Cloud computing and the legal framework
Cloud computing and the legal framework - Guidance on legislative requirements and the contractual environment related to cloud computing

Contents

1. Introduction
2. The Danish Act on Processing of Personal Data and the accompanying Executive Order on Security
   2.1 No processing of personal data
   2.2 Processing of personal data
   Authority to process personal data
   The data controller's leave of personal data to a data processor (cloud supplier)
   The security requirements of the Act on Processing of Personal Data
   Data processor agreement
   Cloud supplier outside the EU, including special rules for transfer to locations outside the EU
   Duty of notification
   2.4 Certain critical information
3. Other relevant legislation
   3.1 The Bookkeeping Act (Bogføringsloven)
   3.2 The Audit Act (Regnskabsloven)
   3.3 The Archive Act (Arkivloven)
1. Introduction

Cloud computing is expected to become more and more widespread in the future. The Agency for Digitisation has, therefore, in cooperation with Kammeradvokaten, the legal adviser to the Danish Government, prepared this guidance for the purpose of reviewing matters which both the customer (e.g. a public authority) and the supplier of the cloud solution should consider and be aware of when forming a contract regarding cloud computing.

In most cases, much of the data in a cloud solution will consist of personal data. Therefore the focus of this guidance is on legal matters relating to personal data. For explanatory notes, see chapter 2 below.

In relation to chapter 2 below, please note the importance of the customer's awareness of what data is entrusted to the supplier in relation to the cloud solution. The Danish Act on Processing of Personal Data limits what data may freely be entrusted to a supplier in a cloud solution. Furthermore, the Danish Act on Processing of Personal Data and the accompanying Executive Order on Security contain rules governing the obtaining of prior consent from the Danish Data Protection Agency for the solution in question. Therefore, the customer must, prior to forming a contract, carefully consider what data is to be managed by the cloud supplier in order to comply with the Danish Act on Processing of Personal Data and the accompanying Executive Order on Security. Notes by the Danish Data Protection Agency in relation to legal matters regarding personal data are incorporated in the guidance.

Chapter 3 gives a brief introduction to other relevant legislation, which in certain cases may be important to cloud computing. It is recommended to read the guidance in full. The guidance addresses both public authorities and private companies.

2. The Danish Act on Processing of Personal Data and the accompanying Executive Order on Security

The Danish Act on Processing of Personal Data (act nr 429 of 31 May 2000 on processing of personal data, as amended) regulates the processing of personal data. The term personal data comprises any data regarding an identified or identifiable natural person, cf. s 3 (1). Comprised by the term personal data is data that can be attributed to a natural person, even if this requires knowledge of a personal identification number, registration number or a similar specific identification such as e.g. a serial number, regardless of whether the data is on record or instantaneously obtainable. The definition also comprises circumstances under which personal data can be attributed to a person only by someone in the know. As an example, an e-mail address or an IP address may be personal data and thereby comprised by the Danish Act on Processing of Personal Data, because it would be possible to relate the IP address to a certain computer and its owner. An e-mail, therefore, does not have to contain the name or address of the receiver to be considered personal data.

The Danish Act on Processing of Personal Data only applies, apart from a few exceptions, to data about natural persons and not to data about legal persons.

The Danish Act on Processing of Personal Data comprises the processing of data by both public authorities and the private sector. The same legislation therefore applies to both the public and the private sector.

Pursuant to the Danish Act on Processing of Personal Data, several Executive Orders have been issued, among other things regarding the requirements for data security. Further rules are set for the public administration in the Executive Order on Security.[1] The executive order applies to any processing of personal data done within the public administration entirely or partly by means of electronic data processing. The executive order defines the technical and organisational precautionary measures which as a minimum need to be taken in the public administration in consideration of processing security (data security).

The review in chapter 2 is not exhaustive and the customer must in any case assess compliance with the Danish Act on Processing of Personal Data, if necessary by seeking legal assistance from the Danish Data Protection Agency.

2.1 No processing of personal data

If a customer wishes to form a contract regarding a cloud solution in which no personal data is processed, the Danish Act on Processing of Personal Data does not limit the exchange or transfer of data to a cloud supplier. In such a case there is no need to include in the contract special terms and conditions for compliance with the Danish Act on Processing of Personal Data. This could e.g. be a cloud solution for the operation of a statistical application not containing personal data. In such an event there are no limitations for the customer in regard to forming a contract with the cloud supplier, regardless of its location.

[1] Consolidated act nr 528 of 15th June 2000 as changed by act nr 201 of 22nd March 2001
2.2 Processing of personal data

When processing personal data, compliance with the Danish Act on Processing of Personal Data is required. In this context processing means any operation or set of operations, with or without the use of electronic data processing, to which the data is subjected, cf. s. 3 (2).

The processing term comprises any processing of data, e.g. collecting, registration, systemising, storage, alteration, search, transmission, entrusting, releasing, juxtaposition, multiprogramming, blocking, deletion or destruction.

