Cloud computing and the legal framework - Guidance on legislative requirement and the contractual environment related to cloud computing
Content

1. Introduction
2. The Danish Act on Processing of Personal Data and the accompanying Executive Order on Security
   No processing of personal data
   Processing of personal data
   Authority to process personal data
   The data controller's leave of personal data to a data processor (cloud supplier)
   The security requirements of the Act on Processing of Personal Data
   Data processor agreement
   Cloud supplier outside the EU, including special rules for transfer to locations outside the EU
   Duty of notification
   Certain critical information
Other relevant legislation
   The Bookkeeping Act (Bogføringsloven)
   The Audit Act (Regnskabsloven)
   The Archive Act (Arkivloven)
1. Introduction

Cloud computing is expected to become more and more widespread in the future. The Agency for Digitisation has, therefore, in cooperation with Kammeradvokaten, the legal adviser to the Danish Government, prepared this guidance for the purpose of reviewing matters which both the customer (e.g. a public authority) and the supplier of the cloud solution should consider and be aware of when forming a contract regarding cloud computing.

In most cases, much data in a cloud solution will consist of personal data. Therefore the focus of this guidance is on legal matters relating to personal data. For explanatory notes, see chapter 2 below.

In relation to chapter 2 below, please note the importance of the customer's awareness of what data is entrusted to the supplier in relation to the cloud solution. The Danish Act on Processing of Personal Data limits what data may freely be entrusted to a supplier in a cloud solution. Furthermore, the Danish Act on Processing of Personal Data and the accompanying Executive Order on Security contain rules governing the obtaining of prior consent from the Danish Data Protection Agency for the solution in question. Therefore, the customer must, prior to forming a contract, carefully consider what data is to be managed by the cloud supplier in order to comply with the Danish Act on Processing of Personal Data and the accompanying Executive Order on Security.

Notes by the Danish Data Protection Agency in relation to legal matters regarding personal data are incorporated in the guidance.

Chapter 3 gives a brief introduction to other relevant legislation, which in certain cases may be important to cloud computing.

It is recommended to read the guidance in full. The guidance addresses both public authorities and private companies.

2. The Danish Act on Processing of Personal Data and the accompanying Executive Order on Security

The Danish Act on Processing of Personal Data (act nr 429 of 31 May 2000 on processing of personal data as amended) regulates processing of personal data.

The term personal data comprises any data regarding an identified or identifiable natural person, cf. s. 3 (1). The term personal data comprises data that can be attributed to a natural person, even if this requires knowledge of a personal identification number, registration number or similar specific identification such as a serial number, regardless of whether the data is on record or instantaneously obtainable. The definition also comprises circumstances under which personal data can be attributed to a person only by someone in the know. As an example, an e-mail address or an IP address may be personal data and thereby comprised by the Danish Act on Processing of Personal Data, because it would be possible to relate the IP address to a certain computer and its owner. An e-mail, therefore, does not have to contain the name or address of the receiver to be considered personal data.

The Danish Act on Processing of Personal Data only applies, apart from a few exceptions, to data about natural persons and not data about legal persons.

The Danish Act on Processing of Personal Data comprises processing of data by both public authorities and the private sector. The same legislation therefore applies to both the public and private sector.

Pursuant to the Danish Act on Processing of Personal Data, several Executive Orders have been issued, among other things regarding the requirements for data security. Further rules are set for the public administration in the Executive Order on Security. [1] The executive order applies to any processing of personal data done within the public administration entirely or partly by means of electronic data processing. The executive order defines the technical and organisational precautionary measures which, as a minimum, need to be taken in the public administration in consideration of processing security (data security).

The review in chapter 2 is not exhaustive, and the customer must in any case assess compliance with the Danish Act on Processing of Personal Data, if necessary by seeking legal assistance from the Danish Data Protection Agency.
2.1 No processing of personal data

If a customer wishes to form a contract regarding a cloud solution in which no personal data is processed, the Danish Act on Processing of Personal Data does not limit exchange or transfer of data to a cloud supplier. In such a case there is no need to include in the contract special terms and conditions in compliance with the Danish Act on Processing of Personal Data.

