PL&B International E-news, Issue 89

1. UK ICO approves Hyatt Hotels’ Binding Corporate Rules application

The UK Information Commissioner’s Office (ICO) yesterday announced that it has given the green light to group transfers of personal data within Hyatt Hotels and Resorts Business to 48 countries, some of them outside the European Economic Area. The terms of the authorisation state that he may withdraw it if “any entity” in the company” has contravened or is contravening any of the provisions of their BCR.”

The authorisation for the company’s binding corporate rules programme is encouraging for those in the midst of the application process, as Hyatt’s BCRs are the first ones to be approved under the EU Data Protection authorities’ mutual recognition policy. The UK acted as lead authority and assessed the adequacy of the company’s BCRs. After a set of “simple administrative steps” says Hyatt’s law firm, Linklaters, the BCRs will be rubber stamped by the other 16 EEA data protection authorities that have agreed with this method. This is evidence that the mutual recognition is working in practice, and should make the process much simpler and less time consuming for future applicants. For Hyatt, which was assisted by Linklaters, it took 12 months from start to finish. This timescale is much quicker than that for the previous applicants, such as Atmel (2009), Accenture (2009), Philips (2007) and GE (2005).

The BCR approval is dated 15 September.

Italy’s policy on Binding Corporate Rules will be explained by a speaker from the Garante, its Data Protection Authority, at the European Privacy Officers Network Roundtable in Rome on October 13th and 14th. See the detailed programme, covering subjects relevant to companies in all sectors in Italy.

2. EU Data Protection Supervisor’s annual report addresses privacy issues relevant to all sectors

The EU Data Protection Supervisor, Peter Hustinx, today published his annual report covering his fourth year in office which covers issues beyond the processing of data in Community institutions. For the first time, he addresses access control with iris scanning or fingerprint authentication, monitoring use of the Internet by staff and video surveillance systems, all relevant to companies. He also covers new technologies, such as the “Internet of things”, RFID, cloud computing, DNA sequencing and covers long running issues, such as Passenger Name Records and much more.

The full report is available in English and there are summaries in all Community languages.

Employee surveillance across Europe will be covered by Privacy Laws & Business’s conference in Madrid on November 3rd: Employee surveillance in Europe: Balancing privacy rights and management control. Speakers include Data Protection Commissioners and their senior staff from Finland, France, Germany, Italy, Spain and the United Kingdom, plus lawyers and managers from several countries.

Click here for further information about subscribing to the international newsletter.

Copyright Privacy Laws & Business 2009