Cloud computing and the legal framework


Cloud computing and the legal framework - Guidance on legislative requirement and the contractual environment related to cloud computing

Content

1. Introduction
2. The Danish Act on Processing of Personal Data and the accompanying Executive Order on Security
   2.1 No processing of personal data
   2.2 Processing of personal data
       Authority to process personal data
       The data controller's leave of personal data to a data processor (cloud supplier)
       The security requirements of the Act on Processing of Personal Data
       Data processor agreement
       Cloud supplier outside the EU, including special rules for transfer to locations outside the EU
   Duty of notification
   2.4 Certain critical information
3. Other relevant legislation
   3.1 The Bookkeeping Act (Bogføringsloven)
   3.2 The Audit Act (Regnskabsloven)
   3.3 The Archive Act (Arkivloven)

1. Introduction

Cloud computing is expected to become more and more widespread in the future. The Agency for Digitisation has, therefore, in cooperation with Kammeradvokaten, the legal adviser to the Danish Government, prepared this guidance for the purpose of reviewing matters which both the customer (e.g. a public authority) and the supplier of the cloud solution should consider and be aware of when forming a contract regarding cloud computing.

In most cases, much data in a cloud solution will consist of personal data. Therefore the focus of this guidance is on legal matters relating to personal data. For explanatory notes, see chapter 2 below.

In relation to chapter 2 below, please note the importance of the customer's awareness of what data is entrusted to the supplier in relation to the cloud solution. The Danish Act on Processing of Personal Data limits what data may freely be entrusted to a supplier in a cloud solution. Furthermore, the Danish Act on Processing of Personal Data and the accompanying Executive Order on Security contain rules on obtaining prior consent from the Danish Data Protection Agency for the solution in question. Therefore, the customer must, prior to forming a contract, carefully consider what data is to be managed by the cloud supplier in order to comply with the Danish Act on Processing of Personal Data and the accompanying Executive Order on Security.

Notes by the Danish Data Protection Agency in relation to legal matters regarding personal data are incorporated in the guidance.

Chapter 3 gives a brief introduction to other relevant legislation, which in certain cases may be important to cloud computing.

It is recommended to read the guidance in full. The guidance addresses both public authorities and private companies.

2. The Danish Act on Processing of Personal Data and the accompanying Executive Order on Security

The Danish Act on Processing of Personal Data (act nr 429 of 31 May 2000 on processing of personal data as amended) regulates processing of personal data.

The term personal data comprises any data regarding an identified or identifiable natural person, cf. s 3, (1). The term covers data that can be related to a natural person even if doing so requires knowledge of a personal identification number, registration number or similar specific identification such as e.g. a serial number, regardless of whether the data is on record or instantaneously obtainable. The definition also comprises circumstances under which personal data can be related to a person only by someone in the know.

As an example, an address or an IP address may be personal data and thereby comprised by the Danish Act on Processing of Personal Data, because it would be possible to relate the IP address to a certain computer and its owner. An , therefore, does not have to contain the name or address of the receiver to be considered personal data.

The Danish Act on Processing of Personal Data only applies, apart from a few exceptions, to data about natural persons and not to data about legal persons.

The Danish Act on Processing of Personal Data comprises processing of data by public authorities as well as by the private sector. The same legislation therefore applies to both the public and private sector.

Pursuant to the Danish Act on Processing of Personal Data, several Executive Orders have been issued, among other things regarding the requirements for data security. Further rules are set for the public administration in the Executive Order on Security. [1] The executive order applies to any processing of personal data done within the public administration entirely or partly by means of electronic data processing. The executive order defines the technical and organisational precautionary measures which, as a minimum, need to be taken in the public administration in consideration of processing security (data security).

The review in chapter 2 is not exhaustive, and the customer must in any case assess compliance with the Danish Act on Processing of Personal Data, if necessary by seeking legal assistance from the Danish Data Protection Agency.

2.1 No processing of personal data

If a customer wishes to form a contract regarding a cloud solution in which no personal data is processed, the Danish Act on Processing of Personal Data does not limit exchange or transfer of data to a cloud supplier. In such a case there is no need to include in the contract special terms and conditions in compliance with the Danish Act on Processing of Personal Data.

This could e.g. be a cloud solution for operation of a statistical application not containing personal data. In such an event there are no limitations for the customer with regard to forming a contract with the cloud supplier, regardless of its location.

[1] Consolidated act nr 528 of 15th June 2000 as changed by act nr 201 of 22nd March 2001

2.2 Processing of personal data

When processing personal data, compliance with the Danish Act on Processing of Personal Data is required. In this context, processing means any operation or number of operations, with or without use of electronic data processing, that the data is subjected to, cf. s. 3 (2).

The processing term comprises any processing of data, e.g. collecting, registration, systemising, storage, alteration, search, transmission, entrusting, releasing, juxtaposition, multiprogramming, blocking, deletion or destruction.

Authority to process personal data

Regardless of what solution is chosen for managing personal data, it is important to be aware of the related provisions. Both the Danish Act on Processing of Personal Data and special rules in other legislation limit what kind of data may be included as well as the usage of that data, e.g. disclosure of data.

Personal data can be divided into:

- Regular, non-sensitive data (section 6)
- Sensitive personal data (section 7, e.g. data about race, political background, religion etc.)
- Other types of sensitive personal data (section 8, e.g. data about criminal record, social issues etc.)

Whether there is legal basis for processing personal data is determined by e.g. the purpose and the character of the data (section 6, 7 or 8 data respectively).

