gpg dp etop master

Upload: whitestoneoeil

Post on 14-Apr-2018


  • 7/30/2019 Gpg Dp Etop Master


    www.lexmundi.com 2009 Lex Mundi

    About this Guide

    This survey, entitled Data Privacy, was conducted in 2010 by members of the Lex Mundi E-commerce, Technology, Outsourcing and Privacy Practice Group. The guide presents overviews of general data privacy laws on personally identifiable information, personal health information, financial information and other sensitive data in different jurisdictions around the world.

    This multi-jurisdictional survey will be updated from time to time. For the most up-to-date information, please go to the Lex Mundi web site (www.lexmundi.com) and access the Data Privacy survey from the E-commerce, Technology, Outsourcing and Privacy Practice Group web page or from the Publication and Resources page. If you need assistance, please contact the Lex Mundi office at 1.713.626.9393.

    The results of the survey are not intended to represent a comprehensive guide or legal advice on the matters covered by them, but rather to provide a general overview of the subject. They may only be used as an indication, and advice should always be sought from the appropriate Lex Mundi member law firm.

    Please note that each response was provided on a different date, and therefore the answers to the survey refer to laws and regulations in force on that specific date.

    Table of Contents

    Austria
    Barbados
    Brazil
    Bulgaria
    Canada, Manitoba
    Canada, Nova Scotia
    Chile
    Colombia
    Cyprus
    Dominican Republic
    Estonia
    Finland
    Greece
    Hungary
    Ireland
    Italy
    Latvia
    Lithuania
    Malta
    New Zealand
    Panama
    Romania
    Russia
    Scotland
    Slovenia
    South Africa
    Spain
    Sweden
    Switzerland
    Thailand
    The Netherlands
    United Arab Emirates


    Data Privacy Survey

    Austria

    Prepared by Lex Mundi member firm CHSH Cerha Hempel Spiegelfeld Hlawati

    1. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personally Identifiable Information, and any material obligations.

    a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

    Personally identifiable data is primarily protected under the Federal Act Concerning the Protection of Personal Data (Datenschutzgesetz 2000). A copy is available on the website of the Austrian Data Protection Commission (Datenschutzkommission): www.dsk.gv.at/site/6230/default.aspx.

    The Telecommunications Act (Telekommunikationsgesetz) sets out the duty of secrecy regarding communications and the protection afforded to content data, as specified in § 96 et seq. A copy can be downloaded from: www.rtr.at/en/tk/TKG2003/TKG_2003_eng.pdf.

    Criminal sanctions for violations of data protection provisions and secrecy obligations regarding communications are stipulated in the Austrian Criminal Code (Strafgesetzbuch). A copy is available online at www.ris.bka.gv.at (only in German).

    b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

    Depending on the breach, the aforementioned laws contain administrative penalties (administrative penalties of up to EUR 25,000 can be imposed under the Federal Act Concerning the Protection of Personal Data) and criminal penalties (including custodial sentences of up to one year for breaching the Federal Act Concerning the Protection of Personal Data, the Telecommunications Act or the Austrian Criminal Code). Individuals may also seek damages.

    c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

    Depending on the kind of breach, administrative penalties can be imposed by the Austrian Data Protection Commission in accordance with the Federal Act Concerning the Protection of Personal Data or by established national telecommunication authorities. Criminal penalties are imposed by a court of law.

    d) Any additional information that is material?

    2. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personal Health Information, and any material obligations.

    a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

    Personal health information is deemed to be sensitive data pursuant to § 4 para. 2 of the Federal Act Concerning the Protection of Personal Data (see: www.dsk.gv.at/site/6230/default.aspx). Sensitive data is defined as data relating to natural persons concerning their racial or ethnic origin, political opinion, trade-union membership, religious or philosophical beliefs, and data concerning health or sex life.

    The DSG contains stricter rules for sensitive data, e.g. necessary approval of the Data Protection Authorities before it can be used at all and the restricted use of sensitive data.

    The Health Telematics Act (Gesundheitstelematikgesetz) stipulates additional data safety measures for the electronic transmission of health data.

    b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

    Please see section 2a as the penalties also apply to health data. Furthermore, the Health Telematics Act stipulates an administrative penalty of up to EUR 50,000.

    c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

    Please see section 2b. The implementation of and compliance with the Health Telematics Act is governed by the Ministry for Health and Women.

    d) Any additional information that is material?

    3. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Financial Information, and any material obligations.

    a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

    The general provisions of the Federal Act Concerning the Protection of Personal Data, the Telecommunications Act and the Austrian Criminal Code apply to data concerning an individual's creditworthiness. However, according to § 18 (2) 3. of the Federal Act Concerning the Protection of Personal Data, data applications whose purpose is to provide information on the creditworthiness of data subjects are subject to prior registration with the Data Protection Register.

    b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

    Please see section 1b.

    c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

    Please see section 1c.

    d) Any additional information that is material?

    4. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that is applicable to other sensitive data, and any material obligations.

    a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

    § 9 of the Federal Act Concerning the Protection of Personal Data provides regulations for the use of sensitive data and it defines when the use of sensitive data does not infringe the interests in secrecy deserving protection. Furthermore, data applications involving sensitive data may only be taken into operation after prior registration with the Data Protection Authorities (§ 18 (2) of the Federal Act Concerning the Protection of Personal Data). (www.dsk.gv.at/site/6230/default.aspx)


    b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

    Please see section 1b.

    c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

    Please see section 1c.

    d) Any additional information that is material?

