I appreciate the responses to my question.  This message and one earlier
answered my question on company personnel (HR) information being
transmitted electronically.

Susan, if I remember correctly, the U.S. and the E.U. are still having a
problem with the requirement and discussions are still being held.  If
memory serves me, our laws are not stringent enough to suit the E.U. and
they want enactment by our government to align U.S. laws with the E.U.

Bob Dalton, CRM

-----Original Message-----
From: Records Management Program [mailto:[log in to unmask]] On
Behalf Of [log in to unmask]
Sent: Monday, September 09, 2002 1:19 AM
To: [log in to unmask]
Subject: Re: Data Protection

Bob Dalton asked:

"Does anyone happen to know the current status of the EU-US Safe Harbor
Agreement on the transfer of information via the internet.  In the back
of my head, I seem to remember seeing something that stated it was still
being discussed.
Did it also put a restriction on a company on managing/maintaining
personnel files in electronic format and transferring the information
via the internet to subsidiaries in the U.S. or other countries?
Any assistance would be appreciated."

I can summarize very briefly, at the risk of oversimplifying:
The European Union Data Protection Directive forbids the transfer of
individually identifiable information (data about individuals) to
countries outside the European Union.  Exceptions include those
countries with an officially recognized adequate level of protection
(Switzerland, Hungary, some industries in Canada to date).

Transfers of personal data are permitted under certain circumstances,
some of these are: to a US company that has self-certified with the FTC
as a "safe harbor", or to a US company that is a party (as "data
importer") to a contractually binding agreement with the "data exporter"
regarding data protection. This applies to all forms of electronic
transfer and indeed applies to "personnel files in electronic
format...via the internet to...the U.S."

Both Safe Harbor and the contractual agreements ("Data Transfer
Agreements") oblige the "data importer" to implement very stringent
protection measures that match those in Europe and to agree to audits by
"data exporters" and inspections from EU data protection authorities.

These rules apply even when a data "importer" is, for ex., the Head
Office of a multinational, and the "exporter" a "simple" affiliate based
in an EU country.

In other words, there is no shortcut to protecting European personal
data. The European level of protection should apply to European data,
wherever it is sent, otherwise the party sending the data from Europe is
breaking the law.


I hope this helps, apologies for simplification.

from Strasbourg, France, capital of Europe
Susan,
Susan Vaillant
Head of Records Management and Data Protection Compliance
Legal & Quality Services Quintiles Europe
tel.: +33 (0)3 88 77 44 52
mobile: +33 (0)6 83 379 389
fax:  +33(0)3 88 77 45 05
mail: Quintiles, B.P. 306, F-67832 Tanneries cedex, FRANCE
[log in to unmask]

List archives at http://lists.ufl.edu/archives/recmgmt-l.html
Contact [log in to unmask] for assistance
