Data Privacy & Transfer in Investigations

Published on Monday 18th October 2021

SCOPE OF DATA PROTECTION LAWS RELEVANT TO CROSS-BORDER INVESTIGATIONS

1. What laws and regulations in your jurisdiction regulate the collection and processing of personal data? Are there any aspects of those laws that have specific relevance to cross-border investigations?

2. What other laws and regulations, besides data protection laws, may prevent data sharing in the context of an investigation?

3. What constitutes personal data for the purposes of data protection laws?

4. What is the scope of application of data protection laws in your jurisdiction? What activities trigger the application of data protection laws, to whom do they apply and what is their territorial extent?

5. What are the principal requirements under data protection laws that are relevant in the context of investigations?

6. Identify the data protection requirements relevant to a company carrying out an internal investigation and to a party assisting with an investigation.

RIGHTS OF INDIVIDUALS

7. Is the consent of the data subject mandatory for the processing of personal data as part of an investigation?

8. If not mandatory, should consent still be considered when planning and carrying out an investigation?

9. Is consent given by employees likely to be valid in an investigation carried out by their employer?

10. How can consent be given by a data subject? Is it possible for data subjects to give their consent to processing in advance?

11. What rights do data subjects have to access or verify their personal data, or to influence or resist the processing of their personal data, as part of an investigation?

EXTRACTION, LEGAL REVIEW AND ANALYSIS BY THIRD PARTIES, INTERNATIONAL TRANSFER

12. Are there specific requirements to consider where third parties are appointed to process personal data in connection with an investigation?

13. Is it permitted to share personal data with law firms for the purpose of providing legal advice?

14. What is the position and status of law firms under data protection laws? Are law firms directly accountable for data processing under data protection laws, or is responsibility for processing by law firms shared between the law firm and the client?

15. What is the position and status of legal process outsourcing firms under data protection laws?

16. Are there any additional requirements, beyond those specified above, that regulate the disclosure of data to third parties within your jurisdiction for the purpose of reviewing the content of documents, etc?

17. What rules regulate the transfer of data held in your jurisdiction to a third party in another country for the purpose of reviewing the content of documents, etc?

18. Are there specific exemptions, derogations or mechanisms to enable international transfers of personal data in connection with investigations?

TRANSFER TO REGULATORS OR ENFORCEMENT AUTHORITIES

19. Under what circumstances is the transfer of personal data to regulators or enforcement authorities within your jurisdiction permissible?

20. Under what circumstances is the transfer of personal data held within your jurisdiction to regulators or enforcement authorities in another country permissible?

21. What are some recommended steps to take on receipt of a request from a regulator for disclosure of personal data?

ENFORCEMENT AND SANCTIONS

22. What are the sanctions and penalties for non-compliance with data protection laws?

RELEVANT MATERIALS

23. Provide a list of relevant materials, including any decisions or guidance of the data protection authority in your jurisdiction regarding internal and external investigations, and transfers to regulators or enforcement authorities within and outside your jurisdiction.

Get unlimited access to all Global Investigations Review content