Cloud computing and the legal framework - Guidance on legislative requirements and the contractual environment related to cloud computing
Contents

1. Introduction
2. The Danish Act on Processing of Personal Data and the accompanying Executive Order on Security
   2.1 No processing of personal data
   2.2 Processing of personal data
       Authority to process personal data
       The data controller's leave of personal data to a data processor (cloud supplier)
       The security requirements of the Act on Processing of Personal Data
       Data processor agreement
       Cloud supplier outside the EU, including special rules for transfer to locations outside the EU
       Duty of notification
   2.4 Certain critical information
3. Other relevant legislation
   3.1 The Bookkeeping Act (Bogføringsloven)
   3.2 The Audit Act (Regnskabsloven)
   3.3 The Archive Act (Arkivloven)
1. Introduction

Cloud computing is expected to become more and more widespread in the future. The Agency for Digitisation has therefore, in cooperation with Kammeradvokaten, the legal adviser to the Danish Government, prepared this guidance for the purpose of reviewing the matters which both the customer (e.g. a public authority) and the supplier of the cloud solution should consider and be aware of when forming a contract regarding cloud computing.

In most cases, much of the data in a cloud solution will consist of personal data. The focus of this guidance is therefore on legal matters relating to personal data. For explanatory notes, see chapter 2 below.

In relation to chapter 2 below, please note the importance of the customer's awareness of what data is entrusted to the supplier in relation to the cloud solution. The Danish Act on Processing of Personal Data limits what data may be freely entrusted to a supplier in a cloud solution. Furthermore, the Danish Act on Processing of Personal Data and the accompanying Executive Order on Security contain rules governing the procurement of prior consent from the Danish Data Protection Agency for the solution in question. Therefore, the customer must, prior to forming a contract, carefully consider what data is to be managed by the cloud supplier in order to comply with the Danish Act on Processing of Personal Data and the accompanying Executive Order on Security.

Notes by the Danish Data Protection Agency in relation to legal matters regarding personal data are incorporated in the guidance. Chapter 3 gives a brief introduction to other relevant legislation, which in certain cases may be important to cloud computing. It is recommended to read the guidance in full. The guidance addresses both public authorities and private companies.

2. The Danish Act on Processing of Personal Data and the accompanying Executive Order on Security

The Danish Act on Processing of Personal Data (act nr 429 of 31 May 2000 on processing of personal data, as amended) regulates processing of personal data. The term personal data comprises any data regarding an identified or identifiable natural person, cf. s. 3 (1). The term personal data also comprises data that can be traced to a natural person even if this requires knowledge of a personal identification number, registration number or a similar specific identification such as a serial number, regardless of whether the data is on record or instantaneously obtainable. The definition also comprises circumstances under which personal data is traceable only by someone in the know. As an example, an address or an IP address may be personal data and thereby comprised by the Danish Act on Processing of Personal Data, because it would be possible to relate the IP address to a certain computer and its owner. An , therefore, does not have to contain the name or address of the receiver to be considered personal data.

The Danish Act on Processing of Personal Data only applies, apart from a few exceptions, to data about natural persons and not to data about legal persons. The Act comprises processing of data by public authorities as well as by the private sector. The same legislation therefore applies to both the public and the private sector.

Pursuant to the Danish Act on Processing of Personal Data, several Executive Orders have been issued, among other things regarding the requirements for data security. Further rules are set for the public administration in the Executive Order on Security [1]. The Executive Order applies to any processing of personal data done within the public administration entirely or partly by means of electronic data processing. The Executive Order defines the technical and organisational precautionary measures which as a minimum need to be taken in the public administration in consideration of processing security (data security).

The review in chapter 2 is not exhaustive, and the customer must in any case assess compliance with the Danish Act on Processing of Personal Data, if necessary by seeking legal assistance from the Danish Data Protection Agency.
2.1 No processing of personal data

If a customer wishes to form a contract regarding a cloud solution in which no personal data is processed, the Danish Act on Processing of Personal Data does not limit the exchange or transfer of data to a cloud supplier. In such a case there is no need to include special terms and conditions in the contract for compliance with the Danish Act on Processing of Personal Data. This could e.g. be a cloud solution for operation of a statistical application not containing personal data. In such an event there are no limitations for the customer in regard to forming a contract with the cloud supplier, regardless of its location.