Any processing of personal data must comply with the basic requirements of section 5 on proper data management ethics and the requirement that the purpose of processing the data must be specified and factual. It is also required that the data managed must be relevant and adequate. Processing must be carried out so that the data is updated properly. Furthermore, the data may not be stored in a way that makes it possible to identify the data subjects for a longer period of time than necessary for the purpose of the data processing, cfr. section 5, sub-sections

The data controller's leave of personal data to a data processor (cloud supplier)

Section 3, nr 4 and 5 of the Act on Processing of Personal Data defines the terms data controller and data processor. A cloud supplier will in most cases be a data processor.

The data controller decides for what purpose and by which aids personal data may be processed, while the data processor processes personal data on behalf of the data controller. The data controller is effectively responsible for processing personal data and controls the data.

A data processor may perform the practical processing of personal data on behalf of the data controller. It is up to the data controller to decide whether the data processor is to process the data on behalf of the data controller. It is the data controller's responsibility that processing complies with the legislation; this also applies to data processed by the data processor.

The security requirements of the Act on Processing of Personal Data

A number of factors require attention regardless of whether data is left with a cloud supplier in Denmark, another EU country or a third country. It is the data controlling authority's responsibility that the Act on Processing of Personal Data and the Executive Order on Security are complied with by the data processor.

The rules of the Executive Order on Security apply to processing of personal data in the public administration.

Security requirements in the private sector

For the private sector, there is also legal basis to issue an executive order on security requirements, but such legal basis has not been exercised. However, the Danish Data Protection Agency has in concrete cases set further rules on security precautions by making use of rules which state that the Agency may set terms when issuing licenses. The Danish Data Protection Agency has furthermore on different occasions recommended that private companies, to the widest possible extent, prepare security measures corresponding to the Executive Order on Security.

Additionally, the Danish Data Protection Agency has set a number of requirements and recommendations for the private sector in relation to transfer of personal data via the internet. These may be read at the Danish Data Protection Agency's website:

The data controller must produce a total risk assessment of whether a given solution supplies a sufficient security level. The risk assessment may be based on a standard for data security such as ISO/IEC or DS 484, which is the common governmental standard for data security. Both contain examples of the elements a risk assessment may comprise. For a cloud solution, inspiration for the risk assessment may be found in ENISA's [2] publication Cloud computing Benefits, risks and recommendations for data security. (See the check list on page in the report):

In any case the data controller must ensure that the data processing by the data processor complies with the Danish security requirements described in the Act on Processing of Personal Data sections and the Executive Order on Security. These requirements are described in the following.

The aim of the security requirements is first and foremost that both public and private data controllers and data processors must implement the necessary technical and organisational security measures against accidental or unlawful destruction, loss or alteration and against unauthorized disclosure, abuse or other processing in violation of section 41, 3 of the Act on Processing of Personal Data.

For processing of personal data for public authorities, this is further described in the national security executive order (publication nr 528 of 15th June 2000 as changed by publication nr 201 of 22nd March 2001) and security guidelines (the Danish Data Protection Agency's guidelines nr 37 of 2nd April 2001).

According to the Executive Order on Security, the Danish Data Protection Agency is entitled to make recommendations to the data controlling authority with regard to the security measures taken.

The Executive Order on Security and the security guidelines, to which references are made in the following, describe and elaborate on the technical and organisational security measures which, for the sake of data security, must be taken in the public administration in accordance with the general rules for security measures in sections. These requirements, from the Executive Order on Security, must as a minimum be observed.
In addition, the security measures taken must reflect that the processing of personal data in a cloud solution is done via the internet, which tightens the requirements for data security.

The Act on Processing of Personal Data, the Executive Order on Security and the security guidelines describe a number of security measures which must be met when processing personal data for the public administration. Below is a list of some of those security measures especially relevant to cloud solutions. It is noted that the list is not exhaustive but merely highlights some of the present measures in general:

- Personal data must be deleted after processing
- When discarding or distributing used data media, it must be ensured that personal data is not accessible to unauthorised persons
- When transmitting data through the open internet, encryption of data is a minimum requirement
- Authentication (sender's and receiver's identity) and integrity (the validity of the transmitted data) must be secured to such extent as circumstances may require, e.g. by using two-factor authentication
- It must be ensured that only authorised users can access the system. Rejected access attempts must be monitored
- The Executive Order on Security, section 19 on logging must be observed.

[2] European Network and Data Security Agency

If the data processor is located in an EU country other than Denmark, the data processor must also comply with the security requirements of the EU country in question, cfr. the Act on Processing of Personal Data, section 42, 2 and

Data processor agreement

When a data controller transfers data to a data processor, the data controller must actively ensure that the data processor observes the necessary data security. E.g. it is required that a written agreement (a data processor agreement) is signed between the data controller and the data processor when personal data is transferred, cfr. the Act on Processing of Personal Data section 42, nr 2, 1 and the Executive Order on Security section 7.

The agreement must state that the data processor acts solely on instructions from the data controller. Furthermore, the agreement must state that the data processor must take the necessary technical and organisational security measures.

If the data controller is a public authority, the data processor agreement must state that the rules of the Executive Order on Security are observed by the data processor.

Cloud supplier outside the EU, including special rules for transfer to locations outside the EU

The Act on Processing of Personal Data section 27 regulates when data may be transferred to e.g. data processors in a third country (countries outside the EU/EEA). As a general rule, when personal data is transferred to third countries under section 27, the rules of the Act on Processing of Personal Data must still be met, cfr. section 27, nr 5.

