Norwegian Data Inspectorate

Size: px
Start display at page:

Download "Norwegian Data Inspectorate"

Transcription

1 Norwegian Data Inspectorate Narvik kommune Postboks NARVIK Norway Your reference Our reference (please quote in any reply) Date 1111/1210-6/PEJA 11/ /SEV 16 January 2012 Notification of decision New solution within Narvik local authority (Narvik kommune) Google Apps 1 Reference is made to the Norwegian Data Inspectorate s letter of 30 June 2011, the local authority s letter of 8 July 2011, the Data Inspectorate s letter of 1 August 2011, and the local authority s statement received on 2 September The matter concerns the local authority s existing, and planned extended, use of the product Google Apps. In the Data Inspectorate s letter of 30 June 2011, a statement was requested from the local authority concerning the following points: 1. An account of the personal data that the local authority will process in Google Apps. 2. The risk assessment that the local authority has carried out in respect of the processing of personal data in Google Apps; cf. Section 13 of the Norwegian Personal Data Act and Section 2-4 of the Norwegian Personal Data Regulations. 3. A copy of any agreement that the local authority has entered into with Google, together with an overview of the security measures that Google has implemented in the solution that the local authority has decided to use. 4. A copy of any processor agreement between the local authority and Google, as well as a description of the information system s design and physical location. 5. A description of how the following problems have been clarified with Google: Back-up Who at Google has access to the local authority s personal data? How will the local authority conduct a security audit of Google? Cf. Section 2-5 of the Personal Data Regulations. Postal address: Office address: Telephone: Fax: Company reg. no.: Website: Postboks 8177 Dep Tollbugt 3 (+47) (+47) OSLO Norway 1 The translation is unofficial. Should any doubt arise, only the Norwegian text of the decision is valid and binding.

2 Assessment of the local authority s statement Point 1 An account of the personal data that the local authority will process in Google Apps. The regulatory requirements Section 13 of the Personal Data Act states that the controller must ensure a satisfactory level of information security with regard to confidentiality, integrity and availability in connection with the processing of personal data through the use of planned and systematic measures. Section 2-11 third paragraph of the Personal Data Regulations states that personal data that is transferred electronically with the aid of a transfer medium that is outside the controller s physical control shall be encrypted or otherwise secured when confidentiality is necessary. The local authority s statement The local authority states that only an solution has so far been taken into use. However, it is stated that the organisation is also considering using other services that are offered via Google Apps. The local authority justifies this through a need for efficient internal cooperation through the sharing of documents, presentations, spreadsheets, forms or drawings. The local authority then gives some examples of areas where it may be appropriate to use the other tools. Common to these examples is the fact that the processing of personal data will, as regards the employees, be limited to name, telephone number, address and organisational affinity. The local authority furthermore states that all this information is already published on the local authority s website. The Data Inspectorate s assessment The Data Inspectorate restricts its assessment to the specified area of use: to/from and between the local authority s employees. The local authority describes clarity in the regulations, which state that no sensitive personal information must be sent by . Much of the work that is carried out within the local authority is linked to the provision of services to the inhabitants of the municipality, and it is therefore natural that much of the communication to/from the local authority and between the local authority s employees contains personal data. From a purely practical perspective, the Data Inspectorate believes that the local authority faces challenges in preventing sensitive data being sent by , either to/from or between the local authority s employees. However, the local authority can limit the risks through systematic training and the repeated communication of applicable routines. The Data Inspectorate believes that the risk of unauthorised sending of sensitive or confidential personal data will apply both between employees and between the local authority and the public. The Data Inspectorate does not however consider this to be a problem that is limited to Google Apps alone. The reason that this point is highlighted is that, with the specified solution, such information will be processed in systems that are not under the direct control of the controller. The Data Inspectorate s experience suggests that unauthorised communication (e.g. that contains sensitive personal data) will be stored on the processor s server for a long period of time, even after the user has actively deleted messages. This is due to the replication of content, among other things. 2

3 The local authority draws an analogy with Norway Post s distribution system as regards the opportunity for the public to assess the level of security in the communication between the local authority and the public regardless of whether this takes place via or via the post. The Data Inspectorate does not support such an argument. The security level and organisation of Norway Post s distribution system is subject to strict regulation through the Norwegian Postal Services Act and associated regulations. Letters with private or confidential content will be sent in sealed envelopes, where necessary as a registered consignment. The level of security for unencrypted is however based on a standard protocol called Simple Mail Transfer Protocol (SMTP). In practice, this protocol does not afford the content of the communication any protection. The Data Inspectorate s conclusion The local authority cannot exclude the possibility that sensitive personal data will be processed in the solution, and must therefore take into account the fact that both sensitive and general personal data will be processed in the system. The Data Inspectorate does not believe that the local authority has implemented adequate measures (cf. Section 2-11 of the Personal Data Regulations), given that confidential information will be processed in the solution. The local authority must take this into consideration in connection with an assessment of information security; cf. the discussion in the points below. Point 2 A statement with regard to the risk assessment that the local authority has carried out in respect of the processing of personal data in Google Apps; cf. Section 13 of the Norwegian Personal Data Act; cf. Section 2-4 of the Norwegian Personal Data Regulations. The regulatory requirements Section 13 of the Personal Data Act states that the controller must ensure a satisfactory level of information security with regard to confidentiality, integrity and availability in connection with the processing of personal data through the use of planned and systematic measures. Section 2-4 second paragraph of the Personal Data Regulations states that the controller must carry out a risk assessment in order to assess the probability and consequences of security breaches. The local authority s statement The local authority states that an overall risk analysis has been carried out as regards the introduction of a new ICT system. The analysis was enclosed with the local authority s letter. According to the analysis, the use of Google Apps will in most cases give a risk picture similar to that of the local authority s old system with certain exceptions. The local authority notes that the existing challenge of a lack of space and access to technological resources constituted an important factor in the choice of solution. The local authority furthermore refers to the risk of the existing organisation being unable to obtain and maintain specialist expertise to operate yet another specialised IT system. The local authority states that that due to the lack of space it would not be desirable to further burden the local authority s IT centre. 3

