Data Protection - an international issue
Article provided by Eversheds
Technological development has created a situation in which companies with cross-border activities see a major advantage in compiling their data centrally. For example, it is not unusual for medium-sized companies or groups to collect information about customers, or about personnel administration, in one place rather than keeping the data distributed across several units and jurisdictions. Besides a quick and efficient exchange of information, this also lets the companies create consistency among the individual legal entities.
The technological possibilities are one thing; the legal challenges they entail are another. Particularly relevant is whether such centralisation is permitted under data protection law, and what it implies. To answer this, the following questions must be considered: Will personal data be processed? Which types of personal data will be processed? Who is responsible for the processing? Will the personal data be transferred to a third country, i.e. a country outside the EU? The rules of the Danish Act on Processing of Personal Data strike a delicate balance between the interests of the companies and the integrity of the data subjects.
Processing of personal data
The Danish Act on Processing of Personal Data regulates when and how personal data may be processed. To assess whether the processing of specific data is covered by the Act, the following sections briefly go through its most important concepts and principles.
Personal data
The Danish Act on Processing of Personal Data defines personal data as "any information relating to an identified or identifiable physical person". The definition is rather broad, so most data about customers, employees and other persons related to a company would seem to be covered by the Act.
Processing
A transfer of personal data between a subsidiary established in Denmark and a parent company established in another country, for instance the US, is regarded as processing subject to data protection legislation. Likewise, a company's compilation and registration of data about its customers is regarded as processing subject to data protection legislation, irrespective of how it is carried out (physically, manually or electronically). These examples are merely meant to illustrate that the concept of processing covers a very wide field.
Data controller or data processor?
When processing personal data, it is important for a company to determine whether it is acting as data controller or as data processor. A data processor carries out the practical processing of personal data on behalf of the data controller. That said, it is the data controller who has the overall responsibility for the data, and who will be held responsible for the data being processed in accordance with applicable law.
Where personal data are processed by a data processor, the data controller is required to enter into a written agreement with the data processor stating that the processor must act only on instructions from the data controller, and that the data processor must implement the necessary technical and organisational security measures. This means, among other things, that procedures must be set up specifying who will have access to the data and how the data will be protected against destruction or deterioration; this may take the form of locked rooms or cabinets, or, where IT is used, access codes or encryption. Such an agreement is known as a Data Processing Agreement.
Types of personal data
The Danish Act on Processing of Personal Data distinguishes between three types of personal data: ordinary, sensitive and semi-sensitive. Ordinary personal data are, for instance, name, phone number and date of birth. Sensitive data include information about sexual and health conditions and religious or political beliefs. Finally, semi-sensitive data cover, for instance, information about criminal offences, significant social problems and other purely private matters.
The reason for this division is that different conditions and procedures apply depending on which types of personal data are being processed. In general, the more sensitive the data, the stricter the requirements for the processing and its purpose.
Permission from the Danish Data Protection Agency
When a company wants to process sensitive or semi-sensitive data, the main rule is that the processing must be notified to the Danish Data Protection Agency, which must give its permission before the processing takes place.
When processing the notification, the Danish Data Protection Agency assesses whether the purpose of the processing can be considered justified, and whether the notifying company is authorised to handle the specific types of data. A permission from the Agency is always conditional on the notifying company complying with a number of specifically stated terms, including the requirement to establish particular security and handling procedures.
Consequences of not complying with the rules
Non-compliance with the rules of the Danish Act on Processing of Personal Data, including failure to notify or obtain permission from the Danish Data Protection Agency, may as a rule be sanctioned by a fine or, at worst, by imprisonment. In addition, the Danish Data Protection Agency can, on its own initiative, choose to publish its rulings and inspection results on the Agency's own website.