When using a cloud supplier outside the EU, the following options are available for transferring data to third countries:

A. Transfer to a secure third country
B. Safe Harbor agreement
C. The Commission's model clauses on transferring data to third countries

A. Transfer to a secure third country

The Act on Processing of Personal Data section 27, nr 1 states that data may only be transferred to a third country if the security level of the country in question is sufficient.

As of 15th June 2010, the Commission has deemed that the following third countries have a sufficient security level in general, by either legislation or other precautionary measures: Switzerland, Canada (on a limited scale), Argentina, Guernsey, USA (on a limited scale), Isle of Man, Jersey, Faroe Islands, Andorra and Israel. The register of generally approved countries can be found on the Danish Data Protection Agency's website.

Transfer of data to cloud suppliers in these countries may therefore be done in accordance with the Act on Processing of Personal Data section 27, nr 1. Such transfer does, in certain cases, require permission from the Danish Data Protection Agency, cfr. the Act on Processing of Personal Data section 50, nr 2.

B. The Safe Harbor Agreement

As mentioned above, data may only be transferred to a third country if the security level of the country in question is sufficient, cfr. the Act on Processing of Personal Data section 27, nr 1.

The EU Commission has decided that American companies affiliated with the so-called Safe Harbor Agreement presumably meet a sufficient protection level for personal data transferred from the EU to these companies. Transfer of personal data to such companies may therefore be done according to the Act on Processing of Personal Data section 27, nr 1. Such transfer does, in certain cases, require permission from the Danish Data Protection Agency, cfr. the Act on Processing of Personal Data section 50, nr 2.

C. The EU Commission's model clauses on transfer to third countries

In those cases where the security level of the third country is not sufficient (and where the enumerated exceptions in the Act on Processing of Personal Data section 27, nr 3 do not render transfer possible), the Danish Data Protection Agency may authorise transfer of data to the third country. Such authorisation is conditional on the data controller providing sufficient guarantees for protection of the rights of those registered. This is stated in the Act on Processing of Personal Data section 27, nr 4.

The Commission has found that the requirement in section 27, nr 4 on requisite guarantees for sufficient protection of the rights of those registered may be met through certain standard contractual clauses.

Provided that the data controller enters into an agreement with a cloud supplier on terms based on the Commission's model clauses, transfer of personal data to the cloud supplier may be authorised.

Furthermore, the model clauses provide the option that only one authorisation for transfer of personal data to a given data processor in a third country has to be obtained, even when the data processor uses sub-data processors also based in third countries.

If the data processor is based within the EU and uses sub-data processors in a third country, transfer of personal data may happen if:

- The data controller within the EU enters into an agreement, with terms based on the standard contractual clauses of the Commission, directly with a sub-data processor in a third country, or
- The data controller authorises the data processor in the EU to agree terms with the sub-data processors in the name of and on behalf of the data controller.

The Commission's model clauses are available on the Commission's website on the following link:

Furthermore, reference is made to the information on transfer of information to third countries on the Danish Data Protection Agency's website.

Duty of notification

The Act on Processing of Personal Data contains a principal rule that the Danish Data Protection Agency must be notified before processing of personal data is executed. In relation to the notification, the Danish Data Protection Agency must, when the notification concerns personal data comprised by sections 7 and 8, issue an authorisation or a statement before the processing.

This applies in relation to both cloud computing and other cases where personal data is processed. In most cases public authorities and private companies will have notified the Danish Data Protection Agency beforehand.

If the IT architecture that forms the basis for a solution is changed, e.g. if parts of the IT system are converted into cloud solutions, it is not always necessary to re-notify the Danish Data Protection Agency about the processing of personal data. In some cases, it will only be necessary to update the existing notification.

Initially, it is up to the data controller to assess whether the previous notification remains valid or whether the conversion requires a new notification or an update of the current notification, e.g. when converting something into a cloud computing solution.

Reference is made to the Act on Processing of Personal Data chapter 12 (sections 43-47) and the Danish Data Protection Agency's guidelines nr 125 of July 10th 2000 regarding notification of processing done on behalf of the public administration. Furthermore, reference is made to the Act on Processing of Personal Data chapter 13 (sections 48-51) regarding notification of processing done on behalf of private data controllers. These documents can be found on the Danish Data Protection Agency's website.

It should also be noted that transfer of personal data to third countries in certain cases requires authorisation from the Danish Data Protection Agency, cfr. the Act on Processing of Personal Data section 50, nr 2.

The duty of notification lies with the data controller even when the processing of personal data, according to a data processing agreement, is carried out by a data processor.

2.4 Certain critical information

When the data controller, as a public authority, processes data of special interest to foreign powers, precautions must be taken to ensure that the data can be disposed of or destroyed in the event of war or other such events, cfr. the Act on Processing of Personal Data section 41, nr 4.

This rule primarily concerns data included in registers which may be of special interest to a foreign power, e.g. to help find individuals with special training or education, or special equipment like vehicles etc., which may help the foreign power in case of occupation etc.

This rule, the so-called war-rule, entails that e.g. information from the Civil Register (CPR-registret), central tax registers and other special registers in general must not be transferred to a data processor outside Denmark.

Whether the data controlling authority in such a case can transfer personal data comprised by the Act on Processing of Personal Data section 41, nr 4 to a cloud supplier relies on an individual assessment, firstly made by the data controller himself. If the data controller is in doubt, he may contact the Danish Data Protection Agency.

3. Other relevant legislation

In this section, other legislation which in some cases may be relevant to observe in relation to cloud computing is presented.

3.1 The Bookkeeping Act (Bogføringsloven)

The Bookkeeping Act [3] regulates the general minimum requirements for a company's bookkeeping.

