Does the law include any derogations, exclusions or limitations other than those already described? Please describe the relevant provisions.
Data Protection & Cyber Security
Russian law provides for a so-called localization requirement. It implies that certain operations on the PII of Russian citizens (namely recording, systematization, accumulation, storage, adaptation/alteration, and retrieval) shall be carried out in database(s) located in Russia once such data is collected.
In other words, once PII is collected, it shall be placed in a database located in Russia (the ‘primary’ database) so that all the mentioned operations on the data are carried out locally. Afterwards, the data can be transferred abroad for further processing (to a so-called ‘secondary’ database).
Note that the local database must be kept accurate and up to date: operations required for updating/rectifying PII shall be made primarily in the local database(s).
The Data Protection Law defines personal data as any kind of information referring to individuals or legal entities, whether identified or identifiable. Therefore, anonymized data which cannot be linked to an individual or entity will fall outside of the scope of the Data Protection Law.
In addition, section 1 of the Data Protection Law provides that the provisions of the law cannot affect the sources of journalistic information.
Brazilian Data Protection Law does not apply to the processing of personal data:
- Carried out by a natural person for strictly personal and non-economic purposes;
- Carried out exclusively for journalistic, artistic or academic purposes;
- Carried out exclusively for purposes of public safety, national defense, state security, or activities of investigation and prosecution of criminal offenses;
- Originating from outside the national territory and which is not the object of communication, shared use of data with Brazilian processing agents or subject to international transfer of data with another country that is not the country of origin, provided that the country of origin has a level of personal data protection suitable for the provisions of the LGPD.
In addition to the general GDPR provisions, special rules with regard to the processing of personal data in Bulgaria are laid down for the following matters:
- General prohibition on making copies of ID cards, driver’s licenses, or residence permits unless explicitly required by law (Article 25d PDPA)
- General prohibition on public access to information containing data subjects’ national personal identification number unless explicitly required by law (Article 25g PDPA; cf. Question 16 above)
- Obligation for employers, in their capacity as data controllers, to adopt special rules and procedures when implementing or introducing within their organisation:
  - whistleblowing systems
  - restrictions on the use of in-house resources, and
  - systems for access control, working time and work discipline
  (Article 25i PDPA; Cf. Question 8 above)
- Retention period of data collected for the purposes of personnel recruitment may not exceed 6 months unless the applicant has consented to a longer period (Article 25k, PDPA; Cf. Question 5 above)
- Obligation for the controller to obtain consent from a parent or guardian exercising parental rights for the processing of the personal data of a minor under the age of 14 where the processing is based on consent (Article 25c PDPA; Cf. Question 5 above)
- When processing deceased persons’ data, obligation for the controller to:
  - have a legal basis
  - implement appropriate measures so that the processing does not adversely affect the rights or freedoms of others or any public interest, and
  - provide access to and a copy of the processed personal data to the successors of the deceased persons and other persons with a legal interest
  (Article 25f PDPA)
- When processing personal data for the purposes of journalistic, academic, artistic and/or literary expression, the controller must balance freedom of expression, the right to information, and privacy in compliance with the criteria set out in the PDPA, including:
  - the nature of the personal data
  - the impact which the disclosure of the personal data or its public announcement would have on the integrity of the data subject’s personal life and good reputation
  - the circumstances under which the personal data has become known to the data controller
  - the character and nature of the statement through which the rights to freedom of expression and to information are being exercised
  - the relevance of the disclosure of the personal data or its public announcement for the purposes of clarifying an issue of public interest
  - the data subject’s role in society, such as whether the person holds a high state post such as president, vice president or member of parliament, or whether the person has lower protection of personal integrity or whose actions have an impact on society because of the person’s activity or role in public life
  - the data subject’s role in the disclosure, such as whether the data subject has actively contributed to disclosing their personal data or information about their personal or family life
  - the purpose, content, form, and consequences of the resulting statement
  - the correspondence of the statement with citizens’ fundamental rights, and
  - the other relevant circumstances
  (Article 25h PDPA)
Pursuant to art. 2 para. 2 FADP, the statute does not apply to:
- personal data that is processed by a natural person exclusively for personal use and which is not disclosed to outsiders;
- deliberations of the Federal Assembly and in parliamentary committees;
- pending civil proceedings, criminal proceedings, international mutual assistance proceedings and proceedings under constitutional or under administrative law, with the exception of administrative proceedings of first instance;
- public registers based on private law;
- personal data processed by the International Committee of the Red Cross.
