6.1 Is there a legal obligation for companies to register with the Data Protection Authority (or any other government body) in relation to their processing activities?

The Data Protection Act provides for exceptions for certain organisations. For example, small business operators (by and large, businesses with annual sales for the previous fiscal year of $3,000,000 or less) are generally not subject to the Privacy Act except in certain circumstances, such as when the small business provides a health care service and stores health information, discloses personal information for a benefit, service or advantage, or is a contracted service provider for a Commonwealth contract.

According to Commissioner's Decision No. 8 of 31 October 2016, the following states have an adequate level of data protection:

In August 2019, the Australian Federal Government passed the Treasury Laws Amendment (Consumer Data Right) Act 2019 (Cth), which creates a framework for a national Consumer Data Right (the "CDR") that grants consumers additional data portability rights (outside of the Privacy Act). The CDR gives consumers the right to access certain categories of data held about them by designated organisations and to effectively transfer this data to accredited third parties.

The third exception applies where the personal data is sensitive information and the data subject has consented to the use or disclosure of the personal data for direct marketing purposes.

15.1 Is there a general obligation to ensure the security of personal data? If so, which entities are responsible for data security (e.g. controllers, processors, etc.)?

For example, in January 2020, the ACMA reported that the telecommunications company Optus had paid a $504,000 infringement notice for spam law violations. The violations concerned sending email marketing messages after consumers had unsubscribed and sending commercial emails without an unsubscribe facility. In addition, in mid-2019, the ACMA issued a $46,000 infringement notice to an energy supplier that made telemarketing calls to numbers on the Do Not Call Register.

Yes. The above notification obligations towards the OAIC also apply in respect of persons whose personal data have been subject to such a breach. Since APP 8 regulates the "disclosure" of personal data overseas (as opposed to the "transfer" of information), APP 8 applies whenever an organisation provides personal data to companies outside Australia, even if the information continues to be stored in Australia.

In addition, the new CDR regime refers to persons defined as "consumers", which means that they must at least be reasonably identifiable from the data, and the data must relate to that person because goods or services have been provided to him or her or to one of his or her affiliates. Organisations that have reasonable grounds to suspect that an eligible data breach may have occurred are also required under the CRS regime to promptly assess the situation and determine whether or not there is an eligible data breach. An organisation must take all reasonable steps to complete that assessment within 30 calendar days of the date on which it first became aware of the relevant grounds for suspicion.

Most Australian states and territories also have their own data protection laws, including:

The Republic of Albania regulates the protection of personal data in accordance with Law No. 9887 of 10 March 2008 "On the Protection of Personal Data", as amended (the "Data Protection Law") (Official Gazette of the Republic of Albania No. 44 of 1 April 2008). The Data Protection Law was last amended in 2014 and therefore still needs to be harmonised with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the "GDPR").

If a natural or legal person falsely claims to be accredited to hold or receive data under the CDR, he or she is liable to criminal and civil penalties.

While the OAIC focuses on domestically based businesses, it also takes action against foreign organisations. For example, in 2016, the OAIC, in collaboration with Canada's Data Protection Commissioner, obtained a binding commitment from a Canadian media company regarding concerns about personal data security, data retention and accuracy, and reporting, monitoring and compliance enforcement.

A decision by the Commissioner against an organisation is neither binding nor conclusive. However, the data subject or the agent has the right to initiate legal proceedings to enforce the decision.

An eligible data breach exists where there is unauthorised access to, unauthorised disclosure of, or loss of personal data held by an entity, and the entity has reasonable grounds to believe that the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates. In this case, an organisation must submit a statement to the Commissioner as soon as practicable and notify the individuals concerned and/or individuals at risk of serious harm as soon as practicable after notifying the Commissioner.

The Agent may also request an organisation to notify an eligible data breach. APP entities may use the usual means by which they communicate with data subjects, to the extent possible, to inform all data subjects of the eligible data breach. If this is not possible, the APP entity should consider other ways of notifying the eligible data breach; the mere fact that it is not practicable to inform each individual personally does not mean that notification is unnecessary, and other appropriate means should be used to inform the data subjects. To discourage inaction, the provisions require at least that the required notice be published prominently on the entity's website or otherwise widely disseminated. If the overseas activity of an organisation is required by the law of a foreign country, that activity is not considered an interference with the privacy of a data subject under the Data Protection Act.