According to the Bookkeeping Act section 10, financial records must be stored adequately secure for 5 years from the end of the financial year the records concern. This includes that the financial records, during the entire storage period, must be protected against theft, fire or other intended or unintended destruction or disposal insofar as it is reasonable. If the records are stored digitally, continuous backup of the records must be made and the backup copy must be reviewed for readability.

The basis of the Bookkeeping Act section 12 is that financial records must be stored in Denmark or in the Nordic countries [4]. This applies to both physical appendices and digital data. Hence, if financial records are stored on a server physically placed outside Denmark, a complete copy must be kept in Denmark. It is not adequate to have online access to the foreign server where the financial records are stored.

If the financial records are stored on a foreign server (e.g. by a cloud service), it is, therefore, necessary to download a copy of the records electronically or make sure that a paper copy is available. The electronic copy must be placed on a server in Denmark and be retrievable, readable and printable without having to be processed. According to the regulations of the Bookkeeping Act it will be adequate to make such a copy (electronically or on paper) on a monthly basis.

The rule that financial records as a starting point must be stored in Denmark is i.a. based on the consideration that public authorities must be able to perform their tasks. The purpose of the storage requirements is to ensure that e.g. the Central Tax Administration (SKAT) has easy access to financial records in connection with inspection or investigation.

The Danish Commerce and Companies Agency may, upon prior application, grant exemption from the above requirements concerning storage of financial records in Denmark. Based on the above-mentioned considerations, the Danish Commerce and Companies Agency has as yet only in special circumstances, and subject to a number of additional conditions, granted exemption for storing financial records exclusively abroad. For appendices, exemption for storage exclusively abroad cannot be granted.

Financial records may at all times be stored abroad, provided that an exact copy of the financial records exists in Denmark, e.g. electronically.

3.2 The Audit Act (Regnskabsloven)

The governmental accountancy is regulated according to the Audit Act and the Danish Executive Order on the Preparation of Financial Statements [5].

[3] Consolidated act nr 648 of 15th June Act nr 250 of 23rd March 2006 about storing financial records abroad
[5] Act nr 131 of 28th March 1984 on the Government's accountancy etc.

Similar to business enterprises, financial records for governmental institutions must be stored adequately secure for 5 years from the end of the financial year the records concern, unless a longer period follows from other legislation. The records must be kept so that, during the entire storage period, independent and unequivocal retrieval of the records in question is possible, cfr. section 44 of the Danish Executive Order on the Preparation of Financial Statements.

The basis for the Audit Act section 45 is that financial records must be stored in Denmark. This applies to both physical appendices and digital data. As with the Bookkeeping Act described above, this regulation means that financial records may be stored on a server abroad provided that an exact copy of the records is made on a monthly basis at a minimum. Such a copy must be placed on a server in Denmark or kept on paper.

The Agency for Governmental Management can grant exemption from section 45 for institutions which need to store financial records in the Nordic countries (Finland, Iceland, Norway and Sweden).

3.3 The Archive Act (Arkivloven)

The Archive Act [6] and subjacent regulations concern public authorities' archives. The Archive Act is only relevant in relation to cloud computing if an authority chooses to store or run its casework system in a cloud solution. In such a case the authority must observe the rules of the Archive Act.

The Government's archives assume responsibility for preservation of the individual archives when these are transferred to the Government's archives, cfr. section 8, nr 3. Until then, authorities must make sure to observe archival considerations, including that archives are stored adequately secure, cfr. section 8, nr 1. Furthermore, authorities must, according to section 8, nr 2, make sure that archives stored digitally are kept so that they can be transferred to public archives.

In-depth regulations on archival considerations (cfr. section 8 nr 1) about processing, storage and discarding of government agencies' archives can be found in the Danish Executive Order on the Preparation of Archives [7].

[6] Consolidated act nr 1035 of 21st August Act nr 591 of 26 March 2003 on public archives and public archives activities.


<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129 Addendum Amendment ID Proposal ID Enrollment number Microsoft to complete This addendum ( Windows Azure Addendum ) is entered into between the parties identified on the signature form for the

More information

LEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT

LEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT LEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT 2300 Pursuant to its authority from Article 59 of the Rules of Procedure of the Croatian Parliament, the Legislation Committee determined the revised text

More information

INTERNET AND EMAIL SECURITY

INTERNET AND EMAIL SECURITY NEWS FROM PLESNER JUNI 2008 INTERNET AND EMAIL SECURITY Introduction By Attorney-at-Law, junior-partner Michael Hopp In Denmark, a data controller must implement appropriate technical and organizational

More information

Supplier IT Security Guide

Supplier IT Security Guide Revision Date: 28 November 2012 TABLE OF CONTENT 1. INTRODUCTION... 3 2. PURPOSE... 3 3. GENERAL ACCESS REQUIREMENTS... 3 4. SECURITY RULES FOR SUPPLIER WORKPLACES AT AN INFINEON LOCATION... 3 5. DATA

More information

This Amendment consists of two parts. This is part 1 of 2 and must be accompanied by and signed with part 2 of 2 (Annex 1) to be valid.

This Amendment consists of two parts. This is part 1 of 2 and must be accompanied by and signed with part 2 of 2 (Annex 1) to be valid. Microsoft Online Subscription Agreement Amendment adding Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Proposal ID MOSA number Microsoft to complete This Amendment

More information

Data Protection Consent Clause and Policy Background

Data Protection Consent Clause and Policy Background Data Protection Consent Clause and Policy Background The Singapore Personal Data Protection Act - 2012 (PDPA) establishes a data protection law that comprises various rules governing the collection, use,

More information

A list of CIArb subsidiaries relevant to this notice and their activities is set out below.

