Thursday, 13 March 2014

EU: tightening the rules on protecting personal data transferred to non-EU countries

MEPs have ensured stronger protection for the personal data of EU citizens that is transferred to non-EU countries by voting to amend EU data protection laws. The new rules aim to give people more control over their personal data and to make it easier for companies to work outside their own country by ensuring that the same rules apply in all EU member states.

The rules will also provide better protection of data on the Internet. They include a right to have personal data erased, new limits on «profiling» (attempts to analyse or predict a person's behaviour at work, economic situation, location, etc.), and a requirement to use clear and plain language to explain privacy policies. MEPs also increased the fines imposed on firms (search engines, social networks or cloud storage providers) that break the rules, which may reach up to 100 million euros or 5% of global turnover.

The directive

Whereas the general regulation will apply directly in member states, the directive on data processed by police and judicial authorities to prevent, investigate, detect or prosecute criminal offences or enforce criminal penalties will need to be transposed into national laws. EU countries may set higher standards than those enshrined in the directive.

Civil Liberties Committee MEPs insist that it is important to remove disparities among member states’ existing laws in this field and to close loopholes. To this end, this directive should be dealt with at the same time as the regulation (as a package). Here is an overview of some of the committee's key proposals for the directive:

- a number of concepts envisaged in the regulation, such as profiling, explicit consent, using clear, simple language and appointing a data protection officer, should also apply to the directive, says Parliament's negotiating mandate,

- personal data could be transferred to third countries or international organisations only if the transfer is needed for the same purposes of the directive, if the controller in the foreign country/organisation is a public authority and if the same level of data protection as is provided for in the directive is guaranteed. Transfers would also be allowed if the European Commission decides that the foreign country/organisation provides a proper level of data protection or when appropriate safeguards are established in a legally binding instrument (Article 33),

- member states should ensure that clear, easily understandable information is given to a person regarding the processing of his/her data and key rights, such as the right of access, rectification and erasure of their data, the right to lodge a complaint and to go to court and the right to compensation in the event of unlawful processing. Such rights should be exercised free of charge (Article 9a, Articles 11-17),

- data must be dealt with in a way that is protected against non-authorised or unlawful processing and against accidental loss, destruction or damage (Article 4),

- personal data should not be processed for purposes other than those for which they were collected. They must be deleted if they are no longer necessary for those initial purposes, say MEPs, adding that member states must ensure that time limits are set for the erasure of personal data (Article 7a, Article 4),

- profiling activities to single out a person without the suspicion that he/she has committed or will commit a crime would be possible only if strictly needed for the investigation of a serious crime or to prevent an imminent threat to public security or the life of persons (Article 9),

- as a general rule, law enforcement authorities would have access to the data of persons convicted for a crime, suspects (on reasonable grounds), victims and other persons connected to a criminal investigation, such as witnesses. Data of other persons would be processed only for as long as necessary for the investigation or for targeted, preventive purposes (Article 5), and

- MEPs introduce strict limits for the use of sensitive data (Article 8). Genetic data should be processed only to prevent a threat to public security or a specific criminal offence (Article 8a).

«Personal data» is any information concerning a person's private, professional or public life. It may be a name, a photo, an email address, bank details, his/her posts on social networks, medical information or his/her computer's IP address.

«Data processors» process personal information on behalf and under the authority of data controllers but do not take decisions on conditions, purposes and means of the processing (outsourcers). For example, payroll companies, accountants and market research companies are data processors when they process personal information on behalf of others (e.g. other companies or public authorities, which would be data controllers in such cases). However, if they decide on conditions, purposes or act beyond the instructions of the controllers, they become controllers for that specific processing activity.

«Data controllers» decide on the conditions, purposes and the manner in which personal data are processed. They may be individuals, firms or public authorities. Examples of individuals who act as data controllers include doctors, pharmacists and politicians, when they keep data on their patients, clients and constituents.

Sources:
http://www.europarl.europa.eu/pdfs/news/expert/background/20130502BKG07917/20130502BKG07917_en.pdf
http://www.europarl.europa.eu/news/en/news-room/content/20140307IPR38204/html/MEPs-tighten-up-rules-to-protect-personal-data-in-the-digital-era
