JISCMail - DATA-PROTECTION Archives

Antoinette,

I would be cautious about applying the lesser of two standards.

Article 4 of Directive 96/46/EC is arguably the 'cornerstone' of all the
recent debate regarding jurisdiction of data protection laws. This article,
and other preamble 'bits'(19), clearly sets out the "principle of
establishment" and how this impacts on the applicability of national
legislation within a federal system i.e. the EU.
Art. 4 states ...

Each Member State shall apply the national provisions it adopts pursuant to
this Directive to the processing of personal data where:
(a) the processing is carried out in the context of the activities of an
establishment of the controller on the territory of the Member State; when
the same controller is established on the territory of several Member
States, he must take the necessary measures to ensure that each of these
establishments complies with the obligations laid down by the national law
applicable;

As you can see from part (a), if you have an office in Poland, you will be
'established' on the territory of another member state. By the principle of
establishment, you must comply with the obligations laid down by national
law i.e. Polish data protection legislation.

This is one of the major problems our clients have with trans national
marketing. Most have offices globally e.g. in other European countries, and
therefore have to assess and comply with ALL legislation of the countries in
which they are established and processing data. This is not a small task;
made even more difficult by the fact that there are substantial difference
in the interpretation of the 95/46/EC Directive.

The key to success is knowing how the law varies in different EU states, the
'aggressiveness' of the relevant Authority in policing and enforcing its
legislation, AND the (cultural) expectations of the citizens of each member
state.

Hope that helps.

Regards,

Duncan S Smith
Director
iCompli Limited Northampton UK
T: 08707 70 48 66 F: 08707 70 48 69 M: 07775 56 81 80
Mailto:[log in to unmask] Web: www.icompli.co.uk
"Compliance in your language"


-----Original Message-----
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]] On Behalf Of Antoinette Carter
Sent: 30 November 2004 16:41
To: [log in to unmask]
Subject: [data-protection] Poland DPA

I have been contacted by our office in Poland, who were one of the ten
countries to join the EU this year. The Polish DPA appears to set much
higher standards with regard to system user access/security than we do in
the UK. For example, they insist that users' passwords are changed at least
every 30 days. Our corporate policy is to apply the UK DPA globally unless
local legislation is stronger, which appears to be the case here. But on
reading the text of the Polish Act, Article 4 reads "The provisions of the
Act shall apply, save where otherwise provided for by any international
agreement to which the Republic of Poland is party." Would you construe from
this that signing up to the EU is just such an international agreement, and
that it is sufficient for us (as registered data controllers in the UK) to
continue to apply the UK standards rather than the Polish. Any thoughts
would be much appreciated....
Antoinette Carter
Data Protection Officer
Tel: 0207 389 4970

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
       All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
      If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
            All user commands can be found at : -
        http://www.jiscmail.ac.uk/help/commandref.htm
  (all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^