<p> Privacy Laws & Business European Privacy Officers Network ROUNDTABLE WITH THE DIRECTOR SPAIN’S DATA PROTECTION AGENCY AND HIS SENIOR COLLEAGUES Madrid, Spain, March 12TH 2008</p><p>Programme</p><p>MORNING AGENDA</p><p>8:45: Registration</p><p>9:00 – 9:20: Opening session</p><p>Introduction to EPON meeting Stewart Dresner, EPON Secretariat Javier Fernández-Samaniego, Partner, Bird and Bird, Madrid</p><p>Introduction to Spain’s Data Protection Agency Professor Artemi Rallo, Director, Spain’s DPA</p><p>9:20 – 10:15 Session 1 – Royal Decree implementing Spain’s Data Protection Law. New developments Agustin Puente Escobar, Chief State Attorney</p><p>1. Data processors 2. Common data bases on asset solvency and creditworthiness 3. Consent of Minors 4. Security measures including data retention 5. Scope 6. Lawfulness of the data processing 7. Processing of data 8. Standard codes of conduct</p><p>Questions and answers</p><p>10.15 - 11:00 Marketing Jesus Rubi Navarrete, Deputy Director</p><p>1. Marketing data bases 2. Specific marketing rules 3. Location based marketing, for example, Bluetooth (marketing to mobile phones or similar devices near a particular location, for example, a cinema or restaurant)</p><p>1 4. Rules on other new marketing techniques, for example, SMS (to mobile phones) and RFIDs (linking of products bought with contact details of buyers via their credit or debit card details)</p><p>11:00 – 11:15 Coffee</p><p>11:15 – 13:00: Session 2 - International transfers of personal data Mª Jose Blanco Anton, Deputy-Head of the Registry Department</p><p>1. Requirement to notify Agencia of transfers of personal data between EU member states 2. International transfers of personal data: outsourcing and globalisation. 3. Binding Corporate Rules (BCR) 4. Number of processes required by Agencia to approve companies’ use of EU model contracts 5. Agencia’s attitude to the International Chamber of Commerce’s proposed amendment to the processor to sub-processor model contract. What type of compliance should be in place? 6. Clarify who is controller and processor 7. Agencia’s attitude towards the Netherlands DPA’s model of generic notification to the DPA about transfers to data processors outside the European Union 8. How to handle requests from regulatory authorities outside the European Union where there appears to be a conflict with Spain’s data protection law 9. Need to notify Spain’s Agencia of transfers of personal data to the USA when there is a conflict of law, for example, SWIFT, Safe Harbor, the Patriot Act and anti-corruption law. How to simplify the process? Guidelines on how to proceed? 10. How to manage a data processor agreement, for example, the level of detail needed? Is it permitted for a parent company to sign on behalf of a subsidiary?</p><p>Questions and answers</p><p>13:00 – 14:00: Lunch</p><p>AFTERNOON AGENDA</p><p>14:00 – 14:45: Session 3 – Data protection and employment Irene Agundez Leira and Ms. Nieves Buisan Garcia, a senior judge of the Administrativo de la Audiencia Nacional, the court that hears the appeals against the Agency’s administrative decisions</p><p>1. May an employee ever give valid consent for the processing of personal data? 2. Whistle blowing 3. Employee monitoring: Recent case law 4. Employees’ use of the Internet</p><p>2 5. Access to employees’ e-mail 6. Video Surveillance 7. Internal investigations 8. Access to records in situations involving conflicts of laws and e-discovery 9. Role of workers’ councils and related employment law</p><p>Questions and answers</p><p>14:45 – 15:30: Enforcement Jose Lopez Calvo, Deputy-Head, Inspection Department</p><p>1. Inspections 2. Agencia prosecutions 3. Other sanctions 4. Ways to work with companies to resolve any problems at an early stage 5. Any recent changes or changes ahead on enforcement policy 6. Attitude towards a national data breach law</p><p>15.30 – 15.50: Questions and answers on other issues</p><p>1. Anti-money laundering rules 2. Clinical trials 3. How does a company resolve conflicts between two legal regimes? Role for discussion with the Agencia? 4. Agencia’s view of the European Court of Justice’s January 29th decision on the conflict between the enforcement of copyright and privacy rights. How such conflicts should be resolved in Spain 5. Other issues</p><p>All the participants</p><p>15:50 – 16:00: Close </p><p>. Professor Rallo, Director, Spanish DPA . Javier Fernández-Samaniego, Partner, Bird and Bird, Madrid . Stewart Dresner, Secretariat, European Privacy Officers Network and Chief Executive, Privacy Laws & Business</p><p>3</p>