
The privacy model developed by the EU is formally expressed in the 1995 EU Data Directive (95/46/EC). Under the EU Data Directive each EU member state establishes, implements, and enforces its own regulatory structure consistent with the guidance provided by the EU Directive. The EU Directive is, however, not in itself a law applicable to all private citizens. It must be read only as a guide to the general content of the national laws that are adopted by each member state.

Each of the 27 members of the EU is responsible for adopting and enforcing its own privacy or data protection laws. Countries that are not members of the EU, such as Norway, Iceland, and Switzerland, have adopted EU-compliant laws as part of their integrated trade policies. A Minnesota business must therefore consider the data privacy laws and regulations of the country where it does business.

The EU 1995 Data Directive has five principles that are set forth in Article 6 as follows:

Article 6

1. Member States shall provide that personal data must be:

(a) processed fairly and lawfully;

(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards;

(c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use. [emphasis added]

Data Controller or Processor? The EU Data Directive establishes the concepts of a “controller” and “processor” and creates specific legal obligations applicable to the data controllers. A controller determines the purposes and means of the processing of personal data. The controller decides how the data is collected, stored, used, altered and disclosed. The processor is a person (other than an employee of the controller) who processes personal data on behalf of the controller. The distinction between controller and processor becomes important as it determines who is responsible for compliance with the relevant data protection laws and the enforcement authorities.

Data processing is broadly defined in the EU Data Directive and includes any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.

Notification to the Data Protection Authority in Advance. One of the first things a Minnesota business may need to do when setting up an office or operation in Europe is to notify the relevant Data Protection Authorities (DPAs) that the business intends to process personal information as a data controller within the relevant jurisdiction. This can be as simple as processing personal data of just a few employees to pay their salaries or the processing of significant amounts of customer data maintained in databases in multiple locations.

A unique and key part of the EU Data Directive is the requirement for notification to the appropriate DPA by the data controller before processing may commence. The purpose of such notification is to allow the DPA to assess the risk posed to the rights and freedoms of the data subjects by the proposed processing, and to post such information in a national register accessible to all. This notification requirement is the part of the EU Directive with which a Minnesota business will likely have the most contact.

Data processing by the Minnesota business is not supposed to start until this notification is complete. Data Protection Authorities differ, however, in when this notice is effective. It could be that notice is complete when the fee is paid or it may not be effective until a receipt and notice is actually received from the DPA. Failure to notify a DPA prior to commencing the data processing activities may, in some cases, constitute a criminal offense.

Proposed Revisions to the Directive. In January 2012 the European Commission announced proposed revisions to the EU Data Directive. These proposed revisions continue to be debated and the status of the so-called new EU Data Protection Framework remains unclear.

If the new EU Data Protection Framework under consideration is ever implemented, the current EU Data Directive would likely be repealed and replaced by one set of consistent rules. The main change would be a one-stop-shop rule so that a Minnesota business would only have to report to the DPA in the country where the business has its foreign office instead of reporting to multiple DPAs as required currently. This would certainly make compliance much easier for a Minnesota-based business.

Another change being discussed would require that security breaches be reported within 24 hours of discovery. New sanctions and hefty fines for non-compliance might also be imposed under the new EU Data Protection Framework. As of the publication of this Guide, the new EU Data Protection Framework continues to be discussed but has not yet been adopted. Minnesota businesses must therefore continue to operate under the current EU Data Directive.

Transfer of Personal Data Outside Of The
