Presentation gdpr ahti
-
Upload
sofie-van-der-meulen -
Category
Law
-
view
216 -
download
3
Transcript of Presentation gdpr ahti
![Page 1: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/1.jpg)
DATA PROTECTION SEMINAR
14 July 2016 Sofie van der Meulenwww.axonadvocaten.nl
![Page 2: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/2.jpg)
2
What is privacy?
![Page 3: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/3.jpg)
“I was Patient Zero,” said Lewinsky, now 41, to an auditorium full of 1,000-plus high-achieving millennials at Forbes’ inaugural 30 Under 30 summit in Philadelphia. “The first person to have their reputation completely destroyed worldwide via the Internet.”https://www.ted.com/talks/monica_lewinsky_the_price_of_shame?language=en
‘(…)…Don't matter if I step on the sceneOr sneak away to the PhilippinesThey still gon' put pictures of my derriere in the magazineYou want a piece of me?You want a piece of me’
(Britney Spears – Lyrics ‘Piece of me’)
Ask Monica Lewinsky…
Ask Britney Spears…Ask Jennifer Lawrence…
What about your reputation?
![Page 4: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/4.jpg)
You want a piece of me?• Privacy policyTell people WHY you want their data, tell them HOW you handle the data and WHAT you are going to do with it.
• Privacy by design Make privacy and security part of the development of your products.
![Page 5: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/5.jpg)
5
![Page 6: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/6.jpg)
Time to say goodbye…
6
to the Data Protection Directive!
![Page 7: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/7.jpg)
And hi to the new General Data Protection Regulation 2016/679• Virtually everything we currently do will become more
complicated, more expensive, more administratively burdensome• 261 pages, 108 of Recitals• Regulation shall apply from 25 May 2018
• Regulation enters into force on 24 May 2016 (published in the Journal on 4 May), but two year transition
• No grandfathering of existing consents etc
• Many clients target compliance by May 2017 to allow stress testing of systems
Prepare now!
7
![Page 8: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/8.jpg)
![Page 9: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/9.jpg)
Impact on healthcare?
Healthcare business related top 8 points of attention:
1. Informed consent criteria2. Data concerning health scope3. Right to be forgotten (applies to
commercial collection of health data)4. Impact assessment
• For data concerning health• In case of profiling
5. Profiling requirements• including right to object if
processing significantly affects data subject
6. Data portability right of user7. Security requirements8. Export of data to extra-EU
jurisdictions
![Page 10: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/10.jpg)
GDPR: processing of personal data
Definition of ‘processing’:
‘means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.’
![Page 11: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/11.jpg)
Parties involved in processing• Controller:The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law’
• Processor:‘means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller’
• Third party
• Data subject
- Right to access- Right to correction- Right to erasure- Right to objection
That’s you & me!
![Page 12: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/12.jpg)
Personal data?Personal data under DPD:
any information relating to an identified or identifiable natural person ('data subject'); whether directly or indirectly identifiable.
“data relates to an individual if it refers to the identity, characteristics or behaviour of an individual or if such information is used to determine or influence the way in which that person is treated or evaluated” (WP136)
Future scope of ‘personal data’ under GDPR?
![Page 13: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/13.jpg)
Personal data under GDPR
Definitions for: • Data concerning health – (sensitive data)• Genetic data – (sensitive data)• Biometric data• Personal data:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’
13
![Page 14: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/14.jpg)
DPD: Health dataHealth data is special category of data - processing prohibited UNLESS
Explicit consent
OR
Medical treatment exemption:
Processing of the data is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and those data are processed by a health professional subject under national law or rules established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy.
![Page 15: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/15.jpg)
Scope of ‘health data’?European Court of Justice in Case C-101/01 (Lindqvist):
‘In the light of the purpose of the directive, the expression “data concerning health” used in Article 8(1) thereof must be given a wide interpretation so as to include information concerning all aspects, both physical and mental, of the health of an individual.’
Letter of WP29 of 5 February 2015 on data collected by mHealth apps. Health data includes:
• Medical data: ‘data about the physical or mental health status of a data subject (…) generated in a professional, medical context
• Health related data used in an administrative context (information to public entities)
• Data about the purchase of medical products and services provided that the health status can be determined
![Page 16: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/16.jpg)
Health data case studyPerformance data becomes health data
![Page 17: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/17.jpg)
Future scope of ‘health data’
![Page 18: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/18.jpg)
Biological samples?• Recitals 13, 34 and 35: Genetic data should be defined as
personal data relating to the inherited or acquired genetic characteristics of a natural person which result from the analysis of a biological sample from the natural person in question. Prior to analysis: is person identifiable?
Personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.
• Genetic data is regarded as personal data concerning health, and is included among the special categories of data.