[1] Consolidated act nr 528 of 15th June 2000 as changed by act nr 201 of 22nd March 2001
2.2 Processing of personal data

When processing personal data, compliance with the Danish Act on Processing of Personal Data is required. In this context, processing means any operation or set of operations to which the data is subjected, with or without the use of electronic data processing, cf. s. 3 (2). The term processing comprises any handling of data, e.g. collection, registration, systematisation, storage, alteration, search, transmission, entrusting, release, juxtaposition, multiprogramming, blocking, deletion or destruction.

Authority to process personal data

Regardless of what solution is chosen for managing personal data, it is important to be aware of the relevant provisions. Both the Danish Act on Processing of Personal Data and special rules in other legislation limit what kind of data may be included as well as the usage of that data, e.g. disclosure of data.

Personal data can be divided into:
- Regular, non-sensitive data (section 6)
- Sensitive personal data (section 7, e.g. data about race, political background, religion etc.)
- Other types of sensitive personal data (section 8, e.g. data about criminal record, social issues etc.)

Whether there is legal basis for processing personal data is determined by e.g. the purpose and the character of the data, that is, whether it is section 6, 7 or 8 data. Any processing of personal data must comply with the basic requirements of section 5 on proper data management ethics and the requirements that the purpose of processing the data must be specified and factual. It is also required that the data managed be relevant and adequate. Processing must be carried out so that the data is updated properly. Furthermore, the data may not be stored in a way that makes it possible to identify the data subjects for a longer period of time than necessary for the purpose of the data processing, cfr. section 5, sub-sections.

The data controller's leave of personal data to a data processor (cloud supplier)

Section 3, nr 4 and 5 of the Act on Processing of Personal Data defines the terms data controller and data processor. A cloud supplier will in most cases be a data processor.
The data controller decides for what purpose and by which means personal data may be processed, while the data processor processes personal data on behalf of the data controller. The data controller is effectively responsible for the processing of personal data and controls the data.

A data processor may perform the practical processing of personal data on behalf of the data controller. It is up to the data controller to decide whether the data processor is to process the data on behalf of the data controller. It is the data controller's responsibility that processing complies with the legislation; this also applies to data processed by the data processor.

The security requirements of the Act on Processing of Personal Data

A number of factors require attention regardless of whether data is left with a cloud supplier in Denmark, another EU country or a third country. It is the data controlling authority's responsibility that the Act on Processing of Personal Data and the Executive Order on Security are complied with by the data processor. The rules of the Executive Order on Security apply to processing of personal data in the public administration.

Security requirements in the private sector

For the private sector there is also legal basis to issue an executive order on security requirements, but this legal basis has not been exercised. However, the Danish Data Protection Agency has in concrete cases set further rules on security precautions by making use of rules which state that the Agency may set terms when issuing licences. The Danish Data Protection Agency has furthermore on different occasions recommended that private companies to the widest possible extent implement security measures corresponding to the Executive Order on Security. Additionally, the Danish Data Protection Agency has set a number of requirements and recommendations for the private sector in relation to transfer of personal data via the internet.
These may be read on the Danish Data Protection Agency's website.

The data controller must produce a total risk assessment of whether a given solution provides a sufficient security level. The risk assessment may be done based on a standard for data security such as ISO/IEC or DS 484, which is the common governmental standard for data security. Both contain examples of what elements a risk assessment may comprise. In terms of a cloud solution, inspiration for the risk assessment may be found in ENISA's [2] publication "Cloud computing - Benefits, risks and recommendations for data security" (see the check list on page in the report).

In any case the data controller must ensure that the data processing by the data processor complies with the Danish security requirements described in the Act on Processing of Personal Data sections and the Executive Order on Security. These requirements are described in the following.