A list of CIArb subsidiaries relevant to this notice and their activities is set out below. CHARTERED INSTITUTE OF ARBITRATORS DATA PRIVACY NOTICE INTRODUCTION This data protection notice explains what personal data will be collected by the Chartered Institute of Arbitrators and its subsidiary

More information

GSK Public policy positions

GSK Public policy positions Safeguarding Personally Identifiable Information A Summary of GSK s Binding Corporate Rules The Issue The processing of Personally Identifiable Information (PII) 1 and Sensitive Personally Identifiable

More information

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document Data Protection Processing and Transfer of Personal Data in Kvaerner Binding Corporate Rules Public Document 1 of 19 1 / 19 Table of contents 1 Introduction... 4 1.1 Scope... 4 1.2 Definitions... 4 1.2.1

More information

On Data Protection and the Detailed and Uniform Data Management Regulation

On Data Protection and the Detailed and Uniform Data Management Regulation Rector s Directive No. 1/2013 On Data Protection and the Detailed and Uniform Data Management Regulation Budapest, 2013 Version effective as of 31 January 2013 Directives on Data Protection and the Uniform

More information

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 --------------

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 -------------- w Microsoft Volume Licensing Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 Enrollment for Education Solutions number Microsoft to complete --------------

More information

Clause 1. Definitions and Interpretation

Clause 1. Definitions and Interpretation [Standard data protection [agreement/clauses] for the transfer of Personal Data from the University of Edinburgh (as Data Controller) to a Data Processor within the European Economic Area ] In this Agreement:-

More information

Information Security Risks when going cloud. How to deal with data security: an EU perspective.

Information Security Risks when going cloud. How to deal with data security: an EU perspective. Separating fact from fiction about new software licensing /SaaS/ cloud computing models: advantages, disadvantages and ethical implications. Information Security Risks when going cloud. How to deal with

More information

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10 Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID This Microsoft Online Services Security Amendment ( Amendment ) is between

More information

Privacy and Cloud Computing for Australian Government Agencies

Privacy and Cloud Computing for Australian Government Agencies Privacy and Cloud Computing for Australian Government Agencies Better Practice Guide February 2013 Version 1.1 Introduction Despite common perceptions, cloud computing has the potential to enhance privacy

More information

The eighth data protection principle and international data transfers

The eighth data protection principle and international data transfers Data Protection Act 1998 The eighth data protection principle and international data transfers The Information Commissioner s recommended approach to assessing adequacy including consideration of the issue

More information

Corporate Policy. Data Protection for Data of Customers & Partners.

Corporate Policy. Data Protection for Data of Customers & Partners. Corporate Policy. Data Protection for Data of Customers & Partners. 02 Preamble Ladies and gentlemen, Dear employees, The electronic processing of virtually all sales procedures, globalization and growing

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

PRIVACY REGULATIONS regarding the Web Health History ("W.H.H.") Service called LifepassportPRO provided by Meshpass SA

PRIVACY REGULATIONS regarding the Web Health History (W.H.H.) Service called LifepassportPRO provided by Meshpass SA PRIVACY REGULATIONS regarding the Web Health History ("W.H.H.") Service called LifepassportPRO provided by Meshpass SA Updated: 20 Jun 2015 (substitutes previous versions) This Privacy Policy describes

More information

Type of Personal Data We Collect and How We Use It

Type of Personal Data We Collect and How We Use It Philips Lumify App Privacy Notice This Privacy Notice was last changed on September 1, 2015. Philips Electronics North America Corporation ("Philips") strongly believes in protecting the privacy of the

More information

CCBE RESPONSE REGARDING THE EUROPEAN COMMISSION PUBLIC CONSULTATION ON CLOUD COMPUTING

CCBE RESPONSE REGARDING THE EUROPEAN COMMISSION PUBLIC CONSULTATION ON CLOUD COMPUTING CCBE RESPONSE REGARDING THE EUROPEAN COMMISSION PUBLIC CONSULTATION ON CLOUD COMPUTING CCBE response regarding the European Commission Public Consultation on Cloud Computing The Council of Bars and Law

More information

singapore american school

singapore american school Background The Singapore Personal Data Protection Act - 2012 (PDPA) establishes a data protection law that comprises various rules governing the collection, use, disclosure, and care of personal data.

More information

This Applicant Privacy Notice Continental Europe is dated: July 2012 WILLIS.COM: PRIVACY NOTICE

This Applicant Privacy Notice Continental Europe is dated: July 2012 WILLIS.COM: PRIVACY NOTICE Applicant Privacy Notice for Positions in Willis Companies Located in the European Union and European Economic Area Excluding the United Kingdom ( Applicant Privacy Notice Continental Europe ) This Applicant

More information

Data Protection Policy and Code of Practice

Data Protection Policy and Code of Practice Data Protection Policy and Code of Practice All our written information can be made available, on request, in a range of different formats and languages. If you would like this document in any other language

More information

PRACTICAL LAW DATA PROTECTION MULTI-JURISDICTIONAL GUIDE 2012/13. The law and leading lawyers worldwide

PRACTICAL LAW DATA PROTECTION MULTI-JURISDICTIONAL GUIDE 2012/13. The law and leading lawyers worldwide PRACTICAL LAW MULTI-JURISDICTIONAL GUIDE 2012/13 The law and leading lawyers worldwide Essential legal questions answered in 30 key jurisdictions Analysis of critical legal issues AVAILABLE ONLINE AT WWW.PRACTICALLAW.COM/DATAPROTECTION-MJG