Authority to process personal data

Regardless of what solution is chosen for managing personal data, it is important to be aware of the relevant provisions. Both the Danish Act on Processing of Personal Data and special rules in other legislation limit what kind of data may be included as well as the usage of that data, e.g. disclosure of data. Personal data can be divided into:

- Regular, non-sensitive data (section 6)
- Sensitive personal data (section 7, e.g. data about race, political background, religion etc.)
- Other types of sensitive personal data (section 8, e.g. data about criminal record, social issues etc.)

Whether there is a legal basis for processing personal data is determined by e.g. the purpose and the character of the data, i.e. whether it is section 6, 7 or 8 data. Any processing of personal data must comply with the basic requirements of section 5 on proper data management ethics and the requirements that the purpose of processing the data must be specified and factual. It is also required that the data managed must be relevant and adequate. Processing must be carried out so that the data is updated properly. Furthermore, the data may not be stored in a way that makes it possible to identify the data subjects for a longer period of time than necessary for the purpose of the data processing, cfr. section 5, sub-sections

The data controller's leave of personal data to a data processor (cloud supplier)

Section 3, nr 4 and 5 of the Act on Processing of Personal Data defines the terms data controller and data processor. A cloud supplier will in most cases be a data processor.
The data controller decides for what purpose and by which means personal data may be processed, while the data processor processes personal data on behalf of the data controller. The data controller is effectively responsible for the processing of personal data and controls the data.

A data processor may perform the practical processing of personal data on behalf of the data controller. It is up to the data controller to decide whether the data processor is to process the data on behalf of the data controller. It is the data controller's responsibility that the processing complies with the legislation; this also applies to data processed by the data processor.

The security requirements of the Act on Processing of Personal Data

A number of factors require attention regardless of whether data is left with a cloud supplier in Denmark, another EU country or a third country. It is the data controlling authority's responsibility that the Act on Processing of Personal Data and the Executive Order on Security are complied with by the data processor. The rules of the Executive Order on Security apply to the processing of personal data in the public administration.

Security requirements in the private sector

For the private sector, there is also a legal basis to issue an executive order on security requirements, but this legal basis has not been exercised. However, the Danish Data Protection Agency has in concrete cases set further rules on security precautions by making use of rules which state that the Agency may set terms when issuing licences. The Danish Data Protection Agency has furthermore on different occasions recommended that private companies to the widest possible extent prepare security measures corresponding to the Executive Order on Security. Additionally, the Danish Data Protection Agency has set a number of requirements and recommendations for the private sector in relation to the transfer of personal data via the internet. These may be read on the Danish Data Protection Agency's website.

The data controller must produce a total risk assessment of whether a given solution provides a sufficient security level. The risk assessment may be done based on a standard for data security such as ISO/IEC or DS 484, which is the common governmental standard for data security. Both contain examples of what elements may comprise a risk assessment. In terms of a cloud solution, inspiration for the risk assessment may be found in ENISA's[2] publication Cloud computing: Benefits, risks and recommendations for data security (see the check list on page in the report).

In any case the data controller must ensure that the data processing by the data processor complies with the Danish security requirements described in the Act on Processing of Personal Data sections and the Executive Order on Security. These requirements are described in the following.

The aim of the security requirements is first and foremost that both public and private data controllers and data processors must implement the necessary technical and organisational security measures against accidental or unlawful destruction, loss or alteration and against unauthorised disclosure, abuse or other processing in violation of section 41, 3 of the Act on Processing of Personal Data. In terms of the processing of personal data by public authorities this is further described in the national Executive Order on Security (publication nr 528 of 15th June 2000 as changed by publication nr 201 of 22nd March 2001) and the security guidelines (the Danish Data Protection Agency's guidelines nr 37 of 2nd April 2001). According to the Executive Order on Security the Danish Data Protection Agency is entitled to make recommendations to the data controlling authority in regard to the security measures taken.

The Executive Order on Security and the security guidelines, to which references are made in the following, describe and elaborate on the technical and organisational security measures which, for the sake of data security, must be taken in the public administration in accordance with the general rules for security measures in sections. These requirements, from the Executive Order on Security, must as a minimum be observed. In addition, the security measures taken must reflect that the processing of personal data in a cloud solution is done via the internet, which tightens the requirements for data security.

The Act on Processing of Personal Data, the Executive Order on Security and the security guidelines describe a number of security measures which must be met when processing personal data for the public administration. Below is a list of some of those security measures especially relevant to cloud solutions. It is noted that the list is not exhaustive but merely highlights some of the present measures in general:

- Personal data must be deleted after processing
- When discarding or distributing used data media it must be ensured that personal data is not accessible to unauthorised persons
- When transmitting data through the open internet, encryption of data is a minimum requirement
- Security for authentication (sender's and receiver's identity) and integrity (the validity of the transmitted data) must be secured to such extent as circumstances may require, e.g. by using two-factor authentication
- It must be ensured that only authorised users can access the system. Rejected access attempts must be monitored
- The Executive Order on Security, section 19 on logging must be observed

If the data processor is located in an EU country other than Denmark, the data processor must also comply with the security requirements of the EU country in question, cfr. the Act on Processing of Personal Data, section 42, 2.