4 The local authority furthermore states that a new IT system is to be added. It has been found that it would be appropriate to replace some of the systems that the local authority currently uses with a system that requires fewer operating resources. As the Data Inspectorate understands the situation, the local authority must completely phase out use of the old solution in order to switch to the new one. In connection with such migration, it would be natural for both hardware and physical space to be released. The local authority states that it is believed that Google Apps solution is adequate with regard to availability, integrity and security. Nevertheless, the local authority acknowledges that it is worth noting that in many cases no probability/frequency can be described, as there is no usable reference material for this type of incident. The local authority also gives an account of how it will audit its processor. This will take place through a third party company, which the processor hires, conducting an audit based on the ISAE3402 standard and making available its findings in an audit report. The local authority will have access to this report and will be able to bring up issues within the local authority s information security committee. The Data Inspectorate s assessment Despite the absence of any basis, the local authority has decided to set values for defining the probability in its risk assessment. The Data Inspectorate notes that in the analyses very low probabilities are set for data intrusion, failure in continuity and lack of monitoring in Google Apps solution as mentioned previously without having any usable reference material at its disposal. The Data Inspectorate believes that the uncertainty linked to the probability should be stated much more clearly in the analysis. As regards failure in continuity, the local authority cannot exclusively consider the processor s uptime, but must also consider the uptime of the infrastructure from the local authority s network to the processor. It is unclear to the Data Inspectorate how the local authority will be able to alter the way in which the processor processes its data through the abovementioned audit reports. It appears to the Data Inspectorate that the local authority will only be able to alter how they themselves use the solution, and will have little influence over the design of the solution itself. The latter view is based on observations that the Data Inspectorate has made generally with regard to agreements between organisations. An audit report, based on the ISAE3402 standard, otherwise normally constitutes confirmation or rejection that the organisation complies with a given standard, its own security regime and any certificates that the solution is required to have. Such reports will therefore give little indication as to whether the local authority s standard with regard to security measures is met. The local authority can of course choose a different supplier if the results in the audit report are unsatisfactory, but it must thus be assumed that forcing the existing supplier to implement direct changes will be a challenging process. The Data Inspectorate is aware that changing supplier can lead to major challenges with regard to lock-in effects. There could for example be a contract period and added work involved in the migration process. In the best case scenario, the local authority must verify that this can be done in purely practical terms should a dispute arise. 4

5 The Data Inspectorate s conclusion The Data Inspectorate does not believe that the risk assessment gives a complete picture of the risks associated with the solution chosen by the local authority. The type of risk assessment that the local authority carried out in this case is not sufficient according to Section 2-4 of the Personal Data Regulations. Points 3 and 4 A copy of any agreement that the local authority has entered into with Google, including: An overview of the security measures that Google has implemented in the solution that the local authority has decided to use. A description of the information system s design and physical location. The regulatory requirements Processor agreement Section 15 of the Personal Data Act states that a processor cannot process personal data in any manner other than as agreed in writing with the controller. In addition, the data cannot be transferred to any other party for storage or processing without such an agreement. The agreement with the controller must also state that the processor is obliged to carry out such security measures as follow from Section 13. The information system s design and security measures Section 13 first paragraph of the Personal Data Act states that the controller must ensure a satisfactory level of information security with regard to confidentiality, integrity and availability in connection with the processing of personal data through the use of planned and systematic measures. Section 13 third paragraph of the Personal Data Act states that a controller that permits another party to gain access to personal data, e.g. a processor or other party that is carrying out an assignment in connection with the information system, must ensure that the party concerned fulfils the requirements in the first and second paragraphs. Physical location Section 29 of the Personal Data Act states that personal data can only be transferred to States that ensure appropriate processing of the information. States that have implemented Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, fulfil the requirement for appropriate processing. The local authority s statement The local authority has not entered into any mutual agreement with Google concerning the delivery of a solution for , but has, through system integrator Avalon Information Systems AB, been referred to Google s document which describes the service level and customer support. The local authority states that, as the solution is based on Cloud computing, no additional agreement concerning support from the supplier is necessary, other than the service levels that are listed in the standard agreement from Google. The local authority gives an account of the security measures that Google has described in the Security Whitepaper: Google Apps Messaging and Collaboration Products. In other contexts, the Data Inspectorate has found that such documents are often subject to revision by 5

6 the supplier without negotiation. In such a case, the local authority would have to accept such changes or choose a different supplier. The local authority refers to security mechanisms that Google describes in its Whitepaper. This Whitepaper refers to a number of security adaptations and options that the controller can implement through the solution. The local authority has not explained whether they have chosen any of these adaptations and options. The local authority believes that the supplier s Whitepaper, Google s affiliation to the Safe Harbor agreement and the fact that the local authority has access to the audit reports, should be sufficient to satisfy the authorities requirements concerning a processor agreement. The local authority states that for security reasons Google does not wish to release details concerning the supplier s IT centres. Google also does not wish to publish technical details which could compromise security. The Data Inspectorate s assessment On its website, the Data Inspectorate has presented a proposal for a processor agreement which contains the points that the Data Inspectorate believes should be included in a processor agreement. These points are: the aim and purpose of the agreement, the processor s obligations, the use of subcontractors, security, security audits, duration of the agreement, in the event of termination, communication, and choice of law and legal venue. As the processor does not wish to release information concerning the countries in which their IT centres are located, this presents challenges with regard to the requirements in a processor agreement; cf. Sections 15 and 29 of the Personal Data Act. The local authority will not be able to adequately clarify the level of security in the solution without knowing that the States to which information is transferred have an adequate level of protection for personal data. States that have implemented Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data fulfil the requirement for appropriate processing. Google is an American company and it is therefore possible that information that is processed in the local authority s solution will be stored in the USA and elsewhere. The USA is currently not included in the list of countries that the Commission recognises as ensuring adequate protection for personal data. In order to remedy this, the Safe Harbor scheme was established in This scheme means that US companies can be considered as providing adequate protection for personal data that they receive from the EU/EEA if they voluntarily implement a set of rules for processing of the information. Since Safe Harbor was established, the USA has introduced a law entitled Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act, abbreviated to the USA Patriot Act, as a result of the terrorist attacks on 11 September This act is extremely complicated and comprehensive. The act gives US authorities the right to monitor terrorist suspects without charge or legal proceedings. In connection with this, the Data Inspectorate wishes to note that the USA Patriot Act must be considered as representing a challenge with regard to the safeguarding of personal privacy, even within the Safe Harbor scheme. The Data Inspectorate s conclusion 6

