European Union

Policies for promoting compliance with European Union Privacy regulations.

  • Denmark

    Denmark Personal Information Protection Law:

    The Denmark Personal Information Protection Law (PIP) regulates the handling of personal information. The policy comprises rules for detection of CPR numbers and Danish bank account numbers. The rules for this policy are:

    • DPIP: CPR and Name - Wide
    • DPIP: CPR and Name - Default
    • DPIP: CPR and Name - Narrow
    • DPIP: CPR numbers (Wide)
    • DPIP: CPR numbers (narrow)
    • DPIP: CPR numbers (default)
    • DPIP: Credit Cards
    • DPIP: Bank Account number - Wide
    • DPIP: Bank Account number with terms
    • DPIP: Bank Account number with strict format - Narrow
  • Finland

    Personal Data Act (523/1999):

    Finland’s Personal Data Act provides restrictions on the processing, storage and transmission of personal and sensitive information, including personal ID. Under the Law, personal information relating to identity may only be processed, stored and transmitted with the consent of the individual. Personal information cannot generally be transferred outside of Finland unless the country has “comparable” protections. The policy comprises rules for detection of Finnish Social Security Numbers and DNA sequences. The rules for this policy are:

    • Finland Personal Data Act: Finnish SSN (Wide)
    • Finland Personal Data Act: Finnish SSN
    • Finland Personal Data Act: DNA Sequence
  • France
    • France BNR (Ordonnance 2011-1012):

      A policy to promote compliance with the France Breach Notification Requirement (Ordonnance 2011-1012). According to this Ordinance, electronic communication service provider must inform, without delay, the French Data Protection Authority in case of any security breach. A data security breach is defined as any security breach that accidentally or unlawfully results in the destruction, loss, alteration, disclosure or unauthorized access to personal data that is being processed in the context of electronic communication services that are provided to the public. The rules for this policy are:

      • France BNR 2011-1012: CCN and Name
      • France BNR 2011-1012: Name and Health
      • France BNR 2011-1012: Name and Social Security Number (NIR)
      • France BNR 2011-1012: Name and INSEE
      • France BNR 2011-1012: Social Security Number (NIR) (Default)
      • France BNR 2011-1012: Social Security Number (NIR) (Wide)
    • France Data Protection Law 2004-801:

      Policy for the French Law 2004-801, which implements the EU Directive 95 on privacy. The policy contains rules to detect combinations of French full names and INSEE numbers with sensitive private information like credit card number or health conditions. The rules for this policy are:

      • France Privacy: CCN and Name
      • California Consumer Privacy Act
      • France Privacy: Name and Health
      • France Privacy: Name and INSEE
      • France Privacy: Name and Social Security Number (NIR)
      • France Privacy: Social Security Number (NIR) (Default)
      • France Privacy: Social Security Number (NIR) (Wide)
  • Germany

    Germany Federal Privacy Protection Act:

    Policy for the German Federal Privacy Protection Act, implementing the EU Directive 95 on privacy. The policy contains rules to detect combinations of German full names with sensitive private information like credit card number, ethnicity, and health conditions. the rules for this policy are:

    • Germany FPP: CCN and Name
    • Germany FPP: Ethnicity and Name
    • Germany FPP: Health and Name
    • Germany FPP: Crime and Name
  • Greece

    Greece - Hellenic DPA of 1997:

    The Hellenic Data Protection Act of 1997 regulates the processing of personal data and therefore mandates the protection of private information. The policy detects Greek AFM (Αριθμός Φορολογικού Μητρώου) and ID numbers, alone or in proximity to a Greek names in Greek or Latin letters, and combinations of Greek names in proximity to sensitive medical information in Greek and English. The rules for this policy are:

