Antoinette,

I would be cautious about applying the lesser of two standards. Article 4 of Directive 96/46/EC is arguably the 'cornerstone' of all the recent debate regarding jurisdiction of data protection laws. This article, and other preamble 'bits' (19), clearly sets out the "principle of establishment" and how this impacts on the applicability of national legislation within a federal system, i.e. the EU.

Art. 4 states ...

Each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where: (a) the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable;

As you can see from part (a), if you have an office in Poland, you will be 'established' on the territory of another member state. By the principle of establishment, you must comply with the obligations laid down by national law, i.e. Polish data protection legislation.

This is one of the major problems our clients have with transnational marketing. Most have offices globally, e.g. in other European countries, and therefore have to assess and comply with ALL legislation of the countries in which they are established and processing data. This is not a small task, made even more difficult by the fact that there are substantial differences in the interpretation of the 95/46/EC Directive.

The key to success is knowing how the law varies in different EU states, the 'aggressiveness' of the relevant Authority in policing and enforcing its legislation, AND the (cultural) expectations of the citizens of each member state.

Hope that helps.

Regards,

Duncan S Smith
Director
iCompli Limited
Northampton UK
T: 08707 70 48 66
F: 08707 70 48 69
M: 07775 56 81 80
Mailto:[log in to unmask]
Web: www.icompli.co.uk
"Compliance in your language"

-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Antoinette Carter
Sent: 30 November 2004 16:41
To: [log in to unmask]
Subject: [data-protection] Poland DPA

I have been contacted by our office in Poland, who were one of the ten countries to join the EU this year. The Polish DPA appears to set much higher standards with regard to system user access/security than we do in the UK. For example, they insist that users' passwords are changed at least every 30 days.

Our corporate policy is to apply the UK DPA globally unless local legislation is stronger, which appears to be the case here. But on reading the text of the Polish Act, Article 4 reads "The provisions of the Act shall apply, save where otherwise provided for by any international agreement to which the Republic of Poland is party."

Would you construe from this that signing up to the EU is just such an international agreement, and that it is sufficient for us (as registered data controllers in the UK) to continue to apply the UK standards rather than the Polish?

Any thoughts would be much appreciated....

Antoinette Carter
Data Protection Officer
Tel: 0207 389 4970

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command leave data-protection to [log in to unmask]
All user commands can be found at : - http://www.jiscmail.ac.uk/help/commandref.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^