[2] European Network and Data Security Agency

Data processor agreement

When a data controller transfers data to a data processor, the data controller must actively ensure that the data processor observes the necessary data security. E.g. it is required that a written agreement (a data processor agreement) is signed between the data controller and the data processor when personal data is transferred, cfr. the Act on Processing of Personal Data section 42, nr 2, 1 and the Executive Order on Security section 7. The agreement must state that the data processor solely acts on instructions from the data controller. Furthermore, the agreement must state that the data processor must take the necessary technical and organisational security measures. If the data controller is a public authority, the data processor agreement must state that the rules of the Executive Order on Security are observed by the data processor.

Cloud supplier outside the EU, including special rules for transfer to locations outside the EU

The Act on Processing of Personal Data section 27 regulates when data may be transferred to e.g. data processors in a third country (countries outside the EU/EEA). As a general rule, when personal data is transferred to third countries under section 27, the rules of the Act on Processing of Personal Data must still be met, cfr. section 27, nr 5. When using a cloud supplier outside the EU, the following possibilities are usable for transferring data to third countries:

A. Transfer to a secure third country
B. Safe Harbor agreement
C. The Commission's model clauses on transferring data to third countries
A. Transfer to a secure third country

The Act on Processing of Personal Data section 27, nr 1 states that data may only be transferred to a third country if the security level of the country in question is sufficient. As of 15th June 2010, the Commission has deemed the following third countries to have a sufficient security level in general, by either legislation or other precautionary measures: Switzerland, Canada (on a limited scale), Argentina, Guernsey, USA (on a limited scale), Isle of Man, Jersey, Faroe Islands, Andorra and Israel. The register of generally approved countries can be found on the Danish Data Protection Agency's website.

Transfer of data to cloud suppliers in these countries may therefore be done in accordance with the Act on Processing of Personal Data section 27, nr 1. Such transfer does, in certain cases, require permission from the Danish Data Protection Agency, cfr. the Act on Processing of Personal Data section 50, nr 2.

B. The Safe Harbor Agreement

As mentioned above, data may only be transferred to a third country if the security level of the country in question is sufficient, cfr. the Act on Processing of Personal Data section 27, nr 1. The EU Commission has decided that American companies affiliated with the so-called Safe Harbor Agreement presumably meet a sufficient protection level for personal data transferred from the EU to these companies. Transfer of personal data to such companies may therefore be done according to the Act on Processing of Personal Data section 27, nr 1. Such transfer does, in certain cases, require permission from the Danish Data Protection Agency, cfr. the Act on Processing of Personal Data section 50, nr 2.

C. The EU Commission's model clauses on transfer to third countries

In those cases where the security level of the third country is not sufficient (and where the enumerated exceptions in the Act on Processing of Personal Data section 27, nr 3 do not render transfer possible), the Danish Data Protection Agency may authorise the transfer of data to the third country. Such authorisation is conditioned on whether the data controller provides sufficient guarantees for the protection of the rights of the data subjects. This is stated in the Act on Processing of Personal Data section 27, nr 4. The Commission has found that the requirement in section 27, nr 4 on requisite guarantees for sufficient protection of the rights of the data subjects may be contained in certain standard contractual clauses.

Provided that the data controller enters into an agreement with a cloud supplier on terms based on the Commission's model clauses, transfer of personal data to the cloud supplier may be authorised. Furthermore, the model clauses provide the option that only one authorisation for the transfer of personal data to a given data processor in a third country has to be obtained, even when the data processor uses sub-data processors also based in third countries.

If the data processor is based within the EU and uses sub-data processors in a third country, transfer of personal data may take place if:

- the data controller within the EU enters into an agreement, with terms based on the standard contractual clauses of the Commission, directly with a sub-data processor in a third country, or
- the data controller authorises the data processor in the EU to agree terms with the sub-data processors in the name of and on behalf of the data controller.

The Commission's model clauses are available on the Commission's website. Furthermore, reference is made to the information on transfer of data to third countries on the Danish Data Protection Agency's website.

Duty of notification

The Act on Processing of Personal Data contains a principal rule that the Danish Data Protection Agency must be notified before processing of personal data is carried out. In relation to the notification, the Danish Data Protection Agency must, when the notification concerns personal data comprised by sections 7 and 8, issue an authorisation or a statement before the processing. This applies in relation to both cloud computing and other cases where personal data is processed. In most cases public authorities and private companies will have notified the Danish Data Protection Agency beforehand.