    Contact Information

    Mag. Claudia [email protected]

    Dr. Hans [email protected]

    CHSH Cerha Hempel Spiegelfeld Hlawati
    Parkring 2
    A-1010 Vienna, Austria

    Tel 43.1.514.35.0 Fax 43.1.514.35.35
    www.chsh.com

    This guide is part of the Lex Mundi Global Practice Guide Series which features substantive overviews of laws, practice areas, and legal and business issues in jurisdictions around the globe. View the complete series of Lex Mundi Global Practice Guides at: www.lexmundi.com/GlobalPracticeGuides


    Data Privacy Survey

    Barbados

    Prepared by Lex Mundi member firm Clarke Gittens Farmer

    1. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personally Identifiable Information, and any material obligations.

    a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

    Data privacy in Barbados is dealt with under various pieces of legislation. There is a draft Data Protection Bill that seeks to provide for the regulation of the collection, keeping, processing, use or dissemination of personal data and the protection of the privacy of individuals in relation to personal data, but this has not yet been passed into law.

    Section 22 of the Electronic Transactions Act, Cap. 308B of the laws of Barbados (ETA), prohibits the use of information obtained under the ETA and that relates to the private affairs of a natural person without that person's consent. However, this prohibition does not apply where disclosure of information is made in certain circumstances, including in connection with the investigation of any criminal offence or for the purpose of facilitating the carrying out of prescribed public functions of any person.

    A copy of the ETA may be found at: http://www.commerce.gov.bb/Legislation/Documents/CAP%20308B.PDF

    b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

    Section 22(5) of the ETA provides that any person who discloses any information in contravention of the section is liable on summary conviction to a fine of $10,000 or imprisonment for a term of two years or to a fine of $10,000 or to both.

    c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

    Section 22(6) of the ETA provides that the Minister may make regulations prescribing the standards for the processing of personal data whether that data originates within or outside of Barbados. No regulations have been prescribed to date.

    d) Any additional information that is material?

    The ETA provides that the regulations may provide for the registration of standards by data controllers and data processors.

    A data controller who registers a standard must comply with the standard and any amendments made to that standard in respect of any personal data that originates from a country to which the standard applies and is collected by the data controller during the period of registration. A data controller who fails to comply with this provision is guilty of an offence and is liable to summary conviction to imprisonment for a term of six months or to a fine of $5000 or to both.


    2. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personal Health Information, and any material obligations.

    a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

    There is no legislation that provides for data privacy as regards personal health information. Generally, doctors owe a common law duty of confidentiality to their patients. The patient's confidential information should not be disclosed to a third party without his consent. In the absence of consent, members of the medical profession are in breach of their duty if they disclose such information unless required to do so by due process of law.

    A doctor may only disclose a patient's personal health information under the following circumstances:

    i. when giving testimony in a court of law;
    ii. where the patient has given express or implied consent; or
    iii. where it is required in the public interest.

    A patient may give express or implied consent to the disclosure of confidential information by their doctor. However, whether consent is implied is a question of fact and the burden of proof lies on the doctor to prove that consent was given.

    b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

    N/A

    c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

    N/A

    d) Any additional information that is material?

    N/A

    3. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Financial Information, and any material obligations.

    a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

    The main statutes applicable to data privacy with respect to financial information are:

    The Financial Institutions Act, Cap. 324A of the laws of Barbados (FIA) - http://www.centralbank.org.bb/WEBCBB.nsf/web_documents/C03B815750FE1F3E042572FC0012E992/$File/financial_institutions_act.pdf

    The Securities Act, Cap. 318A of the laws of Barbados (SA) - http://www.seccom.com.bb/(S(wyvc3545xitiucf5l421s055)/media/documents/SecuritiesActCAP318A_2002.pdf

    The Securities Regulations, 2002 (SR) - http://www.seccom.com.bb/(S(wyvc3545xitiucf5l421s055))/media/documents/SecuritiesRegulations_2002.pdf and

    The Central Bank of Barbados Act, Cap. 323C of the laws of Barbados (CBA) - http://www.centralbank.org.bb/WEBCBB.nsf/web_documents/B6F606E8405FEE63042572FA00705583/$File/cbb_act.pdf


    The FA: Section 44 of the FA provides that subject to s. 43(7) and s. 44(2), no statement, return or information furnished or submitted by a licensee in respect of its business shall be disclosed by the Central Bank, any officer of the Central Bank or any person authorized by the Central Bank to receive such information on behalf of the Central Bank. Section 43(7) provides for the Central Bank to publish information submitted on the quarterly returns of each licensee in the Official Gazette and a daily newspaper but prohibits the publication of information in respect of the affairs of a particular customer. Section 44(2) permits the Central Bank to disclose information without the consent of a licensee to the Director of Public Prosecutions, Commissioner of Inland Revenue or the appropriate supervisory authority of financial institutions outside Barbados at the request of that authority, where there is a branch, holding company or affiliate of the licensee operating in that country.

    See response 3d for more on the CBA, SA and SR.

    b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

    Any person who contravenes section 18(1) of the CBA is guilty of an offence and liable to summary conviction to a fine of $500 or to imprisonment for 6 months or to both.

    A person who contravenes section 18(1) or (2) of the SA is guilty of an offence and liable on summary conviction to a fine of $50 000 and to imprisonment for 12 months.

    c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

    The Minister of Finance and the Securities Commission are the applicable administrative authorities.

    d) Any additional information that is material?

    The CBA provides for the establishment of the Central Bank of Barbados (the Bank) and for related matters. Pursuant to section 18(1) of the CBA, no Director, officer or employee of the Bank shall disclose to any person any material information relating to the affairs of the Bank or of any other bank or financial institution or other person, firm, company or organization which he acquired in the performance of his duties or the exercise of his functions, except for the purpose of the performance of his duties or the exercise of his functions or when lawfully required to do so by any court or under the provision of the law.

    The SA provides for the establishment of a Securities Commission and makes provision for the regulation of the securities market and the capital market, the protection of investors and related matters. Pursuant to section 8(1) of the SA, no Commissioner or other person employed or retained by the Commission shall make use, either directly or indirectly, of any confidential information obtained as a result of his relationship with the Commission for his own benefit or advantage. Pursuant to section 8(2) confidential information may also not be disclosed unless it is in connection with the enforcement of the SA of any other law in Barbados.