7 On the basis of the above, the Data Inspectorate does not believe that Google s standard agreement is sufficient in relation to what is expected of a processor agreement; cf. Section 15 of the Personal Data Act. In the opinion of the Data Inspectorate, the absence of a processor agreement will constitute a deviation in relation to the requirements in Section 15 of the Personal Data Act. The Data Inspectorate does not believe that the local authority has the opportunity to use a processor which, among other things, does not state which country the information will be processed in and, as a consequence of this, does not provide an adequate account of security measures; cf. Section 29 of the Personal Data Act. Point 5 A description of how the following problems have been clarified with Google: Backup Who at Google has access to the local authority s personal data? How will the local authority conduct a security audit at Google? Cf. Section 2-5 of the Personal Data Regulations. The regulatory requirements Section 2-12 fourth paragraph of the Personal Data Regulations states that personal data and other information that is necessary for the restoration of normal use must be backed up. Section 2-8 of the Personal Data Regulations states that employees of the controller must only use the information system in order to carry out assigned tasks, and must themselves be authorised for such use. The employees must possess the knowledge necessary to use the information system in accordance with the established routines. Section 2-5 of the Personal Data Regulations states that security audits of the use of the information system must be conducted regularly. The security audit must include an assessment of the organisation, security measures and use of communication partners and suppliers. If the security audit identifies unforeseen use of the information, this must be treated as a deviation; cf. Section 2-6. The local authority s statement The local authority refers to Google s Whitepaper, which states that the data will be stored on several systems at the same IT centre and simultaneously replicated to a secondary IT centre. There is no description of how Google has designed their backup system, except that it is presupposed that no data will ever be lost. As regards disposal, the Whitepaper describes how the file will be de-indexed and eventually written over by other data. Google also does not state who has access to the local authority s information, but states that this information is covered by Google s system for authorisation and access control. No statement is given of how many people this concerns and the specific job positions or access requirements that this covers is not defined. The reply concerning security audits is given with under question 2. The Data Inspectorate s assessment and conclusion The local authority has accepted Google s description of the solution. The Data Inspectorate does not believe that the local authority has any opportunity to influence how this solution is put together. On the basis of this, the Data Inspectorate does not believe that the local authority has demonstrated that the conditions in Chapter 2 of the Personal Data Regulations are met. 7

8 Other circumstances On pages 11, 13 and 15 of the appendix entitled Risk and vulnerability analysis for the implementation of a new system within Narvik local authority Google Apps (the analysis document), it is stated that Google has recently introduced an additional function which can be activated by the local authority in order to reject the sending of which contains words or expressions that could indicate sensitive or unacceptable content under current guidelines. The Data Inspectorate does not believe that the introduction of such an additional function will overcome the abovementioned challenges on its own. It is possible that such a solution could, depending on how it is practised, be problematic when viewed in context with Chapter 9 of the Personal Data Regulations. On page 13 of the analysis document, it is stated that an additional layer of security can be added through requiring each individual employee who sends to confirm that the e- mail does not contain sensitive personal data by typing the text Does not contain sensitive personal data in the message. The Data Inspectorate does not believe that this routine will necessarily add an extra layer of security in reality. We believe that this could be automated by the users in order to send . This is therefore a measure which can easily be circumvented and which is little suited to preventing undesirable behaviour. Segmentation of different controllers A processor cannot process personal data on behalf of a controller unless a processor agreement has been established; Section 15 of the Personal Data Act. In practice, this means that if personal data is processed on behalf of several controllers, the processor must process the personal data for each individual controller with an adequate degree of separation. In its documents, Google has not explained how this requirement is adequately met in the solution. It is however explained that the overall system will ensure that it is not be possible to extract the controller s data from a location. This could involve the mixing of information belonging to different controllers. The level of information security is common to all controllers, based on guidelines established by the processor. Such a practice could come into conflict with the role of Google as processor for different parties, which could each have differing requirements concerning security. The problem of such sequential storage becomes of even greater relevance in connection with the need to delete information from the solution. This must be done in accordance with the guidelines that different controllers establish. The problem is also of relevance in connection with the question of deletion in backup copies; cf. Section 28 of the Personal Data Act concerning deletion. In the case of a sequential database, every single entry in the database must be reviewed in order to assess whether it should be deleted, unlike a segmented database for each individual processor s data where one can go in and delete elements that are no longer relevant. This can be done in the form of segmentation of the database. Such a solution means that data from different controllers is not mixed together in a large database, but kept sufficiently separate. Segmentation will be necessary for all activity that can be attributed to a controller. This also includes copies of communicated content, logs, etc. The Data Inspectorate s conclusion In accordance with the regulations, the local authority must implement a satisfactory logical or physical segmentation of the information system, so that the requirements for a satisfactory 8

9 level of information security and different needs with regard to deletion between different controllers can be safeguarded; cf. Sections 13 and 15 of the Personal Data Act. Summary Given the above, the Data Inspectorate does not believe that the local authority has adequately ensured that the use of Google Apps is in line with the Personal Data Act. This particularly applies to the establishment of a valid processor agreement in accordance with Section 15 of the Personal Data Act, requirements concerning the transfer of personal data abroad (cf. Section 29) and fulfilment of the requirements concerning information security in accordance with Section 13 of the Personal Data Act. Against the background of the Data Inspectorate s conclusion, the decision is notified to the local authority. Reference is made to the following section. Notification of decision This is notification that the Data Inspectorate, pursuant to Section 46 of the Personal Data Act, will reach a decision concerning the following instruction: 1. Narvik local authority s use of Google Apps must cease, unless the processing of personal data in the solution can be brought into line with the requirements of the Personal Data Act; cf. Sections 13, 15 and 29 of the Personal Data Act. Deadline for replies Any comments concerning this notification should be sent to the Data Inspectorate as soon as possible and by 1 March 2012 at the latest. It is recommended that the company send the Data Inspectorate a proposal for a schedule for eliminating the deviations described in the control report. The Data Inspectorate will consider this schedule when it sets a deadline for the organisation s implementation of the decision. Notwithstanding the above, the Data Inspectorate will not adopt the decision referred to here if by the same deadline the organisation is able to document that the deviations described in the control report have been closed. Yours sincerely, Bjørn Erik Thon Director Stein Erik Vetland Chief Engineer 9

10 10

Cloud Computing and Data Protection Compliance - Experiences from Norway

Cloud Computing and Data Protection Compliance - Experiences from Norway Cloud Computing and Data Protection Compliance - Experiences from Norway PhD Thomas Olsen Legal Aspects of Cloud Computing, UiO, 27 January 2015 www.svw.no Overview Cloud Computing Introduction to EU and