    • Greece DPA: AFM Number (Default)
    • Greece DPA: AFM Number (Wide)
    • Greece DPA: AFM Number and Name (Default)
    • Greece DPA: AFM Number and Name (Wide)
    • Greece DPA: ID and Name (Default)
    • Greece DPA: ID and Name (Wide)
    • Greece DPA: Sensitive Medical Information and Name (Default)
    • Greece DPA: Sensitive Medical Information and Name (Wide)
  • Hungary

    Hungarian Data Protection Laws:

    Act LXIII of 1992 on Protection of Personal Data and Disclosure of Data Public Interest mandates, among others, that personal data shall be protected against unauthorized access, transfer and public exposure. Data may only be processed, stored and transmitted with the consent of the individual. The Act sets out sanctions for violations. The policy comprises rules for detection of Hungarian Personal Numeric Code Numbers (szemelyi azonosito szam) Social Security Numbers (TAJ szam), Tax ID Numbers (Adoazonosito jel) and DNA information. The rules for this policy are:

      • Hungarian Data Protection Laws: Hungary Szemelyi Azonosito Szam (Wide)
      • Hungarian Data Protection Laws: Hungary Szemelyi Azonosito Szam (Default)
      • Hungarian Data Protection Laws: Hungary TAJ szam (Wide)
      • Hungarian Data Protection Laws: Hungary TAJ szam (Default)
      • Hungarian Data Protection Laws: Hungary Adoazonosito jel (Wide)
      • Hungarian Data Protection Laws: Hungary Adoazonosito jel (default)
      • Hungarian Data Protection Laws: DNA Sequence
  • Ireland

    Ireland Data Protection Acts (DPA):

    Ireland Data Protection Acts (DPA) of 1988 and 2003, and in particular, the Personal Data Security Breach Code of Practice set by Ireland Data Protection Commissioner (DPC), mandate protection of personal information and requires that, in case where there is a risk of unauthorized disclosure, loss, destruction or alteration of personal data, the data controller must give immediate consideration to informing those affected. The policy contains rules to detect Irish Personally Identifiable Information (PII) like Personal Public Service Numbers (PPS/RSI) or passport numbers, alone or in combination with credit card numbers. The rules for this policy are:

    • Ireland DPA: Irish PRSI/PPS Number and CCN
    • Ireland DPA: Irish Driver Number and CCN
    • Ireland DPA: Irish Passport Number and CCN
    • Ireland DPA: Irish Personal Public Service Number
    • Ireland DPA: Irish Driver Number
    • Ireland DPA: Irish Passport Number
    • Ireland DPA: Irish IBAN (default)
    • Ireland DPA: Irish IBAN (wide)
    • Ireland DPA: Irish Bank Account
    • Ireland DPA: Name and Sensitive Diseases
  • Italy

    Italy Health Data Privacy Act:

    The Italy Health Data Privacy Act protects persons from violation of their right to privacy through the processing of personal data. The Act helps to ensure that personal data is processed in accordance with fundamental respect for the right to privacy, including the need to protect personal integrity and private life and ensures that personal data is of adequate quality. The policy contains rules to detect combinations of Italy Personally Identifiable Information (PII) like Codice Fiscale and full name, with sensitive health information. The rules for this policy are:
    • Italy HDPA: Codice Fiscale
    • Italy HDPA: Codice Fiscale and Health Information
    • Italy HDPA: DICOM
    • Italy HDPA: Name and Codice Fiscale
    • Italy HDPA: Name and Health Information
    • Italy HDPA: SPSS Text Files
  • Netherlands

    Netherlands Personal Data Protection Act:

    Policy to promote compliance with the Dutch Personal Data Protection Act, which implements the EU Directive 95 on privacy. The policy contains rules to detect combinations of Netherlands sofinummer and sensitive private information like account number, driver license number, passport number, ethnicity and health conditions. The rules for this policy are:

