Privacy and cloud computing
Protection of personal data in the cloud lends itself well to being a cloud service. The advantage is that it can be more efficient and less costly because there is no need for the IT department to set up its own mail server. Because the mail facility operates in a cloud, e-mails are now being exchanged outside the company network. The data is processed via the Internet without knowing where it actually is. If that data is personal data, privacy aspects will have to be considered when contracting a cloud computing provider. Several obligations under the Dutch Data Protection Act (Wet bescherming persoonsgegevens), such as those relating to the transfer of personal data, will clearly need to be addressed. As a first step, clients and cloud computing providers must clarify their division of roles in the context of privacy and the obligations incumbent upon them as a consequence. The Dutch Data Protection Act is based on the EU Privacy Directive 95/46. A draft proposal for an EU Privacy Regulation - intended to replace the 1995 EU Privacy Directive in time - was leaked towards the end of This article focuses primarily on existing Dutch privacy law, with the qualification that we may be seeing a very different landscape in two or three years' time.

Although there may be an upsurge in interest in cloud computing, many people still do not know what it is. Wikipedia defines cloud computing as a parallel computer system which distributes the software amongst multiple computers on the Internet. The cloud means the Internet, in combination with those parts and actions of the application that do not occur on the end user's own equipment. Cloud computing obviates the need for the user to have extensive knowledge or control of the technology he is using. A distinction is often made in cloud computing between the different types of service model: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS).
With SaaS the applications are offered as a service whereas PaaS offers a platform for software development. The IaaS model offers the IT infrastructure of an organisation as a service. Another common sub-division is based on the level of security or vulnerability of the cloud. There are four different models: public, community, private and hybrid. Public and community cloud computing entails outsourcing IT services to a cloud computing provider. The difference between the two types is that the provider's resources are shared with other users in a public cloud whereas in the community cloud, the hardware is dedicated. Private cloud computing uses technology within the organisation's data centre. Finally, hybrid cloud computing is a composition of public, community and private clouds.

Personal data

Personal data will inevitably be processed in the cloud, irrespective of the cloud computing model. The Dutch Data Protection Act defines personal data as data that are traceable to a living natural person. They may be data that are directly traceable to a private person, for example their name, telephone number, address or address, but it could also be data that are only traceable to an individual in conjunction with other data, such as gender or date of birth. Some data, such as medical data, can also be more sensitive. However, the statutory regime which covers processing of this type of personal data is even stricter than the regime for processing "ordinary" personal data. In principle, the processing of special personal data is prohibited unless a statutory exception can be invoked. For instance, hospitals are permitted to process medical data (in a cloud), but most other organisations will only be permitted to process these data with the express permission of the individual concerned. Any action involving personal data, including collecting, recording, sorting, storing, amending, changing, requesting, consulting, using or supplying personal data, will automatically be regarded as processing. Even the deletion or destruction of personal data can be regarded as a processing operation. Such processing operations involving personal data are conceivable in cloud computing. The mere transmission of personal data, which can also occur in the cloud, does not constitute processing of personal data. In such cases, the privacy rules will not apply. Nor do the privacy rules apply to activities that are purely for personal or domestic purposes. However, European Court of Justice case law shows that this exception must be interpreted restrictively. For instance, it is accepted that placing personal data on a website does not fall under this exception because the data have been made publicly accessible.
If data were placed in a cloud for personal purposes (for example a list of contacts) and were accessible by numerous individuals, it is unlikely that this exception could be invoked. In those circumstances, again, the privacy rules must be taken into account.

Role of the cloud computing provider

The most important privacy obligations are incumbent upon the data controller, i.e. the entity establishing the purposes and the means of the data processing. The data controller can outsource data processing to a data processor. Unlike the data controller, the data processor has no control over the data processing, but is contracted and instructed to carry out data processing by the data controller. A data processor processes the personal data on behalf of the data controller, without being subject to his direct authority. Assuming that cloud computing involves at least a client and the cloud computing provider, the roles could conceivably be divided as follows: the client is the data controller and the cloud computing provider is the data processor. After all, the cloud computing provider is offering the services under contract to and for the client. Nevertheless, qualification of the cloud computing provider as joint controller cannot be ruled out. According to the Opinion of the Article 29 Working Party, the European Commission advisory body on privacy, of February 2010 (WP 169) on interpretation of concepts such as "controller" and "processor", it depends on how the parties process the data in practice. If the cloud computing provider also processes data for its own purposes, it is no longer a data processor, but also the data controller. In such circumstances the cloud computing provider must also comply with the obligations under the applicable privacy legislation.
If the cloud computing provider is a data processor, this implies that the client and the provider must have agreements in place on the processing of personal data and more particularly the protection of personal data. These agreements, which are also referred to as "processor agreements", may be part of the service contract but can also be included in a separate annex. In any event it must be agreed that the cloud computing provider, as the data processor, may only process the personal data as instructed by the client. In addition, there must be a contractual obligation upon the cloud computing provider to adhere to security measures which are applicable to the client. The client will have to monitor compliance with these regulations and it is recommended that the client reserves the right to do so.

