
First Data gains approval for its Processor BCRs

Dentons has advised First Data Corporation (“First Data“), a global leader in payment technology and service solutions, in successfully obtaining approval for its Binding Corporate Rules (“BCRs“) for Data Processors. BCRs are a company-wide privacy policy to guarantee that a company’s practices are consistent with European data protection law. They are widely considered the platinum standard for compliance with the European Data Protection Directive.

Here are our 5 big takeaways from this story:

  1. First by the ICO – First Data is the first company to obtain authorisation for BCRs for Processors under the leadership of the UK’s Information Commissioner’s Office (“ICO“). The only other DPAs to have led a successful application for Processor BCRs are the Dutch DPA and the French CNIL.
  2. First payment processor – First Data is the only payments technology company to obtain such authorisation. First Data will no longer need to enter into model contracts with many of its clients, simplifying the contractual process. This should give it a competitive advantage in a marketplace that is increasingly sensitive to privacy issues.
  3. Dual approval – First Data is one of only five companies worldwide that has completed this rigorous process for information processed both as a Data Processor and as a Data Controller.
  4. Two-year project – The Data Processor authorisation is the culmination of a two-year project. If you are considering making an application, this is a guide to the timescales you should expect (although this was the first such application and the process may be streamlined in future).
  5. Easier for Data Controllers – The BCRs approval will open the door to a streamlined process for Data Controllers wanting to rely on the BCRs to enable their data to be shared across borders.

If you would like any more information on this application, you can find First Data’s press release here, or you can contact Scott Singer, Nicola Harding or me directly.


Europe under Review: Part 3 of 8 – Accuracy and Proportionality

As the next in our series of “back to privacy basics”, we look at the rules regarding accuracy and proportionality in the processing of personal data.

As we will do throughout this series, we take a look at the current position and what is best practice for an organisation. We will also briefly consider what the new Data Protection Regulation may mean in this area.

Accuracy and proportionality

Data protection law requires the data controller to ensure personal data is accurate and up-to-date. In practice this means an organisation should:

  • try to ensure personal data it collects is accurate;
  • keep a record of the source of any personal data;
  • assess the risks of personal data being, or becoming, inaccurate; and
  • consider how it will ensure the information stays up-to-date.

Data protection law also requires that personal data collected is not excessive for the purpose for which it was collected. In practice this means organisations should not hold more information about an individual than they need for that purpose.

Best Practice

Organisations should consider these simple steps for keeping data up to date:

  • Before adding information to your database, ask the individual to confirm it is accurate. For example, in call centre scripts, ensure the operator reads the information back to the individual and confirms it is correct.
  • Ask the individual to confirm the data remains accurate on a periodic basis. For example, once a year when an individual logs into their account, you could present their information to them and ask them to amend it, or tick a box to confirm it is accurate.
  • If you replace IT, securely delete personal data from legacy systems. If the database is not maintained, get rid of it!

Similarly, procedures should be put in place to ensure you are not collecting excessive data:

  • Review your databases regularly and ask yourself if you need all of the information you are collecting. If not, stop collecting it!
  • Don’t hold personal data on the off-chance that it might be useful in the future – you must know the purpose for collecting it first!
  • It’s ok to hold information, even if you never need to use it, as long as you are holding it for a legitimate purpose – for example, emergency contact details.
  • Identify information that is insufficient for its intended purpose – for example, CCTV images that are of such poor quality that they cannot achieve their purpose.

Position under draft Data Protection Regulation

The draft Data Protection Regulation raises the bar:

  • It requires that “every reasonable step” must be taken to ensure that inaccurate personal data are erased, or corrected, without delay.
  • Only “the minimum necessary” information may be collected and may only be processed if processing non-personal information could not fulfil the purposes. So regulators are likely to expect anonymisation of data where de-personalised data could achieve the same purpose.

It remains to be seen what will be considered as sufficient to comply with the new requirements of the Regulation. However, the good practice steps identified above are a good starting point. Next up in our series is the topic of data retention.


Romanian DPA approves use of BCRs

Yesterday (27 March 2014) the Romanian DPA approved a decision on the use of Binding Corporate Rules (BCRs).

Historically the DPA would not authorise transfers of personal data outside the European Economic Area on the basis of BCRs. However, the DPA has been reconsidering this position and this decision reverses that policy.

This is great news for the many multi-national companies that use Romania as a low-cost processing centre, but have previously been unable to take advantage of the flexibility provided by the BCRs solution to ensure compliant international transfers.

However, the decision leaves a number of procedural matters unclear and Romania is still not part of the Mutual Recognition Process, so obtaining authorisation may not be plain sailing quite yet…


Is the new Regulation back on track?

The Data Protection Regulation is potentially back on track after a major roadblock was resolved.

Germany is reported to have agreed to ensure its rules relating to access to public sector information are compatible with the new Data Protection Regulation. Previously, Germany had sought a complete exemption from the Regulation for the public sector. However, at a recent meeting of EU ministers in Cyprus, Germany withdrew these objections provided that it was given flexibility in how to apply the rules. This flexibility will also apply to all other Member States, so this concession is likely to reduce the level of harmonisation in relation to public sector data across Europe.

But the road ahead for the Regulation is still not clear. Many Member States still have significant objections. A leaked document from the Council of the European Union, published recently by civil liberties group Statewatch, makes clear the extent of these concerns and shows there is significant work to do before all Member States are on board. It also shows that a near universal concern is the extent to which burdensome rules apply to Small and Medium-sized Enterprises (SMEs). This demonstrates that effective lobbying by business bodies such as the CBI and various e-business bodies has been partially successful. As SMEs are seen as the engine of growth by governments, their opinions are clearly influential in these recessionary times.

So the new Regulation may be back on track. But given that Belgium and the UK have also suggested the Regulation should actually be a Directive – rather a fundamental point – you could be forgiven for thinking the opposite.


Copying ID documents – Dutch data regulator issues guidance

We have all been asked before to provide copies of our passports to organisations such as telecoms providers, hotels and car rental companies. But Jan Willem van den Bos, Partner at Dentons, warned clients this week that they need to be careful in the Netherlands when engaging in this widely adopted practice following new guidance published on 12 July by the Dutch data protection commission (College Bescherming Persoonsgegevens – CPB).

Essentially, the CPB is stepping up the pressure on organisations to think twice before taking a photocopy or scanning the passports of their clients, customers or other relations – and, if they do have to take copies, to make sure they:

  • cover the photo;
  • cover the unique personal “BSN” number (so only show the shorter passport number);
  • store all copies securely; and
  • destroy copies safely as soon as they are no longer necessary.

Clearly, the main underlying concern is ID fraud.

It is illegal under Dutch law to take a copy of anyone’s passport, subject to some limited exceptions.

The CPB recognises that certain organisations need to carry out ID checks (including for credit reference purposes), but the CPB says that in many circumstances it should be enough for people simply to show their passport and for organisations merely to take a note of the ID document type and number, rather than copying the whole document.

With the new guidance, the CPB is trying to clarify the law and impress on industry that there are other less intrusive and risky ways of checking someone’s ID. The CPB has also published a checklist for consumers, including FAQs about handing over copies of their passports.

Of course, the implications of this guidance go much broader than the Netherlands. The issues raised apply in all countries where ID fraud is a risk – that’s everywhere! So this is very timely advice from the Dutch regulator.