If the IT architecture that forms the basis for a solution is changed, e.g. if parts of the IT system are converted into cloud solutions, it is not always necessary to re-notify the Danish Data Protection Agency about the processing of personal data. In some cases, it will only be necessary to update the existing notification. Initially, it is up to the data controller to assess whether the previous notification remains valid or whether the conversion requires a new notification or an update of the current notification, e.g. when converting something into a cloud computing solution.
Reference is made to the Act on Processing of Personal Data chapter 12 (sections 43-47) and the Danish Data Protection Agency's guidelines nr 125 of July 10th 2000 regarding notification of processing done on behalf of the public administration. Furthermore, reference is made to the Act on Processing of Personal Data chapter 13 (sections 48-51) regarding notification of processing done on behalf of private data controllers. These documents can be found on the Danish Data Protection Agency's website.

It should also be noted that the transfer of personal data to third countries in certain cases requires authorisation from the Danish Data Protection Agency, cfr. the Act on Processing of Personal Data section 50, nr 2. The duty of notification lies with the data controller even when the processing of personal data according to a data processing agreement is carried out by a data processor.

2.4 Certain critical information

When the data controller, as a public authority, processes data of special interest to foreign powers, precautions must be taken to ensure that the data can be disposed of or destroyed in the event of war or other such events, cfr. the Act on Processing of Personal Data section 41, nr 4. This rule primarily concerns data included in registers which may be of special interest to a foreign power, e.g. to help find individuals with special training or education, or special equipment like vehicles etc., which may help the foreign power in case of occupation etc. This rule, the so-called war rule, entails that e.g. information from the Civil Register (CPR-registret), central tax registers and other special registers in general must not be transferred to a data processor outside Denmark. Whether the data controlling authority in such a case can transfer personal data comprised by the Act on Processing of Personal Data section 41, nr 4 to a cloud supplier relies on an individual assessment, firstly made by the data controller itself. If the data controller is in doubt, it may contact the Danish Data Protection Agency.

3. Other relevant legislation

In this section, other legislation which in some cases may be relevant to observe in relation to cloud computing is presented.
3.1 The Bookkeeping Act (Bogføringsloven)

The Bookkeeping Act[3] regulates the general minimum requirements for a company's bookkeeping. According to the Bookkeeping Act section 10, financial records must be stored adequately secure for 5 years from the end of the financial year the records concern. This includes that the financial records during the entire storage period must be protected against theft, fire or other intended or unintended destruction or disposal insofar as it is reasonable. If the records are stored digitally, continuous backup of the records must be made and the backup copy must be checked for readability.

The basis of the Bookkeeping Act section 12 is that financial records must be stored in Denmark or in the Nordic countries.[4] This applies to both physical appendices and digital data. Hence, if financial records are stored on a server physically placed outside Denmark, a complete copy must be kept in Denmark. It is not adequate to have online access to the foreign server where the financial records are stored. If the financial records are stored on a foreign server (e.g. by a cloud service), it is therefore necessary to download a copy of the records electronically or make sure that a paper copy is available. The electronic copy must be placed on a server in Denmark and be retrievable, readable and printable without having to be processed. According to the regulations of the Bookkeeping Act it will be adequate to make such a copy (electronically or on paper) on a monthly basis.

The regulation that financial records as a starting point must be stored in Denmark is i.a. based on the consideration that public authorities must be able to perform their tasks. The purpose of the storage requirements is to ensure that e.g. the Central Tax Administration (SKAT) has easy access to financial records in connection with inspection or investigation. The Danish Commerce and Companies Agency may, subsequent to a prior application, grant exemption from the above requirements concerning the storage of financial records in Denmark. The Danish Commerce and Companies Agency has, based on the above-mentioned considerations, as yet only in special circumstances and subject to a number of additional conditions granted exemption for storing financial records exclusively abroad. In terms of appendices, exemption for exclusive storage abroad cannot be granted. Financial records may at all times be stored abroad, provided that an exact copy of the financial records exists in Denmark, e.g. electronically.

3.2 The Audit Act (Regnskabsloven)

Governmental accountancy is regulated according to the Audit Act and the Danish Executive Order on the Preparation of Financial Statements.[5]

[3] Consolidated act nr 648 of 15th June
[4] Act nr 250 of 23rd March 2006 about storing financial records abroad
[5] Act nr 131 of 28th March 1984 on the Government's accountancy etc.
Similar to business enterprises, financial records for governmental institutions must be stored adequately secure for 5 years from the end of the financial year the records concern, unless a longer period follows from other legislation. The records must be kept so that, during the entire storage period, independent and unequivocal retrieval of the records in question is possible, cfr. section 44 of the Danish Executive Order on the Preparation of Financial Statements.

The basis for the Audit Act section 45 is that financial records must be stored in Denmark. This applies to both physical appendices and digital data. As with the Bookkeeping Act described above, this regulation means that financial records may be stored on a server abroad provided that an exact copy of the records is made on a monthly basis at a minimum. Such a copy must be placed on a server in Denmark or on paper. The Agency for Governmental Management is able to exempt institutions which need to store financial records in the Nordic countries (Finland, Iceland, Norway and Sweden) from the requirement in section 45.