With regard to the material scope of the GDPR, it does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity; so where a natural person violates the privacy of a third party, none of the provisions of the GDPR would be applicable and national law should apply.
Furthermore, the exclusion from the scope of the GDPR of the processing of personal data concerning legal persons is significant. It means that the Regulation does not cover the processing of the name and legal form of a legal person or its contact details. The previous Spanish data protection law, beyond that, also did not cover the contact details of natural persons providing their services in organizations, when consisting solely of their name and surname and their functions or position held; nor did it cover the details of individual entrepreneurs when referring to them in their capacity as traders. The application of the GDPR has meant that these data, which were previously excluded, are now subject to the protection of the Regulation. However, the Spanish legislator has introduced in article 19 LOPD a presumption in relation to these data, which will be deemed covered by legitimate interest as a basis for their processing, unless proven otherwise and provided that a series of requirements are met.
Net Neutrality Law No. 20,453 states the principle that ISPs, and those that own and administer the backbone structure of the internet service, shall not discriminate or differentiate among the information that runs through their equipment or network infrastructure. This law was complemented by a special regulation, published on 18 March 2011, which establishes the specific requirements that ISPs must fulfil in connection with these network neutrality legal obligations. In addition, PTS concessionaires that provide internet access services (IAS), service providers (SP) and ISPs:
- cannot arbitrarily block, interfere with, discriminate against, obstruct or restrict the right of any internet user to use, send, receive or offer any content, application or legitimate service through the internet, or any other legitimate activity or use performed through the network;
- shall provide each user with an internet access service or connectivity with the provider of internet access, as appropriate, which cannot arbitrarily distinguish content, applications or services based on their source or ownership, taking into account the different configurations of the internet connection under the current contract with the users;
- cannot limit the right of a user to add or use any sort of tools or devices on the network, provided that they are legitimate and that they do not damage or harm the network or the service quality;
- shall provide, at the expense of users who request such services, parental control services for content contrary to the law, morality or good customs, provided that the user is clearly and precisely informed in advance about the scope of such services; and
- shall publish on their website all information concerning the characteristics of the internet access service offered, speed, link quality, distinguishing between national and international networks, as well as the nature of the service and service warranties.
Nevertheless, providers of PTS and ISPs could take the measures or actions necessary for traffic and network management, in the exclusive scope of activity that has been licensed to them, if this is not designed to perform actions that affect or may affect free competition.
Providers of PTS and ISPs shall seek to preserve user privacy, virus protection and network security.
Additionally, ISPs may block access to certain content, applications or services only at the express request of the user and at such user’s own expense. This blocking cannot arbitrarily affect other providers of services and applications provided through the internet. Finally, under our legislation, a court may order access to internet sites or services to be blocked, either by a ruling or an injunction.
Cybersecurity Policy: The country will have in place a robust and resilient information infrastructure, prepared to face and recover from cybersecurity incidents, under a risk management approach. In this regard:
- Concept. Risk identification and management: Cybersecurity is described as a condition presenting the least risk for cyberspace, understood as the set of physical and logical infrastructure and the human interactions taking place in it. Within this set, the main feature to be protected is information confidentiality, integrity and availability which, in turn, create a robust and resilient cyberspace.
This framework does not include the increased capability of state or private surveillance actions using digital technologies, which relate to public order or national security objectives and are discussed in other instruments with a different focus. Surveillance actions proposed in this instrument are aimed only at managing the risks to information in cyberspace.
Prevention and management models for cyberspace will be created from the Policy, including physical risks that may affect the same, regularly updated by a continuous improvement model, which shall be the basis for technical measures to be adopted in order to prevent, manage and overcome actual risks, with an emphasis on service resilience and continuity within a set deadline and focus on maximizing the country’s cybersecurity levels.
- Protection of the information infrastructure: Information infrastructure is composed of people, processes, procedures, tools, installations and technologies supporting the creation, use, transport, storage and destruction of information.