More information

Briefly summarised, SURFmarket has submitted the following questions to the Dutch DPA:

Briefly summarised, SURFmarket has submitted the following questions to the Dutch DPA: UNOFFICIAL TRANSLATION Written opinion on the application of the Wet bescherming persoonsgegevens [Dutch Data Protection Act] in the case of a contract for cloud computing services from an American provider

More information

Data controllers and data processors: what the difference is and what the governance implications are

Data controllers and data processors: what the difference is and what the governance implications are ICO lo : what the difference is and what the governance implications are Data Protection Act Contents Introduction... 3 Overview... 3 Section 1 - What is the difference between a data controller and a

More information

TERMS & CONDITIONS of SERVICE for MSKnote. Refers to MSKnote Limited. Refers to you or your organisation

TERMS & CONDITIONS of SERVICE for MSKnote. Refers to MSKnote Limited. Refers to you or your organisation TERMS & CONDITIONS of SERVICE for MSKnote Definitions: "Us or Our or We or Company" You or Your or Client Refers to MSKnote Limited Refers to you or your organisation Information about us: We are MSKnote

More information

Council Policy. Records & Information Management

Council Policy. Records & Information Management Council Policy Records & Information Management COUNCIL POLICY RECORDS AND INFORMATION MANAGEMENT Policy Number: GOV-13 Responsible Department(s): Information Systems Relevant Delegations: None Other Relevant

More information

MIS Privacy Statement. Our Privacy Commitments

MIS Privacy Statement. Our Privacy Commitments MIS Privacy Statement Our Privacy Commitments MIS Training Institute Holdings, Inc. (together "we") respect the privacy of every person who visits or registers with our websites ("you"), and are committed

More information

Microsoft Online Services - Data Processing Agreement

Microsoft Online Services - Data Processing Agreement Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID This Amendment consists of

More information

Consolidated Insurance Mediation Act 1

Consolidated Insurance Mediation Act 1 Consolidated Insurance Mediation Act 1 Act no. 930 of 18 September 2008 This is an Act to consolidate the Insurance Meditation Act, cf. Consolidated Act no. 401 of 25 April 2007, as amended by section

More information

GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT. CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4

GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT. CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4 GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4 PREFACE The following provides general guidance on data protection

More information

Policy and Procedure Title: Maintaining Secure Learner Records Policy No: CCTP1001 Version: 1.0

Policy and Procedure Title: Maintaining Secure Learner Records Policy No: CCTP1001 Version: 1.0 PROVIDER NAME: POLICY AREA: College of Computing Technology (CCT) Standard 10: Information Management, Student Information System & Data Protection Policy and Procedure Title: Maintaining Secure Learner

More information

CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES:

CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES: CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES: Privacy Responsibilities and Considerations Cloud computing is the delivery of computing services over the Internet, and it offers many potential

More information

Norwegian Data Inspectorate

Norwegian Data Inspectorate Norwegian Data Inspectorate Narvik kommune Postboks 64 8501 NARVIK Norway Your reference Our reference (please quote in any reply) Date 1111/1210-6/PEJA 11/00593-7/SEV 16 January 2012 Notification of decision

More information

Data protection compliance checklist

Data protection compliance checklist Data protection compliance checklist What is this checklist for? This checklist is drawn up on the basis of analysis of the relevant provisions of European law. Although European law aims at harmonizing

More information

Responsibilities of Custodians and Health Information Act Administration Checklist

Responsibilities of Custodians and Health Information Act Administration Checklist Responsibilities of Custodians and Administration Checklist APPENDIX 3 Responsibilities of Custodians in Administering the Each custodian under the Act must establish internal processes and procedures

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

Danske Bank Group Certificate Policy

Danske Bank Group Certificate Policy Document history Version Date Remarks 1.0 19-05-2011 finalized 1.01 15-11-2012 URL updated after web page restructuring. 2 Table of Contents 1. Introduction... 4 2. Policy administration... 4 2.1 Overview...

More information

Information Governance Policy

Information Governance Policy Information Governance Policy 1 Introduction Healthwatch Rutland (HWR) needs to collect and use certain types of information about the Data Subjects who come into contact with it in order to carry on its

More information

Business Merchant Capture Agreement. A. General Terms and Conditions

Business Merchant Capture Agreement. A. General Terms and Conditions Business Merchant Capture Agreement A. General Terms and Conditions Merchant Capture (MC), the Service, allows you to deposit checks to your LGE Business Account from remote locations by electronically

More information

Welcome to our job search and application platform (the Platform ). Please read our Legal Terms (which includes our Privacy Policy) carefully.

Welcome to our job search and application platform (the Platform ). Please read our Legal Terms (which includes our Privacy Policy) carefully. LEGAL TERMS AND PRIVACY POLICY Welcome to our job search and application platform (the Platform ). Please read our Legal Terms (which includes our Privacy Policy) carefully. The Platform is accessible

More information

HIPAA Compliance and the Protection of Patient Health Information

HIPAA Compliance and the Protection of Patient Health Information HIPAA Compliance and the Protection of Patient Health Information WHITE PAPER By Swift Systems Inc. April 2015 Swift Systems Inc. 7340 Executive Way, Ste M Frederick MD 21704 1 Contents HIPAA Compliance

More information

2) applied methods and means of authorisation and procedures connected with their management and use;

2) applied methods and means of authorisation and procedures connected with their management and use; Guidelines on the way of developing the instruction specifying the method of managing the computer system used for personal data processing, with particular consideration of the information security requirements.

More information

Data Protection Policy.

