Are there any registration or licensing requirements for entities covered by these laws and, if so, what are the requirements? Are there any exemptions?
Registration with Roskomnadzor. There is a basic requirement to file a notification with Roskomnadzor on the processing of personal data (“PII”) and thereby register as a data controller. There are, however, some exceptions to this rule, namely where PII:
- is processed in order to fulfil obligations imposed on the data controller in accordance with employment laws;
- is processed to fulfil a contract with the data subject, provided that the PII is used by the data controller solely for performance of that contract and is not provided to third parties;
- is made publicly available by a data subject;
- relates to members of a public association or religious organization and is processed by that association or organization to perform the legitimate tasks set out in its constituent documents, provided that the PII is not distributed or disclosed to third parties without the data subjects’ written consent;
- includes data subjects’ names, patronymics and surnames only;
- is necessary for granting a data subject one-time authorization to access the data controller’s premises, or for similar purposes;
- is included in the state information systems and state PII information systems created to protect the state and public order;
- is processed without use of automated means;
- is processed in accordance with Russian laws on transportation security in order to ensure sustainable and secure functioning of the transport system, preserve private, social and public interests, and protect the public order.
Roskomnadzor construes these exceptions very narrowly and, practically speaking, the majority of companies processing data should register as data controllers.
Notification must be filed by the company once and with respect to all PII processing activities (i.e., those relating to all data subjects, such as employees, clients, representatives of business partners, etc.). If there are any changes in PII processing activities, the data controller must notify Roskomnadzor of those changes within 10 business days. Registration does not involve payment of state duties or other fees. There is an approved template of the registration form that should be completed.
Formally speaking, the data controller should notify Roskomnadzor prior to starting PII processing activities. However, from a practical perspective, registration with Roskomnadzor is not a precondition for such processing.
Licensing requirements. Processing of PII does not require the company to obtain any prior authorization such as a license.
However, there are certain services in the area of data protection that may be provided only by companies authorized to do so under the respective licenses. Such services include, in particular, technical protection of confidential information (including PII) and protection of information using encryption tools. The licensing bodies are FSTEC and the FSB respectively.
The licensing requirements apply only where services are rendered to third parties. They are not applicable to security measures implemented by the company for its own business needs.
Under the Data Protection Law, any database containing personal data must be registered with the Data Protection Authority.
Until recently, the registration procedure consisted of completing a form, submitting proper documentation and paying a fee. The form could be submitted online, but a hard copy still had to be sent to the Data Protection Authority. The registration had to be renewed annually.
However, in 2018 Data Protection Authority Regulation No. 132/2018 established a new procedure for the registration and renewal of public or private databases. The most significant changes were that all proceedings must now be carried out online, are free, and are not subject to annual renewal. Instead, the data controller must report any subsequent modification by means of a sworn declaration to keep the registry updated.
Brazilian law does not require any prior licensing or registration for data processing activity. On the other hand, companies are required to obtain licenses/authorizations issued by the competent regulatory agencies for, for example, the provision of telecommunications, banking, health and other regulated activities/services. These are the so-called regulated service sectors.
The GDPR removed the general obligation to notify the regulatory authority before processing personal data. No such general notification obligation has been adopted under national law.
According to Article 25b PDPA, if they appoint a data protection officer (DPO), both controllers and processors are obliged to notify the CPDP of specific details about the appointed DPO, including the DPO's name, national personal identification number and contact details.
The FADP sets out a duty to register data files for the controller of such data files (see art. 11a FADP). Pursuant to art. 11a para. 2 FADP, federal bodies must notify and register all their data files with the FDPIC. Private persons must notify their data files only in two situations (see art. 11a para. 3 FADP):
- they regularly process sensitive personal data or personality profiles; or
- they regularly disclose personal data to third parties.
Art. 11a para. 5 FADP contains a list of exemptions from the notification duty. One of the most important exemptions is set out in art. 11a para. 5 lit. e FADP: data files need not be registered where the respective controller has appointed an internal data protection officer.
Data file as set out in art. 11a FADP means any set of personal data that is structured in such a way that the data is accessible by data subject (see art. 3 lit. g FADP).
Controller of the data file means private persons or federal bodies that decide on the purpose and content of a data file (art. 3 lit. i FADP).