International transfers of personal data
As described above, it does not take much to constitute a transfer, and thereby processing, of personal data. When, for instance, a Danish subsidiary sends customer or employee information to a parent company established outside the EU/EEA, for instance in the US, this constitutes a transfer covered by the Danish Act on Processing of Personal Data. It also constitutes a transfer if employees or others related to a Danish subsidiary are able, as part of a group's whistleblower scheme, to report potential illegalities, and the scheme is administered by the American parent company or by a third-party company established in the US.
Some companies find it difficult to accept that personal data cannot simply be transferred from one country to another. Being able to transfer personal data to a parent company established in the US without any legal challenges may seem a natural part of running a business.
It is, however, important to emphasise that the rules on processing of personal data should not be regarded as an obstacle, but rather as a prerequisite for processing such data.
When assessing whether a transfer of personal data can take place, and what it would imply, the first question is which country the data are to be transferred to.
Transfer within the EU/EEA
Personal data can as a rule be transferred to EU and EEA countries. These countries are considered to have an adequate level of protection, meaning that in practice a transfer of data to them does not substantially reduce the protection of the data subject. Thus, a principle of free transfer applies within the EU/EEA.
Transfer outside the EU/EEA
When transferring personal data outside the EU/EEA, to so-called third countries, it is a condition that the recipient country has an adequate level of protection. The EU Commission has assessed a number of countries outside the EU/EEA as having an adequate level of protection, including Switzerland, Argentina, Israel and the Faroe Islands.
If the receiving third country does not have an adequate level of protection, it is as a rule prohibited to transfer personal data to that country. Since many international companies have activities in third countries without adequate protection, such as the US, and since an outright prohibition would obstruct many cross-border activities, the personal data legislation lists a number of exceptions to the prohibition. The most common legal bases for transfers are described below.
Consent
The Danish Act on Processing of Personal Data provides that a transfer of data may take place if the data subject, for instance an employee, has given explicit consent to it. When transferring data related to personnel administration to an American parent company, every employee in the Danish subsidiary must therefore consent to the transfer. In practice this may create some challenges, particularly because consent may be revoked at any time.
The Commission’s standard contractual clauses
The EU Commission has drafted a number of standard contractual clauses to be used when transferring data to third countries that do not have an adequate level of protection. Entering into these clauses ensures that the transferred personal data will be handled adequately.
The standard contractual clauses are designed differently depending on whether the data are transferred to a data controller or to a data processor. Before signing the clauses, the data controller should therefore clarify who the recipient of the data is and how the data must flow.
When using the standard contractual clauses, it is a condition that the company obtains prior permission from the Danish Data Protection Agency.
Safe Harbor
For transfers of personal data to the US, a special scheme, the Safe Harbor scheme, has been introduced. American companies can use the Safe Harbor scheme in connection with the import of data from the EU. By joining the scheme with the American Department of Commerce, a company declares that it will uphold a level of protection in line with the EU's legislation on protection of personal data.
Besides binding the registered company to comply with a number of personal data principles, and thus to maintain an adequate level of protection, the scheme in practice means that permission for the transfer from the Danish Data Protection Agency is not necessary. The exporting company thereby saves substantial time and resources.
The Danish Data Protection Agency's website links to a list of the companies that have joined the scheme.
Concluding remarks
The law on personal data is a discipline that is here to stay, and, not least in light of this, an increased focus on understanding and complying with the rules has developed. We see this at Eversheds as well, where cases related to data protection continue to rise.
Eversheds has vast international experience in this field and has access to the knowledge of our colleagues worldwide. This offers your company cost-efficient, quick and well-considered cross-border solutions through a single point of contact.
If you have questions or wish to receive further information on the challenges of processing and transferring personal data to the US, including assistance with preparing notifications to the Danish Data Protection Agency, transfer agreements and the Commission's standard contractual clauses, data processing agreements, and advice on security measures, you are welcome to contact us.
Contacts
For further information, please contact your usual Eversheds contact or Catrine Søndergaard Byrne, Associate / Head of Employment and Data Law team, +45 33 75 05 64, catrinesondergaardbyrne@eversheds.com