    The SR are regulations made by the Minister of Finance in exercise of the powers conferred on him by section 126(7) of the SA. Regulation 5(c) of the SR prohibits the members of the Security Commission (the Commission), the General Manager and each officer, clerk or other persons who are employed by the Commission or who hold office or an appointment under the SA or the SR or any person to whom any authority has been delegated by the Commission from divulging or releasing, in advance or otherwise, confidential, non-public or official information to a person unless they are authorized under the SA or the SR.


    4. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that is applicable to other sensitive data, and any material obligations.

    a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

    There is no legislation that otherwise applies to other sensitive data.

    b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

    N/A

    c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

    N/A

    d) Any additional information that is material?

    N/A

    Contact Information

    Gillian [email protected]

    Clarke Gittens Farmer
    Parker House
    Wildey Business Park
    Wildey Road
    St. Michael BB14006, Barbados

    Tel 1.246.436.6287 Fax 1.246.436.9812
    www.clarkes.com.bb


    Data Privacy Survey

    Brazil

    Prepared by Lex Mundi member firm Demarest e Almeida

    1. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personally Identifiable Information, and any material obligations.

    a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

    Personally identifiable information protection is set forth in the Brazilian Federal Constitution, as well as in the Consumer Protection Code, on a more specific scope, regarding consumer relations. The Brazilian Federal Constitution establishes the sanctity of private life and intimacy, as set forth in its article 5, item X, and explicitly forbids breaking and entering in its article 5, item XI, proclaiming one's home to be a sacred asylum, except for the hypothesis of one being caught red-handed, urgent help being needed, or, during daytime, in compliance with a judicial determination. The interception of phone calls, mail and/or general data is also prohibited by the Brazilian Federal Constitution, as provided in article 5, item XII. The Consumer Protection Code, established by Law number 8078/90, stipulates, in its article 43, a series of rights and warranties for the consumer concerning personal information recorded in database and registration files. The dispositions contained in the Consumer Protection Code intend to set boundaries and limit the use of consumer personal information by the renderer of services in an attempt to balance consumer relations.

    Online copy of the mentioned legal provisions:

    http://www.planalto.gov.br/ccivil_03/constituicao/constitui%C3%A7ao.htm

    http://www.planalto.gov.br/ccivil_03/LEIS/L8078.htm

    b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

    The violation of one's domicile, mail or phone communication, as well as the disclosure of one's private and/or confidential information, are considered crimes, set forth in articles 150, 151 and 153, respectively, of the Brazilian Penal Code. The criminal sanction stipulated for the crime of domicile violation is detention, from one to three months, or fine. If the crime is committed by a public officer, in a situation other than those authorized by law, or not in compliance with the formalities set forth by law, or with abuse of power, the criminal sanction is increased by one third. If the crime is committed during night time, at a deserted place or with the use of violence or a weapon, or by two or more people, the criminal sanction is detention, from six months to two years, in addition to the penalty concerning the use of violence. The criminal sanction stipulated for the crime of mail or phone communication violation is detention, from one to six months, or fine. If the crime causes damage to others, the criminal sanction is increased by half. If the crime is committed by an agent of the postal service or phone service provider with abuse of duty related privileges, the criminal sanction is detention, from one to three years. Disclosing, without good cause, the contents of a private document or confidential mail, being that such disclosure causes damage to others, is also a crime, for which the criminal sanction is detention, from one to six months, or fine. The Consumer Protection Code sets forth, in its articles 72 and 73, the crimes of denying a consumer access to his/her personal data and refusing to correct inaccurate information.


    c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

    Confidentiality of personally identifiable information is protected by the Brazilian Federal Constitution and only a competent judge can enforce the applicable penalties after the conclusion of due criminal proceeding. Concerning the dispositions set forth in the Consumer Protection Code, the administrative authority is the PROCON - Grupo Executivo de Proteção ao Consumidor (Executive Group for Consumer Protection). If a judicial proceeding should be commenced to investigate the crime, only a competent judge can enforce the applicable penalties after the conclusion of due criminal proceeding.

    d) Any additional information that is material?

    None.

    2. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personal Health Information, and any material obligations.

    a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

    Personal health information can be considered part of one's intimacy and private life, for which reason it is protected by the Brazilian Federal Constitution, as provided in its article 5, item X. The secrecy of personal health information is also set forth in the Medical Ethics Code, in its articles from 73 to 79. According to such provisions, a doctor is forbidden from disclosing information of which he/she has knowledge due to duty related privileges, except in light of legal determination, good cause or with the patient's consent. Where underage children are concerned, the prohibition is extended to the patient's parents or legal guardians, unless the non-disclosure may cause damage to the patient.

    Online copy of the mentioned legal provisions:

    http://www.planalto.gov.br/ccivil_03/constituicao/constitui%C3%A7ao.htm

    http://www.cremesp.org.br/library/modulos/legislacao/versao_impressao.php?id=8822

    b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

    The disclosure of privileged information, obtained due to professional practice, is considered a crime, set forth in article 154 of the Brazilian Penal Code. The criminal sanction stipulated for such crime is detention, from three months to one year, or fine. The health professionals that do not comply with the provisions set forth in the Medical Ethics Code, and whose actions may cause irreparable damage to a patient or to society, may be suspended from medical practice. If a judicial proceeding should be commenced to investigate the crime, only a competent judge can enforce the applicable penalties after the conclusion of due criminal proceeding.

    c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

    The confidentiality of all personally identifiable information, which encompasses personal health information, is protected by the Brazilian Federal Constitution and only a competent judge can enforce the applicable penalties after the conclusion of due criminal proceeding. Concerning the provisions set forth in the Medical Ethics Code, the administrative authority is the Regional Council of Medicine, which, in case of failure in compliance, may commence specific administrative proceedings, which, in turn, may lead to the suspension of such doctor's license to practice medicine. If a judicial proceeding should be commenced as a consequence of the administrative proceeding, only a competent judge can enforce the applicable penalties after the conclusion of due criminal proceeding.

    d) Any additional information that is material?

