GDPR & Cloud Providers Keynote Presentation


1 Cloudscape VII 9 March 2015 GDPR & Cloud Providers Keynote Presentation Kuan Hon Research Consultant, Cloud Legal Project & MCCRC Centre for Commercial Law Studies Queen Mary, University of London

2 INTRODUCTION

3 Data Protection Directive recap Controller legally-obliged to comply with data protection ( DP ) principles in processing personal data ( PD ) + rules for special category sensitive data eg health May use processor incl. cloud provider must choose processor providing sufficient guarantees re. security measures + written contract ( instructions, security ) + ensure compliance Direct processor obligations few Member States ( MS )

4 GDPR progress Commission - draft General Data Protection Regulation ( GDPR ) 2012 & crime / law enforcement Directive European Parliament different version - Mar 2014 Council - yet another version being debated - Dec 2014 nothing is agreed until everything is agreed ( PGA ) EU institutions must agree same text before GDPR can become law flowchart Moving target!! + 2 years after adoption Regulation not Directive though discretion, ambiguity

5 Comparative legislative timeline
Data Protection Directive: Commission proposal 17/7/1990; Parliament 1st reading, 95 amendments, 11/3/1992; Commission amended proposal 15/10/1992; Council Common Position - amendments 20/2/1995; Parliament 2nd reading - amendments 15/6/1995; DPD adopted 25/10/
Draft General Data Protection Regulation: Commission proposal 25/1/2012; Parliament 1st reading, 207 amendments, 12/3/2014; Council 1st reading - amendments inevitable!???; GDPR adopted??
2015 Kuan Hon kuan0.com. You may copy/use this diagram under a CC BY 2.0 UK licence retaining the attribution in this paragraph.

6 Cloud providers often processors May use sub-processors layered services eg SaaS on IaaS / PaaS, PaaS on IaaS Current laws 1970s outsourcing ( 12Cs, 9Ds ): delivery, processors intelligible access, active processing as per controller's instructions encryption: provider doesn't know whether PD infrastructure - not active / instructions / knowledge o IaaS, PaaS, pure storage SaaS controller self-service o provider won't know if PD without looking, even unencrypted direction sub-processors & layered cloud commoditised, shared infrastructure cf customised GDPR would perpetuate 1970s assumptions

7 PROCESSORS UNDER GDPR

8 Direct processor obligations If processing PD in context of activities of establishment in EU like current controller establishment test o DCs?; establishment, context very broad ( Google Spain ) Parl incl non-EU processing If processing activities related to offering goods / services to DS in EU or monitoring them Parl + processors; free All - even if processing exempt - personal ( SNS / ); crime / national security?

9 Processor's main establishment For one stop shop purposes ie which MS's lead regulator if multiple MSs Council next week? Place of central administration in EU Council if none, EU establishment where main processing activities in EU occur ( DCs? ) Parliament EU establishment where main decisions on purposes o If no EU establishment?

10 Liability: involved, unlawful processing Processors ( sub-processors, DC providers? ) liable for entire amount of damage ( controller fault? ) o unless written allocation ( Parl ); recourse claims ( Council ) incompatible : strict liability. Council: non-compliance may ( cf must ) be exempted if prove it's not responsible for the event - eg DS / force majeure role of seal etc ( later ) Processors princelier pockets? analogy: chauffeur limo service vs rental ( carmakers? )

11 DPA powers over processors Same as over controllers extensive powers Processor must cooperate - info, orders etc Audit powers, access to premises ( on-site inspections ) though Google agreed to allow DPA Italy US premises (summary, order, approval ) Fines up to 5% annual worldwide turnover or 100m if greater ( Parl )

12 Requirements when using processors Controller must - choose processor providing sufficient guarantees to implement appropriate tech/org measures in such a way that the processing will meet GDPR o compliance with GDPR > security / instructions o sufficient guarantees - code / certification ( Parl, Council ) ensure compliance ( deleted by Council ), and implement contract with certain terms ( next ) NB Art. 17 processor agreements not continued: no grandfathering! Redo all ( not just cloud )! What if no controller personal use of cloud service?

13 Processor contract terms 1 Written contract ( >> current requirements ) subject-matter, duration, nature & purpose, type of personal data and categories of data subjects, rights of controller ( Council ) prying processors instructions o but cloud. self-service infrastructure use employ only staff under confidentiality obligations security measures ( later ) sub-processors ( soon ) DS requests unclear, Council assist ( but cloud? )

14 Processor contract terms 2 assist controller to ensure compliance o re. security, breach notification, DPbD/D, DPIA, prior authorisation / consultation how far? commoditised cloud data delivery at end, not process otherwise o deletion unless EU law requires retention Parl info to controller to show compliance ( & allow onsite inspection Parl / audits Council cloud? ) processor as police! self-service cloud?? GDPR ( non-contractual ) obligation to immediately inform the controller if, in his opinion, an instruction breaches this Regulation or Union or Member State data protection provisions - Council