More information

Data Processing Agreement for Oracle Cloud Services

Data Processing Agreement for Oracle Cloud Services Data Processing Agreement for Oracle Cloud Services Version December 1, 2013 1. Scope and order of precedence This is an agreement concerning the Processing of Personal Data as part of Oracle s Cloud Services

More information

Dean Bank Primary and Nursery School. Secure Storage of Data and Cloud Storage

Dean Bank Primary and Nursery School. Secure Storage of Data and Cloud Storage Dean Bank Primary and Nursery School Secure Storage of Data and Cloud Storage January 2015 All school e-mail is disclosable under Freedom of Information and Data Protection legislation. Be aware that anything

More information

Recommendations for companies planning to use Cloud computing services

Recommendations for companies planning to use Cloud computing services Recommendations for companies planning to use Cloud computing services From a legal standpoint, CNIL finds that Cloud computing raises a number of difficulties with regard to compliance with the legislation

More information

Data Protection Act 1998. Guidance on the use of cloud computing

Data Protection Act 1998. Guidance on the use of cloud computing Data Protection Act 1998 Guidance on the use of cloud computing Contents Overview... 2 Introduction... 2 What is cloud computing?... 3 Definitions... 3 Deployment models... 4 Service models... 5 Layered

More information

Supplier IT Security Guide

Supplier IT Security Guide Revision Date: 28 November 2012 TABLE OF CONTENT 1. INTRODUCTION... 3 2. PURPOSE... 3 3. GENERAL ACCESS REQUIREMENTS... 3 4. SECURITY RULES FOR SUPPLIER WORKPLACES AT AN INFINEON LOCATION... 3 5. DATA

More information

INFORMATION TECHNOLOGY MANAGEMENT CONTENTS. CHAPTER C RISKS 357-7 8. Risk Assessment 357-7

INFORMATION TECHNOLOGY MANAGEMENT CONTENTS. CHAPTER C RISKS 357-7 8. Risk Assessment 357-7 Information Technology Management Page 357-1 INFORMATION TECHNOLOGY MANAGEMENT CONTENTS CHAPTER A GENERAL 357-3 1. Introduction 357-3 2. Applicability 357-3 CHAPTER B SUPERVISION AND MANAGEMENT 357-4 3.

More information

Briefly summarised, SURFmarket has submitted the following questions to the Dutch DPA:

Briefly summarised, SURFmarket has submitted the following questions to the Dutch DPA: UNOFFICIAL TRANSLATION Written opinion on the application of the Wet bescherming persoonsgegevens [Dutch Data Protection Act] in the case of a contract for cloud computing services from an American provider

More information

Data controllers and data processors: what the difference is and what the governance implications are

Data controllers and data processors: what the difference is and what the governance implications are ICO lo : what the difference is and what the governance implications are Data Protection Act Contents Introduction... 3 Overview... 3 Section 1 - What is the difference between a data controller and a

More information

technical factsheet 176

technical factsheet 176 technical factsheet 176 Data Protection CONTENTS 1. Introduction 1 2. Register with the Information Commissioner s Office 1 3. Period protection rights and duties remain effective 2 4. The data protection

More information

The potential legal consequences of a personal data breach

The potential legal consequences of a personal data breach The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.

More information

Privacy and Electronic Communications Regulations

Privacy and Electronic Communications Regulations ICO lo Notification of PECR security breaches Privacy and Electronic Communications Regulations Contents Introduction... 2 Overview... 2 Relevant security breaches... 3 What is a service provider?... 3

More information

Privacy Policy. February, 2015 Page: 1

Privacy Policy. February, 2015 Page: 1 February, 2015 Page: 1 Revision History Revision # Date Author Sections Altered Approval/Date Rev 1.0 02/15/15 Ben Price New Document Rev 1.1 07/24/15 Ben Price Verify Privacy Grid Requirements are met

More information

Tasks for which the efaktura connection unit is responsible are performed by Nets Norway AS (Nets) on behalf of the bank.

Tasks for which the efaktura connection unit is responsible are performed by Nets Norway AS (Nets) on behalf of the bank. A. Introductory provisions 1. Brief description of the service efaktura B2C is a service for the electronic transmission and presentation of payment claims and invoices in the invoice recipient s (payer

More information

The supplier shall have appropriate policies and procedures in place to ensure compliance with

The supplier shall have appropriate policies and procedures in place to ensure compliance with Supplier Instructions for Processing of Personal Data 1 PURPOSE SOS International has legal and contractual obligations on the matters of data protection and IT security. As a part of these obligations

More information

BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS

BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS Mat Wright www.britishcouncil.org CONTENTS Purpose of the code 1 Scope of the code 1 The British Council s data protection commitment and

More information

Third Party Security Requirements Policy

Third Party Security Requirements Policy Overview This policy sets out the requirements expected of third parties to effectively protect BBC information. Audience Owner Contacts This policy applies to all third parties and staff, including contractors,

More information

Summary of responses to the public consultation on Cloud computing run by CNIL from October to December 2011 and analysis by CNIL

Summary of responses to the public consultation on Cloud computing run by CNIL from October to December 2011 and analysis by CNIL Summary of responses to the public consultation on Cloud computing run by CNIL from October to December 2011 and analysis by CNIL 1. Definition of Cloud Computing In the public consultation, CNIL defined

More information

AIRBUS GROUP BINDING CORPORATE RULES

AIRBUS GROUP BINDING CORPORATE RULES 1 AIRBUS GROUP BINDING CORPORATE RULES 2 Introduction The Binding Corporate Rules (hereinafter BCRs ) of the Airbus Group finalize the Airbus Group s provisions on the protection of Personal Data. These

More information

Astaro Services AG Rheinweg 7, CH-8200 Schaffhausen. Supplementary data protection agreement. to the license agreement for license ID: between

Astaro Services AG Rheinweg 7, CH-8200 Schaffhausen. Supplementary data protection agreement. to the license agreement for license ID: between Astaro Services AG Rheinweg 7, CH-8200 Schaffhausen Supplementary data protection agreement to the license agreement for license ID: between...... represented by... Hereinafter referred to as the "Client"

More information

Align Technology. Data Protection Binding Corporate Rules Processor Policy. 2014 Align Technology, Inc. All rights reserved.