• Netherlands: Federa ‘Code Goed Gebruik’- Secondary use for research/scientific purposes (no ‘objection’)- Secondary use for commercial purposes (consent)
18
![Page 19: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/19.jpg)
Privacy principles – art. 5 GDPR
1. Lawfulness, fairness and transparency2. Purpose limitation3. Data minimisation (adequate, relevant and limited)4. Storage limitation5. Integrity & confidentiality6. Accountability (controller is responsible for compliance)
![Page 20: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/20.jpg)
Anonymous information
Recital 26 GDPR:
‘The principles of data protection should not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.’
20
![Page 21: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/21.jpg)
Anonymous?
21
Zip code, Date of Birth & Gender are sufficient to identify a large part of the population..
![Page 22: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/22.jpg)
AnonymisationAnonymisation criteria WP29 Opinion 05/2014:
• Is it still possible to single out an individual?• Is it still possible to link records relating to an individual?• Can information about an individual be inferred? Outcome after technique is applied: be as permanent as erasure of the personal data – it should make processing of personal data impossible. <- Realistic?
Absolute anonymisation is impossible -> focus on mitigating risks of re-identification.
It’s not a one off exercise!
22
![Page 23: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/23.jpg)
Pseudonomysation
GDPR: processing of personal data in such a manner that the personal data can
• no longer be attributed to a specific data subject
• without the use of additional information,
• provided that such additional information is kept separately and
• is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person
= security measure to reduce the linkability of a dataset to the original identity of a data subject
23
![Page 24: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/24.jpg)
Consent-based business model tricky‘GDPR: ‘means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’
Recitals 32, 42 and 43 GDPR • silence, pre-ticked boxes or inactivity do not constitute consent• Processing for multiple purposes? Consent should be given for
all of them!• Controller must be able to prove valid consent was obtained and
provide intelligible consent language• Consent invalid “in a specific case where there is a clear
imbalance between the data subject and the controller”24
![Page 25: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/25.jpg)
Consent participation clinical studies = different legal basis!
![Page 26: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/26.jpg)
GDPR: Research
Consent & research purposes:
26
![Page 27: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/27.jpg)
GDPR: ResearchPurpose limitation:
27
![Page 28: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/28.jpg)
GDPR: Research
Data minimisation should be ensured
28
![Page 29: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/29.jpg)
Research – ‘Right to be forgotten’Article 17 (1) GDPR: The data subject has the right to obtain the erasure of personal without undue delay from the controller.
Last year: risk that statistical analyses will be “depowered” as a result of exercise of right to withdraw consent and erasure of data.
Now: the ‘right to be forgotten’ ONLY does not apply if the processing takes place:
‘for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing.’
Right to be forgotten does apply in all commercial processing of health data!
![Page 30: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/30.jpg)
Privacy by design
• Know what to design for: do a PIA to identify and reduce risks of projects
• Designing projects, processes, products or systems with privacy in mind at the outset can lead to benefits which include:
• Potential problems are identified at an early stage, when addressing them will often be simpler and less costly
• Increased awareness of privacy and data protection across an organisation
• Organisations are more likely to meet their legal obligations and less likely to breach the GDPR
• Actions are less likely to be privacy intrusive and have a negative impact on individuals
![Page 31: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/31.jpg)
Privacy by design (art. 25 GDPR)
• Privacy by design requirements requires designing compliant policies, procedures and systems at the outset of any product or process development.
![Page 32: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/32.jpg)
Privacy by default
• 'Privacy by default' requires that controllers implement appropriate technical and organisational measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed
• Implement appropriate technical and organisational measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed (e.g. amount collected, extent of processing, storage period and accessibility).
![Page 33: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/33.jpg)
Practical things
Practical measures to take (for example):
• implementing a privacy impact assessment template that the business can populate each time it designs, procures or implements a new system
• revising standard contracts with data processors to set out how risk/liability will be apportioned between the parties in relation to the implementation of 'privacy by design' and 'privacy by default' requirements
• revisiting data collection forms/web-pages to ensure that excessive data is not collected
![Page 34: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/34.jpg)
Export
Export only with legal basis:
• Appropriate safeguards (BCR and SCCs) ensuring third party rights for data subjects, approved code or certification mechanism
• Privacy Shield
• Specific situation• informed consent• necessary for performance of contract
![Page 35: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/35.jpg)
Data transfer outside EU
• Surveillance practices (PRISM)
Safe harbor for transfer to US?Safe Harbor Certification merely means that the transfer of personal data to the US is allowed in principle because it demonstrates the adequacy of the US as jurisdiction
• Facebook case (Schrems, C‑362/14) invalidates Safe Harbor transfer mechanism
Alternatives:• Data transfer agreement based on European
Commission’s standard contractual clauses• Binding corporate rules blessed by a DPA• Adequacy decision?
• “Privacy Shield” – text adopted by European Commission
![Page 36: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/36.jpg)
SecurityData controllers and processors should implement appropriate technical & organizational measures to protect data from loss or any form of unlawful processing
• Article 32 defines security principles
Security measures must take into account (recital 78):
• Nature of the data to be protected and consequences of security breach
• State of the art • Security by design• Aim to prevent unnecessary collection and further processing of
personal data• Overriding principle: Plan-Do-Check-Act
• Data breach notification (article 33/34)• to DPA (<72 hours) and to data subject• processor must inform controller
![Page 37: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/37.jpg)
On our way to Snowden 2.0?