    None.

    3. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Financial Information, and any material obligations.

    a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

    The Supplementary Law number 105/10 provides for the confidentiality of financial data and operations. Such law determines that Brazilian financial institutions shall maintain the secrecy of active and passive operations and banking services. Although this is the general rule, the following conducts, among others, do not constitute a breach of the duty of confidentiality: (i) the exchange of enrollment information between financial institutions, (ii) provision of enrollment information of issuers of insufficient-funds checks or borrowers in default to the entities of credit protection, (iii) communication to the competent authorities about illegal practices, including the supply of information on transactions involving funds that are bound to any criminal wrongdoing and (iv) disclosure of information with express consent of the ones involved in the operation.

    In addition, this law provides for the possibility of authorized breach of bank confidentiality when there is need to verify the existence of any unlawful conduct, such as, but not limited to: terrorism, illicit trafficking of narcotic substances or similar drugs, smuggling or trafficking of firearms or materials for their production, extortion through kidnapping, crimes against the national financial system, against the Public Administration or against tax and social security, money laundering and any crimes performed by a criminal organization. It is important to point out that this breach has to be authorized by a Judge during any sort of Police/Administrative Inquiry or Judicial Proceeding.

    It should be emphasized that the Brazilian Federal Constitution does not provide for a fundamental right to bank confidentiality. However, this right can be inferred from a general right to privacy and intimacy determined by article 5, item X, of the Constitution.

    Online copy of the mentioned legal provisions: http://www.planalto.gov.br/ccivil/leis/LCP/Lcp105.htm

    b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

    According to article 10 of the Supplementary Law number 105/10, the breach of bank confidentiality performed outside the authorized hypotheses under this law constitutes a crime and subjects those responsible for it to imprisonment from one to four years and a fine. The same article provides that anyone who omits, delays or provides false information required under this Law is subject to the same penalties.

    This law also determines that the official who uses or permits the use of any information obtained as a result of a breach of confidentiality responds personally and directly for any damages, which does not exclude the objective responsibility of the public entity, when proven that the employee was acting in accordance with official guidance. In other words, the employee and the company can be held responsible for any civil damages that resulted from the breach.

    c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

    It is important to point out that this Law is applicable to any financial institution in Brazil, which means banks of any kind, securities dealers, currency exchange and securities agencies, credit, finance and securities companies, real estate credit companies, credit card managers, leasing companies, credit unions, savings and loans associations, stock exchanges, entities of clearing and settlement and other companies that, due to the nature of the financial operations performed by them, will be considered by the National Monetary Council.

    According to article 10 of the Supplementary Law number 105/10, the Central Bank of Brazil and the Securities Commission have jurisdiction for enforcement of such law and they are responsible for supervising the operations and for informing the Public Prosecutor's office of any detected trace of unlawful conduct (article 9). It should be emphasized that, although these administrative authorities are entitled to enforce the Supplementary Law number 105/10, they cannot perform the breach of confidentiality by themselves, because a court order is always necessary for that to happen.

    d) Any additional information that is material?

    None.

    4. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that is applicable to other sensitive data, and any material obligations.

    a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

    It is important to point out that Brazilian Legislation also protects the confidentiality of telephone and written communications. The Federal Constitution (article 5, item XII) provides that the confidentiality of correspondence, telegraphic, data and telephone communications is irrefragable, except if there is a court order, in the cases and form provided by law, for purposes of criminal investigations and proceedings.

    In order to regulate this issue, there is also the Law 9296/96, which describes the proceeding that should be adopted in order to perform the breach of confidentiality in a lawful way. It should be emphasized that any breach of confidentiality shall be authorized by a Court Order in order to be legal and legitimate.

    b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

    According to the Law 9296/96, it is a crime to intercept telephone or online communication without a court order or to serve a goal which is not authorized by law. The person responsible for said conduct can also be obliged to pay for civil damages caused by the unlawful action.

    The Brazilian Penal Code also provides that it is a crime to disclose, transmit or abusively make use of telegraph, radio communication or telephone conversations between two people. The one who is found responsible for such crime can be sentenced to imprisonment from 1 to 6 months or a fine.

    c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

    This sort of confidentiality is protected by the Federal Constitution and only the Police Authority or the Public Prosecutor can request the breach during a criminal proceeding or investigation.

    Therefore, there are no administrative authorities with jurisdiction for said measure.

    d) Any additional information that is material?

    None.

    Contact Information

    Lus Carlos [email protected] Latre

    Andrea Vainer

    Demarest e Almeida
    Av. Pedroso de Moraes, 1201
    Centro Cultural Ohtake
    Sao Paulo 05419-001, Brazil

    Tel 55.11.3356.1800 Fax 55.11.3356.1700
    www.demarest.com.br

    This guide is part of the Lex Mundi Global Practice Guide Series which features substantive overviews of laws, practice areas, and legal and business issues in jurisdictions around the globe. View the complete series of Lex Mundi Global Practice Guides at: www.lexmundi.com/GlobalPracticeGuides

    Data Privacy Survey

    Bulgaria
    Prepared by Lex Mundi member firm Penkov, Markov & Partners

    1. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personally Identifiable Information, and any material obligations.

    a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

    The general provisions on data privacy are in the Bulgarian Law for Protection of Personal Data - link: http://www.cpdp.bg/en/index.php?p=element&aid=128

    Some aspects of data privacy are detailed in:

    i. Rules on the activity of the commission for personal data protection and its administration - link: http://www.cpdp.bg/en/index.php?p=element&aid=36
    ii. Ordinance No. 1 dated 7 February 2007 on the minimal level of technical and organizational measures and the admissible type of personal data protection - link: http://www.cpdp.bg/en/index.php?p=element&aid=37

    b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

    The penalties vary from BGN 1000 to BGN 100 000 (approximately EUR 500 to EUR 51 000).