This could e.g. be a cloud solution for operation of a statistical application not containing personal data. In such an event there are no limitations for the customer with regard to forming a contract with the cloud supplier, regardless of its location.

[1] Consolidated act nr 528 of 15th June 2000 as changed by act nr 201 of 22nd March 2001
2.2 Processing of personal data

When processing personal data, compliance with the Danish Act on Processing of Personal Data is required. In this context, processing means any operation or number of operations, with or without use of electronic data processing, to which the data is subjected, cf. s. 3 (2).

The processing term comprises any processing of data, e.g. collecting, registration, systemising, storage, alteration, search, transmission, entrusting, releasing, juxtaposition, multiprogramming, blocking, deletion or destruction.

Authority to process personal data

Regardless of what solution is chosen for managing personal data, it is important to be aware of the related provisions. Both the Danish Act on Processing of Personal Data and special rules in other legislation limit what kind of data may be included as well as the usage of that data, e.g. disclosure of data.

Personal data can be divided into:

- Regular, non-sensitive data (section 6)
- Sensitive personal data (section 7, e.g. data about race, political background, religion etc.)
- Other types of sensitive personal data (section 8, e.g. data about criminal record, social issues etc.)

Whether there is legal basis for processing personal data is determined by e.g. the purpose and the character of the data, that is, whether it is section 6, 7 or 8 data.

Any processing of personal data must comply with the basic requirements of section 5 on proper data managing ethics and the requirement that the purpose of processing the data must be specified and factual. It is also required that the data managed must be relevant and adequate. Processing must be carried out so that the data is updated properly. Furthermore, the data may not be stored in a way that makes it possible to identify the data subjects for a longer period of time than necessary for the purpose of the data processing, cfr. section 5, sub-sections

The data controller's leave of personal data to a data processor (cloud supplier)

Section 3, nr 4 and 5 of the Act on Processing of Personal Data defines the terms data controller and data processor. A cloud supplier will in most cases be a data processor.
The data controller decides for what purpose and by which aids personal data may be processed, while the data processor processes personal data on behalf of the data controller. The data controller is effectively responsible for processing personal data and controls the data.

A data processor may perform the practical processing of personal data on behalf of the data controller. It is up to the data controller to decide whether the data processor is to process the data on behalf of the data controller. It is the data controller's responsibility that processing complies with the legislation - this also applies to data processed by the data processor.

The security requirements of the Act on Processing of Personal Data

A number of factors require attention regardless of whether data is left with a cloud supplier in Denmark, another EU country or a third country.

It is the data controlling authority's responsibility that the Act on Processing of Personal Data and the Executive Order on Security are complied with by the data processor. The rules of the Executive Order on Security apply to processing of personal data in the public administration.

Security requirements in the private sector

For the private sector, there is also legal basis to issue an executive order on security requirements, but such legal basis has not been exercised. However, the Danish Data Protection Agency has in concrete cases set further rules on security precautions by making use of rules which state that the Agency may set terms when issuing licenses. The Danish Data Protection Agency has furthermore on different occasions recommended that private companies, to the widest possible extent, prepare security measures corresponding to the Executive Order on Security. Additionally, the Danish Data Protection Agency has set a number of requirements and recommendations to the private sector in relation to transfer of personal data via the internet.
These may be read at the Danish Data Protection Agency's website:

The data controller must produce a total risk assessment of whether a given solution supplies a sufficient security level. The risk assessment may be done based on a standard for data security such as ISO/IEC or DS 484, which is the common governmental standard for data security. Both contain examples of what elements may comprise a risk assessment. In terms of a cloud solution, inspiration for the risk assessment may be found in ENISA's [2] publication "Cloud computing - Benefits, risks and recommendations for data security". (See the check list on page in the report):

In any case the data controller must ensure that the data processing by the data processor complies with the Danish security requirements described in the Act on Processing of Personal Data sections and the Executive Order on Security. These requirements will be described in the following.

The aim of the security requirements is first and foremost that both public and private data controllers and data processors must implement the necessary technical and organisational security measures against accidental or unlawful destruction, loss or alteration and against unauthorized disclosure, abuse or other processing in violation of section 41, 3 of the Act on Processing of Personal Data.