Security

From the point of view of privacy, protection of personal data seems to represent a serious threat in cloud computing. For instance, it would not be inconceivable for the system to be down for a certain time, thus preventing access to essential personal data, with all the attendant consequences. An additional problem is that companies which process their data in the cloud have normally stopped backing up this data. They are completely reliant on the availability of data in the cloud. Another feature of cloud computing is that the data may be at several locations, making monitoring of data processing more difficult. Security problems will probably occur mostly in the public cloud because it is accessible to the public. In a private cloud, the personal data remains within a private network and the cloud is not shared with other clients. In principle, therefore, organisations will still be capable of monitoring data processing themselves in the private cloud, unlike the public cloud. In the Netherlands, the statutory framework for imposing security requirements can be found in article 13 of the Dutch Data Protection Act, which is equivalent to article 17 of the EU Privacy Directive 95/46. The Dutch provision requires that adequate technical measures and security measures are put in place to protect personal data. This raises the question, however, of the scope of this security obligation in the case of cloud computing. Aspects to be considered are the state of the art, the cost of their implementation, the risks represented by processing and the nature of the data to be protected. These are open standards. The Dutch Data Protection Authority (College Bescherming Persoonsgegevens), which monitors compliance with privacy standards, has created a number of risk categories to specify these standards in further detail. A data controller which is contemplating transferring data to a cloud must first analyse the risk to privacy.
This will involve analysing the nature and extent of the data processing, who will be granted access to the data, the privacy risks envisaged and their potential consequences. This analysis can then be used as a basis for establishing the applicable risk category and the applicable level of protection. The more sensitive the data being processed in the cloud, the higher the risk category. If, for example, the data being processed is special personal data or personal data which is subject to an obligation of confidentiality, the processing will be categorised as high risk. The current risk categories were defined in The Dutch Data Protection Authority announced that new guidelines were being developed for the protection of personal data, but they have not yet been published. At the same time, the Dutch Data Protection Authority indicated its intention to tighten up monitoring of data protection compliance. This is good to know, both for clients who use cloud computing and for the cloud computing providers.

Obligation to notify data breaches

When data is processed in a cloud, there is an increased risk of leaks and, as a consequence, infringements of privacy. Therefore measures to protect personal data should also have regard to the envisaged introduction of a statutory obligation to notify data breaches. At the moment no statutory regulation in the Netherlands obliges organisations to report the loss of privacy-sensitive information (unlike the United States or Germany, for example). A Bill has now been tabled to amend the Dutch Telecommunications Act, which implements (inter alia) the EU Citizens' Rights Directive 2009/136.
Essentially, the obligation to notify data breaches, as it is currently proposed, entails immediate reporting by public communications service providers to the parties involved and the OPTA (the Dutch telecommunications watchdog) of any infringement of the security of personal data being processed in the context of a public electronic communications service which is provided within the EU. This Citizens' Rights Directive should have been transposed into Dutch law by May 2011, but this deadline was not met. The Bill is currently before the Dutch Senate. The Bill proposes that for the moment, the obligation to notify data breaches will apply only to providers of public telecommunications services. However, given that leaks can occur in many other organisations, the value of such a limited obligation to report is questionable, which is why plans for a wide-ranging obligation to report are currently being developed in the Netherlands and Europe. If these plans come to fruition, the obligation to notify data breaches will also apply to other organisations that process personal data, such as financial institutions, social networks, web shops, hospitals and public transport organisations. This extension is not expected at European level until the review of the EU Privacy Directive 95/46, which will probably be replaced by a regulation. The Dutch government did not want to wait for this: the preliminary Bill proposing the inclusion of a general obligation to notify data breaches in the Dutch Data Protection Act was published in December If the foregoing is applied to cloud computing, then the following will apply. Assuming that a general obligation to notify data breaches is indeed introduced, the clients of
cloud providers, as data controllers, will be obliged to inform both the data subjects involved and the relevant supervisory authority of any data breach that is coupled with the unlawful acquisition of personal data from the cloud. It is specifically important in the context of cloud computing that clients are dependent on their cloud provider for this information and it is therefore advisable for both parties, since the cloud provider knows the exact situation, to include a definition of the obligation to notify data breaches in the service contract/processing agreement.

