies such as consent, contractual necessity, or vital interests. Otherwise, DPA authorization is required.

Data Protection Officer

Where the controller has 10 or more employees performing data protection activities, the controller must designate a person who will be responsible for the data protection matters immediately after establishing a personal data filing system.

Data Security

Detailed security requirements are set forth in the Regulation on the Form and Manner of Maintaining of Personal Data Filing System, covering areas such as the form, the manner of keeping data in personal data filing systems, the content of the records, the types of personal information contained in the filing system, the data retention periods, the manner of collection of personal information, and the transfer of data. For example, the Regulations require that sensitive information be kept separately, according to the type of data, and that the legal basis on which the personal information is being processed is noted in the data filing system.


Legal Basis for Collection and Use

To collect and use personal information, organizations must have a legal basis such as consent, contractual necessity, legitimate interests, vital interests and legal requirements.

Registration

Prior to establishing a personal data filing system, the controller must inform the DPA by submitting the notification containing all the prescribed elements. Personal data filing systems required by law do not require registration.

RUSSIA

The Federal Law No. 152-FZ On Personal Data (Russian Law), which took effect January 2007, regulates the processing of all personal information of natural persons by the public and private sectors. The Russian Law was recently amended in 2014, imposing controversial data localization requirements.

In Brief

The Russian Law requires database registration, restricts cross-border transfers to countries that do not provide adequate protection, and imposes DPO, data breach notification, special security and data localization obligations. In addition, the period of time within which organizations must respond to correction requests is exceedingly short and there is no provision for processing personal information on the basis of legitimate interests.

Special Characteristics

Data Protection Authority

The Federal Service for Supervision in the Field of Communication, Information Technology and Mass Communications, commonly known as Roscomnadzor (DPA), is responsible for enforcement of the Russian Law.

Access and Correction

Organizations must respond to access requests within 30 days, and correction and deletion requests within 10 days.

Cross-Border Transfers

Personal Data may only be transferred to a country that provides a sufficient level of protection. The countries recognized by the DPA as providing adequate protection include: all of the signatories to the Council of Europe Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Armenia, Azerbaijan, Bosnia & Herzegovina, Georgia, Moldova, Montenegro, Macedonia, San Marino, Serbia, Turkey, Ukraine, Uruguay and the EEA Member States), Angola, Argentina, Australia, Benin, Canada, Cape Verde, Chile, Israel, Hong Kong, Malaysia, Mexico, Mongolia, Morocco, New Zealand, Peru, Senegal, South Korea, Switzerland and Tunisia.

Transfers to countries that do not provide adequate protection are permitted where there is a legal basis such as consent, contractual necessity, or vital interests. Prior DPA approval or authorization is not required; however, if the organization is subject to the registration requirements, it must indicate in its registration the countries to which it transfers the information.

Data Protection Officer

The appointment of an internal data protection officer is required.

Data Localization

Under the amended law, organizations that collect and process personal information of Russian citizens (in electronic and paper form) must store that information in Russia. Organizations must notify the DPA of their server locations. The DPA will maintain a register of violators and will block any infringing websites. These localization requirements only apply to deliberate activities to collect information from Russians.

Data Breach Notification

In the event of a data security breach, organizations must take measures to remedy the breach (or, if that is not possible, to destroy the affected data) within three days and then notify affected individuals about such measures. The DPA must be notified (about rectification of the breach) only if it has issued a request to the organization to remedy the breach. The requirements to notify individuals about a security breach apply to any situation where an organization has processed the wrong data or there was any unauthorized processing of personal information. Such a breach may be detected by the organization itself or as a result of an access or correction request by the individual concerned.

Data Security

Organizations must take all reasonable organizational and technical measures to protect personal information, which include adopting internal data protection rules that are mandatory for all employees and conducting risk assessments, audits and oversight of compliance with the Russian Law. In addition, organizations must maintain special IT systems for protecting Personal Data (software and hardware measures) that comply with the technical requirements of the Russian Federal Security Service (FSB) and the Federal Service for Technical and Export Control (FSTEK), and in particular with the Order of FSTEK No. 21 dated Feb. 18, 2013.

Legal Basis for Collection and Use

To collect and use personal information, organizations must have a legal basis such as consent, contractual necessity, legal requirements, or vital interests.

Registration

Organizations must notify the DPA of their intent to process personal information, unless an exception applies. For example, registration is not required to process employee data or where personal information was obtained through an agreement between the organization and the individual concerned, such information is not distributed or transferred to third parties without the consent of the individual, and it is used by the organization solely for the purposes of performance of the agreement or for entering into new agreements with the individual in the future.

Organizations must also register the location of databases that contain personal information of Russian citizens.