3.3 The Archive Act (Arkivloven)

The Archive Act[6] and subordinate regulations concern public authorities' archives. The Archive Act is only relevant in relation to cloud computing if an authority chooses to store or run its casework system in a cloud solution. In such a case the authority must observe the rules of the Archive Act. The Government's archives assume responsibility for the preservation of the individual archives when these are transferred to the Government's archives, cfr. section 8, nr 3. Until then, authorities must make sure to observe archival considerations, including that archives are stored adequately secure, cfr. section 8, nr 1. Furthermore, authorities must, according to section 8, nr 2, make sure that archives stored digitally are kept so that they can be transferred to public archives. In-depth regulations on archival considerations (cfr. section 8 nr 1) about the processing, storage and discarding of government agencies' archives can be found in the Danish Executive Order on the Preparation of Archives.[7]

[6] Consolidated act nr 1035 of 21st August
[7] Act nr 591 of 26 March 2003 on public archives and public archives activities.
Microsoft Online Subscription Agreement Amendment adding Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Proposal ID MOSA number Microsoft to complete This Amendment
More informationData Protection Consent Clause and Policy Background
Data Protection Consent Clause and Policy Background The Singapore Personal Data Protection Act - 2012 (PDPA) establishes a data protection law that comprises various rules governing the collection, use,
More informationA list of CIArb subsidiaries relevant to this notice and their activities is set out below.
CHARTERED INSTITUTE OF ARBITRATORS DATA PRIVACY NOTICE INTRODUCTION This data protection notice explains what personal data will be collected by the Chartered Institute of Arbitrators and its subsidiary
More informationGSK Public policy positions
Safeguarding Personally Identifiable Information A Summary of GSK s Binding Corporate Rules The Issue The processing of Personally Identifiable Information (PII) 1 and Sensitive Personally Identifiable
More informationData Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document
Data Protection Processing and Transfer of Personal Data in Kvaerner Binding Corporate Rules Public Document 1 of 19 1 / 19 Table of contents 1 Introduction... 4 1.1 Scope... 4 1.2 Definitions... 4 1.2.1
More informationOn Data Protection and the Detailed and Uniform Data Management Regulation
Rector s Directive No. 1/2013 On Data Protection and the Detailed and Uniform Data Management Regulation Budapest, 2013 Version effective as of 31 January 2013 Directives on Data Protection and the Uniform
More informationEnrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 --------------
w Microsoft Volume Licensing Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 Enrollment for Education Solutions number Microsoft to complete --------------
More informationClause 1. Definitions and Interpretation
[Standard data protection [agreement/clauses] for the transfer of Personal Data from the University of Edinburgh (as Data Controller) to a Data Processor within the European Economic Area ] In this Agreement:-
More informationInformation Security Risks when going cloud. How to deal with data security: an EU perspective.
Separating fact from fiction about new software licensing /SaaS/ cloud computing models: advantages, disadvantages and ethical implications. Information Security Risks when going cloud. How to deal with
More informationMicrosoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10
Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID This Microsoft Online Services Security Amendment ( Amendment ) is between
More informationPrivacy and Cloud Computing for Australian Government Agencies
Privacy and Cloud Computing for Australian Government Agencies Better Practice Guide February 2013 Version 1.1 Introduction Despite common perceptions, cloud computing has the potential to enhance privacy
More informationThe eighth data protection principle and international data transfers
Data Protection Act 1998 The eighth data protection principle and international data transfers The Information Commissioner s recommended approach to assessing adequacy including consideration of the issue
More informationCorporate Policy. Data Protection for Data of Customers & Partners.
Corporate Policy. Data Protection for Data of Customers & Partners. 02 Preamble Ladies and gentlemen, Dear employees, The electronic processing of virtually all sales procedures, globalization and growing
More informationInformation Security Policy September 2009 Newman University IT Services. Information Security Policy
Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms
More informationPRIVACY REGULATIONS regarding the Web Health History ("W.H.H.") Service called LifepassportPRO provided by Meshpass SA
PRIVACY REGULATIONS regarding the Web Health History ("W.H.H.") Service called LifepassportPRO provided by Meshpass SA Updated: 20 Jun 2015 (substitutes previous versions) This Privacy Policy describes
More informationType of Personal Data We Collect and How We Use It
Philips Lumify App Privacy Notice This Privacy Notice was last changed on September 1, 2015. Philips Electronics North America Corporation ("Philips") strongly believes in protecting the privacy of the
More informationCCBE RESPONSE REGARDING THE EUROPEAN COMMISSION PUBLIC CONSULTATION ON CLOUD COMPUTING