15 Sub-processors Enlist iff prior controller consent ( vs direction? ) Different Parl & Council formulations - unclear Sub-processor contracts or other legal act under EU law must impose same obligations for sufficient guarantees Council code / certification including standard Commission / DPA standard clauses - an element to demonstrate sufficient guarantees

16 Security 1 Controllers may process PD for NIS reasons extent strictly necessary legit. interest gap controllers only Security of processing tech & org measures to ensure security level appropriate to risks, with regard to state of the art, costs + DPIA Parl; + available tech, nature etc of processing, likelihood / severity of risk - Council C & I ( implicitly A ) o explicit with Parl: security policy + resilience, restoration; sensitive PD: measures to ensure situational awareness of risks, ability to take near real time action; regular testing Commission power to specify security requirements o deleted by Parl & Council ( ENISA role? )

17 Security 2 certifications / codes of conduct may be used as an element to demonstrate compliance Risk evaluation to assess appropriate security level variations between Parl and Council cloud - commoditised mixed use infrastructure prying processors, customisation, HCD? ( cost ) Processor directly liable for security breach including personal use, no controller o if user's bad password? prove not responsible o NB personal user could process own PD, other people's

18 Risk analysis, DPIA, prior consultation Parl risk analysis to check if specific risks likely controller, or, where applicable the processor o when applicable? prying processors, again? cf commoditised cloud including > 5k data subjects in 12 mths; sensitive data, location data, data on children or employees in large scale filing systems ; profiling; core activities require regular & systematic monitoring Controller's DPIA / prior DPA consultation - profiling, etc or processor on controller's behalf o when? ( not for prior consultation - Council ) processor should assist controller where necessary and upon request - comply with obligations deriving from DPIA / prior consultation ( Council recital ) - cf commoditised cloud?

19 Data protection officer Controller and processor must appoint if processing by public sector body processing by org. >= 250 employees ( processor? ) o Changed to > 5k DS in 12 mths Parl core activities of controller or processor nature requires regular & systematic monitoring of DS o + core activities sensitive data, location data, data on children or employees in large scale filing systems Parl unclear - must processor appoint if controller is public sector etc? ( prying processor ) or, MS decision whether to require DPO Council

20 ( Parl. R. 75a) at least the following qualifications extensive knowledge of the substance and application of data protection law, including technical and organisational measures and procedures; mastery of technical requirements for privacy by design, privacy by default and data security; industry-specific knowledge in accordance with the size of the controller or processor and the sensitivity of the data to be processed; the ability to carry out inspections, consultation, documentation, and log file analysis; and the ability to work with employee representation The designation as a data protection officer does not necessarily require fulltime occupation

21 Other processor obligations Transfers ( restriction on PD exports unless adequate protection / safeguards ) - processors no own decision; legitimate interests but not if frequent / massive / (Parl) structural / repetitive; protection through law only ( eg contract ), not technology; anti-FISA clause ( Parl ); processor BCRs ( Parl would exclude ) see eg A4Cloud paper DP by design / default - tech / org measures, at design & use stages, to ensure / show compliance with DP principles + processors & public procurement tenders ( Parl ) Record-keeping requirements

22 Codes & certifications / seals Council - DPA-approved industry code / certification may help demonstrate compliance ( as an element ) - processor sufficient guarantees ( Parl too ), security, DPIA etc Detailed certification procedures, role of DPAs, accreditation of certification bodies, auditors - Council Approved codes; not certification but DPA-awarded European Data Protection Seal Parl EDP seal - shield against fines if non-intentional, non-negligent Iff legally enforceable [ by DS ]? ( Council ) Legal consequences? incl. liability incentives, certifiers / accreditors, erroneous certificates, comply with code but breach, etc

23 Issues cloud-inappropriate? Encrypted data, infrastructure providers still caught Google Spain mixed data Liability risk ( no intermediary defence? ) Council would exclude E-Commerce Directive application Unclear responsibility allocation ( controller & processor ) Often controller or processor either, both, when? Net cast very wide; obligations too in some cases Processing related to offering goods etc, EU data centres? Customisation required? eg security Access to premises controllers, DPAs ( Intelligible access, instructions vs use / disclosure, vs infrastructure cloud, commoditised cloud )

24 Practical implications Cloud providers & other ( sub ) processors - contract terms liability allocation, indemnities etc ( & seek fault-based? ) Could non-EEA providers raise all prices - or refuse if EEA, PD etc? ( & if customer lies?? ); close EEA ops, free consumer services; stop using EEA DCs? impact on innovation / services needs considered policy decision Or, will laws just be ignored, if too wide? Enforceability ( outside EEA )? DPA resources? But huge fines Big players may be the winners required contract terms ( incl sub-processors ); security, etc Codes & certifications much increased role Clarification which processor obligations apply when, scope, liability; certifications / codes

25 ARE WE THERE YET?

26 Rough scale of data protection legislation [Chart: no. of articles, no. of recitals and no. of pages for DPD (1990), DPD (1995) and GDPR (2012)] Note: no. of pages of legislative text are from English PDF versions excluding explanatory text Kuan Hon kuan0.com. You may copy/use this diagram under a CC BY 2.0 UK licence retaining the attribution in this paragraph.