SAN MARINO

The Law Regulating the Collection of Personal Data (San Marino Law), which went into effect in 1995, regulates the processing of all personal information of natural and legal persons by the public and private sectors.

In Brief

The San Marino Law requires DPA authorization to process personal information unless one of the limited legal bases applies. There is no provision for processing personal information on the basis of consent (except in the case of sensitive information) or legitimate interests. DPA authorization is always required for cross-border transfers. However, there are no DPO, data breach notification, or special security obligations.

Special Characteristics

Data Protection Authority

The Garante for the Protection of Confidentiality of Personal Data (DPA) is responsible for enforcement of the San Marino Law. There is no website for the DPA.

Access and Correction

The San Marino Law does not prescribe a time frame to comply with access and correction requests.

Cross-Border Transfers

DPA authorization is required to transfer cross-border personal information of San Marino citizens or companies. The San Marino Law does not set out any specific requirements or conditions that must be met to obtain DPA authorizations for such cross-border transfers.

Legal Basis for Collection and Use

To collect and use personal information in a private data bank, prior DPA authorization is required unless an exception applies such as contractual necessity, legal requirement or the information is publicly available. The San Marino Law does not set out consent obligations for the use of personal information except where such information concerns political, union or religious opinions and activities. In such cases, express consent is required.

Registration

Prior DPA approval is required for the collection, processing and use of personal information by private owners of data banks unless an exception applies such as contractual necessity, legal requirement, the information is publicly available, or the personal information is processed by a political, social or cultural organization and relates to the members of that organization.

SERBIA

The Law on Personal Data Protection (Serbian Law), which went into effect in 2009, protects all personal data of natural persons processed by the public and private sectors.

In Brief

The Serbian Law requires database registration and restricts cross-border transfers. In addition, the period of time within which organizations must respond to correction requests is exceedingly short. However, there are no DPO, data breach notification, or special security obligations.

Special Characteristics

Data Protection Authority

The Commissioner for Information of Public Importance and Personal Data Protection (DPA) is responsible for enforcing the Serbian Law.

Access and Correction

Organizations must respond to access requests within 30 days and correction and deletion requests within 10 days.

Cross-Border Transfers

Data can be transferred from Serbia to a country that is a signatory to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. Data may be transferred to a state that is not a party to the Convention if such state has a regulation or a data transfer agreement in force which provides a level of data protection equivalent to that envisaged by the Convention. In cases of data transfers that do not provide an equivalent level of protection, DPA authorization is required.

Legal Basis for Collection and Use

To collect and use personal information, organizations must have a legal basis such as consent, contractual necessity, legitimate interests, vital interests, or legal requirements.

Registration

Controllers must register their processing with the DPA for all purposes. Very limited exceptions apply.

TURKEY

The Law on the Protection of Personal Data (Turkish Law), which was enacted in March 2016, regulates the processing of personal information of natural persons by individuals and private sector organizations. Some provisions of the Turkish Law took effect in April while others, such as cross-border transfers, access and correction, registration, and penalties, do not enter into force until October 2016. With respect to personal information processed by organizations before the publication of the Turkish Law in April 2016, the organizations must make such information compliant with the Turkish Law within two years or they must delete, destroy or anonymize the data. However, the consents lawfully received before the date of publication of the Turkish Law will be deemed to be compliant with this Law if the individuals concerned have not objected to the processing within one year.

In Brief

The Turkish Law requires database registration, restricts cross-border transfers to countries that do not provide adequate protection, expansively defines and limits processing of sensitive information, and imposes breach notification and special security obligations. However, there is no DPO obligation.

Special Characteristics

Data Protection Authority

The Turkish Data Protection Board (DPA), which will be established within six months of the Turkish Law’s publication date, is responsible for enforcement of the Turkish Law. Its powers include the ability to impose administrative sanctions for law violations.

Cross-Border Transfers

To transfer personal information outside of Turkey, express consent of the individual must be provided unless one of the exceptions applies (e.g., contractual necessity, vital interests, legitimate interests, or legal requirement). In addition, the transfer of personal information may only be to countries that provide adequate protection (the DPA will provide a list). If the transfer is to a country that does not provide adequate protection, there must be a contract in place between the parties and the DPA must authorize the transfer. These cross-border transfer rules will take effect Oct. 7, 2016.

Data Breach Notification

Organizations must notify individuals and the DPA “as soon as possible” if personal information is obtained by third parties “in an illegal manner.”

Data Security

The data controller must take every necessary technical and administrative precaution to prevent unlawful processing of and access to personal information and ensure the safeguarding of that information. In addition, the data controller must carry out the necessary internal inspections/audits to ensure compliance with the Turkish Law. If the personal information will be processed by a third-party processor, the data controller will be jointly responsible for taking the necessary security measures.