CCBE RESPONSE REGARDING THE EUROPEAN COMMISSION PUBLIC CONSULTATION ON CLOUD COMPUTING CCBE response regarding the European Commission Public Consultation on Cloud Computing The Council of Bars and Law
More informationsingapore american school
Background The Singapore Personal Data Protection Act - 2012 (PDPA) establishes a data protection law that comprises various rules governing the collection, use, disclosure, and care of personal data.
More informationThis Applicant Privacy Notice Continental Europe is dated: July 2012 WILLIS.COM: PRIVACY NOTICE
Applicant Privacy Notice for Positions in Willis Companies Located in the European Union and European Economic Area Excluding the United Kingdom ( Applicant Privacy Notice Continental Europe ) This Applicant
More informationData Protection Policy and Code of Practice
Data Protection Policy and Code of Practice All our written information can be made available, on request, in a range of different formats and languages. If you would like this document in any other language
More informationPRACTICAL LAW DATA PROTECTION MULTI-JURISDICTIONAL GUIDE 2012/13. The law and leading lawyers worldwide
PRACTICAL LAW MULTI-JURISDICTIONAL GUIDE 2012/13 The law and leading lawyers worldwide Essential legal questions answered in 30 key jurisdictions Analysis of critical legal issues AVAILABLE ONLINE AT WWW.PRACTICALLAW.COM/DATAPROTECTION-MJG
More informationBriefly summarised, SURFmarket has submitted the following questions to the Dutch DPA:
UNOFFICIAL TRANSLATION Written opinion on the application of the Wet bescherming persoonsgegevens [Dutch Data Protection Act] in the case of a contract for cloud computing services from an American provider
More informationData controllers and data processors: what the difference is and what the governance implications are
ICO lo : what the difference is and what the governance implications are Data Protection Act Contents Introduction... 3 Overview... 3 Section 1 - What is the difference between a data controller and a
More informationTERMS & CONDITIONS of SERVICE for MSKnote. Refers to MSKnote Limited. Refers to you or your organisation
TERMS & CONDITIONS of SERVICE for MSKnote Definitions: "Us or Our or We or Company" You or Your or Client Refers to MSKnote Limited Refers to you or your organisation Information about us: We are MSKnote
More informationCouncil Policy. Records & Information Management
Council Policy Records & Information Management COUNCIL POLICY RECORDS AND INFORMATION MANAGEMENT Policy Number: GOV-13 Responsible Department(s): Information Systems Relevant Delegations: None Other Relevant
More informationMIS Privacy Statement. Our Privacy Commitments
MIS Privacy Statement Our Privacy Commitments MIS Training Institute Holdings, Inc. (together "we") respect the privacy of every person who visits or registers with our websites ("you"), and are committed
More informationMicrosoft Online Services - Data Processing Agreement
Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID This Amendment consists of
More informationConsolidated Insurance Mediation Act 1
Consolidated Insurance Mediation Act 1 Act no. 930 of 18 September 2008 This is an Act to consolidate the Insurance Meditation Act, cf. Consolidated Act no. 401 of 25 April 2007, as amended by section
More informationGUIDE TO THE ISLE OF MAN DATA PROTECTION ACT. CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4
GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4 PREFACE The following provides general guidance on data protection
More informationPolicy and Procedure Title: Maintaining Secure Learner Records Policy No: CCTP1001 Version: 1.0
PROVIDER NAME: POLICY AREA: College of Computing Technology (CCT) Standard 10: Information Management, Student Information System & Data Protection Policy and Procedure Title: Maintaining Secure Learner
More informationCLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES:
CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES: Privacy Responsibilities and Considerations Cloud computing is the delivery of computing services over the Internet, and it offers many potential
More informationNorwegian Data Inspectorate
Norwegian Data Inspectorate Narvik kommune Postboks 64 8501 NARVIK Norway Your reference Our reference (please quote in any reply) Date 1111/1210-6/PEJA 11/00593-7/SEV 16 January 2012 Notification of decision
More informationData protection compliance checklist
Data protection compliance checklist What is this checklist for? This checklist is drawn up on the basis of analysis of the relevant provisions of European law. Although European law aims at harmonizing
More informationResponsibilities of Custodians and Health Information Act Administration Checklist
Responsibilities of Custodians and Administration Checklist APPENDIX 3 Responsibilities of Custodians in Administering the Each custodian under the Act must establish internal processes and procedures
More informationNewcastle University Information Security Procedures Version 3
Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations
More informationDanske Bank Group Certificate Policy
Document history Version Date Remarks 1.0 19-05-2011 finalized 1.01 15-11-2012 URL updated after web page restructuring. 2 Table of Contents 1. Introduction... 4 2. Policy administration... 4 2.1 Overview...
More informationInformation Governance Policy
Information Governance Policy 1 Introduction Healthwatch Rutland (HWR) needs to collect and use certain types of information about the Data Subjects who come into contact with it in order to carry on its