    • Netherlands PDPA: Bank Account Number (Wide)
    • Netherlands PDPA: Bank Account Number (Default)
    • Netherlands PDPA: Citizen Service Number and CCN
    • Netherlands PDPA: Citizen Service Number and Crime
    • Netherlands PDPA: Citizen Service Number and Disease
    • Netherlands PDPA: Citizen Service Number and Ethnicity
    • Netherlands PDPA: Citizen Service Number and Password (Wide)
    • Netherlands PDPA: Citizen Service Number and Password (Default)
    • Netherlands PDPA: Citizen Service Number and Password (Narrow)
    • Netherlands PDPA: Driver License Number
    • Netherlands PDPA: Passport Number
  • Poland

    Poland LPPD:

    The Law on the Protection of Personal Data (LPPD) is based on the European Union (EU) Data Protection Directive. Under the Law, personal information relating to identity may only be processed, stored and transmitted with the consent of the individual. Personal information cannot generally be transferred outside of Poland unless the country has 'comparable' protections. The law sets out civil and criminal sanctions for violations. The policy comprises rules for detection of Polish NIP numbers, PESEL numbers, Polish ID numbers, DNA information and Polish REGON numbers, alone or in proximity to a Polish name. The rules for this policy are:

    • Poland LPPD: DNA Sequence
    • Poland LPPD: Name and PESEL
    • Poland LPPD: NIP Number (Wide)
    • Poland LPPD: NIP Number (Default)
    • Poland LPPD: NIP Number and Name
    • Poland LPPD: PESEL Number (Wide)
    • Poland LPPD: PESEL Number (Default)
    • Poland LPPD: Polish ID Number (Wide)
    • Poland LPPD: Polish ID Number (Default)
    • Poland LPPD: Polish ID and Name
    • Poland LPPD: REGON Number (Wide)
    • Poland LPPD: REGON Number (Default)
    • Poland LPPD: REGON and Name
  • Spain

    Spain Data Privacy Act:

    The Spanish Data Privacy Act implementing the EU Directive 95 on privacy. The policy contains rules to detect combinations of Spain National Identity Documents and sensitive private information like account numbers, ethnicity and health conditions. The rules for this policy are:

    • SPAIN DPA: DNI, Account Number and Password
    • SPAIN DPA: DNI and Credit Card Number
    • SPAIN DPA: DNI and Crime
    • SPAIN DPA: DNI and Disease
    • SPAIN DPA: DNI and Ethnicity
    • SPAIN DPA: SSN, Account and Password (Wide)
    • SPAIN DPA: SSN, Account and Password (Default)
    • SPAIN DPA: SSN and Credit Card Number (Wide)
    • SPAIN DPA: SSN and Credit Card Number (Default)
    • SPAIN DPA: SSN and Crime (Wide)
    • SPAIN DPA: SSN and Crime (Default)
    • SPAIN DPA: SSN and Disease (Wide)
    • SPAIN DPA: SSN and Disease (Default)
    • SPAIN DPA: SSN and Ethnicity (Wide)
    • SPAIN DPA: SSN and Ethnicity (Default)
  • Sweden
    • Sweden Personal Data Act of 1998:

      Sweden’s Personal Data Act of 1998 was enacted to protect people against the violation of their personal integrity by processing of personal data. The act includes restrictions on the storage and transmission of personal data. The pre-defined policy comprises rules for detection of Swedish Personal Identity Number (personnummer) in traffic and DNA information. The rules for this policy are:

      • Sweden Personal Data Act: Swedish ID - wide
      • Sweden Personal Data Act: Swedish ID - default
      • Sweden Personal Data Act: DNA Sequence
    • Swedish Patient Data Act (SFS 2008:355 Patientdatalagen):
      A policy to promote compliance with the Swedish Patient Data Act (Patientdatalag, SFS 2008:355) that mandates protection of protected health information (PHI) and Personally Identifiable Information (PII) of Swedish citizens and residents. The policy comprises rules for detection of health information or medical conditions (in Swedish or English), in proximity to personally identifiable information such as personnummer or name, and for detection of SPSS files and Database files. The rules for this policy are:
      • SFS 2008:355: Database File
      • SFS 2008:355: DICOM
      • SFS 2008:355: DNA Profile
      • SFS 2008:355: ICD10 Code
      • SFS 2008:355: ICD10 Code and Description
      • SFS 2008:355: ICD10 Code and Name (Wide)
      • SFS 2008:355: ICD10 Code and Name (Default)
      • SFS 2008:355: ICD10 Code and Name (Narrow)
      • SFS 2008:355: ICD10 Code and Personal Number
      • SFS 2008:355: ICD10 Description
      • SFS 2008:355: Name and Health Information
      • SFS 2008:355: Name and Personal Number
      • SFS 2008:355: Name and Sensitive Disease or Drug
      • SFS 2008:355: Personal Number
      • SFS 2008:355: Personal Number and Health Information
      • SFS 2008:355: Personal Number and Sensitive Disease or Drug
      • SFS 2008:355: SPSS Text File
  • UK
    • Information Governance Toolkit:

      Policy for compliance with the NHS Information Governance Toolkit (IG Toolkit). The rules for this policy are:

      • IG Toolkit: DICOM
      • IG Toolkit: DNA Profile (Default)
      • IG Toolkit: DNA Profile (Narrow)
      • IG Toolkit: DOB and Name
      • IG Toolkit: Driver Number and Name (Wide)
      • IG Toolkit: Driver Number and Name (Default)
      • IG Toolkit: ICD9 Code
      • IG Toolkit: ICD9 Code and Full Name
      • IG Toolkit: ICD9 Description and Full Name
      • IG Toolkit: ICD10 Code
      • IG Toolkit: ICD10 Code and Full Name
      • IG Toolkit: ICD10 Description and Full Name
      • IG Toolkit: Name and Common Medical Condition (Default)
      • IG Toolkit: Name and Common Medical Condition (Narrow)
      • IG Toolkit: Name and Sensitive Disease or Drug (Default)
      • IG Toolkit: Name and Sensitive Disease or Drug (Narrow)
      • IG Toolkit: National Insurance Number and Name
      • IG Toolkit: NDC Number (Default)
      • IG Toolkit: NDC Number (Narrow)
      • IG Toolkit: NHS Number (Wide)
      • IG Toolkit: NHS Number (Default)
      • IG Toolkit: NHS Number (Narrow)
      • IG Toolkit: Passport Number and Name
      • IG Toolkit: Tax ID Number and Name
    • UK DPA:

      The UK Data Protection Act 1998 provides provision for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information. The policy contains rules to detect UK Personally Identifiable Information (PII) like National Insurance numbers, passport numbers, alone or in combination with credit card numbers. The rules for this policy are:

      • UK DPA: UK National Insurance Number and CCN
      • UK DPA: UK Driver Number and CCN
      • UK DPA: UK Driver Number and CCN (Wide)
      • UK DPA: UK Passport Number and CCN
      • UK DPA: UK Tax ID Number and CCN
      • UK DPA: UK National Insurance Number
      • UK DPA: UK Driver Number
      • UK DPA: UK Passport Number
      • UK DPA: UK Tax ID Number
      • UK DPA: NHS Numbers (wide)
      • UK DPA: NHS Numbers (narrow)
      • UK DPA: NHS Numbers (default)
  • EU Finance:

    Policy for promoting regulatory compliance with the requirements of the Basel Committee on Banking Supervision. The policy contains rules to detect financial data like account numbers, passwords, or magnetic credit card tracks. Additional rules detect combinations of Personally Identifiable Information (PII) like credit cards and identification numbers. The rules for this policy are:

    • EU Finance: CCN: with National ID
    • EU Finance: CCN and PIN number
    • EU Finance: Suspected passwords
    • EU Finance: Credit Card Magnetic Strips
    • EU Finance: Password dissemination for Web traffic
    • EU Finance: 5-8 digit Account Numbers
    • EU Finance: 10 digit Account Numbers
    • EU Finance: 9 digit Account Numbers