![Page 38: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/38.jpg)
The Guardian 18 February 2016
![Page 39: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/39.jpg)
26 February 2016
![Page 40: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/40.jpg)
Data breachesNL: Legislative proposal adopted amending the Data Protection Act and Telecommunications Act by incorporating a notification obligation for data controllers in case of data breaches. Until now: hundreds of notifications!
The Data Protection Authority can impose administrative fines up to EUR 820.000 in case of violation of the notification obligation.
Notification obligation applies if:
• Security breach• Entity in public or private sector (companies, governmental
organizations) • The infringement leads to a significant risk of adverse impact on
the protection of personal data processed by the organization (theft, loss or abuse of personal data).
![Page 41: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/41.jpg)
Data Protection Officer (art. 37)The controller and the processor shall designate a data protection officer in any case where:
(a) […](b) the core activities of the controller or the processor consist of
processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 (data concerning health).
• A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment
• May be employed or consultant• Details to be notified to DPA
![Page 42: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/42.jpg)
Impact AssessmentArticle 35
• PIA prior to processing – similar operations with similar risks can be grouped
• Count on all grant funded projects and clinical trails or investigations or registries that require ethics approval needing PIA
• Authorities will make lists of operations subject to PIA
![Page 43: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/43.jpg)
Impact Assessment
![Page 44: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/44.jpg)
Profiling requirements• Profiling based on health data -> always PIA
• 'profiling' means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
• Data subject must be informed• Article 22: right not to be subject to a decision based solely on
automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, unless
• decision is necessary for performance or entering into contract• decision is based on explicit consent
• AND: • explicit consent in case of profiling based on health data• Implement suitable measures to safeguard the data subject's
rights and freedoms and legitimate interests are in place
![Page 45: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/45.jpg)
Data portability right• Controller must inform data subject about right, and:
Right to receive data
Right to have data transferred
![Page 46: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/46.jpg)
New responsibilities data processor• controller shall use only processors providing sufficient
guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject
• processor not allowed to engage another processor without prior specific or general written authorisation of the controller and without contract
• processor must also designate DPO (art. 37 (1))
![Page 47: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/47.jpg)
What changes?• Fines/penalties for breach
• Up to 4% of annual worldwide turnover for serious breaches (eg requirements relating to international transfers or the basic principles for processing)
• Up to 2% of annual worldwide turnover for other breaches
• Data protection becomes a fundamental right• More access rights (e.g. data portability)
• Impact Assessments required• Prior approval of impact assessment of each act of
processing (sets of similar processing can be grouped)
• Profiling requirements• Explanation of automated processing logic
![Page 48: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/48.jpg)
What changes?• Consent requirements tougher• Pseudonymous data remains personal data regardless of the
number and nature of steps taken to key code• Biological samples = identifiable data?• Exemptions for processing without consent
• Exemptions not suited for outsourced processing in eHealth / mHealth services and not drafted for regulatory clinical data obligations or health technology assessments
• Technical standards
• Commission can issue technical standards related to implementation of GDPR requirements
• Mandatory Privacy Officer
![Page 49: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/49.jpg)
Known unknowns and wide open doors
• This means that member states can still require geofencing, hosting accreditation and things like that for processing of genetic, biometric and/or health data!
• Only restriction is that these cannot be contrary to the requirements of the internal market and must be proportionate
![Page 50: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/50.jpg)
Case studies• Personalized home-based HTN care
• Employee wellness programs
• Consumer Health Home monitoring
• Data for research vs data for commercial development
![Page 51: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/51.jpg)
Questions• Personal data? Sensitive data?• Data subjects? • Act of processing?• For which purposes?• Consent?• Profiling?• Sharing data? Export?• Storage? • Security?• Vulnerabilities?• Data breaches?
![Page 52: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/52.jpg)
Sofie van der MeulenAxon AdvocatenPiet Heinkade 1831019 HC Amsterdam
+31 88 650 6500+31 6 53 44 05 [email protected]
THANK YOU FOR YOUR ATTENTION!
![Page 53: Presentation gdpr ahti](https://reader033.fdocuments.ec/reader033/viewer/2022042614/58ee6bcb1a28ab487c8b464d/html5/thumbnails/53.jpg)
Legal stuff• The information in this presentation is provided for information
purposes only.
• The information is not exhaustive. While every endeavour is made to ensure that the information is correct at the time of publication, the legal position may change as a result of matters including new legislative developments, new case law, local implementation variations or other developments.
• The information does not take into account the specifics of any person's position and may be wholly inappropriate for your particular circumstances.
• The information is not intended to be legal advice, cannot be relied on as legal advice and should not be a substitute for legal advice.