There is an especially relevant group within the information infrastructure, for a country to keep moving forward, called critical information infrastructure (CII), which includes the installations, networks, services and physical and information technology equipment whose impairment, degradation, rejection, interruption or destruction may have a significant impact on the security, health and wellbeing of people and on the effective operation of the State and the private sector.
Special emphasis will be placed on the impact that an information security incident may have on physical infrastructures controlled or monitored from the cyberspace, and on the security of industrial surveillance sensors and devices enabling such actions.
CIIs shall be designed with an architecture maximizing their robustness and resilience against events that may render them non-operational, and enabling them to adapt to natural phenomena, human interventions and information interferences such as non-voluntary incidents or cyber-attacks.
- Identification and prioritization of critical information infrastructure
Sectors included in the definition of CII are very similar and recur across various international classifications. In Chile, while a specific policy for critical infrastructure is under consideration, information infrastructure in the following sectors will be considered critical: energy, telecommunications, water, health, financial services, public security, transport, the civil service, civil protection and defense. The policy contains a full set of areas, roles and responsible State entities used to identify and specify the criticality level of each sector.
Technical bodies in charge of executing measures derived from this policy shall include special cybersecurity standards for CIIs depending on their different levels of development, especially regarding special processes.
The medium term will see the implementation of measures ensuring service continuity through the redundancy of the physical infrastructure of some CII, especially in the fields of telecommunications, civil service, civil protection and defense.
Art. 85 GDPR allows EU member states to provide in national law for exemptions from a number of the Regulation’s provisions for journalistic, scientific, artistic or literary purposes. This is meant to reconcile the right to the protection of personal data with the right to freedom of expression and information.
For example, member states can grant media privileges so that broadcasters and the press can still do their job without considering every general requirement of the GDPR. In Germany the so-called ‘Medienprivileg’ is governed by the ‘Rundfunkstaatsvertrag’ (Broadcasting Treaty) and the many Press Laws of the federal states. These Press Laws might deviate from each other, rendering the situation quite complex. In general, the media is bound by the GDPR and the FDPA with several exceptions. Journalists do not have to prove a legal ground for the processing of personal data, including legitimate interest in processing, nor do they have to inform data subjects about their rights regarding personal data security. The data subjects’ rights themselves are also limited. For example, neither the right to access nor the right to object are applicable where a media agent is processing personal data. However, the processing of data by the media is governed by other laws. As an example, §§ 9 and 57 of the Broadcasting Treaty provide a right to information for the subjects of media coverage, albeit under more restrictive conditions than the right to access for data subjects under the GDPR.
Furthermore, Art. 88 GDPR gives member states the option to provide more specific rules on processing in the context of employment, to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data. In Germany these can be found in § 26 FDPA and include certain rules for company, service or collective agreements as well as criteria for consent in the employment context, considering possible dependency issues.
Other articles of the GDPR also allow member states to specify certain aspects of data privacy in national law, in particular Art. 23 GDPR for national and public security, as well as the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.
The IT Act and the rules framed thereunder constitute Central legislation, which is applicable to the whole of India. The Central Government is exclusively empowered to legislate on matters relating to data protection; hence States are not permitted to derogate from it by passing secondary legislation.
Generally speaking, body corporates are not permitted to derogate from or claim exemptions from the requirements imposed thereunder, except in specific circumstances, including information access and disclosure requests from authorized Government agencies, including CERT, for the prevention or investigation of cyber security incidents or the prosecution and punishment of offences, to name a few.
The PI Specification elaborates the following exceptions to obtaining the consent of the personal information subject for the collection and use of personal information [62]:
i. those directly related to national security and national defense;
ii. those directly related to public safety, public health, and significant public interests;
iii. those directly related to criminal investigation, prosecution, trial, and judgment enforcement, etc.;
iv. when safeguarding the major lawful rights and interests such as life and property of personal information subjects or other persons, and it is difficult to obtain the consent of the personal information subject;
v. when the personal information subject has voluntarily made the collected personal information available to the general public;
vi. when the personal information is collected from legitimate public information channels, such as the legitimate news reports and open government information;
vii. when necessary to sign and perform a contract according to the personal information subject’s request;
viii. when necessary to maintain the safe and stable operation of the provided products or services, such as to detect and handle product or service malfunctions;
ix. when necessary for the personal information controller, as a news agency, to make legal news reports;
x. when necessary for the personal information controller, as an academic research institute, to conduct statistical or academic research in the public interest, which also has de-identified the personal information when providing academic research or results externally;
xi. other situations specified by laws and regulations.
