Privacy Laws & Business European Privacy Officers Network

Privacy Laws & Business European Privacy Officers Network ROUNDTABLE WITH THE DIRECTOR SPAIN’S DATA PROTECTION AGENCY AND HIS SENIOR COLLEAGUES Madrid, Spain, March 12TH 2008

Programme

MORNING AGENDA

8:45: Registration

9:00 – 9:20: Opening session

Introduction to EPON meeting Stewart Dresner, EPON Secretariat Javier Fernández-Samaniego, Partner, Bird and Bird, Madrid

Introduction to Spain’s Data Protection Agency Professor Artemi Rallo, Director, Spain’s DPA

9:20 – 10:15 Session 1 – Royal Decree implementing Spain’s Data Protection Law. New developments Agustin Puente Escobar, Chief State Attorney

1. Data processors 2. Common data bases on asset solvency and creditworthiness 3. Consent of Minors 4. Security measures including data retention 5. Scope 6. Lawfulness of the data processing 7. Processing of data 8. Standard codes of conduct

Questions and answers

10.15 - 11:00 Marketing Jesus Rubi Navarrete, Deputy Director

1. Marketing data bases 2. Specific marketing rules 3. Location based marketing, for example, Bluetooth (marketing to mobile phones or similar devices near a particular location, for example, a cinema or restaurant)

1 4. Rules on other new marketing techniques, for example, SMS (to mobile phones) and RFIDs (linking of products bought with contact details of buyers via their credit or debit card details)

11:00 – 11:15 Coffee

11:15 – 13:00: Session 2 - International transfers of personal data Mª Jose Blanco Anton, Deputy-Head of the Registry Department

1. Requirement to notify Agencia of transfers of personal data between EU member states 2. International transfers of personal data: outsourcing and globalisation. 3. Binding Corporate Rules (BCR) 4. Number of processes required by Agencia to approve companies’ use of EU model contracts 5. Agencia’s attitude to the International Chamber of Commerce’s proposed amendment to the processor to sub-processor model contract. What type of compliance should be in place? 6. Clarify who is controller and processor 7. Agencia’s attitude towards the Netherlands DPA’s model of generic notification to the DPA about transfers to data processors outside the European Union 8. How to handle requests from regulatory authorities outside the European Union where there appears to be a conflict with Spain’s data protection law 9. Need to notify Spain’s Agencia of transfers of personal data to the USA when there is a conflict of law, for example, SWIFT, Safe Harbor, the Patriot Act and anti-corruption law. How to simplify the process? Guidelines on how to proceed? 10. How to manage a data processor agreement, for example, the level of detail needed? Is it permitted for a parent company to sign on behalf of a subsidiary?

13:00 – 14:00: Lunch

AFTERNOON AGENDA

14:00 – 14:45: Session 3 – Data protection and employment Irene Agundez Leira and Ms. Nieves Buisan Garcia, a senior judge of the Administrativo de la Audiencia Nacional, the court that hears the appeals against the Agency’s administrative decisions

1. May an employee ever give valid consent for the processing of personal data? 2. Whistle blowing 3. Employee monitoring: Recent case law 4. Employees’ use of the Internet

2 5. Access to employees’ e-mail 6. Video Surveillance 7. Internal investigations 8. Access to records in situations involving conflicts of laws and e-discovery 9. Role of workers’ councils and related employment law

14:45 – 15:30: Enforcement Jose Lopez Calvo, Deputy-Head, Inspection Department

1. Inspections 2. Agencia prosecutions 3. Other sanctions 4. Ways to work with companies to resolve any problems at an early stage 5. Any recent changes or changes ahead on enforcement policy 6. Attitude towards a national data breach law

15.30 – 15.50: Questions and answers on other issues

1. Anti-money laundering rules 2. Clinical trials 3. How does a company resolve conflicts between two legal regimes? Role for discussion with the Agencia? 4. Agencia’s view of the European Court of Justice’s January 29th decision on the conflict between the enforcement of copyright and privacy rights. How such conflicts should be resolved in Spain 5. Other issues

All the participants

15:50 – 16:00: Close

. Professor Rallo, Director, Spanish DPA . Javier Fernández-Samaniego, Partner, Bird and Bird, Madrid . Stewart Dresner, Secretariat, European Privacy Officers Network and Chief Executive, Privacy Laws & Business