Align Technology. Data Protection Binding Corporate Rules Processor Policy. 2014 Align Technology, Inc. All rights reserved. Align Technology Data Protection Binding Corporate Rules Processor Policy Confidential Contents INTRODUCTION TO THIS POLICY 3 PART I: BACKGROUND AND ACTIONS 4 PART II: PROCESSOR OBLIGATIONS 6 PART III:

More information

Cloud computing and the legal framework

Cloud computing and the legal framework Cloud computing and the legal framework - Guidance on legislative requirement and the contractual environment related to cloud computing Content 1. Introduction 3 2. The Danish Act on Processing of Personal

More information

Data Breach Management Policy and Procedures for Education and Training Boards

Data Breach Management Policy and Procedures for Education and Training Boards Data Breach Management Policy and Procedures for Education and Training Boards POLICY on DATA BREACHES in SCHOOLS/COLLEGES and OTHER EDUCATION and ADMINISTRATIVE CENTRES UNDER the REMIT of TIPPERARY EDUCATION

More information

Article 29 Working Party Issues Opinion on Cloud Computing

Article 29 Working Party Issues Opinion on Cloud Computing Client Alert Global Regulatory Enforcement If you have questions or would like additional information on the material covered in this Alert, please contact one of the authors: Cynthia O Donoghue Partner,

More information

NYSED DATA DASHBOARD SOLUTIONS RFP ATTACHMENT 6.4 MAINTENANCE AND SUPPORT SERVICES

NYSED DATA DASHBOARD SOLUTIONS RFP ATTACHMENT 6.4 MAINTENANCE AND SUPPORT SERVICES NYSED DATA DASHBOARD SOLUTIONS RFP ATTACHMENT 6.4 MAINTENANCE AND SUPPORT SERVICES 1. Definitions. The definitions below shall apply to this Schedule. All capitalized terms not otherwise defined herein

More information

SHARPCLOUD SECURITY STATEMENT

SHARPCLOUD SECURITY STATEMENT SHARPCLOUD SECURITY STATEMENT Summary Provides details of the SharpCloud Security Architecture Authors: Russell Johnson and Andrew Sinclair v1.8 (December 2014) Contents Overview... 2 1. The SharpCloud

More information

VPO NOK Rules. Rules for the Central Securities Settlement. in Norwegian Kroner

VPO NOK Rules. Rules for the Central Securities Settlement. in Norwegian Kroner Entry into force: 29. April 2015 Version: 1.1 Published 27. April 2015 VPO NOK Rules Rules for the Central Securities Settlement in Norwegian Kroner This document is a translation from the original Norwegian

More information

University of Liverpool

University of Liverpool University of Liverpool Information Security Policy Reference Number Title CSD-003 Information Security Policy Version Number 3.0 Document Status Document Classification Active Open Effective Date 01 October

More information

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4

More information

Negotiating Contracts That Will Keep our Clouds Afloat: You re going to put THAT in a cloud? Meteorologist: Daniel T. Graham

Negotiating Contracts That Will Keep our Clouds Afloat: You re going to put THAT in a cloud? Meteorologist: Daniel T. Graham Negotiating Contracts That Will Keep our Clouds Afloat: You re going to put THAT in a cloud? Meteorologist: Daniel T. Graham The dynamic provisioning of IT capabilities, whether hardware, software, or

More information

This Amendment consists of two parts. This is part 1 of 2 and must be accompanied by and signed with part 2 of 2 (Annex 1) to be valid.

This Amendment consists of two parts. This is part 1 of 2 and must be accompanied by and signed with part 2 of 2 (Annex 1) to be valid. Microsoft Online Subscription Agreement Amendment adding Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Proposal ID MOSA number Microsoft to complete This Amendment

More information

Big Data for Mutuals. Marc Dautlich 25 November 2013

Big Data for Mutuals. Marc Dautlich 25 November 2013 Big Data for Mutuals Marc Dautlich 25 November 2013 Agenda BIG DATA What is it? OPPORTUNITIES What are they? LEGAL CHALLENGES How do we overcome them? LEGAL REFORM What can we do now to minimise impact?

More information

Decision on adequate information system management. (Official Gazette 37/2010)

Decision on adequate information system management. (Official Gazette 37/2010) Decision on adequate information system management (Official Gazette 37/2010) Pursuant to Article 161, paragraph (1), item (3) of the Credit Institutions Act (Official Gazette 117/2008, 74/2009 and 153/2009)

More information

CCBE RESPONSE REGARDING THE EUROPEAN COMMISSION PUBLIC CONSULTATION ON CLOUD COMPUTING

CCBE RESPONSE REGARDING THE EUROPEAN COMMISSION PUBLIC CONSULTATION ON CLOUD COMPUTING CCBE RESPONSE REGARDING THE EUROPEAN COMMISSION PUBLIC CONSULTATION ON CLOUD COMPUTING CCBE response regarding the European Commission Public Consultation on Cloud Computing The Council of Bars and Law

More information

Microsoft Online Services - Data Processing Agreement

Microsoft Online Services - Data Processing Agreement Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID This Amendment consists of

More information

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS As a world leader in electronic commerce and payment services, First Data Corporation and its subsidiaries ( First Data entity or entities ),

More information

Federal Act on Combating Money Laundering and Terrorist Financing in the Financial Sector 1

Federal Act on Combating Money Laundering and Terrorist Financing in the Financial Sector 1 English is not an official language of the Swiss Confederation. This translation is provided for information purposes only and has no legal force. Federal Act on Combating Money Laundering and Terrorist

More information

Act no 41 on Insurance Mediation (2005-06-10)

Act no 41 on Insurance Mediation (2005-06-10) Translation Translated January 2006 This translation is for information purposes only. Legal authenticity remains with the official Norwegian version as published in Norsk Lovtidend. Act no 41 on Insurance

More information

Comments and proposals on the Chapter IV of the General Data Protection Regulation

Comments and proposals on the Chapter IV of the General Data Protection Regulation Comments and proposals on the Chapter IV of the General Data Protection Regulation Ahead of the trialogue negotiations later this month, EDRi, Access, Panoptykon Bits of Freedom, FIPR and Privacy International

More information

Gas Supplier Agreement. between. the Distribution Company. and. the Gas Supplier

Gas Supplier Agreement. between. the Distribution Company. and. the Gas Supplier Gas Supplier Agreement between the Distribution Company and the Gas Supplier (Version 2.0) Valid as from 6th June 2012 Non-binding translation TABLE OF CONTENTS 1. PARTIES TO THE AGREEMENT... 3 2. PURPOSE...