27 European Parliament: how many amendments? [Chart: number of amendments proposed by Committees and approved by Parliament (1st reading), DPD vs GDPR; labelled values: 3999, 363] 2015 Kuan Hon kuan0.com. You may copy/use this diagram under a CC BY 2.0 UK licence retaining the attribution in this paragraph.

28 How many EU Member States involved? [Chart: number of EU Member States at initial proposal, Parliament 1st reading, Council 1st reading and Parliament 2nd reading, DPD vs GDPR. Annotations: 1 Jan 1995: Austria, Finland and Sweden joined; 1 July 2013: Croatia joined] 2015 Kuan Hon kuan0.com. You may copy/use this diagram under a CC BY 2.0 UK licence retaining the attribution in this paragraph.

29 Council of the EU: how many footnotes? [Chart: number of footnotes, DPD vs GDPR, for Council documents /94 (12/10/1994), /94 (30/11/1994), 11013/13 (21/6/2013), /14 (30/6/2014), /14 (19/12/2014)] From consolidated draft versions considered in Council. The number of footnotes is used as a rough measure of the extent of Member State issues, because most ( though not all ) footnotes contained reservations or similar statements by Member States or the Commission 2015 Kuan Hon kuan0.com. You may copy/use this diagram under a CC BY 2.0 UK licence retaining the attribution in this paragraph.

30 DPD vs GDPR summary
Vital statistics (order: Arts, Rec, pgs): DPD (1990): 33, 24, 27; DPD (1995): 34, 72, N/A; GDPR: 91, 139, 82
No. of Member States: DPD: GDPR:
Parliament Committee amendments proposed: DPD: 363; GDPR: 3999
Council no. of footnotes in consolidated text: DPD: 87 (2 yrs. on), 60 (2+ yrs. on); GDPR: 509 (1.5 yrs. on), 584 (2.5 yrs. on), 497 (3 yrs. on)
Parliament amendments approved in 1st reading: DPD: 95; GDPR: 207
Timing: DPD: > 5 yrs.; GDPR: 3 yrs
Kuan Hon kuan0.com. You may copy/use this diagram under a CC BY 2.0 UK licence retaining the attribution in this paragraph.

31 Thanks for listening! cloudlegalproject.org mccrc.eu kuan0.com blog.kuan0.com

GDPR & Service Providers ( Cloud Focus )

GDPR & Service Providers ( Cloud Focus ) OASIS / EEMA Digital Enterprise Europe 2015 Building Trust in the Hyperconnected World 8 July 2015 GDPR & Service Providers ( Cloud Focus ) Kuan Hon Senior Researcher, Cloud Legal Project & Microsoft Cloud

More information

Cloud Security under the EU Data Protection Directive and draft General Data Protection Regulation

Cloud Security under the EU Data Protection Directive and draft General Data Protection Regulation ENISA EU28 Cloud Security Conference 16 June 2015 Cloud Security under the EU Data Protection Directive and draft General Data Protection Regulation Kuan Hon Senior Researcher, Cloud Legal Project & Microsoft

More information

Cloud Security under Forthcoming Laws

Cloud Security under Forthcoming Laws SecureCloud 2016 25 May 2016 Cloud Security under Forthcoming Laws Kuan Hon kuan.hon@pinsentmasons.com k@kuan0.com The laws, they are a-changin Cloud security under General Data Protection Regulation Proposed

More information

Cloud Data Protection Fitness - A Workout

Cloud Data Protection Fitness - A Workout Cloudscape 2016 8 March 2016 Cloud Data Protection Fitness - A Workout Dr Kuan Hon k@kuan0.com kuan.hon@pinsentmasons.com General Data Protection Regulation Adoption 2016? Jurists / linguists to finalise

More information

Article 29 Working Party Issues Opinion on Cloud Computing

Article 29 Working Party Issues Opinion on Cloud Computing Client Alert Global Regulatory Enforcement If you have questions or would like additional information on the material covered in this Alert, please contact one of the authors: Cynthia O Donoghue Partner,

More information

New EU Data Protection legislation comes into force today. What does this mean for your business?

