
I am dealing with a client (an official organization in one EU country) who is storing all clients' ID numbers in an Excel spreadsheet. They need those numbers to present their clients once per year, i.e. to register them as members of one society. I do not like such a practice. All pieces of contact information are stored as plain text and are accessible by the whole administrative board without any logs.

I do not like such a practice, especially when the organization is planning to work in the USA.

What are the security requirements for organizations storing identifiable pieces of information in the EU/USA?

schroeder

1 Answer


Above all: every use of individual-related data has to be reported unless there is an explicit exception! So if the Excel sheet contains names, addresses, telephone numbers etc., I would definitely talk to a legal expert. If there is no individual-related data to be transferred, no additional rules apply.

If you are looking for laws regarding encryption (key length, algorithms, ...), I don't think the EU has clear regulations for the protection of data, other than that the data has to be adequately protected. There is a FAQ that gives an overview of the topic of data transfer.

If your customer has its legal headquarters within the EU, there are three different "data export categories" that apply to him:

  • If he wants to transfer data within the EU or the "EEA", no additional rules apply.
  • If countries outside of that "community" are considered to adequately protect data, the transfer should be no problem: list of countries
  • If the country to which the data should be exported doesn't fit one of the above criteria, the company that is receiving the data has to assure an adequate level of protection. There are standard contractual clauses to make the reporting of the data transfer easier: standard contractual clauses
sam