    Criminal sanctions are provided by the Bulgarian Criminal Code only for disclosing passwords or codes for access to a computer system or to computer data, which leads to disclosure of personal data. The sanction is deprivation of liberty of up to one year.

    If that criminal offence is committed with a venal goal in mind, or where it has caused considerable damage or other grave consequences have occurred, punishment shall be deprivation of liberty of up to three years.

    c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

    Commission for Personal Data Protection

    d) Any additional information that is material?

    2. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personal Health Information, and any material obligations.

    a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

    The information provided for Personally Identifiable Information is also applicable.

    b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

    The information provided for Personally Identifiable Information is also applicable.

    c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

    Commission for Personal Data Protection

    Ministry of Healthcare

    d) Any additional information that is material?

    3. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Financial Information, and any material obligations.

    a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

    The general provisions regarding private financial information are regulated by: i. Bulgarian Law for Protection of Personal Data and ii. Credit Institutions Act.

    Link to Credit Institutions Act: http://www.bnb.bg/bnbweb/groups/public/documents/bnb_law/laws_creditinstitutions_en.pdf

    b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

    According to the provisions of the Credit Institutions Act, any person who commits or suffers another to commit a violation of this Act or of any statutory instrument issued for the application thereof shall be liable to a fine of BGN 1,000 to BGN 4,000, and for repeated violation - BGN 3,000 to BGN 12,000, unless the act constitutes a criminal offence.

    c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

    Bulgarian National Bank

    d) Any additional information that is material?

    4. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that is applicable to other sensitive data, and any material obligations.

    a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

    The information provided for Personally Identifiable Information is also applicable.

    b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

    The information provided for Personally Identifiable Information is also applicable.

    c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

    d) Any additional information that is material?

    Contact Information

    Svetoslav [email protected]
    Penkov, Markov & Partners
    13B Tintyava Str., Floor 6
    1113 Sofia, Bulgaria

    Tel 359.2.971.3935 Fax 359.2.971.1191
    www.penkov-markov.eu

    Data Privacy Survey

    Canada, Manitoba
    Prepared by Lex Mundi member firm Thompson Dorfman Sweatman LLP

    1. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personally Identifiable Information, and any material obligations.

    a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

    The Freedom of Information and Protection of Privacy Act
    The Personal Health Information Act

    http://web2.gov.mb.ca/laws/statutes/ccsm/f175e.php

    http://web2.gov.mb.ca/laws/statutes/ccsm/p033-5e.php

    b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

    The Personal Data Act provides that the handling of personal or sensitive data in breach of the provisions of the Personal Data Act will cause the database administrator to be liable for all damages caused to the person, including monetary damages and pain and suffering (daño moral). There are no criminal sanctions established in the Personal Data Act.

    c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

    The Ombudsman of Manitoba administers the legislation. That is an independent office of the Manitoba legislature (i.e. not government).

    d) Any additional information that is material?

    2. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personal Health Information, and any material obligations.

    a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

    See earlier references.

    b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

    Same as earlier references.

    c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

    Same as earlier references.

    d) Any additional information that is material?

    3. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Financial Information, and any material obligations.

    a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

    I do not believe that there is legislation specific to financial information.

    b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

    c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

    d) Any additional information that is material?

    4. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that is applicable to other sensitive data, and any material obligations.

    a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

    I cannot think of other relevant legislation in this regard.

    b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

    c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

    d) Any additional information that is material?

    Contact Information

    Lisa [email protected]
    Thompson Dorfman Sweatman LLP
    201 Portage Avenue, Suite 2200
    Winnipeg, Manitoba R3B 3L3, Canada

    Tel 1.204.957.1930 Fax 1.204.934.0570
    www.tdslaw.com

    Data Privacy Survey

    Canada, Nova Scotia
    Prepared by Lex Mundi member firm McInnes Cooper

    1. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personally Identifiable Information, and any material obligations.

    a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

    The Personal Information Protection and Electronic Documents Act (http://laws.justice.gc.ca/en/P-8.6/) applies to information collected, used and disclosed in the course of commercial activities and employee information collected, used and disclosed by federal works, undertakings or businesses.

    b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

    The Personal Data Act provides that the handling of personal or sensitive data in breach of the provisions of the Personal Data Act will cause the database administrator to be liable for all damages caused to the person, including monetary damages and pain and suffering (daño moral). There are no criminal sanctions established in the Personal Data Act.

    c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

    Privacy Commissioner of Canada (http://www.priv.gc.ca)

    d) Any additional information that is material?

    Jurisdiction over privacy in Canada is split between the federal government and the provinces. Different laws apply to the public sector (government, government corporations, agencies).

    2. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personal Health Information, and any material obligations.

    a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

    In Nova Scotia, a range of laws such as the Hospitals Act and public health legislation apply to personal health information. The general private sector law applies to health information collected, used and disclosed by private practitioners. We anticipate a Personal Health Information Act to be introduced and passed in the coming year.

    b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

    There are no penalties under the public sector laws. In the private sector, the remedies are the same as for the general private sector privacy law.

    c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

    Protection of Privacy Review Officer.

    d) Any additional information that is material?

    3. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Financial Information, and any material obligations.

    a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

    Financial information is covered by the general privacy statutes in Canada.

    b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

    c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

    d) Any additional information that is material?

    4. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that is applicable to other sensitive data, and any material obligations.

    a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

    N/A

    b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

    N/A

    c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

    d) Any additional information that is material?