New EU Data Protection legislation comes into force today. What does this mean for your business? 24 th May 2016 New EU Data Protection legislation comes into force today. What does this mean for your business? After years of discussion and proposals, the General Data Protection Regulation ( GDPR )

More information

LIABILITY FOR NON-COMPLIANCE WITH DATA PROTECTION OBLIGATIONS

LIABILITY FOR NON-COMPLIANCE WITH DATA PROTECTION OBLIGATIONS LIABILITY FOR NON-COMPLIANCE WITH DATA PROTECTION OBLIGATIONS This document is a rough draft aiming at presenting key provisions, current clauses used in Cloud computing contracts and first drafts on possible

More information

EU Data Protection and Information Security for Banking & Financial Service sectors 4 th December 2014

EU Data Protection and Information Security for Banking & Financial Service sectors 4 th December 2014 EU Data Protection and Information Security for Banking & Financial Service sectors 4 th December 2014 Janine Regan, Associate George Willis, Associate charlesrussellspeechlys.com Janine Regan Associate

More information

Briefly summarised, SURFmarket has submitted the following questions to the Dutch DPA:

Briefly summarised, SURFmarket has submitted the following questions to the Dutch DPA: UNOFFICIAL TRANSLATION Written opinion on the application of the Wet bescherming persoonsgegevens [Dutch Data Protection Act] in the case of a contract for cloud computing services from an American provider

More information

Response to Justice Select Committee's Call for Evidence on the EU Data Protection Framework Proposals. Cloud Legal Project 17 August 2012

Response to Justice Select Committee's Call for Evidence on the EU Data Protection Framework Proposals. Cloud Legal Project 17 August 2012 Response to Justice Select Committee's Call for Evidence on the EU Data Protection Framework Proposals Cloud Legal Project 17 August 2012 1. This response is by Christopher Millard, Alan Cunningham and

More information

Multi-Jurisdictional Study: Cloud Computing Legal Requirements. Julien Debussche Associate January 2015

Multi-Jurisdictional Study: Cloud Computing Legal Requirements. Julien Debussche Associate January 2015 Multi-Jurisdictional Study: Cloud Computing Legal Requirements Julien Debussche Associate January 2015 Content 1. General Legal Framework 2. Data Protection Legal Framework 3. Security Requirements 4.

More information

The potential legal consequences of a personal data breach

The potential legal consequences of a personal data breach The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.

More information

Cloud computing and personal data protection. Gwendal LE GRAND Director of technology and innovation CNIL

Cloud computing and personal data protection. Gwendal LE GRAND Director of technology and innovation CNIL Cloud computing and personal data protection Gwendal LE GRAND Director of technology and innovation CNIL 1 Data protection in Europe Directive 95/46/EC Loi 78-17 du 6 janvier 1978 amended in 2004 (France)

More information

Data and Cyber Laws Up-date 9 July 2015

Data and Cyber Laws Up-date 9 July 2015 Data and Cyber Laws Up-date 9 July 2015 Janine Regan Alexia Zuber Viktoria Protokova Simon Holdsworth charlesrussellspeechlys.com Topics Updates on the key aspects of, and commentary on, the proposed GDPR

More information

Data Protection and Cloud Computing: an Overview of the Legal Issues

Data Protection and Cloud Computing: an Overview of the Legal Issues Data Protection and Cloud Computing: an Overview of the Legal Issues Christopher Kuner Partner, Hunton & Williams, Brussels Research Assistant, University of Copenhagen Nordic IT Law Conference Copenhagen,

More information

Data Protection Act 1998. Guidance on the use of cloud computing

Data Protection Act 1998. Guidance on the use of cloud computing Data Protection Act 1998 Guidance on the use of cloud computing Contents Overview... 2 Introduction... 2 What is cloud computing?... 3 Definitions... 3 Deployment models... 4 Service models... 5 Layered

More information

Welcome & Introductions

Welcome & Introductions Addressing Data Privacy and Security Compliance in Cloud Computing Benjamin Hayes, Director of Legal Services, Data Privacy Compliance North America Accenture Copyright 2011 Accenture All Rights Reserved.

More information

Clause 1. Definitions and Interpretation

Clause 1. Definitions and Interpretation [Standard data protection [agreement/clauses] for the transfer of Personal Data from the University of Edinburgh (as Data Controller) to a Data Processor within the European Economic Area ] In this Agreement:-

More information

Office 365 Data Processing Agreement with Model Clauses

Office 365 Data Processing Agreement with Model Clauses Enrollment for Education Solutions Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Enrollment for Education Solutions number Microsoft to complete 7392924 GOLDS03081

More information

Policy and Procedure for approving, monitoring and reviewing personal data processing agreements

Policy and Procedure for approving, monitoring and reviewing personal data processing agreements Policy and Procedure for approving, monitoring and reviewing personal data processing agreements 1 Personal data processing by external suppliers, contractors, agents and partners Policy and Procedure

More information

BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS

BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS Mat Wright www.britishcouncil.org CONTENTS Purpose of the code 1 Scope of the code 1 The British Council s data protection commitment and