However, since these exceptions are provided by the non-binding PI Specification rather than by the CSL, the CSL prevails in case of any conflict.
[62] PI Specification, 7.3 a).
Aside from the above, MCI Regulation 20/2016 also mandates that an ESO must acquire certification of its electronic system in order to collect and process Personal Data, which is supposed to be further regulated in an implementing regulation. However, to date, no regulation has been issued to govern such certification requirement.
The Portuguese Data Protection Law that will accommodate the GDPR in Portugal may include derogations, exclusions and limitations other than those provided in the GDPR, but to date its content is not known, as the first version of the draft Law was not approved and it has been under discussion in Parliament for almost a year.
The Data Protection Act 2018 (DPA 2018) sets out exemptions from some of the rights individuals have and the obligations it imposes on a controller. The exemptions are intended to be considered on a case by case basis and if a controller relies on an exemption it should justify and document its reasons for doing so. This is part of the accountability obligation that applies to a controller.
There are a number of different exemptions, which are detailed in Schedules 2 to 4 of the DPA 2018. These exemptions can relieve a controller of some of its obligations, for example in relation to the right to be informed, the right of access, dealing with other individuals’ rights and complying with the data protection principles. How the exemptions are applied and the extent of the exemption will differ depending on the purpose for which a controller is processing the personal data.
Examples of the types of purposes that may rely on an exemption in the DPA 2018 include:
- for the prevention and detection of crime, apprehension and prosecution of offenders and assessment or collection of a tax or duty;
- information required to be disclosed by law or in connection with legal proceedings;
- discharging functions designed to protect the public;
- discharging a regulatory function conferred under specific legislation;
- processing for journalistic, academic, artistic or literary purposes; and
- processing for scientific or historical research purposes or for statistical purposes.
There are also a number of exemptions that relate to the processing of health and social work data in certain circumstances.
Some exemptions only apply to the extent that complying with the DPA 2018 would prejudice the purpose for which a controller is using the data or where it would prevent or seriously impair the controller from processing personal data in a way that is required or necessary for its purpose. If this is not so then a controller must comply with the DPA 2018 as normal. Some exemptions have additional provisions that have to be met before the exemption can be relied upon.
Some types of processing of personal data are not covered by the GDPR. Examples of this (some of which are now covered by parts of the DPA 2018) are:
- personal data that is processed for purely personal or household activity with no connection to a professional or commercial activity. This type of processing is not covered by the DPA 2018;
- processing of personal data by competent law authorities for law enforcement purposes, e.g. police investigating a crime. This processing is covered by the rules in Part 3 of the DPA 2018; and
- processing of personal data for the purposes of safeguarding national security or defence. This is covered by Part 2, Chapter 3 of the DPA 2018.
Yes, the Data Protection Act stipulates certain further limitations on how processing of personal data may be carried out, namely in relation to processing of personal data relating to criminal convictions and offences as well as personal identity numbers and coordination numbers.
The general rule is that only authorities may process personal data relating to criminal convictions and offences. Parties other than authorities must have a lawful basis in the Data Protection Ordinance or in regulations or a decision from the Swedish Data Protection Authority to be able to process such personal data. It is currently unclear whether ‘criminal convictions and offences’ also includes suspicion of a crime; the Swedish Data Protection Authority has stated that it will provide more guidance on this later.
Personal identity numbers and coordination numbers may only be processed if the data subjects have given their consent or when it is clearly justified, taking into consideration the purpose of the processing, the importance of accurate identification or any other considerable reason.
In addition to the derogations, exclusions or limitations described above there are also general limitations of the material scope of the GDPR. In particular, the GDPR does not apply to the processing of personal data:
a) in the course of an activity which falls outside the scope of Union law;
b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;
c) by a natural person in the course of a purely personal or household activity;
d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
Finally, the GDPR does not apply to anonymous data. More precisely, information which does not relate to an identified or identifiable natural person, or personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable, is not subject to the GDPR provisions. This exception does not cover pseudonymous data, which remains subject to EU data protection laws.