    Contact Information

    David TS [email protected]
    McInnes Cooper
    1300-1969 Upper Water Street
    Purdy's Wharf Tower II
    Halifax, Nova Scotia B3J 2V1, Canada

    Tel 1.902.425.6500 Fax 1.902.425.6350
    www.mcinnescooper.com

    Data Privacy Survey

    Chile
    Prepared by Lex Mundi member firm Claro & Cia., Abogados

    1. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personally Identifiable Information, and any material obligations.

    a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

    The Chilean Personal Data Protection Act (the Personal Data Act) provides for rules on the treatment of personal data in general. The Personal Data Act establishes general rules regarding treatment of personal data (any information concerning a person) and sensitive data.

    Any person can engage in the treatment and management of personal data, as long as it complies with the following:
    i. the treatment of personal data must be authorized in writing and may be revoked;
    ii. the identity of those retrieving personal data must be recorded;
    iii. all personal data a.) whose storage has lost legal basis must be eliminated; b.) which is found to be mistaken, inaccurate, equivocal or incomplete must be amended, and c.) whose accuracy cannot be proven or whose effectiveness is doubtful must be blocked; d.) personal data must be kept confidential; e.) all personal data must only be used for the purpose for which it was collected; and f.) sensitive data cannot be subject to treatment, unless expressly authorized by law, its owner, or for purposes of obtaining health benefits.

    No authorization is required for publicly available information of economic, financial, banking or commercial nature; information contained in lists segregating individuals on profession, education, address or date of birth; for response to commercial communications or sales, and treatment made by a company for its own use.

    The Chilean Labor Code requires employers to treat any private information and data of their employees confidentially.

    The Chilean Constitution recognizes the protection of private communication in general.

    This is a link to the Personal Data Act: http://www.leychile.cl/Navegar?idNorma=141599

    This is a link to the Chilean Labor Code: http://www.leychile.cl/Navegar?idNorma=207436

    This is a link to the Chilean Constitution: http://www.leychile.cl/Navegar?idNorma=207436

    b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

    The Personal Data Act provides that the handling of personal or sensitive data in breach of the provisions of the Personal Data Act will cause the database administrator to be liable for all damages caused to the person, including monetary damages and pain and suffering (daño moral). There are no criminal sanctions established in the Personal Data Act.

    c) Identity the applicable administrative authority with jurisd iction for enforcement of suchlaws.

    There is no specific administrative authority with jurisdiction for the enforcement of the PersonalData Act. The Personal Data Act provides for special procedures for a person to enforce her orhis rights, but such procedures provide for the filing of a claim to be made at a court.

    The administrative authority with jurisdiction for the enforcement of labor laws is the Direction ofLabor.

    d) Any additional info rmation that is material?

    Sensitive data refers to information regarding physical or moral characteristics of a person, andfacts or circumstances of such persons private life and intimacy, such as personal habits, racialbackground, political opinions, religious beliefs, physical and mental health and sex life.

    2. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personal Health Information, and any material obligations.

    a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

    The definition of sensitive information by the Personal Data Act covers personal health information. Consequently, the Personal Data Act is applicable to such information. In addition, article 127 of the Chilean Sanitary Code provides that doctors' prescriptions, clinical laboratory analysis and exams, and any services related to health are reserved.

    This is a link to the Chilean Sanitary Code: http://www.leychile.cl/Navegar?idNorma=5595

    b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

    Because the definition of personal health information fits in the definition of sensitive data, the sanctions set forth by the Personal Data Act are also applicable to the disclosure of personal health information in breach of the law. The Personal Data Act provides that the handling of personal or sensitive data in breach of the provisions of the Personal Data Act will cause the database administrator to be liable for all damages caused to the person, including monetary damages and pain and suffering (daño moral).

    The Sanitary Code provides for criminal sanctions for the breaching of any provision thereof, which would be applicable for the infringement of the article addressing the handling of personal health information. The penalties set forth by the code are fines of up to one thousand monthly tax units (approximately, US$70,000). Repeat offenders can be fined up to twice the maximum amount. In addition, sanitary authorities may revoke operating licenses and/or order the closing of facilities.

    c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

    The administrative authorities with jurisdiction for the enforcement of the Sanitary Code are the Directors of the Services of Public Health and the Director of the Institute of Public Health of Chile.

    d) Any additional information that is material?


    3. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Financial Information, and any material obligations.

    a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

    The Personal Data Act applies to personal financial information. In such regard, the Personal Data Act provides that those engaged in the treatment of personal data may disclose economic, financial, banking or commercial information, when such information is evidenced by protested bills of exchange, promissory notes or checks, or referred to breaches of commercial, mortgage, bank or government loans, and other obligations determined by the President of the Republic by Executive Decree. In no event can public utility debts be disclosed.

    Information on a specific obligation cannot be disclosed after five years from the date in which such obligation became enforceable, nor after such obligation has been fully paid or otherwise discharged.

    Article 154 of the Chilean Banking Act provides the rules of secrecy for banking transactions.

    In addition, article one of the Chilean Bank Checking Accounts and Checks Act provides that a bank shall maintain the activity in the checking accounts and balances of its clients in strict secrecy and may only provide this information to the drawer, authorized persons or the courts.

    This is a link to the Chilean Banking Act: http://www.leychile.cl/Navegar?idNorma=83135

    This is a link to the Chilean Bank Checking Accounts and Checks Act: http://www.leychile.cl/Navegar?idNorma=5594

    b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

    Our answer to question 1b applies here.

    Notwithstanding those penalties that the Superintendence of Banks and Financial Institutions may impose pursuant to its authority, article 154 of the Chilean Banking Act provides for imprisonment of up to three years for those who breach bank secrecy laws.

    In addition, the Superintendence of Banks and Financial Institutions may impose fines of up to five thousand unidades de fomento (approximately, US$200,000) on those entities that infringe this provision, among other penalties. A fine of up to one thousand unidades de fomento (approximately, US$ 40,000) may be imposed on the directors and officers found responsible.