Data Protection Policy. Data Protection Policy. Data Protection Policy Foreword 2 Foreword Ladies and Gentlemen, In the information age, we offer customers the means to be always connected, even in their cars. This requires data

More information

Policy and Procedure for approving, monitoring and reviewing personal data processing agreements

Policy and Procedure for approving, monitoring and reviewing personal data processing agreements Policy and Procedure for approving, monitoring and reviewing personal data processing agreements 1 Personal data processing by external suppliers, contractors, agents and partners Policy and Procedure

More information

Privacy and Electronic Communications Regulations

Privacy and Electronic Communications Regulations ICO lo Notification of PECR security breaches Privacy and Electronic Communications Regulations Contents Introduction... 2 Overview... 2 Relevant security breaches... 3 What is a service provider?... 3

More information

Cloud Computing: Legal Risks and Best Practices

Cloud Computing: Legal Risks and Best Practices Cloud Computing: Legal Risks and Best Practices A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012 Introduction Security and Data Privacy Recent

More information

on the transfer of personal data from the European Union

on the transfer of personal data from the European Union on the transfer of personal data from the European Union BCRsseptembre 2008.doc 1 TABLE OF CONTENTS I. PRELIMINARY REMARKS 3 II. DEFINITIONS 3 III. DELEGATED DATA PROTECTION MANAGER 4 IV. MICHELIN GROUP

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Approval date: June 2014 Approved by: Board Responsible Manager: Executive Director of Resources Next Review June 2016 Data Protection Policy 1. Introduction Data Protection Policy

More information

APPROPRIATE USE OF INFORMATION TECHNOLOGY SYSTEMS INFRASTRUCTURE RESOURCES

APPROPRIATE USE OF INFORMATION TECHNOLOGY SYSTEMS INFRASTRUCTURE RESOURCES APPROPRIATE USE OF INFORMATION TECHNOLOGY SYSTEMS (INCLUDING INTERNET & E-MAIL) EMC CORPORATE POLICY COPYRIGHT 2007 EMC CORPORATION. ALL RIGHTS RESERVED. NO PORTION OF THIS MATERIAL MAY BE REPRODUCED,

More information

Records Management Policy.doc

Records Management Policy.doc INDEX Pages 1. DESCRIPTORS... 1 2. KEY ROLE PLAYERS... 1 3. CORE FUNCTIONS OF THE RECORDS MANAGER... 1 4. CORE FUNCTIONS OF THE HEAD OF REGISTRIES... 1 5. PURPOSE... 2 6. OBJECTIVES... 2 7. POLICY... 2

More information

Practical Overview on responsibilities of Data Protection Officers. Security measures

Practical Overview on responsibilities of Data Protection Officers. Security measures Practical Overview on responsibilities of Data Protection Officers Security measures Manuel Villaseca Spanish Data Protection Agency mvl@agpd.es Security measures Agenda: The rol of DPO on security measures

More information

235.1. Federal Act on Data Protection (FADP) Aim, Scope and Definitions

235.1. Federal Act on Data Protection (FADP) Aim, Scope and Definitions English is not an official language of the Swiss Confederation. This translation is provided for information purposes only and has no legal force. Federal Act on Data Protection (FADP) 235.1 of 19 June

More information

Data Protection Policy Information for Clients

Data Protection Policy Information for Clients Data Protection Policy Information for Clients Foreword This document outlines Numis Securities Limited s ( the Firm or Numis ) legal obligations and policy on data protection. Further information can

More information

Follow the trainer s instructions and explanations to complete the planned tasks.

Follow the trainer s instructions and explanations to complete the planned tasks. CERT Exercises Toolset 171 20. Exercise: CERT participation in incident handling related to Article 4 obligations 20.1 What will you learn? During this exercise you will learn about the rules, procedures

More information

DATA AND PAYMENT SECURITY PART 1

DATA AND PAYMENT SECURITY PART 1 STAR has teamed up with Prevention of Fraud in Travel (PROFiT) and the Fraud Intelligence Network (FIN) to offer our members the best advice about fraud prevention. We recognise the increasing threat of

More information

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Sopra HR Software as a Data Processor Sopra HR Software, 2014 / Ref. : 20141120-101114-m 1/32 1.

More information

ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY

ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY Originated by: Data Protection Working Group: November 2008 Impact Assessment: (to be confirmed) Recommended by Senate: 28 January 2009 Approved by Council:

More information

Southern Law Center Law Center Policy #IT0004. Title: Email Policy

Southern Law Center Law Center Policy #IT0004. Title: Email Policy Southern Law Center Law Center Policy #IT0004 Title: Email Policy Authority: Department Original Adoption: 7/20/2007 Effective Date: 7/20/2007 Last Revision: 9/17/2012 1.0 Purpose: To provide members of

More information

Information Governance Framework. June 2015

Information Governance Framework. June 2015 Information Governance Framework June 2015 Information Security Framework Janice McNay June 2015 1 Company Thirteen Group Lead Manager Janice McNay Date of Final Draft and Version Number June 2015 Review

More information

Last updated: 30 May 2016. Credit Suisse Privacy Policy

Last updated: 30 May 2016. Credit Suisse Privacy Policy Last updated: 30 May 2016 Credit Suisse Please read this privacy policy (the ) as it describes how we intend to collect, use, store, share, and safeguard your information. By accessing, visiting or using

More information

REVENUE REGULATIONS NO. 9-2009 issued on December 29, 2009 defines the requirements, obligations and responsibilities imposed on taxpayers for the

REVENUE REGULATIONS NO. 9-2009 issued on December 29, 2009 defines the requirements, obligations and responsibilities imposed on taxpayers for the REVENUE REGULATIONS NO. 9-2009 issued on December 29, 2009 defines the requirements, obligations and responsibilities imposed on taxpayers for the maintenance, retention and submission of electronic records.