Article 28 of the Law No. 6698 regulates exceptions to the obligations set forth in the Law No. 6698. Within this scope, circumstances where the Law No. 6698 does not apply are enumerated in Paragraph 1 of the aforementioned article. Those are:
Processing of personal data:
- by natural persons in the course of a solely personal or household activity, provided that obligations relating to data security are complied with and data are not transferred to third parties.
- for the purposes of official statistics and through anonymization for research, planning, statistics and similar purposes.
- for the purposes of art, history, and literature or science, or within the scope of the freedom of expression, provided that national defence, national security, public safety, public order, economic safety, privacy of personal life or personal rights are not violated.
- within the scope of preventive, protective and intelligence-related activities by public institutions and organizations who are assigned and authorized for providing national defence, national security, public safety, public order or economic safety.
- by judicial authorities and execution agencies with regard to investigation, prosecution, adjudication or execution procedures.
Additionally, Paragraph 2 of Article 28 sets forth the circumstances where Article 10 (regarding the obligation to inform data subjects), Article 11 (envisaging the rights of the data subjects, except the right to demand compensation for damages) and Article 16 (regulating the obligation to register with the Registry of Data Controllers) do not apply, as long as this is relevant and proportionate to the purpose and general principles of the Law No. 6698. Those are:
Processing of personal data:
- is necessary for prevention or investigation of a crime.
- made public by the data subject herself/himself.
- is necessary, deriving from the performance of supervision or regulatory duties, or disciplinary investigation or prosecution by assigned and authorized public institutions and organizations and professional organizations with public institution status.
- is necessary for the protection of economic and financial interests of the state related to budget, tax, and financial matters.
The most important exceptions have already been summarized above. However, the following provision in connection with the right to erasure is also worth mentioning: If the rectification or erasure of personal data processed by automated means cannot be carried out immediately as it can only be carried out at certain times for commercial or technical reasons, the processing of the personal data concerned must be restricted up to such point in time, with the effect as provided by art. 18 (2) GDPR.
The French DPA 1978 provides for some limitations in relation to individuals’ rights. For example, according to Article 48 of the French DPA 1978, the obligation to inform for a data controller which did not obtain the PII from the data subject (i.e. through an indirect means of collection) is limited if the provision of such information (i) proves impossible, (ii) would involve disproportionate effort, or (iii) is likely to render impossible or seriously impair the achievement of the objectives of the processing. However, such limitation shall only apply if the controller takes appropriate measures to protect the data subject’s rights and freedoms and legitimate interests.
Similarly, the right to deletion does not apply for example where the processing of personal data is necessary to exercise the right to freedom of expression and information or for reasons of public interest in the field of public health.
There are also a number of specific provisions that apply in certain circumstances to some particular processing:
- processing of health data;
- processing for the purposes of research, study or evaluation in the field of health;
- processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
- processing of personal data for the purposes of journalism and literary and artistic expression; and
- processing in the electronic communications sector.
In addition, some types of PII processing are not covered by the GDPR:
- personal data that is processed for purely personal or household activity with no connection to a professional or commercial activity. This type of processing is out of scope of data protection legislation;
- French law excludes from the scope of French DPA 1978 temporary copies made in the context of the technical activities of transmitting and providing access to a digital network in order to allow other recipients of the service the best possible access to the information transmitted (French DPA 1978, Article 42(I)(4)). This derogation aims at taking into account the use of servers or "proxies" to temporarily store the addresses of Internet users and websites visited and therefore allow a faster display of previously visited pages;
- processing of personal data by competent law authorities for law enforcement purposes, e.g. police investigating a crime. This processing is covered by the rules of Title 3 of the French DPA 1978, which implements the EU Police Crime Directive No 2016/680; and
- processing of PII for the purposes of safeguarding national security or defence. This processing is covered by the rules of Title 4 of the French DPA 1978.
Generally, U.S. federal and state privacy laws include a number of exclusions and limitations. For example, many state breach notification laws include exemptions from notification if an entity complies with obligations under sector-specific federal laws such as HIPAA and GLBA. In some cases, state privacy laws are pre-empted by sector-specific federal laws. Some state laws also provide for enhanced penalties under state law for violations of federal privacy laws. California’s new CCPA has exclusions of various degrees for data governed by HIPAA, GLBA, FCRA, and other state and federal laws.