Legal Basis for Collection and Use

To collect and use personal information, organizations must have a legal basis such as explicit consent, contractual necessity, legitimate interests, vital interests, or legal requirements.

Registration

Data controllers will need to register their processing activities before they begin processing. Exceptions may be specified by the DPA. The Turkish Law provides for the establishment of the DPA within six months (October 2016). The registration provisions enter into force at the same time; however, the Turkish Law states that the DPA will set the date by which data controllers must be registered.

Sensitive Information

The Turkish Law defines special categories of personal information (sensitive information) as information related to a person's racial, ethnic origins, political opinions, philosophical beliefs, religion, sect or other beliefs, clothing, membership with associations, foundations or trade-unions, health or sexual life, criminal convictions and biometric and genetic data related to security measures. Processing of this information is prohibited except with the explicit consent of the individual. However, such information, with the exception of health and sexual life, may be processed without explicit consent where such processing is envisaged under Turkish laws. Health and sexual information may be processed by persons or authorized institutions and organizations that are bound by confidentiality obligations, solely for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment and care, healthcare services and healthcare financial planning and management.

UKRAINE

The Law On the Protection of Personal Data (Ukrainian Law), which went into effect in 2011, regulates the processing of all personal data of natural persons by the public and private sectors. The Ukrainian Law was recently amended in September 2015.

In Brief

The Ukrainian Law requires database registration, restricts cross-border transfers to countries that do not provide adequate protection, and imposes DPO and special security obligations. In addition, the period of time within which organizations must respond to correction requests is exceedingly short. However, there is no breach notification obligation.

Special Characteristics

Data Protection Authority

The Ukrainian Parliament Commissioner for Human Rights (DPA) is responsible for enforcement of the Law.

Access and Correction

Organizations must respond to access and correction requests within 10 days.

Cross-Border Transfers

Personal data may be transferred to third countries that provide sufficient protection for personal information, which include the EEA countries, signatories to the Council of Europe Convention and states on the DPA-approved list (which is not yet adopted). Personal information can also be transferred to countries that do not provide adequate protection if a legal basis applies such as consent, contractual necessity, or vital interests. DPA authorization is not required; however, information regarding cross-border transfers of the personal information must be included in the original registration/notification filed with the DPA.

Data Protection Officer

Organizations must appoint a department or a person responsible for the protection of personal information during the processing of that information.

Data Security Breach Notification

There is no obligation on any entity to give notice in the event of a data security breach; however, the controller must document/log violations in the course of processing and develop a plan of action in case of unauthorized access to personal information.

Data Security

The Ukrainian Law and implementing regulations require organizations to, among other things, establish an internal security policy and implement specific security measures including employee training, data disposal measures and documentation requirements involving access and control procedures.

Legal Basis for Collection and Use

To collect and use personal information, organizations must have a legal basis such as consent, contractual necessity, legitimate interests, vital interests, or legal requirements.

Registration

Controllers must file a notification with the DPA about processing of certain categories of sensitive personal information such as health, biometric and genetic data, geolocation, trade union or political or religious memberships, race, ethnic or national origin, and criminal records.

European/Eurasian Privacy Laws

Countries with Privacy Laws      Registration   DPO        Cross-Border   Data Breach Notification
                                 Requirement    Required   Limitations    Requirement (1)

Europe/Eurasia (Non-EEA) (17)    15             5          16             4

Albania                          Yes            Yes        Yes            No
Andorra                          Yes            No         Yes            No
Armenia                          No             No         Yes            Yes
Azerbaijan                       Yes            No         Yes            No
Belarus                          No             No         No             No
Bosnia and Herzegovina           Yes            No         Yes            No
Georgia                          Yes            No         Yes            No
Kosovo                           Yes            No         Yes            No
Macedonia                        Yes            Yes        Yes            No
Moldova                          Yes            No         Yes            Yes
Monaco                           Yes            No         Yes            No
Montenegro                       Yes            Yes        Yes            No
Russia                           Yes            Yes        Yes            Yes
San Marino                       Yes            No         Yes            No
Serbia                           Yes            No         Yes            No
Turkey                           Yes            No         Yes            Yes
Ukraine                          Yes            Yes        Yes            No

(1) This chart identifies only those jurisdictions that have enacted legally binding data breach notification requirements. It does not reflect the local notification practices or the DPA's expectations about whether organizations should provide notice. Consequently, organizations should consider a variety of factors, not just whether the rules are legally binding.

Source: BNA (BNA Graphic/laws24g1)