The aim of the security requirements is first and foremost that both public and private data controllers and data processors must implement the necessary technical and organisational security measures against accidental or unlawful destruction, loss or alteration and against unauthorised disclosure, abuse or other processing in violation of section 41, 3 of the Act on Processing of Personal Data. In terms of processing personal data for public authorities, this is further described in the national security executive order (publication nr 528 of 15th June 2000 as changed by publication nr 201 of 22nd March 2001) and the security guidelines (the Danish Data Protection Agency's guidelines nr 37 of 2nd April 2001). According to the Executive Order on Security, the Danish Data Protection Agency is entitled to make recommendations to the data controlling authority regarding the security measures taken.

The Executive Order on Security and the security guidelines, to which references are made in the following, describe and elaborate on the technical and organisational security measures which, for reasons of data security, must be taken in the public administration in accordance with the general rules for security measures in sections. These requirements from the Executive Order on Security must as a minimum be observed.
In addition, the security measures taken must reflect that the processing of personal data in a cloud solution is done via the internet, which tightens the requirements for data security. The Act on Processing of Personal Data, the Executive Order on Security and the security guidelines describe a number of security measures which must be met when processing personal data for the public administration. Below is a list of some of those security measures especially relevant to cloud solutions. Note that the list is not exhaustive but merely highlights some of the existing measures in general:

- Personal data must be deleted after processing.
- When discarding or distributing used data media, it must be ensured that personal data is not accessible to unauthorised persons.
- When transmitting data through the open internet, encryption of data is a minimum requirement.
- Security for authentication (sender's and receiver's identity) and integrity (the validity of the transmitted data) must be ensured to such extent as circumstances may require, e.g. by using two-factor authentication.
- It must be ensured that only authorised users can access the system. Rejected access attempts must be monitored.
- The Executive Order on Security, section 19 on logging, must be observed.

[2] European Network and Information Security Agency

If the data processor is located in an EU country other than Denmark, the data processor must also comply with the security requirements of the EU country in question, cfr. the Act on Processing of Personal Data, section 42, 2 and.

Data processor agreement

When a data controller transfers data to a data processor, the data controller must actively ensure that the data processor observes the necessary data security. For example, it is required that a written agreement (a data processor agreement) be signed between the data controller and the data processor when personal data is transferred, cfr. the Act on Processing of Personal Data section 42, nr 2, 1 and the Executive Order on Security section 7. The agreement must state that the data processor acts solely on instructions from the data controller. Furthermore, the agreement must state that the data processor must take the necessary technical and organisational security measures. If the data controller is a public authority, the data processor agreement must state that the rules of the Executive Order on Security are observed by the data processor.

Cloud supplier outside the EU, including special rules for transfer to locations outside the EU

The Act on Processing of Personal Data section 27 regulates when data may be transferred to e.g. data processors in a third country (countries outside the EU/EEA).
As a general rule, when personal data is transferred to third countries under section 27, the rules of the Act on Processing of Personal Data must still be met, cfr. section 27, nr 5. When using a cloud supplier outside the EU, the following possibilities may be used for transferring data to third countries:

A. Transfer to a secure third country
B. Safe Harbor agreement
C. The Commission's model clauses on transferring data to third countries
A. Transfer to a secure third country

The Act on Processing of Personal Data section 27, nr 1 states that data may only be transferred to a third country if the security level of the country in question is sufficient. As of 15th June 2010, the Commission has deemed that the following third countries have a sufficient security level in general, by either legislation or other precautionary measures: Switzerland, Canada (on a limited scale), Argentina, Guernsey, USA (on a limited scale), Isle of Man, Jersey, Faroe Islands, Andorra and Israel. The register of generally approved countries can be found on the Danish Data Protection Agency's website. Transfer of data to cloud suppliers in these countries may therefore be done in accordance with the Act on Processing of Personal Data section 27, nr 1. Such transfer does, in certain cases, require permission from the Danish Data Protection Agency, cfr. the Act on Processing of Personal Data section 50, nr 2.

B. The Safe Harbor Agreement

As mentioned above, data may only be transferred to a third country if the security level of the country in question is sufficient, cfr. the Act on Processing of Personal Data section 27, nr 1. The EU Commission has decided that American companies affiliated with the so-called Safe Harbor Agreement are presumed to meet a sufficient protection level for personal data transferred from the EU to these companies. Transfer of personal data to such companies may therefore be done according to the Act on Processing of Personal Data section 27, nr 1. Such transfer does, in certain cases, require permission from the Danish Data Protection Agency, cfr. the Act on Processing of Personal Data section 50, nr 2.