In terms of processing personal data for public authorities, this is further described in the national security executive order (publication nr 528 of 15th June 2000 as changed by publication nr 201 of 22nd March 2001) and security guidelines (the Danish Data Protection Agency's guidelines nr 37 of 2nd April 2001). According to the Executive Order on Security, the Danish Data Protection Agency is entitled to make recommendations to the data controlling authority in regard to the security measures taken.

The Executive Order on Security and the security guidelines, to which references are made in the following, describe and elaborate on the technical and organisational security measures which, for the sake of data security, must be taken in the public administration in accordance with the general rules for security measures in sections. These requirements, from the Executive Order on Security, must as a minimum be observed.
In addition, the security measures taken must reflect that the processing of personal data in a cloud solution is done via the internet, which tightens the requirements for data security.

The Act on Processing of Personal Data, the Executive Order on Security and the security guidelines describe a number of security measures which must be met when processing personal data for the public administration. Below is a list of some of those security measures especially relevant to cloud solutions. It is noted that the list is not exhaustive but merely highlights some of the present measures in general:

- Personal data must be deleted after processing
- When discarding or distributing used data media, it must be ensured that personal data is not accessible to unauthorised persons
- When transmitting data through the open internet, encryption of data is a minimum requirement
- Authentication (the sender's and receiver's identity) and integrity (the validity of the transmitted data) must be secured to such extent as circumstances may require, e.g. by using two-factor authentication
- It must be ensured that only authorised users can access the system. Rejected access attempts must be monitored
- The Executive Order on Security, section 19 on logging must be observed.

[2] European Network and Data Security Agency

If the data processor is located in an EU country other than Denmark, the data processor must also comply with the security requirements of the EU country in question, cfr. the Act on Processing of Personal Data, section 42, 2 and

Data processor agreement

When a data controller transfers data to a data processor, the data controller must actively ensure that the data processor observes the necessary data security. For example, it is required that a written agreement (a data processor agreement) is signed between the data controller and the data processor when personal data is transferred, cfr. the Act on Processing of Personal Data section 42, nr 2, 1 and the Executive Order on Security section 7. The agreement must state that the data processor solely acts on instructions from the data controller. Furthermore, the agreement must state that the data processor must take the necessary technical and organisational security measures. If the data controller is a public authority, the data processor agreement must state that the rules of the Executive Order on Security are observed by the data processor.

Cloud supplier outside the EU, including special rules for transfer to locations outside the EU

The Act on Processing of Personal Data section 27 regulates when data may be transferred to e.g. data processors in a third country (countries outside the EU/EEA).
As a general rule, when personal data is transferred to third countries after section 27, the rules of the Act on Processing of Personal Data must still be met, cfr. section 27, nr 5.

When using a cloud supplier outside the EU, the following possibilities can be used for transferring data to third countries:

A. Transfer to a secure third country
B. Safe Harbor agreement
C. The Commission's model clauses on transferring data to third countries
A. Transfer to a secure third country

The Act on Processing of Personal Data section 27, nr 1 states that data may only be transferred to a third country if the security level of the country in question is sufficient.

As of 15th June 2010, the Commission has deemed the following third countries to have a sufficient security level in general, by either legislation or other precautionary measures: Switzerland, Canada (on a limited scale), Argentina, Guernsey, USA (on a limited scale), Isle of Man, Jersey, Faroe Islands, Andorra and Israel. The register of generally approved countries can be found on the Danish Data Protection Agency's website.

Transfer of data to cloud suppliers in these countries may therefore be done in accordance with the Act on Processing of Personal Data section 27, nr 1. Such transfer does, in certain cases, require permission from the Danish Data Protection Agency, cfr. the Act on Processing of Personal Data section 50, nr 2.

B. The Safe Harbor Agreement

As mentioned above, data may only be transferred to a third country if the security level of the country in question is sufficient, cfr. the Act on Processing of Personal Data section 27, nr 1.

The EU Commission has decided that American companies affiliated with the so-called Safe Harbor Agreement presumably meet a sufficient protection level for personal data transferred from the EU to these companies. Transfer of personal data to such companies may therefore be done according to the Act on Processing of Personal Data section 27, nr 1. Such transfer does, in certain cases, require permission from the Danish Data Protection Agency, cfr. the Act on Processing of Personal Data section 50, nr 2.