International aspects

With cloud computing, data are normally stored in different locations. They may be in a different country. The Dutch Data Protection Act applies only to personal data that are processed as part of the activities of a data controller established in the Netherlands. The Dutch Data Protection Act also applies if the data controller is established outside the EU and the data processing uses resources in the Netherlands, such as servers, cookies, banners, search engines, social networks, cloud computing and/or outsourcing. In the latter case, the data controller established outside the EU must appoint a representative in the Netherlands who will be regarded as the data controller. Having regard to the earlier consideration that a cloud provider can also be the data controller, this adds an extra dimension to the already complex issue of applicability of the Dutch Data Protection Act. Here again, the ambiguity and attendant lack of certainty on applicability of the Dutch Data Protection Act can present an obstacle to cloud computing. Furthermore, the applicability of the Dutch Data Protection Act at European level could be of subordinate importance if an EU Privacy Regulation were indeed introduced. The aforementioned Opinion of the Article 29 Working Party states that data controllers will be required to know where the data processing takes place.
A complication with cloud computing, however, is that clients will often be uncertain about the destination countries to which their data are transferred. It is self-evident that the data can be transferred to countries outside the European Economic Area (EEA). As a rule of thumb, personal data may only be transferred to countries with an appropriate level of protection. Even if a country cannot offer an appropriate level of protection, transfer of data will nevertheless be permitted if a statutory exception can be invoked or if the Dutch Minister of Justice has issued a permit for the transfer. The following countries are presumed to have an appropriate level of protection: Argentina, Guernsey, Jersey, Switzerland, Canada, Isle of Man, Israel, Andorra, Faroe Islands (Uruguay, New Zealand and Australia). The same applies to companies established in the United States which have an obligation to comply with the Safe Harbor principles. If the company in question is not in one of these countries and is not a company established in the United States which has endorsed the Safe Harbor principles, a statutory exception must be invoked or the client contracting a cloud computing provider must apply for a permit. The statutory exceptions do not really appear to offer an option for validating the transfer of personal data in the framework of cloud computing. Clearly, requesting the unequivocal consent of all data subjects involved (one of the statutory exceptions) will pose practical difficulties. Not only is this a rather exacting alternative, but refusal by the data subject involved to give consent gives rise to the problem that his personal data may not be transferred to the third country; hence it is not a realistic option. Personal data may also be transferred if the client can demonstrate that the transfer is necessary to implement an agreement concluded between the client and the data subject involved.
This might also be an agreement which is or will be concluded, in the interests of the data subject, between the client and a third party, for example the cloud computing provider. It may be possible to justify the transfer on the basis of the statutory exception in the case of cloud computing. If it is not, the client will have no other option than to apply for a permit, in which case the client must know the destination countries for the personal data which, as stated above, can be problematic with cloud computing. The permit is granted by the Dutch Minister of Justice. The application for the permit must be submitted to the Dutch Data Protection Authority. The permit application attaches further conditions which act as safeguards to protect the personal data in question. The easiest way of demonstrating that these safeguards are offered is by using the model contracts approved by the European Commission. In 2010 a new model contract between the controller/data exporter and the processor/data importer was defined. This contract must be concluded between the client and the cloud computing provider. Moreover, this model contract applies only if the cloud computing provider is established outside the EEA and it is therefore unclear whether it can also be used if the cloud computing provider is established within the EEA, but uses subcontractors which are established in a country outside the EEA without appropriate levels of protection.
As stated above, it is not incumbent upon the cloud computing provider to ensure that the transfer to the client is legitimate. It is therefore the client who must complete the necessary formalities. If the cloud computing provider wishes to take over these formalities from its clients, it must elect to apply for a "generic permit". The idea here is that the client is the data controller with respect to data processing in the Netherlands, whereas the cloud computing provider is the data controller in the context of transfer of the personal data. This allows the cloud computing provider to relieve his clients of some administrative burdens. Moreover, the cloud computing provider must in principle be aware of the destination countries for the data. The issue of the permit will become less controversial in future given that a Bill has been tabled which proposes that the permit requirement ceases to be valid if the model contracts are used without amendment. Another way of validating the transfer is to use Binding Corporate Rules (BCRs). Apart from the fact that applying for a BCR can be rather time-consuming, BCRs are currently only available for transfers within the data controller's group. Because cloud computing involves providing the data to the cloud computing provider, as the data processor, the BCR solution is not (for the moment) a viable option. In light of the current text of the proposed EU Privacy Regulation, BCRs are expected to become increasingly important in the transfer of personal data.