Sensitive personal data means data on: 1. religious, ideological, political or trade union-related views or activities, 2. health, the intimate sphere or the racial origin, 3. social security measures, and 4. administrative or criminal proceedings and sanctions (see art. 3 lit. c FADP).
Personality profiles means a collection of data that permits an assessment of essential characteristics of the personality of a natural person (art. 3 lit. d FADP).
In general, compliance with the privacy regulations does not require any registration or licensing of the entities covered by the laws referred to above, without prejudice to any obligation to register for other reasons. The only case in which an organization must submit a communication or registration to a public body in relation to its data protection obligations is the registration of the Data Protection Officer (DPO) with the competent data protection authority, which in Spain is the Agencia Española de Protección de Datos (AEPD). The DPO is regulated in section 4 of the GDPR, and appointing one is compulsory for public authorities, except courts acting in their judicial capacity, and for entities whose core activities require regular and systematic monitoring of data subjects or processing of special categories of data on a large scale. Nevertheless, any organization can decide to voluntarily designate a DPO, who will then be subject to all the requirements and obligations established by the GDPR.
There is no registration process for private entities. However, regarding personal data processing by government entities, the Service of Civil Registration and Identification keeps a record of the personal databases processed by such agencies (no fee payable).
The Data Privacy Act states that any individual can process personal data if the following requirements are met:
- The processing of personal data must be authorized by one of the following three sources: (i) the Data Privacy Act; (ii) another legal provision; or (iii) the specific consent of the subject/holder of the personal data.
In addition, the authorization granted by the holder/subject of the personal data regarding the processing of his/her data must comply with the following requirements in order to be effective:
- the holder must be accurately informed about the purpose of storing the personal data and whether those data will be communicated to the public;
- the consent must be specific and in writing; and
- the personal data must be used only for the purposes for which it was collected, unless it comes from or was collected from public sources. In any event, the data must be accurate, up to date and truthfully reflect the actual circumstances of the holder of the personal data.
There is no binding law requiring data controllers/processors to register their privacy mechanisms; however, if they fall within the scope of Network Operator under the CSL, they must comply with the MLPS requirements (Multi-Level Protection Scheme, “等级保护制度”).[3]
[3] CSL, § 21.
Entities are required to publish the contact details of the data protection officer and communicate them to the supervisory authority. Of course, this applies only to entities that are obliged to appoint a DPO according to Art. 37 GDPR (§ 38 FDPA).
According to Art. 42 GDPR, data protection certification mechanisms, particularly at Union level, are encouraged, and further efforts will be made to obtain accreditations from the official certifying organizations. These certifications are intended to demonstrate compliance with data protection laws. Likewise, controllers and processors who do not fall within the scope of the GDPR can thereby demonstrate suitable guarantees. However, for the time being there are no certifications under Art. 42 GDPR in place.
The IT Act and the Privacy Rules do not provide for any registration or licensing requirements for body corporates possessing, dealing or handling PII or sensitive PII.
The Privacy Bill introduces the concept of 'significant data fiduciaries', classified on the basis of the volume and sensitivity of personal data processed, turnover, etc. It is proposed that such significant data fiduciaries register themselves with the Data Protection Authority (to be set up once the Privacy Bill is enacted, referred to as the "Authority"). There is no registration requirement for data fiduciaries that are not significant data fiduciaries.[14]
[14] Certain provisions of the Privacy Bill will specifically apply to significant data fiduciaries. These include data audits, data protection impact assessments, record-keeping, etc.
Depending on the category of ESO that processes Personal Data, registration may be required. Under GR 82/2012, ESOs are divided into two categories, i.e., (i) ESOs for Public Services and (ii) ESOs for Non-Public Services. Under the same regulation, ESOs for Public Services are required to register, while ESOs for Non-Public Services may choose to register on a voluntary basis. Therefore, registration is mandatory only for ESOs for Public Services.
The further definition of ESO for Public Services is stipulated in MCI Regulation No. 36 of 2014 regarding Electronic System Operators (“MCI Regulation 36/2014”). Under MCI Regulation 36/2014, ESOs for Public Services include state institutions, state-owned enterprises, and other legal entities that conduct public services for the purpose of implementing state missions. Specifically, such legal entities are ESOs that own:
(a) A web portal, website, or online application via the internet that is used to facilitate offering and/or trading of goods and/or services.
(b) An electronic system that contains a payment facility and/or other financial transaction facilities online by means of communication of data or via the internet.
