Published: Wednesday April 30, 2014
The revelations by US whistleblower Edward Snowden about the extent of surveillance by the security services have caused concern not only for individuals, but also for the European Parliament. As a result, a significant number of amendments have been made to the EU Data Protection Regulation to enhance the protection of privacy.
The Regulation is expected to be adopted in late 2014 and Member States will be required to implement the Regulation within two years of adoption. Member States have no freedom over how to implement it, because a Regulation must be implemented in the form in which it is adopted. The impact of that Regulation is likely to be significant, and once the final text is known businesses will need to review their systems to ensure all privacy concerns are addressed and decide what changes are necessary.
At the same time, the data protection provisions in the Fourth Directive will also affect businesses. Although the final text is not available, because it may yet change during the final negotiations which take place after the European elections, understanding the current proposals, and assessing how they may impact your business, is not a waste of time. Your business can plan for implementation and keep a close eye on the developments in your country.
The key points are:
- How long you can hold Customer Due Diligence (CDD) data;
- Informing clients about how the data may be used;
- Only using data for the purpose for which it was obtained.
The proposed time limit is five years; after that period, you must delete the data. However, you may be able to retain data for a further five years, subject to Member State legislation and if you can justify the retention on a case-by-case basis.
Why are you holding data?
It's vital that businesses always keep at the front of their minds why they are holding data and whether they need to retain all of it.
You will need to inform new clients of the possible use of personal data for money laundering prevention purposes before you establish a business relationship. Businesses are reminded that sensitive personal data should be processed in accordance with the legislation.
Using data for the original purpose
It is obvious, but you should use data only for the original purpose, and not for any other purpose without consent.
Data protection issues should already be considered as a key area of risk for the legal practice, but it is clear that the EU believes that every citizen should be confident that their data is properly protected, regardless of the type of organisation holding that data.