In conclusion

The problems surrounding the privacy aspects of cloud computing are not inconsiderable, particularly in regard to protection of personal data. Other obligations under the Dutch Data Protection Act, such as those relating to the transfer of personal data, will clearly need to be examined.
In any event, the first step is for clients and cloud computing providers to clarify their division of roles in the context of privacy and what obligations may be incumbent upon them as a consequence. If cloud computing is to be a successful venture for all concerned we must keep our "head out of the clouds" and keep "both feet on the ground".

Van Doorne N.V., Jachthavenweg, Amsterdam, The Netherlands
info@vandoorne.com
For more information: Dr. Elisabeth Thole, thole@vandoorne.com
EUROPEAN COMMISSION Brussels, 6.11.2015 COM(2015) 566 final COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL on the Transfer of Personal Data from the EU to the United States
More informationTilburg University. U.S. Subpoenas and European data protection legislation Moerel, Lokke; Jansen, Nani; Koëter, Jeroen
Tilburg University U.S. Subpoenas and European data protection legislation Moerel, Lokke; Jansen, Nani; Koëter, Jeroen Published in: International Data Privacy Law Document version: Preprint (usually an
More informationCloud Computing and Risk: A look at the EU and the application of. Protection Directive to cloud computing
Infopreneurship Journal (IJ) Available online at www.infopreneurship.net Infopreneurship Journal (IJ), 2013, Vol.1, No.1 Cloud Computing and Risk: A look at the EU and the application of the Data Protection
More informationCorporate Compliance: A Global Perspective
Corporate Compliance: A Global Perspective 6/27/2012 37 Offices in 18 Countries Current Compliance Environment Ever-intensifying regulatory burden new areas of regulation existing regulations becoming
More informationARTICLE 29 - DATA PROTECTION WORKING PARTY
ARTICLE 29 - DATA PROTECTION WORKING PARTY 11639/02/EN WP 74 Working Document: Transfers of personal data to third countries: Applying Article 26 (2) of the EU Data Protection Directive to Binding Corporate
More informationCloud Computing. Introduction
Cloud Computing Introduction This information leaflet aims to advise organisations which are considering engaging cloud computing on the factors they should consider. It explains the relationship between
More informationThe transfer of personal data to third countries and international organisations by EU institutions and bodies. Position paper
The transfer of personal data to third countries and international organisations by EU institutions and bodies Position paper Brussels, 14 July 2014 1 Executive summary This paper provides guidance to
More informationThe Århus Convention by Jens Hamer, ERA
The Århus Convention by Jens Hamer, ERA I. Introduction This dossier deals with the so called Århus Convention, an international environmental treaty aiming at involving citizens in the environmental decision
More informationHow To Understand The Privacy Shield
The Privacy Shield and EU GDP Regulation- A Data Safekeeping Revolution? SCCE Webinar May 24, 2016 Presenter: Dan Cotter dcotter@butlerrubin.com 312-696-4497 Agenda - What is the Privacy Shield - What
More informationHow To Protect Your Data In European Law
Corporate Data Protection Code of Conduct for the Protection of the Individual s Right to Privacy in the Handling of Personal Data within the Deutsche Telekom Group 2010 / 04 We make ICT strategies work
More informationPRACTICAL LAW DATA PROTECTION MULTI-JURISDICTIONAL GUIDE 2012/13. The law and leading lawyers worldwide
PRACTICAL LAW MULTI-JURISDICTIONAL GUIDE 2012/13 The law and leading lawyers worldwide Essential legal questions answered in 30 key jurisdictions Analysis of critical legal issues AVAILABLE ONLINE AT WWW.PRACTICALLAW.COM/DATAPROTECTION-MJG
More informationInvestigation Report: HKA Holidays Limited Leaked Customers Personal Data through the Mobile Application TravelBud
Published under Section 48(2) of the Personal Data (Privacy) Ordinance (Cap. 486) Investigation Report: HKA Holidays Limited Leaked Customers Personal Data through the Mobile Application TravelBud Report
More informationCookies and consent. The Article 29 Working Party has identified seven types of cookies that are not subject to the consent requirement.
