Lee & White

  • Protocol agreement reduces administrative burden for data transfer contracts

    Monday, July 15, 2013

    On 25 June 2013, the Belgian Privacy Commission and the Ministry of Justice entered into a protocol agreement which forms the framework for the transfer of personal data outside the EU. As a result, contracts governing the exchange of personal data with companies outside the EU will from now on be handled more smoothly.

    The immense volume of personal data transferred between countries has rightly created a need to protect such data. Where data is transferred within Belgium and the EU, personal data may be transferred subject to the Belgian Data Protection Law. EU member states are accorded the same level of protection for the processing of personal data by virtue of European Directive 95/46/EC.

    Where the data is transferred outside the EU, personal data can only be transferred to countries which provide an adequate level of protection of the data - similar to the protection accorded within the EU. The European Commission has recognised a number of countries which are regarded as providing an adequate level of protection of personal data. This can be viewed on the European Commission's website.

    Where a country is not recognised as offering an adequate level of protection, personal data may still be transferred through:
    • European Commission's model contracts or contractual clauses drawn up by organizations themselves offering an adequate level of protection of the personal data to be transferred
    • Binding Corporate Rules
    • Exceptions provided by law.
    In Belgium, where the European Commission's model contracts are used, these contracts are sent to the Belgian Privacy Commission to be checked for conformity with the European Commission's standard contractual clauses. There is, however, no need for a Royal Decree to validate such contracts, and this has been clearly stated in the recent protocol agreement between the Belgian Privacy Commission and the Ministry of Justice. The date on which conformity with the standard contractual clauses is confirmed in writing by the Privacy Commission is also the date from which the data transfer is allowed.

    In the second instance, where organizations draw up their own contractual clauses binding themselves and the receivers of the personal data, the existing situation is such that a Royal Decree is necessary. However, owing to the shared jurisdiction of the Belgian Privacy Commission and the Ministry of Justice, the process became long and cumbersome, and very few organizations took up this method of providing an adequate level of protection.

    The protocol agreement has changed that - the Privacy Commission will now play the leading role in this procedure and quicken the process. Organizations can send the contracts to the Privacy Commission for review. If the necessary guarantees for the protection of personal data are in place, the Privacy Commission will forward these contracts to the Ministry of Justice along with a positive assessment and a proposed wording for a Royal Decree for the King's signature and publication in the Belgian Official Gazette. If not, the Privacy Commission will contact the applicant and refer to the principles which are required to be addressed properly in the contractual clauses.

    The new procedure will significantly shorten the period of approval of such contracts and is said to be a win-win situation for the government, organizations and citizens. It will also prevent the possible consequences of violation and provide more legal certainty both for the data subjects whose personal data is transferred and for the organizations involved. The protocol agreement takes effect immediately.


    Posted by: Lee & White


    Tags: Best Practices, EU, Personal Data, Government, Organisations, Data Handling Manual

  • Poof! Your Privacy Evaporated in a Cloud of Smoke!

    Wednesday, December 21, 2011

    Cloud computing is a hot topic these days. But what is it all about?

    Basically, it describes technologies to deliver software as a service. The cloud provider provides processing power, software, data access, and storage in order to deliver services to the consumer of the cloud services.

    How does it look from your end of the screen? Compare it to your water supplier; at the end of the day, the average user would probably require that when he turns on the tap, water comes out. The more concerned user would be a bit more interested in the quality and origin of the water coming out.

    A better parallel with regard to your data however would be the attended cloakroom. You would arrive at the theatre and hand your coat to the cloakroom attendant in exchange for a numbered ticket. After the show, you would hand the ticket to the attendant in order to have your coat returned.

    So as a user (the data subject), you would hand your personal data to a company (the data controller) you trust, and this company would store your data or process it in ‘the cloud’ through its cloud provider (a data processor).

    If the attended cloakroom is unattended (after closing hours) or in case of an emergency, you could browse through the coat hangers in the cloak room and find your coat. What if it wasn’t there, what if the cloakroom had ‘outsourced’ storing the coats? You would appreciate a sign saying ‘We outsource our coat storage to external sites in x, y and z’. You could still go to x, y and z and retrieve your coat.

    With data, however, nobody guarantees that the data is stored completely in one location; it might be distributed over multiple data stores. Nor is it guaranteed that the data is stored only once, only that it is stored at least once. And there is no guarantee that if data is deleted or moved, it is physically removed or erased from the original location.

    So what can we learn from this short story?
    It is vital that everybody involved knows where the data resides, handles it with care and only for as long as needed and wanted, keeps it safe from abuse, and deletes it when it is no longer needed.

    Data Controller
    • Draw up and adhere to rules regarding handling personal data. (data handling procedures)
    • Draw up and implement procedures to allow data subjects to execute their legal rights under the Data Protection Law.
    • Ensure your subcontractors abide by the same rules you impose on yourself.
    • Inform your data subjects of these rules, be transparent. (privacy statement)
    • Audit yourself regularly to check adherence to your rules and the Data Protection Law.
    • Audit your subcontractors to check the above.
    • Be vigilant!
    Data Subject
    • Read the information provided by the data controller before handing over your personal data.
    • Execute your legal rights under the Data Protection Law.
    • Stay in control of your personal data, know who is using it and what for.
    • Be vigilant!

    And finally, if in doubt, do not hand over your personal data and look for another provider.


    Posted by: Lee & White


    Tags: Best Practices, Personal Data, Organisations, Internet, IT, Data Handling Manual

  • Is There a Data Protection Policy in Your Company?

    Wednesday, September 1, 2010

    One of the largest corporate insurers was recently fined by Britain's financial regulator, the FSA, for the loss of customer data. Zurich Insurance PLC was fined a record £2.3m for losing the personal information of 46000 customers, which included identification information and details of bank accounts, credit cards and insured assets, and which could have resulted in significant loss to customers.

    The loss of customers' data dates back to August 2008, when Zurich Insurance had outsourced data work to the company's South African unit, which lost an unencrypted back-up tape. The loss, however, was not discovered until a year later.

    Companies would benefit from learning from the mistakes that cost Zurich Insurance PLC not only a £2.3m fine, but also the loss of its customers' trust, which is a valuable asset for any company.

    "It served to remind us of the need to strive continually to improve the ways in which we seek to protect customers' data," said Stephen Lewis, chief executive of Zurich Insurance.

    Now, what are you as a company doing to ensure that your customers' personal information is protected? Do you have a Personal Data Protection Policy in place in your company, and are your employees aware of it? It would do you well to look at this seriously and ensure you are protected by protecting your customers.


    Posted by: Lee & White


    Tags: Best Practices, FSA, Personal Data, Government, Organisations, Data Handling Manual

  • Let's send a mail

    Monday, April 26, 2010

    It's almost the end of the quarter, sales numbers are nearly on target, we just need a little boost to get them higher, perhaps even above target, I need that bonus.

    "You know what? Let's launch a quick campaign and mail our prospects!"

    I'm sure this all sounds very familiar if you are in the marketing department of any medium to large company, and it is a great initiative of course. But whom will you email? Where do you get the addresses?

    We could for example mail our prospects, people who expressed some interest in one of our products; or perhaps people who entered that competition last month; perhaps people who were submitted by someone in our friend-gets-friend referral campaign; perhaps the subscribers to our newsletter; what about ex-customers we want back; let's buy a list from a broker; ...

    And this is where it gets hairy:

    • Are you mailing the right people, possibly sending a super promo mail that will anger a new customer who paid so much more for the same product a few days ago?
    • Do you have permission to email these prospects; did you ask them for their permission to send them this kind of promotions and did they opt-in?
    • Did you exclude persons who opted out from your list?
    • Is your list deduplicated? Are you not sending multiple mails to the same person through the same or different email addresses?
    • Are you not publishing your list of email addresses to every recipient?
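The last three checks in the list above (opt-outs honoured, list deduplicated, recipients not exposed to each other) are the ones a mailing tool can enforce mechanically. The following is an added example, not code from the original post or from Lee & White: it normalises a constructed list of prospect addresses, drops invalid entries and duplicates, applies a suppression list of people who opted out, and builds the message with the recipients in Bcc and an unsubscribe header. The sample addresses, the `example.com` domain and the unsubscribe URL are all constructed placeholders.

```python
"""Mailing-list hygiene: dedupe, honour opt-outs, keep recipients hidden.

Added example (not part of the original post). Sample data is constructed.
"""
import re
from email.message import EmailMessage
from typing import Dict, Iterable, List, Optional, Tuple

# Deliberately simple syntax check: one '@', no whitespace, a dot in the domain.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample input: mixed case, trailing whitespace, a duplicate,
# an invalid entry and one person who opted out earlier.
SAMPLE_PROSPECTS = [
    "Alice@Example.com",
    "alice@example.com ",
    "bob@example.com",
    "not-an-address",
    "carol@example.com",
]
SAMPLE_OPT_OUTS = ["BOB@example.com"]


def normalise(address: str) -> Optional[str]:
    """Canonical form used for comparison, or None if the address is malformed.

    Local parts are case-sensitive by the letter of the RFCs, but treating the
    whole address case-insensitively is the safer choice for suppression
    matching: a near-miss here means mailing someone who opted out.
    """
    addr = address.strip()
    if not EMAIL_RE.match(addr):
        return None
    return addr.lower()


def build_send_list(prospects: Iterable[str],
                    opt_outs: Iterable[str]) -> Tuple[List[str], Dict]:
    """Return (recipients, report).

    Invalid addresses are dropped, duplicates collapsed (so one person does
    not get the same mail twice), and every address on the opt-out list is
    excluded. The report records what was filtered so the decision is auditable.
    """
    suppressed = {n for n in (normalise(a) for a in opt_outs) if n}
    seen = set()
    recipients: List[str] = []
    report: Dict = {"invalid": [], "duplicates": 0, "suppressed": 0}
    for raw in prospects:
        canon = normalise(raw)
        if canon is None:
            report["invalid"].append(raw)
            continue
        if canon in seen:
            report["duplicates"] += 1
            continue
        seen.add(canon)
        if canon in suppressed:
            report["suppressed"] += 1
            continue
        recipients.append(canon)
    return recipients, report


def build_message(sender: str, recipients: List[str], subject: str,
                  body: str, unsubscribe_url: str) -> EmailMessage:
    """Build one message whose recipients sit in Bcc, never in To or Cc.

    smtplib's send_message() strips the Bcc header before transmission and uses
    it only for the envelope, so no recipient ever sees the rest of the list.
    List-Unsubscribe gives every mail a machine-readable opt-out.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender  # the visible To is the sender itself, not the list
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg["List-Unsubscribe"] = f"<{unsubscribe_url}>"
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    to_send, rep = build_send_list(SAMPLE_PROSPECTS, SAMPLE_OPT_OUTS)
    print("recipients:", to_send)
    print("report:", rep)
    m = build_message("promo@example.com", to_send, "Quarter-end offer",
                      "Hello,\n\nour quarter-end offer...\n",
                      "https://example.com/unsubscribe")  # constructed URL
    print(m)
```

Run as a script it prints two recipients (alice and carol), a report showing one invalid entry, one duplicate and one suppressed address, and a message whose `To` header contains only the sender. Keeping the suppression list as a separate, authoritative source, rather than editing it out of each campaign's export by hand, is what makes the opt-out check repeatable.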

    A mistake at this level can cost you dearly, in terms of losing face or upsetting client or supplier relations, and it could all be solved if you had followed proper procedures when you acquired the email addresses.

    All you needed to do was:

    • Ask for a prospect's email only when needed.
    • If you want to use this information for other purposes, inform the prospect and ask for his explicit permission.
    • Allow the prospect to review, change and delete his information at his simple request at any time.
    • Check if the supplier of your mailing list or broker has obtained the permission of your prospects and has informed them of the possibility of their information going to you for marketing purposes.
    • At any communication, give the prospect the opportunity to opt out of future communications of this kind or of any kind.

    A Privacy Impact Assessment at the design phase of a project can detect such opportunities and a Data Protection Audit can analyse and correct the flow of information within your organisation.

    It will save you in the long run!


    Posted by: Lee & White


    Tags: Best Practices, Organisations, IT, Data Handling Manual

  • Data Handling Procedures

    Monday, October 27, 2008

    So, here we are again with another case in the series of data handling blunders. The recent careless use of personal data of the Luxembourg branch of Kaupthing bank confirms that proper data handling procedures are crucial. Email addresses of customers were leaked due to the misuse of email.

    Inadequately defined procedures for data handling can, and will, lead to improper and careless handling of personal data. We've seen this occur countless times. For example, not too long ago, 25 million records were lost by HM Revenue and Customs and, according to the investigation, the problem lay not with individual workers but with the lack of processes for data handling.

    All organisations should have reasonable security measures to protect personal data from misuse, loss, unauthorised access, and abuse. These measures can be stated in a Data Handling Manual, and must be implemented in a way where all concerned parties are well informed of the handling procedures. It is simply a guideline for handling personal data that should and must be adhered to by all in an organisation.

    Unfortunately, in most companies not only are such manuals non-existent, but where there is such a manual it is usually collecting dust on some shelf, and most employees and contractors are not even aware of it or do not adhere to it. The other problem is that lack of adherence is usually not noted or, if it is, it is not reprimanded regularly - well, at least until a big foul-up happens and makes the headlines of the major newspapers.

    It is perhaps more than timely for organisations to draw up these guidelines and train their personnel, ensuring regular audits to maintain adherence - in addition to appointing data protection officers and registering processes of personal data.

    If you would like some help in customising a data handling manual, please review our privacy policy and then contact Lee & White.


    Posted by: Lee & White


    Tags: Personal Data, Government, Organisations, Data Handling Manual

Copyright © 2003-2025 Lee & White®. All rights reserved.