(c) An electronic system used to process electronic information which contains or requires deposit of funds or other similar form of funds.
(d) An electronic system used to process, administer, or store data related to facilities that are associated with customer data for public serving operational activity on financial transactions and trading activity.
(e) An electronic system used for the delivery of payable digital material through a data network, either by means of download via web portal/website, email transmission, or other application to the user device.
The requirements for registration are further elaborated in MCI Regulation No. 7 of 2018 regarding the Electronic Integrated Licensing Service for the Communication and Informatics Sector (“MCI Regulation 7/2018”). Under MCI Regulation 7/2018, certain requirements must be fulfilled in order to register, including a general profile, corporate documents, tax identification number, a profile of the company’s contact person, and information security certification based on the Electronic System category. In addition, ESOs that register must be able to provide a technical overview covering details of the electronic system profile, website URL, domain name system / IP server address, a brief description of the Electronic System’s function and business process, an explanation of hosting utilization, and a statement of willingness to protect personal data.
Since 25 May 2018, entities covered by the Data Protection Laws (any natural or legal person, public authority, agency or other body that acts as a data controller or a data processor, without prejudice to a few exceptions, such as those foreseen in article 2.2 of the GDPR) are no longer required either to register their data processing or to apply for any authorisation from the CNPD.
Yes, under the Data Protection (Charges and Information) Regulations 2018, individuals and organisations that process personal data (known as 'controllers') need to pay a data protection fee to the Information Commissioner's Office (ICO) unless they are exempt. There is a three-tier system based on the size of an organisation and how much personal data the organisation is processing. The fee ranges from £40 to £2,900 depending on the number of employees or turnover.
All controllers are regarded by the ICO as eligible to pay a fee in tier 3 unless and until the controller tells the ICO otherwise.
Public authorities categorise themselves according to staff numbers. They do not need to take turnover into account.
There is an exemption where the processing of personal data falls within certain limited purposes such as for staff administration, advertising, marketing and public relations and accounts and records.
A fixed penalty regime (ranging from £400 to £4,000) applies where a controller should have notified and paid the appropriate fee to the ICO and has not. The fixed penalty may be increased to the statutory maximum of £4,350 for controllers in respect of a failure to provide the ICO with sufficient information to determine the appropriate fee/exemption, depending on aggravating factors (for example, a failure to engage or co-operate with the ICO).
There are no registration or licensing requirements under the GDPR, the Data Protection Act or the Data Protection Ordinance.
Following the application of the GDPR certain obligations under the previous Law 2472/1997 were abolished. For instance, under the previous legal framework, there was an obligation to notify the HDPA for establishing and operating a non-sensitive personal data file and for performing such processing. Moreover, article 7 of Law 2472/1997 provided for a licensing procedure on the processing of sensitive personal data.
In addition, according to the decision No 46/2018 of the HDPA «the provisions of Article 7 of Law 2472/1997, insofar as they provide for an authorization of the (Hellenic) Data Protection Authority, are no longer applicable from 25.05.2018 onwards as contrary to the GDPR, which is directly applicable, given that the categories of data, referred to in this Article of the national law, do not coincide with those referred to in Article 9 (4) of the GDPR. Therefore, the Authority is no longer competent to issue authorizations for the processing and for the establishment and operation of a file based on Article 7 of Law 2472/1997».
Pursuant to Article 16 of the Law No. 6698, data controllers are under the obligation to register with the Registry of Data Controllers (“Registry”), operated by the Board. Principles and procedures relating to the fulfilment of such obligation are further provided for under the Regulation on the Registry of Data Controllers (“Regulation on the Registry”).
Further to the authority vested in the Board, the scope of the obligation to register with the Registry and the related calendar have been determined under certain Board decisions. As per those decisions, the Board decided that the data controllers listed below are not required to register with the Registry:
- Persons who process personal data as part of any data recording system, solely through non-automatic means,
- Associations, foundations and unions that process personal data for their employees, members and donors, only in accordance with the relevant legislation, purposes and limited to their areas of activity,
- Political parties,
- Independent Accountants and Financial Advisors and Certified Public Accountants,
- Customs brokers and authorized customs brokers,
- Legal entities, whose (i) annual headcount is less than 50, (ii) annual sum of financial balance sheet is less than TRY 25.000.000, and (iii) the main field of activity is not processing special categories of personal data.