More information

Recommendations for companies planning to use Cloud computing services

Recommendations for companies planning to use Cloud computing services Recommendations for companies planning to use Cloud computing services From a legal standpoint, CNIL finds that Cloud computing raises a number of difficulties with regard to compliance with the legislation

More information

ARTICLE 29 DATA PROTECTION WORKING PARTY

ARTICLE 29 DATA PROTECTION WORKING PARTY ARTICLE 29 DATA PROTECTION WORKING PARTY 2588/15/EN WP 232 Opinion 02/2015 on C-SIG Code of Conduct on Cloud Computing Adopted on 22 September 2015 This Working Party was set up under Article 29 of Directive

More information

Application of Data Protection Concepts to Cloud Computing

Application of Data Protection Concepts to Cloud Computing Application of Data Protection Concepts to Cloud Computing By Denitza Toptchiyska Abstract: The fast technological development and growing use of cloud computing services require implementation of effective

More information

Pensions. Data protection and pensions. Briefing. Application Data Controller v Data Processor

Pensions. Data protection and pensions. Briefing. Application Data Controller v Data Processor Financial institutions Energy Infrastructure, mining and commodities Transport Technology and innovation Life sciences and healthcare Pensions Data protection and pensions Briefing January 2016 Trustees

More information

The reform of the EU Data Protection framework - Building trust in a digital and global world. 9/10 October 2012

The reform of the EU Data Protection framework - Building trust in a digital and global world. 9/10 October 2012 The reform of the EU Data Protection framework - Building trust in a digital and global world 9/10 October 2012 Questionnaire addressed to national Parliaments Please, find attached a number of questions

More information

ARTICLE 29 DATA PROTECTION WORKING PARTY

ARTICLE 29 DATA PROTECTION WORKING PARTY ARTICLE 29 DATA PROTECTION WORKING PARTY 00658/13/EN WP 204 Explanatory Document on the Processor Binding Corporate Rules Adopted on 19 April 2013 This Working Party was set up under Article 29 of Directive

More information

OUTSOURCING, HOSTING AND DATA PRIVACY ISSUES

OUTSOURCING, HOSTING AND DATA PRIVACY ISSUES OUTSOURCING, HOSTING AND DATA PRIVACY ISSUES 4 April 2013 James Castro-Edwards Solicitor Monica Salgado Advogada / Portuguese Lawyer OUR TEAM Speechly Bircham is an ambitious, full-service law firm with

More information

The eighth data protection principle and international data transfers

The eighth data protection principle and international data transfers Data Protection Act 1998 The eighth data protection principle and international data transfers The Information Commissioner s recommended approach to assessing adequacy including consideration of the issue

More information

AIRBUS GROUP BINDING CORPORATE RULES

AIRBUS GROUP BINDING CORPORATE RULES 1 AIRBUS GROUP BINDING CORPORATE RULES 2 Introduction The Binding Corporate Rules (hereinafter BCRs ) of the Airbus Group finalize the Airbus Group s provisions on the protection of Personal Data. These

More information

Response to the UK Ministry of Justice s Call for Evidence on the European Commission s Data Protection Proposals

Response to the UK Ministry of Justice s Call for Evidence on the European Commission s Data Protection Proposals Response to the UK Ministry of Justice s Call for Evidence on the European Commission s Data Protection Proposals Cloud Legal Project, Queen Mary, University of London This response is made by Christopher

More information

Salesforce s Processor Binding Corporate Rules. for the. Processing of Personal Data

Salesforce s Processor Binding Corporate Rules. for the. Processing of Personal Data Salesforce s Processor Binding Corporate Rules for the Processing of Personal Data Table of Contents 1. Introduction 3 2. Definitions 3 3. Scope and Application 4 4. Responsibilities Towards Customers

More information

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Sopra HR Software as a Data Processor Sopra HR Software, 2014 / Ref. : 20141120-101114-m 1/32 1.

More information

ECSA EuroCloud Star Audit Data Privacy Audit Guide

ECSA EuroCloud Star Audit Data Privacy Audit Guide ECSA EuroCloud Star Audit Data Privacy Audit Guide Page 1 of 15 Table of contents Introduction... 3 ECSA Data Privacy Rules... 4 Governing Law... 6 Sub processing... 6 A. TOMs: Cloud Service... 7 TOMs:

More information

Comments and proposals on the Chapter IV of the General Data Protection Regulation

Comments and proposals on the Chapter IV of the General Data Protection Regulation Comments and proposals on the Chapter IV of the General Data Protection Regulation Ahead of the trialogue negotiations later this month, EDRi, Access, Panoptykon Bits of Freedom, FIPR and Privacy International

More information

Inhouse Masterclass: Data Developments - Cyber Security & the Right to be Forgotten. MHC.ie

Inhouse Masterclass: Data Developments - Cyber Security & the Right to be Forgotten. MHC.ie Inhouse Masterclass: Data Developments - Cyber Security & the Right to be Forgotten MHC.ie Rewriting the Past Oisin Tobin otobin@mhc.ie Agenda 1. Background 2. Findings and impact: a) Jurisdiction b) A

More information

Data Centres North Data Centre Security is the tail wagging the dog? May 11-12 2015

Data Centres North Data Centre Security is the tail wagging the dog? May 11-12 2015 Data Centres North Data Centre Security is the tail wagging the dog? May 11-12 2015 Mark Bailey - Partner charlesrussellspeechlys.com Introduction Why do data centres exist? process data? protect data?