C. The EU Commission's model clauses on transfer to third countries

In those cases where the security level of the third country is not sufficient (and where the enumerated exceptions in the Act on Processing of Personal Data section 27, nr 3 do not render transfer possible), the Danish Data Protection Agency may authorise transfer of data to the third country. Such authorisation is conditional on the data controller providing sufficient guarantees for protection of the rights of those registered. This is stated in the Act on Processing of Personal Data section 27, nr 4.

The Commission has found that the requirement in section 27, nr 4 on requisite guarantees for sufficient protection of the rights of those registered may be met by certain standard contractual clauses.
Provided that the data controller enters into an agreement with a cloud supplier on terms based on the Commission's model clauses, transfer of personal data to the cloud supplier may be authorised.

Furthermore, the model clauses provide the option that only one authorisation for transfer of personal data to a given data processor in a third country has to be obtained, even when the data processor uses sub-data processors also based in third countries.

If the data processor is based within the EU and uses sub-data processors in a third country, transfer of personal data may happen if:

- The data controller within the EU enters into an agreement, with terms based on the standard contractual clauses of the Commission, directly with a sub-data processor in a third country, or
- The data controller authorises the data processor in the EU to agree terms with the sub-data processors in the name of and on behalf of the data controller.

The Commission's model clauses are available on the Commission's website on the following link:

Furthermore, reference is made to the information on transfer of information to third countries on the Danish Data Protection Agency's website.

Duty of notification

The Act on Processing of Personal Data contains a principal rule that the Danish Data Protection Agency must be notified before processing of personal data is executed. In relation to the notification, the Danish Data Protection Agency must, when the notification concerns personal data comprised by sections 7 and 8, issue an authorisation or a statement before the processing. This applies in relation to both cloud computing and other cases where personal data is processed.

In most cases public authorities and private companies will have notified the Danish Data Protection Agency beforehand. If the IT architecture that forms the basis for a solution is changed, e.g. if parts of the IT system are converted into cloud solutions, it is not always necessary to re-notify the Danish Data Protection Agency about the processing of personal data. In some cases, it will only be necessary to update the existing notification.

Initially, it is up to the data controller to assess whether the previous notification remains valid or whether the conversion requires a new notification or an update of the current notification, e.g. when converting something into a cloud computing solution.
Reference is made to the Act on Processing of Personal Data chapter 12 (sections 43-47) and the Danish Data Protection Agency's guidelines nr 125 of July 10th 2000 regarding notification of processing done on behalf of the public administration. Furthermore, reference is made to the Act on Processing of Personal Data chapter 13 (sections 48-51) regarding notification of processing done on behalf of private data controllers. These documents can be found on the Danish Data Protection Agency's website.

It should also be noted that transfer of personal data to third countries in certain cases requires authorisation from the Danish Data Protection Agency, cfr. the Act on Processing of Personal Data section 50, nr 2.

The duty of notification lies with the data controller even when the processing of personal data is, according to a data processing agreement, carried out by a data processor.

2.4 Certain critical information

When the data controller, as a public authority, processes data of special interest to foreign powers, precautions must be taken to ensure that the data can be disposed of or destroyed in the event of war or other such events, cfr. the Act on Processing of Personal Data section 41, nr 4. This rule primarily concerns data included in registers which may be of special interest to a foreign power, e.g. to help find individuals with special training or education or special equipment like vehicles etc., which may help the foreign power in case of occupation etc.

This rule - the so-called war-rule - entails that e.g. information from the Civil Register ("CPR-registret"), central tax registers and other special registers in general must not be transferred to a data processor outside Denmark.

Whether the data controlling authority in such a case can transfer personal data comprised by the Act on Processing of Personal Data section 41, nr 4 to a cloud supplier relies on an individual assessment, firstly made by the data controller himself.
If the data controller is in doubt, he may contact the Danish Data Protection Agency.

3. Other relevant legislation

In this section, other legislation, which in some cases may be relevant to observe in relation to cloud computing, is presented.
3.1 The Bookkeeping Act (Bogføringsloven)

The Bookkeeping Act [3] regulates the general minimum requirements for a company's bookkeeping.