More information

Regulations on the obligation to provide information, the obligation to ensure compliance, and the right of inspection

Regulations on the obligation to provide information, the obligation to ensure compliance, and the right of inspection Regulations on the obligation to provide information, the obligation to ensure compliance, and the right of inspection Laid down by the Ministry of Labour and Social Inclusion on 22 February 2008 pursuant

More information

This interpretation of the revised Annex

This interpretation of the revised Annex Reprinted from PHARMACEUTICAL ENGINEERING The Official Magazine of ISPE July/August 2011, Vol. 31 No. 4 www.ispe.org Copyright ISPE 2011 The ISPE GAMP Community of Practice (COP) provides its interpretation

More information

SERVICE SCHEDULE INFRASTRUCTURE AND PLATFORM SERVICES

SERVICE SCHEDULE INFRASTRUCTURE AND PLATFORM SERVICES SERVICE SCHEDULE INFRASTRUCTURE AND PLATFORM SERVICES This Product Schedule Terms & Conditions is incorporated into a Services Agreement also comprising the General Terms and Conditions which the Customer

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ( Agreement ) is by and between ( Covered Entity ) and Xelex Digital, LLC ( Business Associate ), and is effective as of. WHEREAS,

More information

Data Protection Policy.

Data Protection Policy. Data Protection Policy. Data Protection Policy Foreword 2 Foreword Ladies and Gentlemen, In the information age, we offer customers the means to be always connected, even in their cars. This requires data

More information

How To Protect Decd Information From Harm

How To Protect Decd Information From Harm Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the

More information

Pursuant to Convention No. 108 of the Council of Europe for the protection of persons with regard to the automated processing of personal data;

Pursuant to Convention No. 108 of the Council of Europe for the protection of persons with regard to the automated processing of personal data; Decision No. 2011-316 dated 6 October 2011 adopting a standard for delivering privacy seals in audit procedures covering the protection of persons with regard to the processing of personal data The French

More information

Caedmon College Whitby

Caedmon College Whitby Caedmon College Whitby Data Protection and Information Security Policy College Governance Status This policy was re-issued in June 2014 and was adopted by the Governing Body on 26 June 2014. It will be

More information

Spillemyndigheden s Certification Programme Information Security Management System

Spillemyndigheden s Certification Programme Information Security Management System SCP.03.00.EN.1.0 Table of contents Table of contents... 2 1 Objectives of the... 3 1.1 Scope of this document... 3 1.2 Version... 3 2 Certification... 3 2.1 Certification frequency... 3 2.1.1 Initial certification...

More information

Coláiste Pobail Bheanntraí

Coláiste Pobail Bheanntraí Coláiste Pobail Bheanntraí Seskin Bantry, Co. Cork. Principal: Dr. Kevin Healy B.A, H.D.E, M.Ed, Ed.D Deputy Principal: Mr. Denis O Sullivan, BSc. (Ed.), H.D.E Phone: 027 56434 Fax: 027 56439 E-mail: admin@colaistepobailbheanntrai.com

More information

Signing the Contract - Contracture of People Managers

Signing the Contract - Contracture of People Managers CERTIFICATION APPLICATION FOR AN ELECTRONIC DOCUMENT MANAGEMENT SYSTEM This form is reserved for agencies and brokers acting on their own account and for designers of EDM systems for those agencies and

More information

Estate Agents Authority

Estate Agents Authority INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in

More information

Practical Overview on responsibilities of Data Protection Officers. Security measures

Practical Overview on responsibilities of Data Protection Officers. Security measures Practical Overview on responsibilities of Data Protection Officers Security measures Manuel Villaseca Spanish Data Protection Agency mvl@agpd.es Security measures Agenda: The rol of DPO on security measures

More information

Corporate Information Security Policy

Corporate Information Security Policy Corporate Information Security Policy. A guide to the Council s approach to safeguarding information resources. September 2015 Contents Page 1. Introduction 1 2. Information Security Framework 2 3. Objectives

More information

STRATEGIC POLICY REQUIRED HARDWARE, SOFTWARE AND CONFIGURATION STANDARDS

STRATEGIC POLICY REQUIRED HARDWARE, SOFTWARE AND CONFIGURATION STANDARDS Policy: Title: Status: ISP-S9 Use of Computers Policy Revised Information Security Policy Documentation STRATEGIC POLICY 1. Introduction 1.1. This information security policy document contains high-level

More information

PRIVACY REGULATIONS regarding the Web Health History ("W.H.H.") Service called LifepassportPRO provided by Meshpass SA

PRIVACY REGULATIONS regarding the Web Health History (W.H.H.) Service called LifepassportPRO provided by Meshpass SA PRIVACY REGULATIONS regarding the Web Health History ("W.H.H.") Service called LifepassportPRO provided by Meshpass SA Updated: 20 Jun 2015 (substitutes previous versions) This Privacy Policy describes

More information

Records Management Policy.doc

Records Management Policy.doc INDEX Pages 1. DESCRIPTORS... 1 2. KEY ROLE PLAYERS... 1 3. CORE FUNCTIONS OF THE RECORDS MANAGER... 1 4. CORE FUNCTIONS OF THE HEAD OF REGISTRIES... 1 5. PURPOSE... 2 6. OBJECTIVES... 2 7. POLICY... 2

More information

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Sopra HR Software as a Data Processor Sopra HR Software, 2014 / Ref. : 20141120-101114-m 1/32 1.

