LexisNexis Practical Guidance®
Straightforward guidance across a range of topics

Data protection & privacy in 30 jurisdictions worldwide


The Data protection and privacy 2019 report, published by Getting the Deal Through, is available for download.

Jurisdictions covered

The following 30 jurisdictions are covered in this report:

Argentina; Australia; Austria; Belgium; Brazil; Chile; China; Colombia; France; Germany; Greece; India; Ireland; Italy; Japan; Korea; Lithuania; Malta; Mexico; Portugal; Russia; Serbia; Singapore; Spain; Sweden; Switzerland; Taiwan; Turkey; United Kingdom; United States.

Questions

The questions on data protection and privacy that the guide answers for each jurisdiction covered include:

Law and regulatory authority

  • Summarise the legislative framework for the protection of personally identifiable information (PII). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments on privacy or data protection?
  • Which authority is responsible for overseeing the data protection law? Describe the investigative powers of the authority.
  • Are there legal obligations on the data protection authority to cooperate with other data protection authorities, or is there a mechanism to resolve different approaches?
  • Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?

Scope

  • Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?
  • Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals? If not, list other relevant laws in this regard.
  • Identify any further laws or regulations that provide specific data protection rules for related areas (for example, rules on employee monitoring, e-health records, the use of social media or credit information).
  • What forms of PII are covered by the law?

Extraterritoriality

  • Is the reach of the law limited to PII owners and processors of PII established or operating in the jurisdiction?

Covered uses of PII

  • Is all processing or use of PII covered? Is a distinction made between those who control or own PII and those who provide PII processing services to owners? Do owners’, controllers’ and processors’ duties differ?

Legitimate processing of PII

  • Does the law require that the holding of PII be legitimised on specific grounds, for example to meet the owner’s legal obligations or if the individual has provided consent?
  • Does the law impose more stringent rules for specific types of PII?

Data handling responsibilities of owners of PII

  • Does the law require owners of PII to notify individuals whose PII they hold? What must the notice contain and when must it be provided?
  • When is notice not required?
  • Must owners of PII offer individuals any degree of choice or control over the use of their information? In which circumstances?
  • Does the law impose standards in relation to the quality, currency and accuracy of PII?
  • Does the law restrict the amount of PII that may be held or the length of time it may be held?
  • Are the purposes for which PII can be used by owners restricted? Has the “finality principle” been adopted?
  • If the finality principle has been adopted, how far does the law allow for PII to be used for new purposes? Are there exceptions or exclusions from the finality principle?

Security

  • What security obligations are imposed on PII owners and service providers that process PII on their behalf?
  • Does the law include (general or sector-specific) obligations to notify the supervisory authority or individuals of data breaches? (If so, explain the nature and extent of the obligation and whether there is a threshold for notification to be mandatory.) If breach notification is not required by law, is it recommended by the supervisory authority? (If so, under what circumstances?)

Internal controls

  • Is the appointment of a data protection officer mandatory? (If the obligation depends on the context, give details.) What are the data protection officer’s legal responsibilities?
  • Are owners or processors of PII required to maintain any internal records or establish internal processes or documentation?
  • Are there any obligations in relation to new processing operations (for example, requirements to apply a privacy-by-design approach or carry out privacy impact assessments)?

Registration and notification

  • Are PII owners or processors of PII required to register with the supervisory authority? Are there any exemptions?
  • What are the formalities for registration?
  • What are the penalties for a PII owner or processor for failure to make or maintain an entry on the register?
  • On what grounds may the supervisory authority refuse to allow an entry on the register?
  • Is the register publicly available? How can it be accessed?
  • Does an entry on the register have any specific legal effect?
  • Are there any other public transparency duties (for example, to make public statements as to the nature of the processing)?

Transfer and disclosure of PII

  • How does the law regulate the transfer of PII to entities that provide outsourced processing services?
  • Describe any specific restrictions on the disclosure of PII to other recipients.
  • Is the transfer of PII outside the jurisdiction restricted?
  • Does transfer of PII require notification to or authorisation from a supervisory authority?
  • If transfers outside the jurisdiction are subject to restriction or authorisation, do these apply equally to transfers to service providers and onwards transfers?

Rights of individuals

  • Do individuals have the right to see a copy of their personal information held by PII owners? Describe how this right can be exercised as well as any limitations to this right.
  • Do individuals have other substantive rights?
  • Are individuals entitled to monetary damages or compensation if they are affected by breaches of the law? Is actual damage required or is injury to feelings sufficient?
  • Are these rights exercisable through the judicial system or enforced by the supervisory authority or both?

Exemptions, derogations and restrictions

  • Does the law include any derogations, exclusions or limitations other than those already described? Describe the relevant provisions.

Supervision

  • Can PII owners appeal against orders of the supervisory authority to the courts?

Specific data processing

  • Describe any rules on the use of “cookies” or equivalent technology.
  • Describe any rules on marketing by e-mail, fax or telephone.
  • Describe any rules or regulator guidance on the use of cloud computing services.