Technology, Media & Telecommunications - European Data Protection Directive
The European Data Protection Directive imposes wide-ranging obligations regarding the collection, storage and use of personal information relating to employees and customers. The measure, which has been implemented in each of the 18 member states of the European Economic Area (EEA), regulates both European businesses and the European subsidiaries of US and other non-EEA corporations. Such companies are now required:
- to implement policies and practices that provide adequate protection for the privacy of the personal information the company holds -- both in the EEA and in the US or any other non-EEA country to which personal data may be transferred for review or storage;
- to register with a national data protection authority and provide details of privacy protection practices;
- to give employees access to their personnel records;
- to place notices on a range of corporate documentation informing customers, employees and any other person from whom they collect personal information about their data practices;
- to enter into data protection agreements with any third-party with whom employee or customer information may be shared (including, for instance, payroll agencies and marketing firms).
The Directive also imposes an obligation on companies not to transfer personal data from their operations within the EEA to their operations in the United States (and other places outside the EEA) unless the recipient in the non-EEA country provides "an adequate level of protection" for the data. US companies may comply either by participating in the Safe Harbor scheme administered by the US Commerce Department or by the use of an intra-group transborder data flow contract.
Crowell & Moring lawyers are assisting a number of corporations to achieve compliance with the European Data Protection Directive, and have collected an extensive database regarding the nature of the national implementing regulations throughout the EEA. Typically, our work covers:
- Registration with national data protection authorities;
- Conforming human resource policies and practice to the requirement of the Directive;
- Preparing data protection notices and conforming employee, customer and other corporate documentation;
- Implementing third-party data processing policies and contracts;
- Preparing an intra-group transborder data flow contract.
National Registration
Corporations with entities within Europe that collect and use personal information about either their employees or customers (or prospective customers) may be required to register details of their data practices with the national data protection authorities. Failure to register with a national data protection authority in contravention of national law is a criminal offence in most European countries.
The first step towards achieving compliance generally, and towards establishing in which countries registrations may be necessary, is an information gathering exercise. This exercise enables our lawyers to compile, at a central level, an accurate picture of the company's current European data practices. That central record supplies the information needed to carry out accurate registrations where required, and also forms the basis of the broader compliance effort, for example by allowing us to implement policies and procedures, and to execute data contracts, that are tailored to actual practices.
Human Resource Policies and Practice
We are experienced in drafting employee policies that comply with the rules governing the collection and use of personal information, and in dealing with employee requests for access to their personnel records. Our lawyers will help to educate the relevant human resource managers as to their responsibilities under the Directive, relating particularly to compliance with the data protection principles and respect for the rights of employees.
Third Party Transfers and Data Processing Contracts
The Directive requires businesses to ensure that personal data are disclosed only to third parties who can guarantee an adequate level of protection for the personal data they receive. Such third parties include outside payroll agencies, marketing firms, and similar companies to whom functions requiring the transfer of personal information may be outsourced.
The Directive also requires companies to secure a binding obligation from any third-party data processor to whom they disclose personal data to provide an adequate level of protection for that data. This is most readily achieved through a data transfer contract.
Transborder Data Flow Contracts
The Directive prohibits transfers of personal data from companies within the EEA to third countries unless an "adequate level of protection" can be ensured for that personal data. US corporations that do not wish to join the US Safe Harbor scheme administered by the US Commerce Department may comply with this requirement through the use of transborder data flow contracts. We are experienced in both advising on achieving compliance with the US Safe Harbor scheme and in the preparation and implementation of tailored transborder data flow contracts.
Timeframe
The length of time it would take to complete this exercise and achieve compliance will vary according to the scope of the operations to be examined, the nature of the business and the extent to which steps have already been taken to achieve compliance. As a general guide, we would expect to complete a compliance program for a company with operations in, say, five European jurisdictions in around three months.