More information

Merthyr Tydfil County Borough Council. Data Protection Policy

Merthyr Tydfil County Borough Council. Data Protection Policy Merthyr Tydfil County Borough Council Data Protection Policy 2014 Cyfarthfa High School is a Rights Respecting School, we recognise the importance of ensuring that the United Nations Convention of the

More information

ROYAL AUSTRALASIAN COLLEGE OF SURGEONS

ROYAL AUSTRALASIAN COLLEGE OF SURGEONS 1. SCOPE This policy details the College s privacy policy and related information handling practices and gives guidelines for access to any personal information retained by the College. This includes personal

More information

CROATIAN PARLIAMENT 1364

CROATIAN PARLIAMENT 1364 CROATIAN PARLIAMENT 1364 Pursuant to Article 88 of the Constitution of the Republic of Croatia, I hereby pass the DECISION PROMULGATING THE ACT ON PERSONAL DATA PROTECTION I hereby promulgate the Act on

More information

The HR Skinny: Effectively managing international employee data flows

The HR Skinny: Effectively managing international employee data flows The HR Skinny: Effectively managing international employee data flows Topics we will cover today Laws affecting HR data flows HR international data protection challenges and strategic solutions Case study

More information

Astaro Services AG Rheinweg 7, CH-8200 Schaffhausen. Supplementary data protection agreement. to the license agreement for license ID: between

Astaro Services AG Rheinweg 7, CH-8200 Schaffhausen. Supplementary data protection agreement. to the license agreement for license ID: between Astaro Services AG Rheinweg 7, CH-8200 Schaffhausen Supplementary data protection agreement to the license agreement for license ID: between...... represented by... Hereinafter referred to as the "Client"

More information

Information Circular

Information Circular Information Circular Enquiries to: Brooke Smith Senior Policy Officer IC number: 0177/14 Phone number: 9222 0268 Date: March 2014 Supersedes: File No: F-AA-23386 Subject: Practice Code for the Use of Personal

More information

Terms and conditions of business for a NemID administrator of commercial NemID

Terms and conditions of business for a NemID administrator of commercial NemID Terms and conditions of business for a NemID administrator of commercial NemID 1 Background...2 2 Scope and object...3 3 Administrator and Certificates...3 3.1 General obligations of the Customer...3 3.2

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

BRING YOUR OWN DEVICE

BRING YOUR OWN DEVICE BRING YOUR OWN DEVICE Legal Analysis & Practical TIPs for an effective BYOD corporate Policy CONTENTS 1. What is BYOD? 2. Benefits and risks of BYOD in Europe 3. BYOD and existing Policies 4. Legal issues

More information

BUSINESS ASSOCIATE AGREEMENT ( BAA )

BUSINESS ASSOCIATE AGREEMENT ( BAA ) BUSINESS ASSOCIATE AGREEMENT ( BAA ) Pursuant to the terms and conditions specified in Exhibit B of the Agreement (as defined in Section 1.1 below) between EMC (as defined in the Agreement) and Subcontractor

More information

Data Protection and Cloud Computing: an Overview of the Legal Issues

Data Protection and Cloud Computing: an Overview of the Legal Issues Data Protection and Cloud Computing: an Overview of the Legal Issues Christopher Kuner Partner, Hunton & Williams, Brussels Research Assistant, University of Copenhagen Nordic IT Law Conference Copenhagen,

More information

TERRITORY RECORDS OFFICE BUSINESS SYSTEMS AND DIGITAL RECORDKEEPING FUNCTIONALITY ASSESSMENT TOOL

TERRITORY RECORDS OFFICE BUSINESS SYSTEMS AND DIGITAL RECORDKEEPING FUNCTIONALITY ASSESSMENT TOOL TERRITORY RECORDS OFFICE BUSINESS SYSTEMS AND DIGITAL RECORDKEEPING FUNCTIONALITY ASSESSMENT TOOL INTRODUCTION WHAT IS A RECORD? AS ISO 15489-2002 Records Management defines a record as information created,

More information

Southern Law Center Law Center Policy #IT0014. Title: Privacy Expectations for SULC Computing Resources

Southern Law Center Law Center Policy #IT0014. Title: Privacy Expectations for SULC Computing Resources Southern Law Center Law Center Policy #IT0014 Title: Privacy Expectations for SULC Computing Resources Authority: Department Original Adoption: 5/7/2007 Effective Date: 5/7/2007 Last Revision: 9/17/2012

More information

Electronic business conditions of use

Electronic business conditions of use Electronic business conditions of use This document provides Water Corporation s Electronic Business Conditions of Use. These are to be applied to all applications, which are developed for external users

More information

Zinc Recruitment Pty Ltd Privacy Policy

Zinc Recruitment Pty Ltd Privacy Policy 1. Introduction Zinc Recruitment Pty Ltd Privacy Policy We manage personal information in accordance with the Privacy Act 1988 and Australian Privacy Principles. This policy applies to information collected

More information

HIPAA Compliance Guide

HIPAA Compliance Guide HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care

More information

Cloud Service Contracts: An Issue of Trust

Cloud Service Contracts: An Issue of Trust Cloud Service Contracts: An Issue of Trust Marie Demoulin Assistant Professor Université de Montréal École de Bibliothéconomie et des Sciences de l Information (EBSI) itrust 2d International Symposium,

More information