More information

ADRI. Advice on managing the recordkeeping risks associated with cloud computing. ADRI-2010-1-v1.0

ADRI. Advice on managing the recordkeeping risks associated with cloud computing. ADRI-2010-1-v1.0 ADRI Advice on managing the recordkeeping risks associated with cloud computing ADRI-2010-1-v1.0 Version 1.0 29 July 2010 Advice on managing the recordkeeping risks associated with cloud computing 2 Copyright

More information

Clause 1. Definitions and Interpretation

Clause 1. Definitions and Interpretation [Standard data protection [agreement/clauses] for the transfer of Personal Data from the University of Edinburgh (as Data Controller) to a Data Processor within the European Economic Area ] In this Agreement:-

More information

Office 365 Data Processing Agreement with Model Clauses

Office 365 Data Processing Agreement with Model Clauses Enrollment for Education Solutions Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Enrollment for Education Solutions number Microsoft to complete 7392924 GOLDS03081

More information

DBC 999 Incident Reporting Procedure

DBC 999 Incident Reporting Procedure DBC 999 Incident Reporting Procedure Signed: Chief Executive Introduction This procedure is intended to identify the actions to be taken in the event of a security incident or breach, and the persons responsible

More information

Gmail Security - Concerns About Privacy

Gmail Security - Concerns About Privacy Office of Risk Management and Access to Information MEMORANDUM Tel.: (807) 343-8518; 343-8267 Fax: (807) 346-7735 Email: mshaw1@lakeheadu.ca TO: FROM: Inquirers about Lakehead University s Adoption of

More information

Cork ETB Data Breach Management Policy and Procedures

Cork ETB Data Breach Management Policy and Procedures Cork ETB Data Breach Management Policy and Procedures POLICY ON THE MANAGEMENT OF DATA BREACHES IN SCHOOLS/COLLEGES AND OTHER EDUCATION AND ADMINISTRATIVE CENTRES UNDER THE REMIT OF CORK EDUCATION AND

More information

BRING YOUR OWN DEVICE

BRING YOUR OWN DEVICE BRING YOUR OWN DEVICE Legal Analysis & Practical TIPs for an effective BYOD corporate Policy CONTENTS 1. What is BYOD? 2. Benefits and risks of BYOD in Europe 3. BYOD and existing Policies 4. Legal issues

More information

White Paper Security. Data Protection and Security in School Management Systems

White Paper Security. Data Protection and Security in School Management Systems White Paper Security Data Protection and Security in School Management Systems This paper clarifies the roles and responsibilities of those dealing with the data that is central to school management systems.

More information

GRTGAZ NETWORK TRANSMISSION CONTRACT

GRTGAZ NETWORK TRANSMISSION CONTRACT Page 1 of 9 GRTGAZ NETWORK TRANSMISSION CONTRACT APPENDIX A3 STANDARD EVIDENCE AGREEMENT English translation for information. Disclaimer The present translation is not binding and is provided by GRTgaz

More information

RS Official Gazette, No 23/2013 and 113/2013

RS Official Gazette, No 23/2013 and 113/2013 RS Official Gazette, No 23/2013 and 113/2013 Pursuant to Article 15, paragraph 1 and Article 63, paragraph 2 of the Law on the National Bank of Serbia (RS Official Gazette, Nos 72/2003, 55/2004, 85/2005

More information

TERMS & CONDITIONS of SERVICE for MSKnote. Refers to MSKnote Limited. Refers to you or your organisation

TERMS & CONDITIONS of SERVICE for MSKnote. Refers to MSKnote Limited. Refers to you or your organisation TERMS & CONDITIONS of SERVICE for MSKnote Definitions: "Us or Our or We or Company" You or Your or Client Refers to MSKnote Limited Refers to you or your organisation Information about us: We are MSKnote

More information

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129 Addendum Amendment ID Proposal ID Enrollment number Microsoft to complete This addendum ( Windows Azure Addendum ) is entered into between the parties identified on the signature form for the

More information

Transition Guidelines: Managing legacy data and information. November 2013 v.1.0

Transition Guidelines: Managing legacy data and information. November 2013 v.1.0 Transition Guidelines: Managing legacy data and information November 2013 v.1.0 Document Control Document history Date Version No. Description Author October 2013 November 2013 0.1 Draft Department of

More information

CAVAN AND MONAGHAN EDUCATION AND TRAINING BOARD. Data Breach Management Policy. Adopted by Cavan and Monaghan Education Training Board

CAVAN AND MONAGHAN EDUCATION AND TRAINING BOARD. Data Breach Management Policy. Adopted by Cavan and Monaghan Education Training Board CAVAN AND MONAGHAN EDUCATION AND TRAINING BOARD Data Breach Management Policy Adopted by Cavan and Monaghan Education Training Board on 11 September 2013 Policy Safeguarding personally identifiable information

More information

IBX Business Network Platform Information Security Controls. 2015-02- 20 Document Classification [Public]

IBX Business Network Platform Information Security Controls. 2015-02- 20 Document Classification [Public] IBX Business Network Platform Information Security Controls 2015-02- 20 Document Classification [Public] Table of Contents 1. General 2 2. Physical Security 2 3. Network Access Control 2 4. Operating System

More information

How To Use A Minicloud Server On An Ovh Cloud (For Free) For A Long Time

How To Use A Minicloud Server On An Ovh Cloud (For Free) For A Long Time O V H SPECIAL CONDITIONS FOR MINICL0UD SOLUTIONS Version dated 31th May 2010 Definitions: Cloud: Technology aimed for the remote use of executing resources and storage. Loyalty scheme: A section in the

More information

DATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE

DATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE DATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE 1. INTRODUCTION Annex C 1.1 Surrey Heath Borough Council (SHBC) processes personal data and must respond appropriately against unauthorised or unlawful

More information

Regulations concerning measures to combat money laundering and the financing of terrorism, etc.

Regulations concerning measures to combat money laundering and the financing of terrorism, etc. Regulations concerning measures to combat money laundering and the financing of terrorism, etc. Translation as of April 2009. This translation is for information purposes only. Legal authenticity remains

More information

INSURANCE ACT 2008 CORPORATE GOVERNANCE CODE OF PRACTICE FOR REGULATED INSURANCE ENTITIES

INSURANCE ACT 2008 CORPORATE GOVERNANCE CODE OF PRACTICE FOR REGULATED INSURANCE ENTITIES SD 0880/10 INSURANCE ACT 2008 CORPORATE GOVERNANCE CODE OF PRACTICE FOR REGULATED INSURANCE ENTITIES Laid before Tynwald 16 November 2010 Coming into operation 1 October 2010 The Supervisor, after consulting

More information

Service Level Policy. San Diego Geographic Information Source. City and County of San Diego. by and between. and. Version 1.1 Revised January 12, 2011

Service Level Policy. San Diego Geographic Information Source. City and County of San Diego. by and between. and. Version 1.1 Revised January 12, 2011 Service Level Policy by and between San Diego Geographic Information Source and City and County of San Diego Version 1.1 Revised January 12, 2011 TABLE OF CONTENTS REVISION HISTORY... 3 INTRODUCTION...