More informationBusiness Merchant Capture Agreement. A. General Terms and Conditions
Business Merchant Capture Agreement A. General Terms and Conditions Merchant Capture (MC), the Service, allows you to deposit checks to your LGE Business Account from remote locations by electronically
More informationWelcome to our job search and application platform (the Platform ). Please read our Legal Terms (which includes our Privacy Policy) carefully.
LEGAL TERMS AND PRIVACY POLICY Welcome to our job search and application platform (the Platform ). Please read our Legal Terms (which includes our Privacy Policy) carefully. The Platform is accessible
More informationHIPAA Compliance and the Protection of Patient Health Information
HIPAA Compliance and the Protection of Patient Health Information WHITE PAPER By Swift Systems Inc. April 2015 Swift Systems Inc. 7340 Executive Way, Ste M Frederick MD 21704 1 Contents HIPAA Compliance
More information2) applied methods and means of authorisation and procedures connected with their management and use;
Guidelines on the way of developing the instruction specifying the method of managing the computer system used for personal data processing, with particular consideration of the information security requirements.
More informationData Protection Policy.
Data Protection Policy. Data Protection Policy Foreword 2 Foreword Ladies and Gentlemen, In the information age, we offer customers the means to be always connected, even in their cars. This requires data
More informationPolicy and Procedure for approving, monitoring and reviewing personal data processing agreements
Policy and Procedure for approving, monitoring and reviewing personal data processing agreements 1 Personal data processing by external suppliers, contractors, agents and partners Policy and Procedure
More informationPrivacy and Electronic Communications Regulations
ICO lo Notification of PECR security breaches Privacy and Electronic Communications Regulations Contents Introduction... 2 Overview... 2 Relevant security breaches... 3 What is a service provider?... 3
More informationCloud Computing: Legal Risks and Best Practices
Cloud Computing: Legal Risks and Best Practices A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012 Introduction Security and Data Privacy Recent
More informationon the transfer of personal data from the European Union
on the transfer of personal data from the European Union BCRsseptembre 2008.doc 1 TABLE OF CONTENTS I. PRELIMINARY REMARKS 3 II. DEFINITIONS 3 III. DELEGATED DATA PROTECTION MANAGER 4 IV. MICHELIN GROUP
More informationDATA PROTECTION POLICY
DATA PROTECTION POLICY Approval date: June 2014 Approved by: Board Responsible Manager: Executive Director of Resources Next Review June 2016 Data Protection Policy 1. Introduction Data Protection Policy
More informationAPPROPRIATE USE OF INFORMATION TECHNOLOGY SYSTEMS INFRASTRUCTURE RESOURCES
APPROPRIATE USE OF INFORMATION TECHNOLOGY SYSTEMS (INCLUDING INTERNET & E-MAIL) EMC CORPORATE POLICY COPYRIGHT 2007 EMC CORPORATION. ALL RIGHTS RESERVED. NO PORTION OF THIS MATERIAL MAY BE REPRODUCED,
More informationRecords Management Policy.doc
INDEX Pages 1. DESCRIPTORS... 1 2. KEY ROLE PLAYERS... 1 3. CORE FUNCTIONS OF THE RECORDS MANAGER... 1 4. CORE FUNCTIONS OF THE HEAD OF REGISTRIES... 1 5. PURPOSE... 2 6. OBJECTIVES... 2 7. POLICY... 2
More informationPractical Overview on responsibilities of Data Protection Officers. Security measures
Practical Overview on responsibilities of Data Protection Officers Security measures Manuel Villaseca Spanish Data Protection Agency mvl@agpd.es Security measures Agenda: The rol of DPO on security measures
More information235.1. Federal Act on Data Protection (FADP) Aim, Scope and Definitions
English is not an official language of the Swiss Confederation. This translation is provided for information purposes only and has no legal force. Federal Act on Data Protection (FADP) 235.1 of 19 June
More informationData Protection Policy Information for Clients
Data Protection Policy Information for Clients Foreword This document outlines Numis Securities Limited s ( the Firm or Numis ) legal obligations and policy on data protection. Further information can
More informationFollow the trainer s instructions and explanations to complete the planned tasks.
CERT Exercises Toolset 171 20. Exercise: CERT participation in incident handling related to Article 4 obligations 20.1 What will you learn? During this exercise you will learn about the rules, procedures
More informationDATA AND PAYMENT SECURITY PART 1
STAR has teamed up with Prevention of Fraud in Travel (PROFiT) and the Fraud Intelligence Network (FIN) to offer our members the best advice about fraud prevention. We recognise the increasing threat of
More informationProcessor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries
Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Sopra HR Software as a Data Processor Sopra HR Software, 2014 / Ref. : 20141120-101114-m 1/32 1.
More informationROEHAMPTON UNIVERSITY DATA PROTECTION POLICY
ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY Originated by: Data Protection Working Group: November 2008 Impact Assessment: (to be confirmed) Recommended by Senate: 28 January 2009 Approved by Council:
More informationSouthern Law Center Law Center Policy #IT0004. Title: Email Policy