Cookies and consent Cookies are small text files placed on a computer and accessed by the browser when opening a webpage. - DDMA 2012 The statutory requirements governing the placement of cookies were
More informationData protection issues on an EU outsourcing
Data protection issues on an EU outsourcing Saam Golshani, Alastair Gorrie and Diego Rigatti, Orrick Herrington & Sutcliffe www.practicallaw.com/8-380-8496 Outsourcing can mean subcontracting a process
More informationTRANSLATION OF THE OFFICIAL PUBLICATION OF SINT MAARTEN (AB 2010, GT no. 2 )
TRANSLATION OF THE OFFICIAL PUBLICATION OF SINT MAARTEN (AB 2010, GT no. 2 ) EXPLANATORY MEMORANDUM General Introduction In a modern society, increasing use is made of data files in which data that can
More informationData Protection Policy.
Data Protection Policy. Data Protection Policy Foreword 2 Foreword Ladies and Gentlemen, In the information age, we offer customers the means to be always connected, even in their cars. This requires data
More informationFederated Access Management
Federated Access Management Document Version: 2 DRAFT Date: Oct 2011 Author (Version 2): Andrew Cormack (JANET(UK)) Authors (Version 1): Andrew Cormack (JANET(UK)), Eva Kassenaar (SURFnet), Mikael Linden
More informationEuropean Privacy Reporter
Is this email not displaying correctly? Try the web version or print version. ISSUE 02 European Privacy Reporter An Update on Legal Developments in European Privacy and Data Protection November 2012 In
More informationMessage 791 Communication from the Commission - SG(2012) D/50777 Directive 98/34/EC Notification: 2011/0188/D
Message 791 Communication from the Commission - SG(2012) D/50777 Directive 98/34/EC Notification: 2011/0188/D Reaction of the Commission to the response of a Member State notifying a draft regarding a
More informationData Protection in Clinical Studies Implications of the New EU General Data Protection Regulation
June 19, 2012 Practice Group(s): Health Care Life Sciences Data Protection in Clinical Studies Implications of the New EU General Data Protection Regulation By Mathias Schulze Steinen and Daniela Bohn
More informationClause 1. Definitions and Interpretation
[Standard data protection [agreement/clauses] for the transfer of Personal Data from the University of Edinburgh (as Data Controller) to a Data Processor within the European Economic Area ] In this Agreement:-
More informationCloud computing and personal data protection. Gwendal LE GRAND Director of technology and innovation CNIL
Cloud computing and personal data protection Gwendal LE GRAND Director of technology and innovation CNIL 1 Data protection in Europe Directive 95/46/EC Loi 78-17 du 6 janvier 1978 amended in 2004 (France)
More informationCouncil of the European Union Brussels, 28 July 2015 (OR. en)
Conseil UE Council of the European Union Brussels, 28 July 2015 (OR. en) PUBLIC 11243/15 LIMITE DRS 50 CODEC 1084 NOTE From: To: Subject: General Secretariat of the Council Delegations Proposal for a DIRECTIVE
More informationDIRECTIVE 2009/38/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
L 122/28 Official Journal of the European Union 16.5.2009 DIRECTIVE 2009/38/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 6 May 2009 on the establishment of a European Works Council or a procedure
More informationInter-company credit: Decree n 2016-501 of 22 April 2016
Inter-company credit: Decree n 2016-501 of 22 April 2016 p.1 The supervisory committee of a simplified joint-stock company (SAS) qualified as de jure director: impact on the personal liability of the supervisory
More informationGSK Public policy positions
Safeguarding Personally Identifiable Information A Summary of GSK s Binding Corporate Rules The Issue The processing of Personally Identifiable Information (PII) 1 and Sensitive Personally Identifiable
More informationResponse to Justice Select Committee's Call for Evidence on the EU Data Protection Framework Proposals. Cloud Legal Project 17 August 2012
Response to Justice Select Committee's Call for Evidence on the EU Data Protection Framework Proposals Cloud Legal Project 17 August 2012 1. This response is by Christopher Millard, Alan Cunningham and
More informationSouth East Asia: Data Protection Update