More information

ATMD Bird & Bird. Singapore Personal Data Protection Policy

ATMD Bird & Bird. Singapore Personal Data Protection Policy ATMD Bird & Bird Singapore Personal Data Protection Policy Contents 1. PURPOSE 1 2. SCOPE 1 3. COMMITMENT TO COMPLY WITH DATA PROTECTION LAWS 1 4. PERSONAL DATA PROTECTION SAFEGUARDS 3 5. ATMDBB EXCEPTIONS:

More information

Distribution Agreement for the ENC Service by and between Norwegian Hydrographic Service and. Agreement No.:.. Version No.: 1.0

Distribution Agreement for the ENC Service by and between Norwegian Hydrographic Service and. Agreement No.:.. Version No.: 1.0 Distribution Agreement for the ENC Service by and between Norwegian Hydrographic Service and. Agreement No.:.. Version No.: 1.0 Contents: 1 Parties and relevant documents... 3 2 Definitions... 3 3 Grant

More information

THE BUDAPEST STOCK EXCHANGE LTD. REGULATIONS ON THE USE OF REMOTE TRADING

THE BUDAPEST STOCK EXCHANGE LTD. REGULATIONS ON THE USE OF REMOTE TRADING THE BUDAPEST STOCK EXCHANGE LTD. REGULATIONS ON THE USE OF REMOTE TRADING Date and reference no. of approval/modification resolutions by the Board of Directors: Date and reference no. of approval by Supervisory

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

The Anti-Corruption Compliance Platform

The Anti-Corruption Compliance Platform The Anti-Corruption Compliance Platform DATA COLLECTION RISK IDENTIFICATION SCREENING INTEGRITY DUE DILIGENCE CERTIFICATIONS GIFTS, TRAVEL AND ENTERTAINMENT TRACKING SECURITY AND DATA PROTECTION The ComplianceDesktop

More information

Data Management Policies. Sage ERP Online

Data Management Policies. Sage ERP Online Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...

More information

Heslop & Platt Solicitors Limited

Heslop & Platt Solicitors Limited TERMS OF BUSINESS Heslop & Platt Solicitors Limited 1. Introduction and Definitions 1.1 In these terms of business, the following words and phrases have the following meanings: Initial Client Letter Client

More information

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 --------------

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 -------------- w Microsoft Volume Licensing Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 Enrollment for Education Solutions number Microsoft to complete --------------

More information

Rules for the admission of shares to stock exchange listing (Listing Rules)

Rules for the admission of shares to stock exchange listing (Listing Rules) Rules for the admission of shares to stock exchange listing (Listing Rules) TABLE OF CONTENTS: 1. GENERAL... 3 2. CONDITIONS FOR ADMISSION TO LISTING... 3 2.1 GENERAL CONDITIONS... 3 2.1.1 Public interest,

More information

Data Transfer Policy. Data Transfer Policy London Borough of Barnet

Data Transfer Policy. Data Transfer Policy London Borough of Barnet Data Transfer Policy Data Transfer Policy London Borough of Barnet Document Control POLICY NAME Data Transfer Policy Document Description Policy surrounding data transfers (electronic and paper based).

More information

Indicative Requirements for Cloud Service Providers. connect communicate collaborate

Indicative Requirements for Cloud Service Providers. connect communicate collaborate Requirements Document Cloud Services connect communicate collaborate www.geant.net This document has been produced with the financial assistance of the European Union. The contents of this document are

More information

CODE OF CONDUCT as adopted by the Board of Directors on 20 February 2015

CODE OF CONDUCT as adopted by the Board of Directors on 20 February 2015 GOLDFIELDS MONEY LIMITED ACN 087 651 849 CODE OF CONDUCT as adopted by the Board of Directors on 20 February 2015 1. Purpose This Code of Conduct (Code) clearly states the standards of responsibility and

More information

HICAPS. Provider Agreement. Terms and Conditions

HICAPS. Provider Agreement. Terms and Conditions HICAPS Provider Agreement Terms and Conditions This agreement is made up of this booklet and the HICAPS Provider Agreement Details. HICAPS Pty Limited ABN 11 080 688 866 Terms and Conditions 1. Interpretation

More information

1. Scope of application

1. Scope of application Terms and conditions for electronic communication 1. Scope of application These terms and conditions apply to electronic communication undertaken by the Customer or the User using ebanking or telephone

More information

PAYMENT SERVICES AND SYSTEMS ACT (ZPlaSS) CHAPTER 1 GENERAL PROVISIONS SUBCHAPTER 1 CONTENT OF THE ACT. Article 1. (scope)

PAYMENT SERVICES AND SYSTEMS ACT (ZPlaSS) CHAPTER 1 GENERAL PROVISIONS SUBCHAPTER 1 CONTENT OF THE ACT. Article 1. (scope) Legal notice All effort has been made to ensure the accuracy of this translation, which is based on the original Slovenian text. All translations of this kind may, nevertheless, be subject to a certain

More information

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10 Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID This Microsoft Online Services Security Amendment ( Amendment ) is between

More information

EURODAC Central Unit. Inspection Report

EURODAC Central Unit. Inspection Report EURODAC Central Unit Inspection Report June 2012 Case file: 2011-1103 INDEX 1. INTRODUCTION... 3 1.1 The EURODAC system... 3 1.2 EDPS supervision of the EURODAC Central Unit... 3 1.3 Scope of the inspection...

More information

Quality Assurance Agreement (QAA)

Quality Assurance Agreement (QAA) Quality Assurance Agreement (QAA) between W. GESSMANN GmbH Eppinger Str. 221, D-74211 Leingarten - hereafter "W. GESSMANN" - and Company Road, house number Postal code and city - hereafter called "Supplier"

More information

Finansinspektionen s Regulatory Code

Finansinspektionen s Regulatory Code Finansinspektionen s Regulatory Code Publisher: Finansinspektionen, Sweden, www.fi.se ISSN 1102-7460 This translation is furnished for information purposes only and is not itself a legal document. Finansinspektionen's

More information

Using AWS in the context of Australian Privacy Considerations October 2015

Using AWS in the context of Australian Privacy Considerations October 2015 Using AWS in the context of Australian Privacy Considerations October 2015 (Please consult https://aws.amazon.com/compliance/aws-whitepapers/for the latest version of this paper) Page 1 of 13 Overview

More information

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c INFORMATION SECURITY MANAGEMENT SYSTEM Version 1c Revised April 2011 CONTENTS Introduction... 5 1 Security Policy... 7 1.1 Information Security Policy... 7 1.2 Scope 2 Security Organisation... 8 2.1 Information

More information