More information

ARTICLE 29 DATA PROTECTION WORKING PARTY

ARTICLE 29 DATA PROTECTION WORKING PARTY ARTICLE 29 DATA PROTECTION WORKING PARTY 01037/12/EN WP 196 Opinion 05/2012 on Cloud Computing Adopted July 1 st 2012 This Working Party was set up under Article 29 of Directive 95/46/EC. It is an independent

More information

Financial Advisers (Amendment) Bill

Financial Advisers (Amendment) Bill Financial Advisers (Amendment) Bill Bill No. 15/2015. Read the first time on 11 May 2015. A BILL intituled An Act to amend the Financial Advisers Act (Chapter 110 of the 2007 Revised Edition). Be it enacted

More information

Mapping of outsourcing requirements

Mapping of outsourcing requirements Mapping of outsourcing requirements Following comments received during the first round of consultation, CEBS and the Committee of European Securities Regulators (CESR) have worked closely together to ensure

More information

Data Processing Agreement for Oracle Cloud Services

Data Processing Agreement for Oracle Cloud Services Data Processing Agreement for Oracle Cloud Services Version November 3, 2015 1. Scope and order of precedence This agreement (the Data Processing Agreement ) applies to Oracle s Processing of Personal

More information

This Amendment consists of two parts. This is part 1 of 2 and must be accompanied by and signed with part 2 of 2 (Annex 1) to be valid.

This Amendment consists of two parts. This is part 1 of 2 and must be accompanied by and signed with part 2 of 2 (Annex 1) to be valid. Microsoft Online Subscription Agreement Amendment adding Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Proposal ID MOSA number Microsoft to complete This Amendment

More information

Firm Registration Form

Firm Registration Form Firm Registration Form Firm Registration Form This registration form should be completed by firms who are authorised and regulated by the Financial Conduct Authority. All sections of this form are mandatory.

More information

Into the Cloud: How will the Draft EU Data Protection Regulation affect cloud computing service providers and users?

Into the Cloud: How will the Draft EU Data Protection Regulation affect cloud computing service providers and users? 10 Juni 2013 Taylor Wessing - Essay Competition 2013 Into the Cloud: How will the Draft EU Data Protection Regulation affect cloud computing service providers and users? by Katarina Kesselová, LLM. Introduction

More information

Dean Bank Primary and Nursery School. Secure Storage of Data and Cloud Storage

Dean Bank Primary and Nursery School. Secure Storage of Data and Cloud Storage Dean Bank Primary and Nursery School Secure Storage of Data and Cloud Storage January 2015 All school e-mail is disclosable under Freedom of Information and Data Protection legislation. Be aware that anything

More information

Mitigating and managing cyber risk: ten issues to consider

Mitigating and managing cyber risk: ten issues to consider Mitigating and managing cyber risk: ten issues to consider The board of directors is responsible for managing and mitigating risk exposure. A recent study conducted by the Ponemon Institute 1 revealed

More information

Data Processing Agreement for Oracle Cloud Services

Data Processing Agreement for Oracle Cloud Services Data Processing Agreement for Oracle Cloud Services Version December 1, 2013 1. Scope and order of precedence This is an agreement concerning the Processing of Personal Data as part of Oracle s Cloud Services

More information

A guide for in-house lawyers

A guide for in-house lawyers A guide for in-house lawyers June 2015 The Proposed EU General Data Protection Regulation Index Introduction to the Regulation - 3 Progress of the Regulation - 4 Using this Guide - 5 Conceptual Overview

More information

Third European Cyber Security Awareness Day BSA, European Parliament, 13 April 2010. Panel IV: Privacy and Cloud Computing

Third European Cyber Security Awareness Day BSA, European Parliament, 13 April 2010. Panel IV: Privacy and Cloud Computing Third European Cyber Security Awareness Day BSA, European Parliament, 13 April 2010 Panel IV: Privacy and Cloud Computing Data Protection and Cloud Computing under EU law Peter Hustinx European Data Protection

More information

The Role and Function of a Data Protection Officer in the European Commission's Proposed General Data Protection Regulation. Initial Discussion Paper

1. Introduction Initial Discussion Paper The data protection officer (DPO)

Information Security Risks when going cloud. How to deal with data security: an EU perspective.