    These fines can be increased fivefold in case of repeated offenses.

    c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

    The Superintendency of Banks and Financial Institutions is the administrative authority with jurisdiction for enforcement of the Chilean Bank Checking Accounts and Checks Act.

    d) Any additional information that is material?


    4. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that is applicable to other sensitive data, and any material obligations.

    a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

    The Data Protection Act defines sensitive data as any information regarding physical or moral characteristics of a person, and facts or circumstances of such person's private life and intimacy, such as personal habits, racial background, political opinions, religious beliefs, physical and mental health and sex life. Sensitive data cannot be subject to treatment, unless expressly authorized by law, its owner, or for purposes of obtaining health benefits.

    This is a link to the Personal Data Act: http://www.leychile.cl/Navegar?idNorma=141599

    b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

    Please see our response to question 1b.

    c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

    Please see our response to question 1c.

    d) Any additional information that is material?

    Contact Information

    José María Eyzaguirre [email protected]

    Claro & Cia., Abogados
    Av. Apoquindo 3721, 14th Floor
    Las Condes
    Santiago 755 0177, Chile

    Tel 56.2.367.3000 Fax 56.2.367.3003
    www.claro.cl

    This guide is part of the Lex Mundi Global Practice Guide Series which features substantive overviews of laws, practice areas, and legal and business issues in jurisdictions around the globe. View the complete series of Lex Mundi Global Practice Guides at: www.lexmundi.com/GlobalPracticeGuides


    Data Privacy Survey

    Colombia
    Prepared by Lex Mundi member firm Brigard & Urrutia Abogados

    1. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personally Identifiable Information, and any material obligations.

    a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

    In December 2010, the Colombian Congress enacted a new general data protection law (the "New Data Protection Act" or "NDPA") which established the regulations for processing personal information. As this law regulates fundamental rights, it required the prior approval by the Constitutional Court to enter into force. Although the Court's decision is not yet public, in a recent press release the Court established that with the exception of a few articles the NDPA passed the constitutional test.

    http://www.oas.org/dil/Newsletter/newsletter_api_ppd_NOV-2011_Colombia_new_law.pdf

    b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

    The Superintendency of Industry and Commerce (the Colombian data privacy authority) may impose the following sanctions for non-compliance with the NDPA: (i) fines up to USD 596.500, (ii) suspension of activities related to the processing and/or (iii) permanent or temporary closure of the operation.

    In addition, pursuant to Law 1273 of 2009, it is a crime to obtain, gather, subtract, offer, sell, exchange, send, buy, intercept, divulge, modify or use personal data (...) for personal purposes or of third parties, without being authorized to do so. Individuals or companies that commit this crime may be subject to fines of up to USD 220,000, and prison of 4 to 8 years.

    c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

    Superintendency of Industry and Commerce.

    d) Any additional information that is material?

    2. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personal Health Information, and any material obligations.

    a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

    Although there are some specific provisions in the Colombian health care regulations regarding the processing of personal health information, as the NDPA is not yet enforceable, the rules for the processing of such information when considered personal data have been established by the judicial precedents of the Constitutional Court.

    The Constitutional Court has defined personal information as any information that by itself or in connection with other information may identify a particular individual. The Court has issued about 200 decisions since 1991 in connection with three fundamental rights that have direct impact on the protection of personal information: the habeas data right, the right to privacy, and the right to maintain a public good name. One of these decisions, decision T729 of 2002 (Decision T-729), is one of the landmark decisions in connection with the right to personal data protection. This decision sets forth the principles for the processing of personal data, of which it is important to mention the following:

    Freedom: Personal Data can only be processed with the free, express, informed, and prior consent of the data subject.

    Purpose: The Personal Data collected must have an explicit, determined and legitimate purpose. This purpose must be informed to the data subject and its Processing must be carried out within the scope of the notified purpose.

    Restricted circulation: The Personal Data collected may only be circulated within the parameters of the freedom and purpose principles. Therefore, the Personal Data may only circulate within the legal entity that has legitimately obtained such information and the people expressly authorized by the data subject. Any transfer to third parties, even if affiliated, must be previously authorized by the data subject.

    Necessity: Only the specific Personal Data that is required for the authorized purpose may be collected. Conversely, no information that is not specifically required for the authorized purpose may be collected.

    Veracity or quality of the data: Personal Data stored in databases must be true, complete, exact, up to date, verifiable and comprehensible. Recording of information that is partial, incomplete, fragmented or that induces to error is forbidden.

    Temporality: Personal Data must only be stored as long as it is useful for the authorized purpose for which it was collected.

    Security: Personal Information shall be handled using the necessary technical measures that guarantee its safety and integrity of the records as a whole.

    Confidentiality: All individuals and legal entities that intervene in the administration of Personal Data shall guarantee at all times the confidentiality of such information, even after they cease their labors.

    b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

    As the NDPA is not currently enforceable there are no specific penalties for violation of the principles set forth by the Constitutional Court. Therefore, risks must be evaluated on a case by case basis.

    c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

    Superintendency of Industry and Commerce and the Ministry of Health and Social Protection without being authorized to do so.

    d) Any additional information that is material?

    3. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Financial Information, and any material obligations.

    a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

    Law 1266 of 2008 (Financial Data Privacy Act). This law was originally intended to be the general legal framework applicable to the management of personal information. However, after being reviewed by the Constitutional Court (Decision C 1011 of 2008), its scope was reduced to be applicable only to financial, credit, commercial, and services information (and to information of the same characteristics coming from abroad) destined to financial risk and credit risk assessment (Financial Personal Data). The paradigm case to which Law 1266 is applied would be the data collected by financial institutions to determine whether or not they would grant a loan to their clients. However, the Court has sustained that this Law 1266 applies to all data used by people other than financial institutions with the purpose of analyzing credit risk.

    http://www.secretariasenado.gov.co/senado/basedoc/ley/2008/ley_1266_2008.html

    b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

    According to the Financial Data Privacy Act, the Superintendency of Finance may impose the following sanctions for non-compliance with the Financial Data Privacy Act: (i) fines up to USD 447.395, (ii) suspension of activities related to the data base administrator and/or (iii) permanent or temporary closure of the activities related to the management of the data base.