According to the Bookkeeping Act section 10, financial records must be stored adequately secure for 5 years from the end of the financial year the records concern. This includes that the financial records during the entire storage period must be protected against theft, fire or other intended or unintended destruction or disposal insofar as it is reasonable. If the records are stored digitally, continuous backup of the records must be made and the backup copy must be checked for readability.

The basis of the Bookkeeping Act section 12 is that financial records must be stored in Denmark or in the Nordic countries [4]. This applies to both physical appendixes and digital data.

Hence, if financial records are stored on a server physically placed outside Denmark, a complete copy must be kept in Denmark. It is not adequate to have online access to the foreign server where the financial records are stored.

If the financial records are stored on a foreign server (e.g. by a cloud service), it is, therefore, necessary to download a copy of the records electronically or make sure that a paper copy is available. The electronic copy must be placed on a server in Denmark and be retrievable, readable and printable without having to be processed. According to regulations of the Bookkeeping Act it will be adequate to make such a copy (electronically or on paper) on a monthly basis.

The rule that financial records as a starting point must be stored in Denmark is, inter alia, based on the consideration that public authorities must be able to perform their tasks. The purpose of the storage requirements is to ensure that e.g. the Central Tax Administration (SKAT) has easy access to financial records in connection with inspection or investigation.
The Danish Commerce and Companies Agency may, upon prior application, grant exemption from the above requirements concerning storage of financial records in Denmark. The Danish Commerce and Companies Agency has, based on the above-mentioned considerations, as yet only granted exemption for storing financial records exclusively abroad in special circumstances and subject to a number of additional conditions. For appendices, exemption for storage exclusively abroad cannot be granted.

Financial records may at all times be stored abroad, provided that an exact copy of the financial records exists in Denmark, e.g. electronically.

3.2 The Audit Act (Regnskabsloven)

The governmental accountancy is regulated according to the Audit Act and the Danish Executive Order on the Preparation of Financial Statements [5].

[3] Consolidated act nr 648 of 15th June
[4] Act nr 250 of 23rd March 2006 about storing financial records abroad
[5] Act nr 131 of 28th March 1984 on the Government's accountancy etc.
Similar to business enterprises, financial records for governmental institutions must be stored adequately secure for 5 years from the end of the financial year the records concern, unless a longer period follows from other legislation. The records must be kept so that, during the entire storage period, independent and unequivocal retrieval of the records in question is possible, cfr. section 44 of the Danish Executive Order on the Preparation of Financial Statements.

The basis for the Audit Act section 45 is that financial records must be stored in Denmark. This applies to both physical appendixes and digital data.

As with the Bookkeeping Act described above, this regulation means that financial records may be stored on a server abroad provided that an exact copy of the records is made on a monthly basis at a minimum. Such a copy must be placed on a server in Denmark or kept on paper.

The Agency for Governmental Management will be able to grant exemption from section 45 for institutions which need to store financial records in the Nordic countries (Finland, Iceland, Norway and Sweden).

3.3 The Archive Act (Arkivloven)

The Archive Act [6] and subjacent regulations concern public authorities' archives. The Archive Act is only relevant in relation to cloud computing if an authority chooses to store or run its casework system in a cloud solution. In such a case the authority must observe the rules of the Archive Act.

The Government's archives assume responsibility for preservation of the individual archives when these are transferred to the Government's archives, cfr. section 8, nr 3. Until then authorities must make sure to observe archival considerations, including that archives are stored adequately secure, cfr. section 8, nr 1. Furthermore, authorities must, according to section 8, nr 2, make sure that archives stored digitally are kept so that they can be transferred to public archives.

In-depth regulations on archival considerations (cfr. section 8 nr 1) about processing, storage and discarding of government agencies' archives can be found in the Danish Executive Order on the Preparation of Archives [7].