Separating fact from fiction about new software licensing /SaaS/ cloud computing models: advantages, disadvantages and ethical implications. Information Security Risks when going cloud. How to deal with

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft

Cyber Security and Privacy Services What drives your security

The Data Protection Landscape. Before and after GDPR: General Data Protection Regulation

Data Protection regulations across Europe Current regulations & guidance European Directives 95/46/EC (Data Protection)

Data protection issues on an EU outsourcing

Saam Golshani, Alastair Gorrie and Diego Rigatti, Orrick Herrington & Sutcliffe www.practicallaw.com/8-380-8496 Outsourcing can mean subcontracting a process

OPINION MAY 2012 ON CLOUD COMPUTING Article 29 Data Protection Working Party (July 1, 2012)

ARTICLE 29 DATA PROTECTION WORKING PARTY 01037/12/EN WP 196 Opinion 05/2012 on Cloud Computing Adopted July 1

Offshoring and Privacy Aspects A case study under Dutch law from the perspective of an IT provider

Elisabeth P.M. Thole In February 2006 Widmer and Nair described the data protection issues in the context of outsourcing from the Swiss

Position of the retail and wholesale sector on the Draft Data Protection Regulation in view of the trilogue 2015

2 September 2015 We support the efforts of EU legislators to create a harmonised data protection

White Paper: Data Protection In The Cloud. Data Protection In The Cloud

Introduction The rapid emergence of cloud computing has placed it at the forefront of IT decision making and business strategies.

Data transfers in the Cloud

Rapporteur: Emmanuelle Bartoli Meeting date: 28th March 2014 1 The purpose of this document is to explore options for how contracts between Cloud providers and consumers and

The European General Data Protection Regulation. A guide for the insurance industry

IMPORTANT NOTE: This guide is based on the politically agreed compromise text agreed by the European Commission, EU Parliament

Summary of responses to the public consultation on Cloud computing run by CNIL from October to December 2011 and analysis by CNIL

1. Definition of Cloud Computing In the public consultation, CNIL defined

Data Retention and Investigatory Powers Bill

CONTENTS Retention of relevant communications data 1 Powers for retention of relevant communications data subject to safeguards 2 Section 1: supplementary Investigatory

DATA PROTECTION POLICY

Reference number Approved by Information Management and Technology Board Date approved 14th May 2012 Version 1.1 Last revised N/A Review date May 2015 Category Information Assurance Owner Data Protection

slaughter and may The new EU Data Protection Regulation revolution or evolution?

BRIEFING April 2012 Reform of Europe's data protection regime moved one step closer this January with the publication of

Data Protection for Charities

CFG 15 May 2014 Overview Overview and key definitions The data protection principles Fair and lawful processing Data security and outsourcing Rights of data subjects Recent

1.1 An initial request to enter into a contractual arrangement may be initiated by either Massey University or another party (Other Party).

CONTRACT MANAGEMENT PROCEDURE Section Risk Management Contact Risk Manager Last Review February 2013 Next Review February 2016 Approval Not required Procedures Contract Initiation Request Mandatory Guidance

FRANCE. Chapter XX OVERVIEW

Merav Griguer 1 I OVERVIEW France has an omnibus privacy, data protection and cybersecurity framework law. As a member of the European Union, France has implemented the EU Data Protection

Data Protection in Ireland

Contents Data Protection in Ireland Introduction Page 2 Appointment of a Data Processor Page 2 Security Measures (onus on a data controller) Page 3 8 Principles Page 3 Fair

IG: Third Party Contracts and Contractors Policy

Document Summary This policy provides guidance on the Information Governance arrangements that need to be considered and/or implemented when engaging

COMMISSION STAFF WORKING DOCUMENT. on the existing EU legal framework applicable to lifestyle and wellbeing apps. Accompanying the document

EUROPEAN COMMISSION Brussels, 10.4.2014 SWD(2014) 135 final COMMISSION STAFF WORKING DOCUMENT on the existing EU legal framework applicable to lifestyle and wellbeing apps Accompanying the document GREEN

White paper. The Essential Guide to the EU Data Law Changes. your technology, expertly marketed

This guide explains exactly what the EU Data Protection Regulation is and how it will change life as we know it when it comes into enforcement

Impact of EU General Data Protection Regulation

A White Paper Thursday 15 October 2015 The law stated is correct as of this date. This does not constitute legal advice and it is highly recommended to seek

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19

Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Rules Responsibility

AN INSIDE VIEW FROM THE EU EXPERT GROUP ON CLOUD COMPUTING

1. Overview and Background On 27 September 2012, the European Commission adopted a strategy for "Unleashing the potential of cloud computing in

TERMS & CONDITIONS of SERVICE for MSKnote. Refers to MSKnote Limited. Refers to you or your organisation

Definitions: "Us or Our or We or Company" refers to MSKnote Limited; "You or Your or Client" refers to you or your organisation. Information about us: We are MSKnote

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved.