C. The EU Commission's model clauses on transfer to third countries

In those cases where the security level of the third country is not sufficient (and where the enumerated exceptions in the Act on Processing of Personal Data section 27, nr 3 do not render transfer possible), the Danish Data Protection Agency may authorise transfer of data to the third country. Such authorisation is conditional on the data controller providing sufficient guarantees for the protection of the rights of the data subjects. This is stated in the Act on Processing of Personal Data section 27, nr 4. The Commission has found that the requirement in section 27, nr 4 on requisite guarantees for sufficient protection of the rights of the data subjects may be satisfied by certain standard contractual clauses.
Provided that the data controller enters into an agreement with a cloud supplier on terms based on the Commission's model clauses, transfer of personal data to the cloud supplier may be authorised.

Furthermore, the model clauses provide the option that only one authorisation for transfer of personal data to a given data processor in a third country has to be obtained, even when the data processor uses sub-data processors also based in third countries. If the data processor is based within the EU and uses sub-data processors in a third country, transfer of personal data may take place if:

- the data controller within the EU enters into an agreement, with terms based on the standard contractual clauses of the Commission, directly with a sub-data processor in a third country, or
- the data controller authorises the data processor in the EU to agree terms with the sub-data processors in the name of and on behalf of the data controller.

The Commission's model clauses are available on the Commission's website. Furthermore, reference is made to the information on transfer of data to third countries on the Danish Data Protection Agency's website.

Duty of notification

The Act on Processing of Personal Data contains a principal rule that the Danish Data Protection Agency must be notified before processing of personal data is carried out. In relation to the notification, the Danish Data Protection Agency must, when the notification concerns personal data comprised by sections 7 and 8, issue an authorisation or a statement before the processing. This applies to both cloud computing and other cases where personal data is processed.

In most cases public authorities and private companies will have notified the Danish Data Protection Agency beforehand. If the IT architecture that forms the basis for a solution is changed, e.g. if parts of the IT system are converted into cloud solutions, it is not always necessary to re-notify the Danish Data Protection Agency about the processing of personal data. In some cases it will only be necessary to update the existing notification. Initially, it is up to the data controller to assess whether the previous notification remains valid or whether the conversion requires a new notification or an update of the current notification, e.g. when converting something into a cloud computing solution.
Reference is made to the Act on Processing of Personal Data chapter 12 (sections 43-47) and the Danish Data Protection Agency's guidelines nr 125 of July 10th 2000 regarding notification of processing done on behalf of the public administration. Furthermore, reference is made to the Act on Processing of Personal Data chapter 13 (sections 48-51) regarding notification of processing done on behalf of private data controllers. These documents can be found on the Danish Data Protection Agency's website.

It should also be noted that transfer of personal data to third countries in certain cases requires authorisation from the Danish Data Protection Agency, cfr. the Act on Processing of Personal Data section 50, nr 2. The duty of notification lies with the data controller even when the processing of personal data, according to a data processing agreement, is carried out by a data processor.

2.4 Certain critical information

When the data controller, as a public authority, processes data of special interest to foreign powers, precautions must be taken to ensure that the data can be disposed of or destroyed in the event of war or other such events, cfr. the Act on Processing of Personal Data section 41, nr 4. This rule primarily concerns data included in registers which may be of special interest to a foreign power, e.g. to help find individuals with special training or education, or special equipment like vehicles etc., which may help the foreign power in case of occupation etc. This rule, the so-called war rule, entails that e.g. information from the Civil Register (CPR-registret), central tax registers and other special registers in general must not be transferred to a data processor outside Denmark. Whether the data controlling authority in such a case can transfer personal data comprised by the Act on Processing of Personal Data section 41, nr 4 to a cloud supplier relies on an individual assessment, made first by the data controller itself.
If the data controller is in doubt, it may contact the Danish Data Protection Agency.