[6] Consolidated act nr 1035 of 21st August
[7] Act nr 591 of 26 March 2003 on public archives and public archives activities.
Safeguarding Personally Identifiable Information A Summary of GSK s Binding Corporate Rules The Issue The processing of Personally Identifiable Information (PII) 1 and Sensitive Personally Identifiable
Council Policy Records & Information Management COUNCIL POLICY RECORDS AND INFORMATION MANAGEMENT Policy Number: GOV-13 Responsible Department(s): Information Systems Relevant Delegations: None Other Relevant
MIS Privacy Statement Our Privacy Commitments MIS Training Institute Holdings, Inc. (together "we") respect the privacy of every person who visits or registers with our websites ("you"), and are committed
ICO lo Notification of PECR security breaches Privacy and Electronic Communications Regulations Contents Introduction... 2 Overview... 2 Relevant security breaches... 3 What is a service provider?... 3
TERMS & CONDITIONS of SERVICE for MSKnote Definitions: "Us or Our or We or Company" You or Your or Client Refers to MSKnote Limited Refers to you or your organisation Information about us: We are MSKnote
Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations
PROVIDER NAME: POLICY AREA: College of Computing Technology (CCT) Standard 10: Information Management, Student Information System & Data Protection Policy and Procedure Title: Maintaining Secure Learner
Applicant Privacy Notice for Positions in Willis Companies Located in the European Union and European Economic Area Excluding the United Kingdom ( Applicant Privacy Notice Continental Europe ) This Applicant
Data Protection Policy and Code of Practice All our written information can be made available, on request, in a range of different formats and languages. If you would like this document in any other language
PRACTICAL LAW MULTI-JURISDICTIONAL GUIDE 2012/13 The law and leading lawyers worldwide Essential legal questions answered in 30 key jurisdictions Analysis of critical legal issues AVAILABLE ONLINE AT WWW.PRACTICALLAW.COM/DATAPROTECTION-MJG
on the transfer of personal data from the European Union BCRsseptembre 2008.doc 1 TABLE OF CONTENTS I. PRELIMINARY REMARKS 3 II. DEFINITIONS 3 III. DELEGATED DATA PROTECTION MANAGER 4 IV. MICHELIN GROUP
Information Governance Policy 1 Introduction Healthwatch Rutland (HWR) needs to collect and use certain types of information about the Data Subjects who come into contact with it in order to carry on its
Data protection compliance checklist What is this checklist for? This checklist is drawn up on the basis of analysis of the relevant provisions of European law. Although European law aims at harmonizing
Business Merchant Capture Agreement A. General Terms and Conditions Merchant Capture (MC), the Service, allows you to deposit checks to your LGE Business Account from remote locations by electronically
Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID This Amendment consists of
GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4 PREFACE The following provides general guidance on data protection
HIPAA Compliance and the Protection of Patient Health Information WHITE PAPER By Swift Systems Inc. April 2015 Swift Systems Inc. 7340 Executive Way, Ste M Frederick MD 21704 1 Contents HIPAA Compliance
Guidelines on the way of developing the instruction specifying the method of managing the computer system used for personal data processing, with particular consideration of the information security requirements.
DATA PROTECTION POLICY Approval date: June 2014 Approved by: Board Responsible Manager: Executive Director of Resources Next Review June 2016 Data Protection Policy 1. Introduction Data Protection Policy
Norwegian Data Inspectorate Narvik kommune Postboks 64 8501 NARVIK Norway Your reference Our reference (please quote in any reply) Date 1111/1210-6/PEJA 11/00593-7/SEV 16 January 2012 Notification of decision
Practical Overview on responsibilities of Data Protection Officers Security measures Manuel Villaseca Spanish Data Protection Agency firstname.lastname@example.org Security measures Agenda: The rol of DPO on security measures
Cloud Computing: Legal Risks and Best Practices A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012 Introduction Security and Data Privacy Recent
INDEX Pages 1. DESCRIPTORS... 1 2. KEY ROLE PLAYERS... 1 3. CORE FUNCTIONS OF THE RECORDS MANAGER... 1 4. CORE FUNCTIONS OF THE HEAD OF REGISTRIES... 1 5. PURPOSE... 2 6. OBJECTIVES... 2 7. POLICY... 2