It should also be emphasized that there is no provision thereunder requiring the payment of a registration fee.
Since the GDPR came into force, no general obligation to report data processing to the Data Protection Authority exists in Austria.
However, reporting obligations can arise in specific situations (e.g. notification of the contact details of a data protection officer to the Data Protection Authority; notification in the case of a data breach).
There is no registration or licensing requirement for entities covered by these laws.
The legal framework governing data protection applies to all entities that fall within its scope of application. One can note that the entry into force of the GDPR ended the mandatory prior formalities to the CNIL for certain types of data processing.
The U.S. does not have any privacy-oriented general requirements to register personal information processing activities. However, certain industry-specific self-regulatory programs that touch on privacy may be applicable. For example, the Payment Card Industry Data Security Standard (PCI-DSS) – a standard, not a law – provides security requirements for all entities accepting or processing payment transactions and might apply in this scenario. The digital advertising industry is governed by self-regulatory principles enforced by the Digital Advertising Alliance and the Network Advertising Initiative.
Requirements for Registration
Section 13 and Section 14 of the PDPA stipulate a formal registration system for several classes of data users. The Personal Data Protection (Class of Data Users) Order 2013 (hereinafter referred to as “the Regulations”) specifies the classes of data users that must be registered under the said Act. The main classes are:
- Banking and financial institutions
- Tourism and hospitalities
- Direct selling
- Real estate
The steps to be taken for the purposes of registration can be found in the Personal Data Protection (Registration of Data Users) Regulations 2013. Upon submission, a receipt acknowledgment slip will be provided and the Data User will receive a notification of the approval of the registration via email. A registration fee of RM 200 (USD50) must be paid within 21 days of receipt of the notification of approval of registration via email.
Once registration is complete, the Data User will receive a Certificate of Registration. Obtaining the certificate of registration is comparable to applying for a licence to carry on business operations, except that in this case it is a licence to process personal data. This Certificate is valid for two years, after which it is renewable.
The renewal must be made three months before the expiry of the Certificate of Registration for a fee of RM 200 (USD50).
Data protection officers (DPO) need to be registered with the GRA. A DPO is a senior position within an entity (paragraph 11 below clarifies when the appointment of a DPO is mandatory).
The DPO is responsible for:
- assisting the entity in monitoring internal compliance with GDPR requirements;
- informing and advising the entity on its data protection obligations;
- providing advice regarding “data protection impact assessments” (DPIA); and
- acting as the entity’s contact point for data subjects and the supervisory authority.
In order to register with the GRA the DPO must complete and submit a “Data Protection Officer Notification Form” to the GRA.
No, there is no requirement for data controllers (as defined in 3 below) or data processors (as defined in 3 below) to register with, or to obtain a licence from, the DPC.
As a system for evaluating and certifying business operators who aim to comply with applicable standards for the establishment of personal information protection systems, there are the (i) JIS Q 15001, Privacy Mark system, and (ii) APEC (Asia-Pacific Economic Cooperation)/ CBPR (Cross Border Privacy Rules) system.
The APPI only stipulates rules to be observed and does not set forth specific procedures for the protection of information. Therefore, many personal information protection management systems have been introduced as policies for establishing such systems. The standard evaluation/certification system in Japan is JIS Q 15001, the Privacy Mark System. On the other hand, the APEC/CBPR system is designed for cross-border data processing.
- JIS Q 15001 Privacy Mark System
- APEC/ CBPR System
JIS Q 15001 is a standard personal information management system in the field of personal information protection in Japan.
If a business operator establishes a system for proper personal information protection in accordance with JIS Q 15001, it can apply for and obtain a Privacy Mark after going through an assessment by JIPDEC (Japan Information Processing Development Center).
The CBPR system certifies compliance with the APEC Privacy Framework for initiatives by companies relating to the cross-border protection of personal information, etc., and Japan also participates in it.
Business operators who wish to participate in CBPR are required to establish and enforce a personal information protection policy that meets the APEC Privacy Framework, and they are also required to be evaluated for compliance with the requirements of a relevant accountability agent in the participating country.
As a general rule in Japan, a business operator handling personal information must obtain the consent of the data subject in advance in order to provide personal data to a third party in a foreign country. However, by obtaining CBPR certification, the business operator will be able to bypass this general rule.