Data Privacy and Security Team To: Our Clients and Friends September 2013 South East Asia: Data Protection Update Europe has had data protection laws in place for over a decade. Such laws regulate how
More informationProtection. Code of Practice. of Personal Data RPC001147_EN_D_19
Protection of Personal Data RPC001147_EN_D_19 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Rules Responsibility
More informationRegister of People with Significant Control. Guidance for Companies, Societates Europaeae and Limited Liability Partnerships
Register of People with Significant Control Guidance for Companies, Societates Europaeae and Limited Liability Partnerships Version: 4 Published: 11 April 2016 Overview This guidance explains what you
More information7.08.2 Privacy Rules for Customer, Supplier and Business Partner Data. Directive 7.08 Protection of Personal Data
Akzo Nobel N.V. Executive Committee Rules 7.08.2 Privacy Rules for Customer, Supplier and Business Partner Data Source Directive Content Owner Directive 7.08 Protection of Personal Data AkzoNobel Legal
More informationHow To Settle A Cross Border Dispute With Ancien De L'Ormonde (Cep)
DRAFT DECISION Settlement of a crossborder dispute between EDA and ZON concerning telephone lists I FACTS 1. The application of EDA 1.1. On 07.12.2010, an application was filed at ICP-ANACOM for the settlement
More informationon the Proposal for a Regulation of the European Parliament and of the Council laying
Opinion of the European Data Protection Supervisor on the Proposal for a Regulation of the European Parliament and of the Council laying down measures concerning the European single market for electronic
More informationDublin City University
Dublin City University Data Protection Policy Data Protection Policy Contents Purpose... 1 Scope... 1 Data Protection Principles... 1 Disclosure of Personal Data... 2 Summary of Responsibilities... 3 Rights
More informationProposed guidance for firms outsourcing to the cloud and other third-party IT services
Guidance consultation 15/6 Proposed guidance for firms outsourcing to the cloud and other third-party IT services November 2015 1. Introduction and consultation 1.1 The purpose of this draft guidance is
More informationPensionsEurope position paper on personal pension products
March 2014 PensionsEurope position paper on personal pension products About PensionsEurope PensionsEurope represents national associations of pension funds and similar institutions for workplace pensions.
More informationData and Cyber Laws Up-date 9 July 2015
Data and Cyber Laws Up-date 9 July 2015 Janine Regan Alexia Zuber Viktoria Protokova Simon Holdsworth charlesrussellspeechlys.com Topics Updates on the key aspects of, and commentary on, the proposed GDPR
More informationImplementing Privacy Compliant Hybrid Cloud Solutions
Implementing Privacy Compliant Hybrid Cloud Solutions SESSION ID: DSP-T07A Peter J Reid Privacy Officer, Enterprise Business Hewlett-Packard Company Historical IT Outsourcing Perspective Cloud Web 2.0
More informationEUROPEAN COMMISSION Directorate General Internal Market and Services. CAPITAL AND COMPANIES Audit and Credit Rating Agencies
EUROPEAN COMMISSION Directorate General Internal Market and Services CAPITAL AND COMPANIES Audit and Credit Rating Agencies Brussels, 3 September 2014 Q&A - Implementation of the New Statutory Audit Framework
More informationPrivacy Rules for Customer, Supplier and Business Partner Data
Privacy Rules for Customer, Supplier and Business Partner Data Contact details Philips Privacy Office c/o Philips International BV, Amstelplein 2, 1096 BC, the Netherlands. E-mail: Philips_Privacy_Office@philips.com
More informationCOMMISSION OF THE EUROPEAN COMMUNITIES GREEN PAPER
EN EN EN COMMISSION OF THE EUROPEAN COMMUNITIES Brussels, 11.11.2009 COM(2009) 624 final GREEN PAPER on obtaining evidence in criminal matters from one Member State to another and securing its admissibility
More information(a) the kind of data and the harm that could result if any of those things should occur;
Cloud Computing This information leaflet aims to advise organisations on the factors they should take into account in considering engaging cloud computing. It explains the relevance of the Personal Data
More informationI. Personal data and its use in the business to business environment.