STAR has teamed up with Prevention of Fraud in Travel (PROFiT) and the Fraud Intelligence Network (FIN) to offer our members the best advice about fraud prevention. We recognise the increasing threat of
English is not an official language of the Swiss Confederation. This translation is provided for information purposes only and has no legal force. Federal Act on Data Protection (FADP) 235.1 of 19 June
CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES: Privacy Responsibilities and Considerations Cloud computing is the delivery of computing services over the Internet, and it offers many potential
Astaro Services AG Rheinweg 7, CH-8200 Schaffhausen Supplementary data protection agreement to the license agreement for license ID: between...... represented by... Hereinafter referred to as the "Client"
Southern Law Center Law Center Policy #IT0014 Title: Privacy Expectations for SULC Computing Resources Authority: Department Original Adoption: 5/7/2007 Effective Date: 5/7/2007 Last Revision: 9/17/2012
Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Sopra HR Software as a Data Processor Sopra HR Software, 2014 / Ref. : 20141120-101114-m 1/32 1.
Terms and conditions of business for a NemID administrator of commercial NemID 1 Background...2 2 Scope and object...3 3 Administrator and Certificates...3 3.1 General obligations of the Customer...3 3.2
ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY Originated by: Data Protection Working Group: November 2008 Impact Assessment: (to be confirmed) Recommended by Senate: 28 January 2009 Approved by Council:
Identity Cards Act 2006 CHAPTER 15 Explanatory Notes have been produced to assist in the understanding of this Act and are available separately 6 50 Identity Cards Act 2006 CHAPTER 15 CONTENTS Registration
Southern Law Center Law Center Policy #IT0004 Title: Email Policy Authority: Department Original Adoption: 7/20/2007 Effective Date: 7/20/2007 Last Revision: 9/17/2012 1.0 Purpose: To provide members of
Document history Version Date Remarks 1.0 19-05-2011 finalized 1.01 15-11-2012 URL updated after web page restructuring. 2 Table of Contents 1. Introduction... 4 2. Policy administration... 4 2.1 Overview...
Information Governance Framework June 2015 Information Security Framework Janice McNay June 2015 1 Company Thirteen Group Lead Manager Janice McNay Date of Final Draft and Version Number June 2015 Review
SCP.03.00.EN.1.0 Table of contents Table of contents... 2 1 Introduction... 3 1.1 Spillemyndigheden s certification programme... 3 1.2 Objectives of the... 3 1.3 Scope of this document... 4 1.4 Definitions...
Data protection issues on an EU outsourcing Saam Golshani, Alastair Gorrie and Diego Rigatti, Orrick Herrington & Sutcliffe www.practicallaw.com/8-380-8496 Outsourcing can mean subcontracting a process
Version History Author Approved Committee Version Status date Eddie Jefferson 09/15/2009 Full Governing 1.0 Final Version Body Eddie Jefferson 18/08/2012 Full Governing Body 2.0 Emended due to the change
Data Protection Policy. Data Protection Policy Foreword 2 Foreword Ladies and Gentlemen, In the information age, we offer customers the means to be always connected, even in their cars. This requires data
CROATIAN PARLIAMENT 1364 Pursuant to Article 88 of the Constitution of the Republic of Croatia, I hereby pass the DECISION PROMULGATING THE ACT ON PERSONAL DATA PROTECTION I hereby promulgate the Act on
DATA PROTECTION POLICY The information and guidelines within this Policy are important and apply to all members, Fellows and staff of the College 1. INTRODUCTION Like all educational establishments, the
BUSINESS ASSOCIATE AGREEMENT ( BAA ) Pursuant to the terms and conditions specified in Exhibit B of the Agreement (as defined in Section 1.1 below) between EMC (as defined in the Agreement) and Subcontractor
Title Author Approved By and Date Review Date Mike Pilling Latest Update- Corporation May 2008 1 Aug 2013 DATA PROTECTION ACT 1998 POLICY FOR ALL STAFF AND STUDENTS 1.0 Introduction 1.1 The Data Protection
Service Description for the Registration and Administration of Domain Names by Swisscom 1 Area of application This Service Description govern the conditions for the registration, administration, and use
CERT Exercises Toolset 171 20. Exercise: CERT participation in incident handling related to Article 4 obligations 20.1 What will you learn? During this exercise you will learn about the rules, procedures
FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1