Contents INTRODUCTION 3 PART I: BACKGROUND AND ACTIONS 4 PART II: CONTROLLER OBLIGATIONS 6 PART III: APPENDICES 13 INTRODUCTION

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1

Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Responsibility of Employees

Merthyr Tydfil County Borough Council. Data Protection Policy

2014 Cyfarthfa High School is a Rights Respecting School, we recognise the importance of ensuring that the United Nations Convention of the

Draft GDPR and health-related scientific research: Where do we stand with the EU Council?

Gauthier Chassang, Lawyer BIOBANQUES Infrastructure, INSERM US013, France Data Protection for health: Enabling

The Impact of EU Data Protection Legislation. Thomas Rivera Hitachi Data Systems

Privacy vs Data Protection: The Impact of EU Data Protection Legislation SNIA Legal Notice The material contained in this tutorial is copyrighted

Terms and Conditions of Offer and Contract (Works & Services) Conditions of Offer

A1 The offer documents comprise the offer form, letter of invitation to offer (if any), these Conditions of Offer and Conditions of Contract (Works & Services), the Working with Queensland

OVERVIEW. stakeholder engagement mechanisms and WP29 consultation mechanisms respectively.

Joint work between experts from the Article 29 Working Party and from APEC Economies, on a referential for requirements for Binding Corporate Rules submitted to national Data Protection Authorities in

Cloud Software Services for Schools

Supplier self-certification statements with service and support commitments Supplier name Address Contact name Contact email Contact telephone Parent Teacher Online

UNIVERSITY OF SOUTHAMPTON DATA PROTECTION POLICY

1. Purpose 1.1 The Data Protection Act 1998 (the Act) has two principal purposes: i) to regulate the use by those (known as data controllers) who obtain,

Key privacy / data protection questions

Illuminating the Cloud: the What, Who and Where of Privacy Compliance Professor IAPP Europe Data Protection Intensive, London, April 2012 Key privacy / data protection questions What information in clouds

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document

Table of contents 1 Introduction 1.1 Scope 1.2 Definitions 1.2.1

Acquia Comments on EU Recommendations for Data Processing in the Cloud

Executive Summary On July 1, 2012, European Union (EU) data protection regulators provided guidelines for service providers processing

(a) the kind of data and the harm that could result if any of those things should occur;

Cloud Computing This information leaflet aims to advise organisations on the factors they should take into account in considering engaging cloud computing. It explains the relevance of the Personal Data

Data Protection Avoiding Information Commissioner Fines. Caroline Egan 5 June 2014

Why is data protection a hot topic in pensions? Pension schemes hold large amounts of personal data Individuals more aware

Data Compliance. And. Your Obligations

Information Booklet What is Data Protection? It is the safeguarding of the privacy rights of individuals in relation to the processing of personal data. The Data Protection

US Safe Harbor Framework declared invalid How to continue legally transferring personal data to the United States

Summary of the ruling October 6, 2015, in a ground-breaking judgment, the Court of Justice

THE TRANSFER OF PERSONAL DATA ABROAD

MARCH 2014 THIS NOTE CONSIDERS THE SITUATION OF AN IRISH ORGANISATION OR BUSINESS SEEKING TO TRANSFER PERSONAL DATA ABROAD FOR STORAGE OR PROCESSING, IN LIGHT OF THE

Standard conditions of purchase

1 OFFER AND ACCEPTANCE 2 PROPERTY, RISK & DELIVERY 3 PRICES & RATES The Supplier shall provide all Goods and Services in accordance with the terms and conditions set out

Align Technology. Data Protection Binding Corporate Rules Processor Policy. 2014 Align Technology, Inc. All rights reserved.

Confidential Contents INTRODUCTION TO THIS POLICY 3 PART I: BACKGROUND AND ACTIONS 4 PART II: PROCESSOR OBLIGATIONS 6 PART III:

Security incidents affecting personal data: an exploratory travel from technology to law (*under Chatham House Rule)

DPO meeting 8 May 2015 Mario Guglielmetti Legal officer Unit Supervision and Enforcement

Data Protection Act. Privacy & Security in the Information Age. April 26, 2013. Ministry of Communications, Ghana

Agenda Privacy in The Information Age The right to privacy Why We Need Legislation Purpose of the Act The Data Protection Act

Privacy Level Agreement Outline for the Sale of Cloud Services in the European Union

Privacy Level Agreement Working Group February 2013 The PLA Outline has been developed within CSA by an expert working

Data protection legislation influence on cloud computing from local as well as EU perspective

mag. Andrej Tomšič Deputy Information Commissioner Information Commissioner CLASS conference 2012 I Cloud Assisted

CCBE RECOMMENDATIONS FOR THE IMPLEMENTATION OF THE DATA RETENTION DIRECTIVE

Representing Europe's lawyers

Data Protection Policy

Introduction This policy sets out the framework for a consistent SDS wide approach to handling information relating to identifiable individuals (Personal Data). Skills Development