3. Other relevant legislation

This section presents other legislation which in some cases may be relevant to observe in relation to cloud computing.
3.1 The Bookkeeping Act (Bogføringsloven)

The Bookkeeping Act [3] regulates the general minimum requirements for a company's bookkeeping. According to the Bookkeeping Act section 10, financial records must be stored adequately securely for 5 years from the end of the financial year the records concern. This includes that the financial records must, during the entire storage period, be protected against theft, fire or other intended or unintended destruction or disposal, insofar as this is reasonable. If the records are stored digitally, continuous backup of the records must be made and the backup copy must be checked for readability.

The basis of the Bookkeeping Act section 12 is that financial records must be stored in Denmark or in the Nordic countries [4]. This applies to both physical appendices and digital data. Hence, if financial records are stored on a server physically located outside Denmark, a complete copy must be kept in Denmark. It is not adequate to have online access to the foreign server where the financial records are stored. If the financial records are stored on a foreign server (e.g. by a cloud service), it is therefore necessary to download a copy of the records electronically or make sure that a paper copy is available. The electronic copy must be placed on a server in Denmark and be retrievable, readable and printable without further processing. According to the regulations of the Bookkeeping Act, it is adequate to make such a copy (electronically or on paper) on a monthly basis.

The rule that financial records as a starting point must be stored in Denmark is based i.a. on the consideration that public authorities must be able to perform their tasks. The purpose of the storage requirements is to ensure that e.g. the Central Tax Administration (SKAT) has easy access to financial records in connection with inspection or investigation.
The Danish Commerce and Companies Agency may, upon prior application, grant exemption from the above requirements concerning storage of financial records in Denmark. Based on the above-mentioned considerations, the Danish Commerce and Companies Agency has as yet only in special circumstances, and subject to a number of additional conditions, granted exemption for storing financial records exclusively abroad. For appendices, exemption for exclusive storage abroad cannot be granted. Financial records may at all times be stored abroad, provided that an exact copy of the financial records exists in Denmark, e.g. electronically.

[3] Consolidated act nr 648 of 15th June
[4] Act nr 250 of 23rd March 2006 about storing financial records abroad

3.2 The Audit Act (Regnskabsloven)

Governmental accounting is regulated by the Audit Act and the Danish Executive Order on the Preparation of Financial Statements [5].

[5] Act nr 131 of 28th March 1984 on the Government's accountancy etc.
Similar to business enterprises, financial records for governmental institutions must be stored adequately securely for 5 years from the end of the financial year the records concern, unless a longer period follows from other legislation. The records must be kept so that, during the entire storage period, independent and unequivocal retrieval of the records in question is possible, cfr. section 44 of the Danish Executive Order on the Preparation of Financial Statements.

The basis for the Audit Act section 45 is that financial records must be stored in Denmark. This applies to both physical appendices and digital data. As with the Bookkeeping Act described above, this regulation means that financial records may be stored on a server abroad provided that an exact copy of the records is made at least on a monthly basis. Such a copy must be placed on a server in Denmark or kept on paper. The Agency for Governmental Management will be able to grant exemption from section 45 for institutions which need to store financial records in the Nordic countries (Finland, Iceland, Norway and Sweden).

3.3 The Archive Act (Arkivloven)

The Archive Act [6] and subordinate regulations concern public authorities' archives. The Archive Act is only relevant in relation to cloud computing if an authority chooses to store or run its casework system in a cloud solution. In such a case the authority must observe the rules of the Archive Act. The Government's archives assume responsibility for the preservation of the individual archives when these are transferred to the Government's archives, cfr. section 8, nr 3. Until then, authorities must make sure to observe archival considerations, including that archives are stored adequately securely, cfr. section 8, nr 1. Furthermore, authorities must, according to section 8, nr 2, make sure that archives stored digitally are kept so that they can be transferred to public archives. In-depth regulations on archival considerations (cfr. section 8 nr 1) about processing, storage and discarding of government agencies' archives can be found in the Danish Executive Order on the Preparation of Archives [7].

[6] Consolidated act nr 1035 of 21st August
[7] Act nr 591 of 26 March 2003 on public archives and public archives activities