RESPONSE FROM THE DIRECT MARKETING ASSOCIATION (UK) LTD. TO THE EUROPEAN COMMISSION'S CONSULTATION ON THE IMPLEMENTATION OF DIRECTIVE 95/46 EC ON THE PROTECTION OF INDIVIDUALS WITH REGARD TO THE PROCESSING
More informationCCBE GUIDELINES ON THE USE OF CLOUD COMPUTING SERVICES BY LAWYERS
CCBE GUIDELINES ON THE USE OF CLOUD COMPUTING SERVICES BY LAWYERS CCBE guidelines on the use of cloud computing services by lawyers TABLE OF CONTENTS I. INTRODUCTION... 3 1. Scope of the guidelines...
More informationCCBE RECOMMENDATIONS FOR THE IMPLEMENTATION OF THE DATA RETENTION DIRECTIVE
Représentant les avocats d Europe Representing Europe s lawyers CCBE RECOMMENDATIONS FOR THE IMPLEMENTATION OF THE DATA RETENTION DIRECTIVE CCBE RECOMMENDATIONS FOR THE IMPLEMENTATION OF THE DATA RETENTION
More informationTEMPLATE FOR COMMENTS
EBF_009237D PUBLIC CONSULTATION DRAFT ECB REGULATION ON SUPERVISORY FEES TEMPLATE FOR COMMENTS Contact details (will not be published) Institution/Company European Banking Federation Contact person Mr
More informationOPINION MAY 2012 ON CLOUD COMPUTING Article 29 Data Protection Working Party (July 1, 2012)
OPINION MAY 2012 ON CLOUD COMPUTING Article 29 Data Protection Working Party (July 1, 2012) ARTICLE 29 DATA PROTECTION WORKING PARTY 01037/12/EN WP 196 Opinion 05/2012 on Cloud Computing Adopted July 1
More informationsingapore american school
Background The Singapore Personal Data Protection Act - 2012 (PDPA) establishes a data protection law that comprises various rules governing the collection, use, disclosure, and care of personal data.
More informationON MUTUAL COOPERATION AND THE EXCHANGE OF INFORMATION RELATED TO THE OVERSIGHT OF AUDITORS
Mr. Ryutaro Hatanaka Commissioner Financial Services Agency Government of Japan 3-2-1 Kasumigaseki Chiyoda-ku, Tokyo Japan 100-8967 Dr. Kunio Chiyoda Chairman Certified Public Accountants and Auditing
More informationBehavioral Targeting Legal Developments in Europe and the Netherlands
1 Behavioral Targeting Legal Developments in Europe and the Netherlands Frederik Zuiderveen Borgesius Ph.D researcher, focusing on behavioral targeting and privacy law Institute for Information Law, University
More informationThe Role and Function of a Data Protection Officer in the European Commission s Proposed General Data Protection Regulation. Initial Discussion Paper
The Role and Function of a Data Protection Officer in the European Commission s Proposed General Data Protection Regulation 1. Introduction Initial Discussion Paper The data protection officer ( DPO )
More informationDamages Fund for Violent Crimes Act
Damages Fund for Violent Crimes Act Article 1 The following definitions shall apply for the purposes of implementing the Act: the Fund: the Damages Fund for Violent Crimes referred to in Article 2; the
More informationThe Data Protection Landscape. Before and after GDPR: General Data Protection Regulation
The Data Protection Landscape Before and after GDPR: General Data Protection Regulation Data Protection regulations across Europe Current regulations & guidance European Directives 95/46/EC (Data Protection)
More informationCLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES:
CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES: Privacy Responsibilities and Considerations Cloud computing is the delivery of computing services over the Internet, and it offers many potential
More informationDIRECTIVE 2014/32/EU OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
29.3.2014 Official Journal of the European Union L 96/149 DIRECTIVE 2014/32/EU OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 26 February 2014 on the harmonisation of the laws of the Member States relating
More informationValue added tax on financial services 1
Value added tax on financial services 1 1. Background Financial services are exempted from value added tax. Proposition No. 1 (2012 2013) to the Storting; Bill and Draft Resolution on Taxes, discussed
More informationTHE POSSIBILITIES FOR PRIVATE ENFORCEMENT OF THE COMPETITION RULES IN THE NETHERLANDS
THE POSSIBILITIES FOR PRIVATE ENFORCEMENT OF THE COMPETITION RULES IN THE NETHERLANDS A survey commissioned by the Dutch Ministry of Economic Affairs - EXECUTIVE SUMMARY - Amsterdam, 3 November 2005 Mr.
More information