Notification that data is being processed: Does the law provide the data subject with a right to be notified that their personal data is being processed? In some cases, this right is inferred from the combination of a requirement that information be collected directly from data subjects and that data subjects must be informed of certain information at the time of or prior to collection. However, in some cases, there are exceptions when collecting information from sources other than the data subjects themselves, which creates loopholes (in such cases, it is noted as “Partial”). In some cases, data controllers are only required to notify the Data Protection Authority that data is being processed, which is counted as meeting the requirement.
Notification to DPA in event of a data breach: Does the law require the responsible party to notify the designated Data Protection Authority if there is an unauthorised breach of the data under their control? Some countries require notification to the DPA but provide exceptions or qualifications for that requirement. In these cases, the country will be marked as “Partial.”
Notification to data subject in event of a data breach: Does the law require the responsible party to notify the data subject if there is an unauthorised breach of the data under their control? Some countries have exceptions under which notification is not required, such as if the responsible party has taken “appropriate safety precautions” or the breach is “unlikely to result in a high risk for data subjects’ rights,” and in those cases we have marked the country as “Partial.”
Specific timeframe for notification is specified: Does the law require the notification to either the DPA or the data subject to be completed within a specific period of time? Many countries provide vague requirements such as “within a reasonably practicable period,” which have been marked as “No.” Countries that require notification “immediately” have been marked as a “Yes.”
Exceptions exist to breach notification requirement: Are there specific exceptions to the requirement to notify either the Data Protection Authority (DPA) or the data subject in the event of a data breach? For example, some countries’ laws require notification only in certain circumstances, while others exempt the responsible party from notifying the data subject if it has taken “appropriate security precautions.” Some also give the DPA the authority to decide whether a breach must be reported to the data subject.
Requires a data processing register: Does the law require responsible parties or the DPA to maintain a register of data processing which can be made available to the authority, or occasionally, to any person who requests it? It should be noted that the term “data processing register” is used here to mean a consolidated bundle of information on ongoing processing that is developed and maintained by either the Data Protection Authority or a responsible party. Where countries require the keeping of a register only for some types of processing, or where the requirement is not clear or comprehensive, it is marked as “Partial.”
Register is publicly available: Does the law require that the data processing register be made available to the general public? In some cases, the public may need to pay a fee to access the register, but this is still counted in the affirmative. Where it is not specified whether the public may access the register or not, this is marked “No.”
Provides for terms of service icons: Terms of service icons are graphic representations of concepts often included in data protection legislation. They are sometimes used on websites or in digital products to quickly and easily enable users to understand whether the service complies with a concept. Some data protection laws require or regulate the use of terms of service icons.
DPA must submit at least annual report: Does the law require that the data protection authority submits a report on its activities at least once per year, or more regularly? If the law states that a DPA “may” submit a report but does not require it, it has been marked as “No.” If the law does not specify the time frame for which reports must be submitted, it has also been marked as “No.”
DPA report is made public: Is the report submitted by the data protection authority required to be published or accessible to the public?