    In addition, pursuant to Law 1273 of 2009, it is a crime to obtain, gather, subtract, offer, sell, exchange, send, buy, intercept, divulge, modify or use personal data (...) for personal purposes or of third parties, without being authorized to do so. Individuals or companies that commit this crime may be subject to fines of up to USD 220,000, and prison of 4 to 8 years.

    c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

    The Superintendency of Finance.

    d) Any additional information that is material?

    4. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that is applicable to other sensitive data, and any material obligations.

    a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

    Pursuant to the NDPA, processing of sensitive data, understood as any data that affects the privacy of the data subject or whose unlawful use may cause the data subject to be discriminated against, is generally prohibited unless expressly authorized by law or if the data subject has granted its explicit consent for such processing. The data subject has the right to refuse providing any information regarding sensitive data.

    b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

    Please see section 1b.

    c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

    d) Any additional information that is material?

    Contact Information

    Juliana Pulecio [email protected]

    Brigard & Urrutia Abogados
    Calle 70 A #4 - 41
    Bogota, Colombia

    Tel 57.1.346.20.11 Fax 57.1.310.06.09
    www.bu.com.co

    This guide is part of the Lex Mundi Global Practice Guide Series which features substantive overviews of laws, practice areas, and legal and business issues in jurisdictions around the globe. View the complete series of Lex Mundi Global Practice Guides at: www.lexmundi.com/GlobalPracticeGuides


    Data Privacy Survey

    Cyprus
    Prepared by Lex Mundi member firm Dr. K. Chrysostomides & Co LLC

    1. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personally Identifiable Information, and any material obligations.

    a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

    The Processing of Personal Data (Protection of the Individual) Law of 2001 (as amended)

    b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

    The Personal Data Act provides that the handling of personal or sensitive data in breach of the provisions of the Personal Data Act will cause the database administrator to be liable for all damages caused to the person, including monetary damages and pain and suffering (daño moral). There are no criminal sanctions established in the Personal Data Act.

    c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

    The Office of the Commissioner for Personal Data Protection.

    d) Any additional information that is material?

    The Regulation of Electronic Communications and Postal Services Law of 2004 (112(I)/2004), s.106 deals with the issue of unsolicited communications (SPAM).

    2. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personal Health Information, and any material obligations.

    a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

    The Processing of Personal Data (Protection of the Individual) Law of 2001 (as amended)

    b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

    The Law provides for both criminal and administrative sanctions, including imprisonment (for a term not exceeding five years) and/or a fine not exceeding EUR 8.543,00.

    c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

    The Office of the Commissioner for Personal Data Protection.

    d) Any additional information that is material?


    3. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Financial Information, and any material obligations.

    a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

    The Processing of Personal Data (Protection of the Individual) Law of 2001 (as amended)

    b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

    The Law provides for both criminal and administrative sanctions, including imprisonment (for a term not exceeding five years) and/or a fine not exceeding EUR 8.543,00.

    c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

    The Office of the Commissioner for Personal Data Protection.

    d) Any additional information that is material?

    4. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that is applicable to other sensitive data, and any material obligations.

    a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

    The Processing of Personal Data (Protection of the Individual) Law of 2001 (as amended)

    b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

    The Law provides for both criminal and administrative sanctions, including imprisonment (for a term not exceeding five years) and/or a fine not exceeding EUR 8.543,00.

    c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

    The Office of the Commissioner for Personal Data Protection.

    d) Any additional information that is material?

    Contact Information

    Alexandros [email protected]

    Dr. K. Chrysostomides & Co LLC
    1, Lampousas Street
    1095 Nicosia, Cyprus

    Tel 357.22.777000 Fax 357.22.779939
    www.chrysostomides.com.cy

    This guide is part of the Lex Mundi Global Practice Guide Series which features substantive overviews of laws, practice areas, and legal and business issues in jurisdictions around the globe. View the complete series of Lex Mundi Global Practice Guides at: www.lexmundi.com/GlobalPracticeGuides


    Data Privacy Survey

    Dominican Republic
    Prepared by Lex Mundi member firm Pellerano & Herrera

    1. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personally Identifiable Information, and any material obligations.

    a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

    b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

    c) Identify the applicable administrative authority with jurisdiction for enforcement of such laws.

    d) Any additional information that is material?

    The Dominican Republic has no specific regulations protecting Personally Identifiable Information. Nonetheless, in general terms Dominican laws, and specifically the Dominican Constitution, do protect the individual's right to privacy. Article 44 provides the right to privacy of individuals, in general. It also states that any person has a right to access the information and data on such individual, and his/her assets, that is found in official or private registries, as well as to know the destination of such information, with the limitations provided by law. The treatment given to personal and financial information must respect the principles of quality, legality, loyalty, security and purpose. An individual may request a competent court authority to update, rectify or destroy such information that illegitimately affects such individual's rights.

    Although individuals do have a right to control the accuracy of their own personal information, there is no legal provision effectively protecting them from third-party access to such information and its use and destination. The Constitution only provides a general principle that legal provisions must, when enacted, effectively protect and enforce.

    2. Provide a brief description of the subject matter of data privacy laws in your jurisdiction that are applicable to Personal Health Information, and any material obligations.

    a) What is the cite to such laws? Provide a link, if available, to an online copy of such law.

    b) What are the penalties imposed for a breach of such law? Any criminal sanctions?

    c)