Southern Law Center Law Center Policy #IT0004 Title: Email Policy Authority: Department Original Adoption: 7/20/2007 Effective Date: 7/20/2007 Last Revision: 9/17/2012 1.0 Purpose: To provide members of
More informationInformation Governance Framework. June 2015
Information Governance Framework June 2015 Information Security Framework Janice McNay June 2015 1 Company Thirteen Group Lead Manager Janice McNay Date of Final Draft and Version Number June 2015 Review
More informationLast updated: 30 May 2016. Credit Suisse Privacy Policy
Last updated: 30 May 2016 Credit Suisse Please read this privacy policy (the ) as it describes how we intend to collect, use, store, share, and safeguard your information. By accessing, visiting or using
More informationREVENUE REGULATIONS NO. 9-2009 issued on December 29, 2009 defines the requirements, obligations and responsibilities imposed on taxpayers for the
REVENUE REGULATIONS NO. 9-2009 issued on December 29, 2009 defines the requirements, obligations and responsibilities imposed on taxpayers for the maintenance, retention and submission of electronic records.
More informationMerthyr Tydfil County Borough Council. Data Protection Policy
Merthyr Tydfil County Borough Council Data Protection Policy 2014 Cyfarthfa High School is a Rights Respecting School, we recognise the importance of ensuring that the United Nations Convention of the
More informationROYAL AUSTRALASIAN COLLEGE OF SURGEONS
1. SCOPE This policy details the College s privacy policy and related information handling practices and gives guidelines for access to any personal information retained by the College. This includes personal
More informationCROATIAN PARLIAMENT 1364
CROATIAN PARLIAMENT 1364 Pursuant to Article 88 of the Constitution of the Republic of Croatia, I hereby pass the DECISION PROMULGATING THE ACT ON PERSONAL DATA PROTECTION I hereby promulgate the Act on
More informationThe HR Skinny: Effectively managing international employee data flows
The HR Skinny: Effectively managing international employee data flows Topics we will cover today Laws affecting HR data flows HR international data protection challenges and strategic solutions Case study
More informationAstaro Services AG Rheinweg 7, CH-8200 Schaffhausen. Supplementary data protection agreement. to the license agreement for license ID: between
Astaro Services AG Rheinweg 7, CH-8200 Schaffhausen Supplementary data protection agreement to the license agreement for license ID: between...... represented by... Hereinafter referred to as the "Client"
More informationInformation Circular
Information Circular Enquiries to: Brooke Smith Senior Policy Officer IC number: 0177/14 Phone number: 9222 0268 Date: March 2014 Supersedes: File No: F-AA-23386 Subject: Practice Code for the Use of Personal
More informationTerms and conditions of business for a NemID administrator of commercial NemID
Terms and conditions of business for a NemID administrator of commercial NemID 1 Background...2 2 Scope and object...3 3 Administrator and Certificates...3 3.1 General obligations of the Customer...3 3.2
More informationFINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information
FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1
More informationBRING YOUR OWN DEVICE
BRING YOUR OWN DEVICE Legal Analysis & Practical TIPs for an effective BYOD corporate Policy CONTENTS 1. What is BYOD? 2. Benefits and risks of BYOD in Europe 3. BYOD and existing Policies 4. Legal issues
More informationBUSINESS ASSOCIATE AGREEMENT ( BAA )
BUSINESS ASSOCIATE AGREEMENT ( BAA ) Pursuant to the terms and conditions specified in Exhibit B of the Agreement (as defined in Section 1.1 below) between EMC (as defined in the Agreement) and Subcontractor
More informationData Protection and Cloud Computing: an Overview of the Legal Issues
Data Protection and Cloud Computing: an Overview of the Legal Issues Christopher Kuner Partner, Hunton & Williams, Brussels Research Assistant, University of Copenhagen Nordic IT Law Conference Copenhagen,
More informationTERRITORY RECORDS OFFICE BUSINESS SYSTEMS AND DIGITAL RECORDKEEPING FUNCTIONALITY ASSESSMENT TOOL
TERRITORY RECORDS OFFICE BUSINESS SYSTEMS AND DIGITAL RECORDKEEPING FUNCTIONALITY ASSESSMENT TOOL INTRODUCTION WHAT IS A RECORD? AS ISO 15489-2002 Records Management defines a record as information created,
More informationSouthern Law Center Law Center Policy #IT0014. Title: Privacy Expectations for SULC Computing Resources
Southern Law Center Law Center Policy #IT0014 Title: Privacy Expectations for SULC Computing Resources Authority: Department Original Adoption: 5/7/2007 Effective Date: 5/7/2007 Last Revision: 9/17/2012
More informationElectronic business conditions of use
Electronic business conditions of use This document provides Water Corporation s Electronic Business Conditions of Use. These are to be applied to all applications, which are developed for external users
More informationZinc Recruitment Pty Ltd Privacy Policy
1. Introduction Zinc Recruitment Pty Ltd Privacy Policy We manage personal information in accordance with the Privacy Act 1988 and Australian Privacy Principles. This policy applies to information collected
More informationHIPAA Compliance Guide
HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care
More informationCloud Service Contracts: An Issue of Trust
Cloud Service Contracts: An Issue of Trust Marie Demoulin Assistant Professor Université de Montréal École de Bibliothéconomie et des Sciences de l Information (EBSI) itrust 2d International Symposium,
More information